Welcome back. As we continue to build up your secure, resilient, and compliant environment, we now must cover another foundational and required step: the vendor assessments. It is a mandatory regulatory requirement to conduct these assessments, however, the physical audit is not mandatory.
The need for analytics, high-capacity storage, and increased computing power has expanded the need for data handling, analytics tools, and applications that only the cloud can support.
Also, in response to the COVID-19 pandemic, pharmaceutical and life science organizations are looking into new methods for assessing a cloud vendor without physically visiting their datacenters.
In this article, we’ll cover how the offerings we have at Microsoft serve as a resource for you to save time while conducting your vendor assessment, and why our openness to compliance sets us apart.
When considering a vendor and compliance, it’s important to understand that the cloud builds on the shared responsibility model that can help in guidance and understanding of the documents needed for compliance reporting.
Figure 1: The shared responsibility model
Regardless of the type of deployment, there are responsibilities that are always retained by Microsoft, including datacenter building access, physical hosts, and physical networks. The data, endpoints, account, and access management are always retained by the customer. This means that you need to have controls in place to protect the security of your data and identities. It’s also important to have documented evidence ready at all times to show how you govern those assets.
Microsoft offers you the platform and tools to help build a secure, resilient, and available environment. These tools can also assist in building reports that demonstrate continuous compliance. We will be taking a closer look at some of these tools, like the Azure Cloud Adoption Framework and enterprise scale landing zone.
As mentioned in the previous blog post on GxP guidelines, physical security is a vital security layer to consider. Microsoft takes numerous measures to ensure that our infrastructure is secure. We also recently published a virtual tour around our datacenters that gives insight into the Azure physical security layer.
Remote vendor assessment
Conducting a vendor assessment is a requirement for using third-party vendors. A vendor audit is optional. To produce a vendor assessment remotely, you must assess how to build quality, security, and integrity into your services. You also need to document the competencies and training records of staff and reliability of the services offered.
It’s necessary to have the appropriate controls and mitigations documented in the quality management system to help comply with regulatory expectations.
When factoring the level of depth of the assessment, organizations must consider their vendor management process and the associated risk documented for outsourcing or using cloud services.
According to regulations, there are three levels of assessing vendors:
- Basic assessment: A review of available information from the vendor.
- Postal audit: Questions sent to the vendor in which detailed information about the vendor’s quality management system and business processes is requested.
- On-site audit: A review of the vendor’s procedural controls and process documentation performed by an appointed auditor.
Special areas of interest in the vendor assessment would be:
- The security of our facilities (e.g., human access restrictions)
- Controls to protect hardware and devices (e.g., controls for destroying hardware)
- Controls for human access
- Availability of services
While an on-site audit is not allowed for security concerns and logistical reasons, Microsoft has contracted with third parties to do that inspection for you, making it easier for you to access the information to do a vendor assessment.
The above areas needed in the vendor assessment are all included in the audit cycle of our services and are also made available on the Microsoft Trust Center in SOC1/SOC2 reports, as well as our ISO/IEC 27001 certification report.
The SOC reports include the following areas:
- Privacy of personal information
To show full visibility, the audit report we make available also includes the findings for the controls that are being audited. Remember to look for the correct version (date covered by the report) and to check for the relevant bridge letter, if applicable.
The vendor assessments provide you with the evidence relevant to your controls of our quality standards and practices. Building solutions and using cloud relies on trust, which we hope is established with our openness to security, process and compliance. The openness and dedication to show that we have appropriate controls in place to secure and govern your foundational estate. A trust that should bring confidence that you can build your solutions on Microsoft Clouds.
Several of our customers have done remote vendor assessments (desk-audit) using our available reports discussed in the previous blog. These are available on the Microsoft Trust Center Website.
We hope that the above information helps you in building your assessment and starting to leverage the tools and services we offer to build a compliant service inside your business or in your partnership.
As you read this, the next question you may be thinking is: how do I build the technical part to support this secure, resilient, and compliant environment?
In a future post, we will look into building a foundation that has automation, good software development life cycle practices, standardization, and compliance at the core.
A valuable resource for building a qualified foundation is the Microsoft Cloud Adoption Framework. We will dive “into the how’s” with some operational examples on using enterprise scale adoption of the framework in later blog posts. A teaser can be found here.
The need for a true enterprise scale foundation is important because it offers the availability and control points, as well as the ability to deliver the services as infrastructure as code.
It’s important to familiarize yourself with infrastructure as code since it is needed to build compliance into the flow and to work with continuous validation across the cloud services that you wish to use or offer to your business.
The need for governance and control has never been greater. At Microsoft, we try to build our services with that need in mind. Our products have high-quality coverage to give you the insight and control to build out the policies to support your secure environment.
Governance is important now that we look at infrastructure as code and low-code/no-code principles. That’s why we will also look at some examples of how you can establish good governance in your journey.
So, stick around as we continue to work our way through the next steps for GxP Cloud Compliance using Microsoft Cloud.