Automated Evidence Collection for Life Sciences continuous compliance solutions using AWS Audit Manager
In the first post of this two-part series, we highlighted how Life Sciences customers can implement a controlled change management process using AWS Systems Manager Change Manager and AWS Config. The solution in our first post, highlighted how a you can follow your Standard Operating Procedures (SOP’s) by implementing approval steps in order to make resource changes. This is a common requirement for organization’s that need to maintain compliance with FDA 21 CFR Part 11. In this second post of the series, we will show you how to complete the continuous compliance cycle by detailing how to automate evidence collection for the FDA 21 CFR Part 11 framework which many Life Sciences customers are operating under. Throughout this blog post, we will refer to Good Laboratory Practices (GLP), Good Clinical Practices (GCP), Good Manufacturing Practices (GMP) as GxP.
Implementing a continuous compliance solution that is highly automated is one of the most effective ways customers can achieve compliance at scale in the cloud. To accomplish this, you need to (1) continuously monitor and evaluate resource configurations, (2) flag and remediate any non-compliant resources automatically, (3) log the changes and evidence before you then re-evaluate. In our first post, we show you how to accomplish the first two steps in the continuous compliance cycle by using AWS Systems Manager Change Manager and AWS Config to implement a change control process for non-compliant resources. In that post, if a resource is found to be non-compliant by AWS Config the remediation action will be taken by Change Manager. Change Manager will invoke an approval process before the remediation action on the resource takes place. This is done to ensure the remediation action does not have an adverse effect which will degrade operations downstream.
We will now explore the third step where we will use AWS Audit Manager to automatically collect evidence of the compliance state of our resources. AWS Audit Manager is a fully managed service that enables customers to continuously audit and evaluate their compliance with common industry standards. In this blog post, we will focus on Life Sciences and the GxP framework, the same steps will apply for other standards such as PCI-DSS, FedRAMP (Moderate), or NIST-CSF for example. You can find a list of available prebuilt frameworks in the Audit Manager Framework Library.
Overview of solution
This solution utilizes AWS Config to continuously evaluate the configurations of your resources and sends evidence of the result to AWS Audit Manager. If Config evaluates a resource that is non-compliant with your desired configuration state, it will leverage AWS Systems Manager Change Manager for remediation. Change Manager will send an email to an approver to review the change request before the remediation takes place. Once the change request is approved, the automation in the defined change template will then remediate the resource. After Change Manager has remediated the non-compliant resource, the compliance state of that resource is then updated and the evidence is automatically sent to Audit Manager for reporting.
Figure 1 – Example architecture of a continuous compliance solution that utilizes change control and AWS Audit Manager as evidence collection
We will now go over the high level steps needed to implement evidence collection for the GxP framework, completing the continuous compliance cycle.
- Create an assessment for the GxP framework to start collecting evidence.
- Generate an assessment report.
The following prerequisites need to be completed to deploy this solution:
- Enable AWS Config in your AWS account.
- Follow the steps to set up AWS Audit Manager.
- Follow the steps to AWS Systems Manager Change Manager.
Step 1: Create an assessment for the GxP framework
- Navigate to the AWS Audit Manager consoleand Select Create assessment.
- In the Assessment details section, enter a name for your assessment. We will use GxP 21 CFR Part 11 for this blog post.
- Provide a description for the assessment, we will simply add that this assessment is for GxP 21 CFR Part 11.
- In the Assessment report destination section, select an existing (or create new) Amazon S3 bucket where you intend to save your assessment reports. Following the steps above, you should have the following selections in your console.
Figure 2 – Assessment details for GxP 21 CFR Part 11
- In the Frameworks search bar, search for the GxP 21 CFR Part 11 framework.
- If you would like to add a tag to associate with your assessment, choose Add new tag. When your done choose Next.
- Select the accounts you want to include in the scope of your assessment.
You can specify multiple AWS accounts to be in the scope of an assessment. AWS Audit Manager supports multiple accounts through integration with AWS Organizations. This means that Audit Manager assessments can be run over multiple accounts, with the evidence that’s collected consolidated into a delegated administrator account.
Figure 4 – Accounts in scope for GxP assessment
- Review the AWS services in scope and choose Next
- Specify the audit owners for your assessment. Audit owners are the individuals in your workplace—usually from GRC, SecOps, or DevOps teams—who are responsible for managing the Audit Manager assessment.
- Choose Create assessment.
Figure 3 – GxP 21 CFR Part 11 framework selection
Prebuilt frameworks will already have the AWS services in scope selected for you. If you create a custom framework you can define the services that will be in scope for your assessment.
Figure 5 – Services in scope for GxP assessment
Figure 6 – Selecting audit owners for the GxP assessment
Step 2: Create an assessment report for the GxP framework
It may take some time for Audit Manager to gather evidence for your assessment. If you are not seeing evidence in your controls, allow some time for the evidence to be collected and then proceed to the next steps.
- From the AWS Audit Manager console, select Assessments from the left panel menu. Then select the GxP framework assessment that we created.
- The Controls tab displays a summary of the controls in the assessment, along with a full list of those controls. Each assessment can contain multiple control sets, and each control set contains multiple controls.
- Choose the “+” to expand the list for the first control set (Controls for closed systems).
- Select the first control which should be 11.10.
- Select the latest evidence folder and choose add to assessment report.
- Repeat steps 3-5 with any other controls you want to add to your assessment report.
- Choose View evidence in assessment report from the top banner displayed.
- In the Assessment report selection tab in the bottom panel select Generate assessment report.
- Provide the report with a name and description, we will give ours the name GxP_controls.
- Select Generate assessment report.
- From the Audit Manager console choose Download center, which you can find in the left panel menu.
- You can now select and download the assessment report.
Figure 7 – Selecting the GxP Framework assessment to review
Figure 8 – Review the controls tab
We will add the evidence collected for this control to our assessment report. The Evidence folders tab lists the evidence that is automatically collected for this control. It’s organized into folders on a daily basis.
Figure 9 – Expand Controls for closed systems to view control 11.10
Figure 10 – Select evidence folders to add to your assessment report
Now that we have selected the evidence to be added to our assessment report, we will now generate and download the report.
Figure 11 – View evidence in assessment report after making selections
Figure 12 – View evidence in assessment report after making selections
To avoid incurring future charges, delete the resources.
In this blog post, we detailed the steps to start automating evidence collection for GxP CFR 21 part 11. Leveraging AWS Audit Manager to automate evidence collection not only streamlines the compliance process but also help organizations demonstrate their adherence to regulatory standards. By using Audit Manager you can quickly get started on gathering evidence for the controls in your selected framework. Automated evidence collection is an essential piece of a continuous compliance solution when operating in the cloud. In highly regulated environments organizations must make changes using approvals in order to ensure resource changes do not introduce unintended issues to their applications. Our first post of this series outlined how Life Sciences customers can adhere to their SOP’s by implementing a defined change control process. By combining this post with the previous of this series we created a solution for continuous compliance and highlighted the art of the possible for Life Sciences customers.
About the authors