Cloud Config: GxPComplianceCheckForEU11

Last Updated: Dec 07, 2023

This topic describes the background information and scenarios of the GxPComplianceCheckForEU11 compliance package, and the rules provided in the compliance package.

Background information

GxP EU Annex 11 guidelines apply to computerized systems used in the European Union (EU), especially to computerized systems used by enterprises and organizations in the pharmacy, biotechnology, and medical device industries. The requirements cover the development, validation, operation, maintenance, and monitoring of computerized systems to ensure compliance with relevant regulations and standards for the production, control, and assurance of product quality and reliability. As a component of the good manufacturing practice (GMP) regulations for pharmaceuticals, Annex 11 is widely used in the pharmaceutical and biotechnology industries in Europe and worldwide.

Based on the Annex 11 baseline standards for account data protection, the GxPComplianceCheckForEU11 compliance package provides optional compliance evaluation in terms of resource usage and control in the cloud.

For more information about the compliance standards of Annex 11, see Annex 11: Computerised Systems.

Scenarios

The GxPComplianceCheckForEU11 compliance package applies to enterprises and organizations that use computerized systems in the pharmacy, biotechnology, and medical instrument industries.

Rules

Note

A compliance package template provides a common framework. You can use the template to efficiently create compliance packages that meet your requirements in specific business scenarios. If a resource is evaluated as compliant by using a rule, the resource meets only the compliance requirements of the rule. The resource may not be compliant with legal or regulatory requirements, or industry standards.

Each entry below lists the rule name, the rule description, and then each mapped requirement number (Requirement No.) followed by its requirement description.

actiontrail-trail-intact-enabled

Checks whether an active trail exists in ActionTrail and whether events of all types generated in all regions are tracked. If so, the evaluation result is Compliant.

1.1

Risk management shall be performed throughout the lifecycle of the computerized systems, taking into account patient safety, data integrity, and product quality. As a part of a risk management system, decisions on validation and data integrity control shall be made based on the sound and reasonable risk assessments of computerized systems.

4.2

Validation documents, such as change control records (if applicable) and reports on deviations observed during validation, are required.

9.1

All GMP-related changes, including deletions, shall be recorded in the system based on a risk assessment. These system records are conducive to auditing. Reasons why GMP-related data is changed or deleted shall be documented. These records must be available, convertible to a generally understandable form, and subject to regular auditing.

11.1

Computerized systems shall be periodically evaluated to stay valid and in compliance with GMP. The evaluation shall be implemented based on the functional scope, deviation records, events, issues, upgrade history, performance, reliability, security, and validation status reports.

12.3

The creation, change, and cancellation of access permissions shall be documented.

12.4

Data and document management systems shall be established to record operators who write, change, confirm, or delete data, including date and time.

13.1

In addition to system failures and data errors, all other events shall be reported and evaluated. The root causes of critical events shall be identified and become the basis for correction and prevention.

security-center-version-check

Checks whether Security Center Enterprise Edition or a more advanced edition is used. If so, the evaluation result is Compliant.

1.1

Risk management shall be performed throughout the lifecycle of the computerized systems, taking into account patient safety, data integrity, and product quality. As a part of a risk management system, decisions on validation and data integrity control shall be made based on the sound and reasonable risk assessments of computerized systems.

11.1

Computerized systems shall be periodically evaluated to stay valid and in compliance with GMP. The evaluation shall be implemented based on the functional scope, deviation records, events, issues, upgrade history, performance, reliability, security, and validation status reports.

13.1

In addition to system failures and data errors, all other events shall be reported and evaluated. The root causes of critical events shall be identified and become the basis for correction and prevention.

ecs-instance-enabled-security-protection

Checks whether the protection feature of Security Center is enabled for all running Elastic Compute Service (ECS) instances. If so, the evaluation result is Compliant.

4.3

An up-to-date list of all relevant systems and their GMP feature lists shall be provided. For critical systems, an up-to-date system description shall be provided specifying the physical and logical arrangement, data flow, interfaces connected to other systems or processes, hardware and software prerequisites, and security measures.

ecs-instance-updated-security-vul

Checks whether unfixed vulnerabilities of a specified type or a specified level are detected by Security Center on an ECS instance. If not, the evaluation result is Compliant.

4.3

An up-to-date list of all relevant systems and their GMP feature lists shall be provided. For critical systems, an up-to-date system description shall be provided specifying the physical and logical arrangement, data flow, interfaces connected to other systems or processes, hardware and software prerequisites, and security measures.

ecs-instance-status-no-stopped

Checks whether an ECS instance is running. If so, the evaluation result is Compliant.

4.3

An up-to-date list of all relevant systems and their GMP feature lists shall be provided. For critical systems, an up-to-date system description shall be provided specifying the physical and logical arrangement, data flow, interfaces connected to other systems or processes, hardware and software prerequisites, and security measures.

eip-attached

Checks whether each elastic IP address (EIP) is associated with an ECS instance or a NAT gateway.

4.3

An up-to-date list of all relevant systems and their GMP feature lists shall be provided. For critical systems, an up-to-date system description shall be provided specifying the physical and logical arrangement, data flow, interfaces connected to other systems or processes, hardware and software prerequisites, and security measures.

ecs-security-group-not-used

Checks whether the number of ECS instances that are added to each security group is greater than 0. If so, the evaluation result is Compliant.

4.3

An up-to-date list of all relevant systems and their GMP feature lists shall be provided. For critical systems, an up-to-date system description shall be provided specifying the physical and logical arrangement, data flow, interfaces connected to other systems or processes, hardware and software prerequisites, and security measures.

rds-instance-enabled-log-backup

Checks whether the log backup feature is enabled for each ApsaraDB RDS instance. If so, the evaluation result is Compliant.

4.8

If data is transmitted to another system or the format is converted, whether the value and meaning of the data are not altered shall be evaluated.

5.1

Computerized systems that electronically exchange data with other systems shall include appropriate built-in checks to ensure the validity, and safe input and processing of data, and minimize risks.

7.1

Data shall be protected from damages by physical and electronic means. The stored data shall be checked for accessibility, readability, and accuracy. Access to data shall be ensured throughout the retention period.

7.2

All relevant data shall be backed up regularly. The integrity, accuracy, and recovery ability of back-up data shall be evaluated and monitored regularly.

16.1

In order to provide computerized systems that support critical processes, regulations shall be made to ensure that these processes continue to be supported in the event of failures. Manual or alternative systems can be used instead. The time required for system replacement depends on the risks, system, and supported workflows. System replacement shall be thoroughly recorded and tested.

17.1

Archived data shall be checked for accessibility, readability, and integrity. If changes are made to systems, such as computer equipment or programs, the data retrieval ability shall be tested and guaranteed.

polardb-cluster-log-backup-retention

Checks whether the retention period for the level-1 backups of each PolarDB cluster is longer than or equal to a specified number of days. If so, the evaluation result is Compliant.

4.8

If data is transmitted to another system or the format is converted, whether the value and meaning of the data are not altered shall be evaluated.

5.1

Computerized systems that electronically exchange data with other systems shall include appropriate built-in checks to ensure the validity, and safe input and processing of data, and minimize risks.

7.1

Data shall be protected from damages by physical and electronic means. The stored data shall be checked for accessibility, readability, and accuracy. Access to data shall be ensured throughout the retention period.

7.2

All relevant data shall be backed up regularly. The integrity, accuracy, and recovery ability of back-up data shall be evaluated and monitored regularly.

16.1

In order to provide computerized systems that support critical processes, regulations shall be made to ensure that these processes continue to be supported in the event of failures. Manual or alternative systems can be used instead. The time required for system replacement depends on the risks, system, and supported workflows. System replacement shall be thoroughly recorded and tested.

17.1

Archived data shall be checked for accessibility, readability, and integrity. If changes are made to systems, such as computer equipment or programs, the data retrieval ability shall be tested and guaranteed.

redis-instance-backup-log-enabled

Checks whether incremental backup is enabled for each ApsaraDB for Redis instance. If so, the evaluation result is Compliant.

4.8

If data is transmitted to another system or the format is converted, whether the value and meaning of the data are not altered shall be evaluated.

5.1

Computerized systems that electronically exchange data with other systems shall include appropriate built-in checks to ensure the validity, and safe input and processing of data, and minimize risks.

7.1

Data shall be protected from damages by physical and electronic means. The stored data shall be checked for accessibility, readability, and accuracy. Access to data shall be ensured throughout the retention period.

7.2

All relevant data shall be backed up regularly. The integrity, accuracy, and recovery ability of back-up data shall be evaluated and monitored regularly.

16.1

In order to provide computerized systems that support critical processes, regulations shall be made to ensure that these processes continue to be supported in the event of failures. Manual or alternative systems can be used instead. The time required for system replacement depends on the risks, system, and supported workflows. System replacement shall be thoroughly recorded and tested.

elasticsearch-instance-snapshot-enabled

Checks whether the automatic backup feature is enabled for each Elasticsearch cluster. If so, the evaluation result is Compliant.

4.8

If data is transmitted to another system or the format is converted, whether the value and meaning of the data are not altered shall be evaluated.

5.1

Computerized systems that electronically exchange data with other systems shall include appropriate built-in checks to ensure the validity, and safe input and processing of data, and minimize risks.

7.1

Data shall be protected from damages by physical and electronic means. The stored data shall be checked for accessibility, readability, and accuracy. Access to data shall be ensured throughout the retention period.

7.2

All relevant data shall be backed up regularly. The integrity, accuracy, and recovery ability of back-up data shall be evaluated and monitored regularly.

16.1

In order to provide computerized systems that support critical processes, regulations shall be made to ensure that these processes continue to be supported in the event of failures. Manual or alternative systems can be used instead. The time required for system replacement depends on the risks, system, and supported workflows. System replacement shall be thoroughly recorded and tested.

17.1

Archived data shall be checked for accessibility, readability, and integrity. If changes are made to systems, such as computer equipment or programs, the data retrieval ability shall be tested and guaranteed.

adb-cluster-log-backup-enabled

Checks whether the log backup feature is enabled for each AnalyticDB cluster. If so, the evaluation result is Compliant.

4.8

If data is transmitted to another system or the format is converted, whether the value and meaning of the data are not altered shall be evaluated.

5.1

Computerized systems that electronically exchange data with other systems shall include appropriate built-in checks to ensure the validity, and safe input and processing of data, and minimize risks.

7.1

Data shall be protected from damages by physical and electronic means. The stored data shall be checked for accessibility, readability, and accuracy. Access to data shall be ensured throughout the retention period.

7.2

All relevant data shall be backed up regularly. The integrity, accuracy, and recovery ability of back-up data shall be evaluated and monitored regularly.

16.1

In order to provide computerized systems that support critical processes, regulations shall be made to ensure that these processes continue to be supported in the event of failures. Manual or alternative systems can be used instead. The time required for system replacement depends on the risks, system, and supported workflows. System replacement shall be thoroughly recorded and tested.

17.1

Archived data shall be checked for accessibility, readability, and integrity. If changes are made to systems, such as computer equipment or programs, the data retrieval ability shall be tested and guaranteed.

mongodb-instance-backup-log-enabled

Checks whether the log backup feature is enabled for each ApsaraDB for MongoDB instance. If so, the evaluation result is Compliant.

4.8

If data is transmitted to another system or the format is converted, whether the value and meaning of the data are not altered shall be evaluated.

5.1

Computerized systems that electronically exchange data with other systems shall include appropriate built-in checks to ensure the validity, and safe input and processing of data, and minimize risks.

7.1

Data shall be protected from damages by physical and electronic means. The stored data shall be checked for accessibility, readability, and accuracy. Access to data shall be ensured throughout the retention period.

7.2

All relevant data shall be backed up regularly. The integrity, accuracy, and recovery ability of back-up data shall be evaluated and monitored regularly.

16.1

In order to provide computerized systems that support critical processes, regulations shall be made to ensure that these processes continue to be supported in the event of failures. Manual or alternative systems can be used instead. The time required for system replacement depends on the risks, system, and supported workflows. System replacement shall be thoroughly recorded and tested.

17.1

Archived data shall be checked for accessibility, readability, and integrity. If changes are made to systems, such as computer equipment or programs, the data retrieval ability shall be tested and guaranteed.

nas-filesystem-enable-backup-plan

Checks whether a backup plan is created for each Apsara File Storage NAS file system. If so, the evaluation result is Compliant.

4.8

If data is transmitted to another system or the format is converted, whether the value and meaning of the data are not altered shall be evaluated.

5.1

Computerized systems that electronically exchange data with other systems shall include appropriate built-in checks to ensure the validity, and safe input and processing of data, and minimize risks.

7.1

Data shall be protected from damages by physical and electronic means. The stored data shall be checked for accessibility, readability, and accuracy. Access to data shall be ensured throughout the retention period.

7.2

All relevant data shall be backed up regularly. The integrity, accuracy, and recovery ability of back-up data shall be evaluated and monitored regularly.

16.1

In order to provide computerized systems that support critical processes, regulations shall be made to ensure that these processes continue to be supported in the event of failures. Manual or alternative systems can be used instead. The time required for system replacement depends on the risks, system, and supported workflows. System replacement shall be thoroughly recorded and tested.

17.1

Archived data shall be checked for accessibility, readability, and integrity. If changes are made to systems, such as computer equipment or programs, the data retrieval ability shall be tested and guaranteed.

ecs-disk-auto-snapshot-policy

Checks whether an automatic snapshot policy is configured for each ECS disk. If so, the evaluation result is Compliant.

4.8

If data is transmitted to another system or the format is converted, whether the value and meaning of the data are not altered shall be evaluated.

5.1

Computerized systems that electronically exchange data with other systems shall include appropriate built-in checks to ensure the validity, and safe input and processing of data, and minimize risks.

7.1

Data shall be protected from damages by physical and electronic means. The stored data shall be checked for accessibility, readability, and accuracy. Access to data shall be ensured throughout the retention period.

7.2

All relevant data shall be backed up regularly. The integrity, accuracy, and recovery ability of back-up data shall be evaluated and monitored regularly.

16.1

In order to provide computerized systems that support critical processes, regulations shall be made to ensure that these processes continue to be supported in the event of failures. Manual or alternative systems can be used instead. The time required for system replacement depends on the risks, system, and supported workflows. System replacement shall be thoroughly recorded and tested.

17.1

Archived data shall be checked for accessibility, readability, and integrity. If changes are made to systems, such as computer equipment or programs, the data retrieval ability shall be tested and guaranteed.

oceanbase-instance-enabled-backup

Checks whether the database backup feature is enabled for each ApsaraDB for OceanBase cluster. If so, the evaluation result is Compliant.

4.8

If data is transmitted to another system or the format is converted, whether the value and meaning of the data are not altered shall be evaluated.

5.1

Computerized systems that electronically exchange data with other systems shall include appropriate built-in checks to ensure the validity, and safe input and processing of data, and minimize risks.

7.2

All relevant data shall be backed up regularly. The integrity, accuracy, and recovery ability of back-up data shall be evaluated and monitored regularly.

16.1

In order to provide computerized systems that support critical processes, regulations shall be made to ensure that these processes continue to be supported in the event of failures. Manual or alternative systems can be used instead. The time required for system replacement depends on the risks, system, and supported workflows. System replacement shall be thoroughly recorded and tested.

oss-bucket-versioning-enabled

Checks whether the versioning feature is enabled for each Object Storage Service (OSS) bucket.

4.8

If data is transmitted to another system or the format is converted, whether the value and meaning of the data are not altered shall be evaluated.

5.1

Computerized systems that electronically exchange data with other systems shall include appropriate built-in checks to ensure the validity, and safe input and processing of data, and minimize risks.

7.2

All relevant data shall be backed up regularly. The integrity, accuracy, and recovery ability of back-up data shall be evaluated and monitored regularly.

16.1

In order to provide computerized systems that support critical processes, regulations shall be made to ensure that these processes continue to be supported in the event of failures. Manual or alternative systems can be used instead. The time required for system replacement depends on the risks, system, and supported workflows. System replacement shall be thoroughly recorded and tested.

17.1

Archived data shall be checked for accessibility, readability, and integrity. If changes are made to systems, such as computer equipment or programs, the data retrieval ability shall be tested and guaranteed.

oss-zrs-enabled

Checks whether the zone-redundant storage (ZRS) feature is enabled for each OSS bucket. If so, the evaluation result is Compliant.

4.8

If data is transmitted to another system or the format is converted, whether the value and meaning of the data are not altered shall be evaluated.

5.1

Computerized systems that electronically exchange data with other systems shall include appropriate built-in checks to ensure the validity, and safe input and processing of data, and minimize risks.

7.2

All relevant data shall be backed up regularly. The integrity, accuracy, and recovery ability of back-up data shall be evaluated and monitored regularly.

16.1

In order to provide computerized systems that support critical processes, regulations shall be made to ensure that these processes continue to be supported in the event of failures. Manual or alternative systems can be used instead. The time required for system replacement depends on the risks, system, and supported workflows. System replacement shall be thoroughly recorded and tested.

17.1

Archived data shall be checked for accessibility, readability, and integrity. If changes are made to systems, such as computer equipment or programs, the data retrieval ability shall be tested and guaranteed.

dts-instance-sync-job-ssl-enabled

Checks whether SSL-encrypted connections are used for the source and destination databases in each synchronization task of a Data Transmission Service (DTS) instance. If so, the evaluation result is Compliant.

4.8

If data is transmitted to another system or the format is converted, whether the value and meaning of the data are not altered shall be evaluated.

5.1

Computerized systems that electronically exchange data with other systems shall include appropriate built-in checks to ensure the validity, and safe input and processing of data, and minimize risks.

dts-instance-migration-job-ssl-enabled

Checks whether SSL-encrypted connections are used for the source and destination databases in each migration task of a DTS instance. If so, the evaluation result is Compliant.

4.8

If data is transmitted to another system or the format is converted, whether the value and meaning of the data are not altered shall be evaluated.

5.1

Computerized systems that electronically exchange data with other systems shall include appropriate built-in checks to ensure the validity, and safe input and processing of data, and minimize risks.

cdn-domain-tls13-enabled

Checks whether TLS 1.3 is enabled for each domain name accelerated by Alibaba Cloud CDN. If so, the evaluation result is Compliant.

4.8

If data is transmitted to another system or the format is converted, whether the value and meaning of the data are not altered shall be evaluated.

5.1

Computerized systems that electronically exchange data with other systems shall include appropriate built-in checks to ensure the validity, and safe input and processing of data, and minimize risks.

elasticsearch-instance-used-https-protocol

Checks whether HTTPS is enabled for each Elasticsearch instance. If so, the evaluation result is Compliant.

4.8

If data is transmitted to another system or the format is converted, whether the value and meaning of the data are not altered shall be evaluated.

fc-function-custom-domain-and-tls-enable

Checks whether the custom domain name bound to a function in Function Compute can be accessed over the Internet, and the function uses the specified version of the TLS protocol. If so, the evaluation result is Compliant.

4.8

If data is transmitted to another system or the format is converted, whether the value and meaning of the data are not altered shall be evaluated.

5.1

Computerized systems that electronically exchange data with other systems shall include appropriate built-in checks to ensure the validity, and safe input and processing of data, and minimize risks.

polardb-cluster-enabled-ssl

Checks whether the Secure Sockets Layer (SSL) encryption feature is enabled for each PolarDB cluster. If so, the evaluation result is Compliant.

4.8

If data is transmitted to another system or the format is converted, whether the value and meaning of the data are not altered shall be evaluated.

5.1

Computerized systems that electronically exchange data with other systems shall include appropriate built-in checks to ensure the validity, and safe input and processing of data, and minimize risks.

redis-instance-enabled-ssl

Checks whether the SSL encryption feature is enabled for each ApsaraDB for Redis instance. If so, the evaluation result is Compliant.

4.8

If data is transmitted to another system or the format is converted, whether the value and meaning of the data are not altered shall be evaluated.

5.1

Computerized systems that electronically exchange data with other systems shall include appropriate built-in checks to ensure the validity, and safe input and processing of data, and minimize risks.

api-gateway-api-internet-request-https

Checks whether the request method of each API that allows Internet access in API Gateway is set to HTTPS. If so, the evaluation result is Compliant.

4.8

If data is transmitted to another system or the format is converted, whether the value and meaning of the data are not altered shall be evaluated.

5.1

Computerized systems that electronically exchange data with other systems shall include appropriate built-in checks to ensure the validity, and safe input and processing of data, and minimize risks.

rds-instance-enabled-ssl

Checks whether SSL encryption is enabled for each ApsaraDB RDS instance. If so, the evaluation result is Compliant.

4.8

If data is transmitted to another system or the format is converted, whether the value and meaning of the data are not altered shall be evaluated.

5.1

Computerized systems that electronically exchange data with other systems shall include appropriate built-in checks to ensure the validity, and safe input and processing of data, and minimize risks.

ecs-in-use-disk-encrypted

Checks whether the encryption feature is enabled for each ECS data disk that is in use. If so, the evaluation result is Compliant.

7.1

Data shall be protected from damages by physical and electronic means. The stored data shall be checked for accessibility, readability, and accuracy. Access to data shall be ensured throughout the retention period.

17.1

Archived data shall be checked for accessibility, readability, and integrity. If changes are made to systems, such as computer equipment or programs, the data retrieval ability shall be tested and guaranteed.

rds-instance-enabled-tde

Checks whether Transparent Data Encryption (TDE) is enabled for each ApsaraDB RDS instance. If so, the evaluation result is Compliant.

7.1

Data shall be protected from damages by physical and electronic means. The stored data shall be checked for accessibility, readability, and accuracy. Access to data shall be ensured throughout the retention period.

17.1

Archived data shall be checked for accessibility, readability, and integrity. If changes are made to systems, such as computer equipment or programs, the data retrieval ability shall be tested and guaranteed.

vpn-ipsec-connection-encrypt-enable

Checks whether an encryption algorithm is enabled for each VPN connection. If so, the evaluation result is Compliant.

7.1

Data shall be protected from damages by physical and electronic means. The stored data shall be checked for accessibility, readability, and accuracy. Access to data shall be ensured throughout the retention period.

elasticsearch-instance-enabled-data-node-encryption

Checks whether the disk encryption feature is enabled for the data nodes of each Elasticsearch instance. If so, the evaluation result is Compliant.

7.1

Data shall be protected from damages by physical and electronic means. The stored data shall be checked for accessibility, readability, and accuracy. Access to data shall be ensured throughout the retention period.

17.1

Archived data shall be checked for accessibility, readability, and integrity. If changes are made to systems, such as computer equipment or programs, the data retrieval ability shall be tested and guaranteed.

polardb-cluster-enabled-tde

Checks whether the TDE feature is enabled for each PolarDB cluster. If so, the evaluation result is Compliant.

7.1

Data shall be protected from damages by physical and electronic means. The stored data shall be checked for accessibility, readability, and accuracy. Access to data shall be ensured throughout the retention period.

17.1

Archived data shall be checked for accessibility, readability, and integrity. If changes are made to systems, such as computer equipment or programs, the data retrieval ability shall be tested and guaranteed.

redis-instance-enabled-byok-tde

Checks whether a custom key is used to enable TDE for each ApsaraDB for Redis instance. If so, the evaluation result is Compliant.

7.1

Data shall be protected from damages by physical and electronic means. The stored data shall be checked for accessibility, readability, and accuracy. Access to data shall be ensured throughout the retention period.

17.1

Archived data shall be checked for accessibility, readability, and integrity. If changes are made to systems, such as computer equipment or programs, the data retrieval ability shall be tested and guaranteed.

sls-logstore-enabled-encrypt

Checks whether data encryption is enabled for each Logstore in Simple Log Service. If so, the evaluation result is Compliant.

7.1

Data shall be protected from damages by physical and electronic means. The stored data shall be checked for accessibility, readability, and accuracy. Access to data shall be ensured throughout the retention period.

17.1

Archived data shall be checked for accessibility, readability, and integrity. If changes are made to systems, such as computer equipment or programs, the data retrieval ability shall be tested and guaranteed.

rds-instacne-delete-protection-enabled

Checks whether the deletion protection feature is enabled for each ApsaraDB RDS instance. If so, the evaluation result is Compliant.

7.1

Data shall be protected from damages by physical and electronic means. The stored data shall be checked for accessibility, readability, and accuracy. Access to data shall be ensured throughout the retention period.

polardb-cluster-delete-protection-enabled

Checks whether the deletion protection feature is enabled for each PolarDB cluster. If so, the evaluation result is Compliant.

10.1

Changes to computerized systems, including system configurations, can only be made in a controlled manner in accordance with relevant regulations.

16.1

In order to provide computerized systems that support critical processes, regulations shall be made to ensure that these processes continue to be supported in the event of failures. Manual or alternative systems can be used instead. The time required for system replacement depends on the risks, system, and supported workflows. System replacement shall be thoroughly recorded and tested.

ecs-instance-deletion-protection-enabled

Checks whether the release protection feature is enabled for each ECS instance. If so, the evaluation result is Compliant.

10.1

Changes to computerized systems, including system configurations, can only be made in a controlled manner in accordance with relevant regulations.

16.1

In order to provide computerized systems that support critical processes, regulations shall be made to ensure that these processes continue to be supported in the event of failures. Manual or alternative systems can be used instead. The time required for system replacement depends on the risks, system, and supported workflows. System replacement shall be thoroughly recorded and tested.

hbase-cluster-deletion-protection

Checks whether the deletion protection feature is enabled for each ApsaraDB for HBase cluster. If so, the evaluation result is Compliant.

10.1

Changes to computerized systems, including system configurations, can only be made in a controlled manner in accordance with relevant regulations.

16.1

In order to provide computerized systems that support critical processes, regulations shall be made to ensure that these processes continue to be supported in the event of failures. Manual or alternative systems can be used instead. The time required for system replacement depends on the risks, system, and supported workflows. System replacement shall be thoroughly recorded and tested.

mongodb-instance-release-protection

Checks whether the release protection feature is enabled for each ApsaraDB for MongoDB instance. If so, the evaluation result is Compliant.

10.1

Changes to computerized systems, including system configurations, can only be made in a controlled manner in accordance with relevant regulations.

16.1

In order to provide computerized systems that support critical processes, regulations shall be made to ensure that these processes continue to be supported in the event of failures. Manual or alternative systems can be used instead. The time required for system replacement depends on the risks, system, and supported workflows. System replacement shall be thoroughly recorded and tested.

redis-instance-release-protection

Checks whether the release protection feature is enabled for each ApsaraDB for Redis instance. If so, the evaluation result is Compliant.

10.1

Changes to computerized systems, including system configurations, can only be made in a controlled manner in accordance with relevant regulations.

16.1

In order to provide computerized systems that support critical processes, regulations shall be made to ensure that these processes continue to be supported in the event of failures. Manual or alternative systems can be used instead. The time required for system replacement depends on the risks, system, and supported workflows. System replacement shall be thoroughly recorded and tested.

slb-delete-protection-enabled

Checks whether the release protection feature is enabled for each Server Load Balancer (SLB) instance. If so, the evaluation result is Compliant.

10.1

Changes to computerized systems, including system configurations, can only be made in a controlled manner in accordance with relevant regulations.

16.1

In order to provide computerized systems that support critical processes, regulations shall be made to ensure that these processes continue to be supported in the event of failures. Manual or alternative systems can be used instead. The time required for system replacement depends on the risks, system, and supported workflows. System replacement shall be thoroughly recorded and tested.

ecs-instance-monitor-enabled

Checks whether the CloudMonitor agent is installed on each running ECS instance. If so, the evaluation result is Compliant.

11.1

Computerized systems shall be periodically evaluated to stay valid and in compliance with GMP. The evaluation shall be implemented based on the functional scope, deviation records, events, issues, upgrade history, performance, reliability, security, and validation status reports.

13.1

In addition to system failures and data errors, all other events shall be reported and evaluated. The root causes of critical events shall be identified and become the basis for correction and prevention.

rds-event-log-enabled

Checks whether the event history feature is enabled for each ApsaraDB RDS instance. If so, the evaluation result is Compliant.

11.1

Computerized systems shall be periodically evaluated to stay valid and in compliance with GMP. The evaluation shall be implemented based on the functional scope, deviation records, events, issues, upgrade history, performance, reliability, security, and validation status reports.

12.4

Data and document management systems shall be established to record operators who write, change, confirm, or delete data, including date and time.

root-mfa-check

Checks whether multi-factor authentication (MFA) is enabled for each Alibaba Cloud account. If so, the evaluation result is Compliant.

12.1

Physical and logical controls shall be selectively implemented to restrict access to computerized systems. Measures that can be used to prevent unauthorized access to computer equipment and data storage areas include keys, access cards, MFA, and biometrics.

ram-user-mfa-check

Checks whether MFA is enabled for each RAM user. If so, the evaluation result is Compliant.

12.1

Physical and logical controls shall be selectively implemented to restrict access to computerized systems. Measures that can be used to prevent unauthorized access to computer equipment and data storage areas include keys, access cards, MFA, and biometrics.

oss-bucket-public-write-prohibited

Checks whether the Bucket ACL parameter of each OSS bucket is set to Private. If so, the evaluation result is Compliant.

12.1

Physical and logical controls shall be selectively implemented to restrict access to computerized systems. Measures that can be used to prevent unauthorized access to computer equipment and data storage areas include keys, access cards, MFA, and biometrics.

oss-bucket-policy-no-any-anonymous

Checks whether a bucket policy is configured for each OSS bucket and, if so, whether the policy grants read and write permissions to anonymous accounts. If no read or write permissions are granted, or no bucket policy is configured, the evaluation result is Compliant.

12.1

Physical and logical controls shall be selectively implemented to restrict access to computerized systems. Measures that can be used to prevent unauthorized access to computer equipment and data storage areas include keys, access cards, MFA, and biometrics.

ecs-instance-ram-role-attached

Checks whether a RAM role is assigned to each ECS instance. If so, the evaluation result is Compliant.

12.1

Physical and logical controls shall be selectively implemented to restrict access to computerized systems. Measures that can be used to prevent unauthorized access to computer equipment and data storage areas include keys, access cards, MFA, and biometrics.

fc-service-bind-role

Checks whether a service-linked role is configured for Function Compute. If so, the evaluation result is Compliant.

12.1

Physical and logical controls shall be selectively implemented to restrict access to computerized systems. Measures that can be used to prevent unauthorized access to computer equipment and data storage areas include keys, access cards, MFA, and biometrics.

ack-cluster-rrsa-enabled

Checks whether the RAM Roles for Service Accounts (RRSA) feature is enabled for each Container Service for Kubernetes (ACK) cluster. If so, the evaluation result is Compliant.

12.1

Physical and logical controls shall be selectively implemented to restrict access to computerized systems. Measures that can be used to prevent unauthorized access to computer equipment and data storage areas include keys, access cards, MFA, and biometrics.

ram-user-login-check

Checks whether console access and API access are enabled for a RAM user at the same time. If not, the evaluation result is Compliant.

12.1

Physical and logical controls shall be selectively implemented to restrict access to computerized systems. Measures that can be used to prevent unauthorized access to computer equipment and data storage areas include keys, access cards, MFA, and biometrics.

mse-cluster-config-auth-enabled

Checks whether the authentication feature is enabled for each Microservices Engine (MSE) cluster that allows access over the Internet or whether each MSE cluster denies access over the Internet. If so, the evaluation result is Compliant.

12.1

Physical and logical controls shall be selectively implemented to restrict access to computerized systems. Measures that can be used to prevent unauthorized access to computer equipment and data storage areas include keys, access cards, MFA, and biometrics.

ram-user-ak-used-expired-check

Checks whether the interval between the time when each RAM user last used an AccessKey pair and the current time is less than a specified value. If so, the evaluation result is Compliant.

12.1

Physical and logical controls shall be selectively implemented to restrict access to computerized systems. Measures that can be used to prevent unauthorized access to computer equipment and data storage areas include keys, access cards, MFA, and biometrics.

ram-password-policy-check

Checks whether the parameter values of a password policy that is configured for each RAM user are the same as the specified values. If so, the evaluation result is Compliant.

12.1

Physical and logical controls shall be selectively implemented to restrict access to computerized systems. Measures that can be used to prevent unauthorized access to computer equipment and data storage areas include keys, access cards, MFA, and biometrics.

ram-user-last-login-expired-check

Checks whether each RAM user has logged on to the Alibaba Cloud Management Console at least once in the previous 90 days. If so, the evaluation result is Compliant.

12.1

Physical and logical controls shall be selectively implemented to restrict access to computerized systems. Measures that can be used to prevent unauthorized access to computer equipment and data storage areas include keys, access cards, MFA, and biometrics.

ram-user-ak-create-date-expired-check

Checks whether the interval between the time when the AccessKey pair of each RAM user was created and the time when the compliance check started is less than or equal to a specified number of days. If so, the evaluation result is Compliant.

12.1

Physical and logical controls shall be selectively implemented to restrict access to computerized systems. Measures that can be used to prevent unauthorized access to computer equipment and data storage areas include keys, access cards, MFA, and biometrics.

redis-instance-enabled-audit-log

Checks whether the audit logging feature is enabled for each ApsaraDB for Redis instance. If so, the evaluation result is Compliant.

12.4

Data and document management systems shall be established to record operators who write, change, confirm, or delete data, including date and time.

mongodb-instance-log-audit

Checks whether the audit logging feature is enabled for each ApsaraDB for MongoDB instance. If so, the evaluation result is Compliant.

12.4

Data and document management systems shall be established to record operators who write, change, confirm, or delete data, including date and time.

oss-bucket-logging-enabled

Checks whether the log storage feature is enabled for each OSS bucket. If so, the evaluation result is Compliant.

12.4

Data and document management systems shall be established to record operators who write, change, confirm, or delete data, including date and time.

waf-instance-logging-enabled

Checks whether the log collection feature is enabled for each domain name that is protected by Web Application Firewall (WAF). If so, the evaluation result is Compliant.

12.4

Data and document management systems shall be established to record operators who write, change, confirm, or delete data, including date and time.

rds-instance-sql-collector-retention

Checks whether the SQL explorer and audit feature is enabled for each ApsaraDB RDS for MySQL instance and the number of days for which SQL audit logs can be retained is greater than or equal to a specified value. If so, the evaluation result is Compliant.

12.4

Data and document management systems shall be established to record operators who write, change, confirm, or delete data, including date and time.

adb-cluster-audit-log-enabled

Checks whether the SQL explorer and audit feature is enabled for each AnalyticDB for MySQL cluster. If so, the evaluation result is Compliant.

12.4

Data and document management systems shall be established to record operators who write, change, confirm, or delete data, including date and time.

slb-instance-log-enabled

Checks whether the access log feature is enabled for each Classic Load Balancer (CLB) instance. If so, the evaluation result is Compliant.

12.4

Data and document management systems shall be established to record operators who write, change, confirm, or delete data, including date and time.

rds-multi-az-support

Checks whether the Deployment Method parameter of each ApsaraDB RDS instance is set to Multi-zone Deployment. If so, the evaluation result is Compliant.

16.1

In order to provide computerized systems that support critical processes, regulations shall be made to ensure that these processes continue to be supported in the event of failures. Manual or alternative systems can be used instead. The time required for system replacement depends on the risks, system, and supported workflows. System replacement shall be thoroughly recorded and tested.

redis-instance-multi-zone

Checks whether each ApsaraDB for Redis instance uses the multi-zone architecture. If so, the evaluation result is Compliant.

16.1

In order to provide computerized systems that support critical processes, regulations shall be made to ensure that these processes continue to be supported in the event of failures. Manual or alternative systems can be used instead. The time required for system replacement depends on the risks, system, and supported workflows. System replacement shall be thoroughly recorded and tested.

slb-instance-multi-zone

Checks whether each SLB instance is deployed across zones. If so, the evaluation result is Compliant.

16.1

In order to provide computerized systems that support critical processes, regulations shall be made to ensure that these processes continue to be supported in the event of failures. Manual or alternative systems can be used instead. The time required for system replacement depends on the risks, system, and supported workflows. System replacement shall be thoroughly recorded and tested.

alb-instance-multi-zone

Checks whether each Application Load Balancer (ALB) instance uses the multi-zone architecture. If so, the evaluation result is Compliant.

16.1

In order to provide computerized systems that support critical processes, regulations shall be made to ensure that these processes continue to be supported in the event of failures. Manual or alternative systems can be used instead. The time required for system replacement depends on the risks, system, and supported workflows. System replacement shall be thoroughly recorded and tested.

mongodb-instance-multi-zone

Checks whether each ApsaraDB for MongoDB instance uses the multi-zone architecture. If so, the evaluation result is Compliant.

16.1

In order to provide computerized systems that support critical processes, regulations shall be made to ensure that these processes continue to be supported in the event of failures. Manual or alternative systems can be used instead. The time required for system replacement depends on the risks, system, and supported workflows. System replacement shall be thoroughly recorded and tested.

ess-scaling-group-attach-multi-switch

Checks whether at least two vSwitches are associated with each scaling group. If so, the evaluation result is Compliant.

16.1

In order to provide computerized systems that support critical processes, regulations shall be made to ensure that these processes continue to be supported in the event of failures. Manual or alternative systems can be used instead. The time required for system replacement depends on the risks, system, and supported workflows. System replacement shall be thoroughly recorded and tested.

privatelink-servier-endpoint-multi-zone

Checks whether multiple zones are configured for each endpoint service. If so, the evaluation result is Compliant.

16.1

In order to provide computerized systems that support critical processes, regulations shall be made to ensure that these processes continue to be supported in the event of failures. Manual or alternative systems can be used instead. The time required for system replacement depends on the risks, system, and supported workflows. System replacement shall be thoroughly recorded and tested.

polardb-cluster-multi-zone

Checks whether the hot standby cluster feature is enabled for each PolarDB cluster and data of the cluster is distributed across multiple zones. If so, the evaluation result is Compliant.

16.1

In order to provide computerized systems that support critical processes, regulations shall be made to ensure that these processes continue to be supported in the event of failures. Manual or alternative systems can be used instead. The time required for system replacement depends on the risks, system, and supported workflows. System replacement shall be thoroughly recorded and tested.

slb-vserver-group-multi-zone

Checks whether the associated resources of the vServer groups of each SLB instance are distributed across multiple zones. If so, the evaluation result is Compliant.

16.1

In order to provide computerized systems that support critical processes, regulations shall be made to ensure that these processes continue to be supported in the event of failures. Manual or alternative systems can be used instead. The time required for system replacement depends on the risks, system, and supported workflows. System replacement shall be thoroughly recorded and tested.

alb-server-group-multi-zone

Checks whether the associated resources of the server groups of each ALB instance are distributed across multiple zones. If so, the evaluation result is Compliant.

16.1

In order to provide computerized systems that support critical processes, regulations shall be made to ensure that these processes continue to be supported in the event of failures. Manual or alternative systems can be used instead. The time required for system replacement depends on the risks, system, and supported workflows. System replacement shall be thoroughly recorded and tested.