Skip to main content
QMSQMS
QMS
  • Welcome to your QMS
  • Quality Manual
  • Procedures
    • GP-001 Control of documents
    • GP-002 Quality planning
    • GP-003 Audits
    • GP-004 Vigilance system
    • GP-005 Human Resources and Training
    • GP-006 Non-conformity, Corrective and Preventive actions
    • GP-007 Post-market surveillance
    • GP-008 Product requirements
    • GP-009 Sales
    • GP-010 Purchases and suppliers evaluation
    • GP-011 Provision of service
    • GP-012 Design, Redesign and Development
    • GP-013 Risk management
    • GP-014 Feedback and complaints
    • GP-015 Clinical evaluation
    • GP-016 Traceability and identification
    • GP-017 Technical assistance service
    • GP-018 Infrastructure and facilities
      • Templates
      • Specific procedures
    • GP-019 Software validation plan
    • GP-020 QMS Data analysis
    • GP-021 Communications
    • GP-022 Document translation
    • GP-023 Change control management
    • GP-024 Cybersecurity
    • GP-025 Corporate Governance
    • GP-026 Product requirements for US market
    • GP-027 Product requirements for UK market
    • GP-028 Product requirements for the Brazilian market
    • GP-050 Data Protection
    • GP-051 Security violations
    • GP-052 Data Privacy Impact Assessment (DPIA)
    • GP-100 Business Continuity (BCP) and Disaster Recovery plans (DRP)
    • GP-101 Information security
    • GP-200 Remote Data Acquisition in Clinical Investigations
  • Records
  • TF_Legit.Health_Plus
  • Licenses and accreditations
  • External documentation
  • Procedures
  • GP-018 Infrastructure and facilities

GP-018 Infrastructure and facilities

Procedure flowchart​

Purpose​

To define the methodology to establish the acquisition, maintenance and incident control activities on our facilities and devices, in accordance with the requirements previously established by the organization.

Scope​

All of our facilities and devices.

Responsibilities​

JD-001 and JD-003​

  • To approve the acquisition of new facilities and devices and their corresponding infrastructure control plan.

JD-004​

  • To ensure that the process of acquisition, risk definition and creation of the infrastructure plan is done according to the methodology established in the present procedure.
  • To check that all maintenance activities are being carried out and recording all non-conformities related that may affect the proper functioning of the processes.

JD-005​

  • To coordinate the maintenance tasks of each infrastructure element and generate the corresponding records.
  • To coordinate the correction and documentation of detected incidents according to the defined plan.

JD-007​

  • To perform the activities described in this procedure and record the corresponding evidence.

Inputs​

  • Requirements for the new infrastructure element.

Outputs​

  • The new physical device or AWS resource.
  • T-018-001 Infrastructure list and control plan
  • T-018-002 Infrastructure and facilities incidents log

Development​

As it is defined and validated at the R-002-007 Process validation card 2023-005, the top management decided to implement remote work to all the employees. The infrastructure and facilities have been designed according to this type of work as explained in this document.

Infrastructure identification​

The facilities and equipment are identified with an alpha-numerical code that is registered in the T-018-001 Infrastructure list and control plan, which in turn maintains a list of the infrastructure, which also includes its location and intended use in the activities of the established processes.

The company handle two different types of infrastructure elements:

  • Physical devices, like laptops or mobile devices.
  • Cloud resources provided by AWS.

Each of these resources is associated with its corresponding access control as well as the risk assessment and control plan, whose contents are detailed in this document.

Minimum requirements​

Laptops​

The laptops of the company staff that carry out remote work must have at least the following specifications:

CharacteristicRequirement
MicroprocessorIntel® Core™ i5
RAM4 GB
Hard disk256 GB (SSD)
Video graphicsIntel® UHD Graphics 620, Integrated
Display13 inches display

Any equipment that does not meet these specifications must be validated for use by the JD-003.

Connectivity​

The internet connection must be at least 50 Mb/sec being the responsibility of each remote worker their hiring and maintenance.

Infrastructure access control​

The access to all company's resources has been defined under a minimum access policy that restricts a user to only the least amount of access to privileged resources and permissions that are needed to perform an authorized and assigned activity or activities. The process to grant and control the remote access to the resources is explained at the SP-018-001 Remote infrastructure control access policy.

Physical devices​

Currently, each physical resource of the company is used by one single person, ie, there are not shared devices at this time. For managing and use purposes, each of these devices must have (if possible) two accounts created:

  • The one belonging to the team member who has been assigned the resource. This account must have the minimum permissions necessary to use it.
  • An administration account that allows the management of the device as well as the accounts created on it.

AWS Resources​

The company uses different AWS resources for the development of its activities. Unlike physical devices, these resources are accessible to multiple team members.

The cloud resources used by the company fall into two categories.

Resources managed from the AWS console​

Team members who require access to a resource that must be managed from the AWS console will have a user within the company's AWS account. Access must be through two-factor authentication.

Each of the users thus defined will belong to one of the following groups:

  • "Administrators", with full access to all resources defined within the AWS account.
  • "Developers", with access to a subset of resources needed for the tasks this group do.

Each account created in AWS has CloudTrail enabled by default. AWS CloudTrail is an AWS service that enable operational and risk auditing, governance, and compliance of each AWS account. Actions taken by a user, role, or an AWS service are recorded as events in CloudTrail. Events include actions taken in the AWS Management Console, AWS Command Line Interface, and AWS SDKs and APIs.

Resources managed through remote access to it​

In this case, the process for granting access must follow the procedure described in SP-018-001 Remote infrastructure control access policy.

Each access to this kind of resources is logged in the corresponding file of the operating system. For example, for Linux instances, these logs can be found in the following file: /var/log/auth.log .

Infrastructure risk analysis​

The JD-005 is in charge of creating an analysis of the criticality of a failure mode of each resource in the infrastructure. The risk analysis is based on the procedure GP-013 Risk management.

In the case of the infrastructure, the probability values are taken as the probability that the equipment or infrastructure may be out of control if the control actions are not carried out and the severity is understood as the severity of the results in the final product. According to the risk that is established in the T-013-002 Risk Management Record a more or less severe type of control is applied.

Regardless of the level of risk that has been assigned to an infrastructure, the analysis included in the T-013-002 Risk Management Record should be updated if the specifications initially evaluated change.

Infrastructure control plan​

From the T-018-001 Infrastructure list and control plan, it is possible to obtain information about the maintenance and incident control tasks planned. In the same way, when corrective maintenance actions are taken, their status in the list is updated, keeping the evidence that can be applied in the appropriate location (delivery notes, contracts, parts of intervention, invoices, etc.). In case of obtaining unsatisfactory results, it will be registered in accordance with what it is established in the procedure GP-006 Non-conformity. Corrective and preventive actions.

The infrastructure plan contains the maintenance plan, listing all the maintenance tasks related to the resource.

Maintenance plan​

The maintenance plan for each resource list in the T-018-001 Infrastructure list and control plan must include the following items:

  • The access control for that resource, specifying the users or groups that will have access to it or who owns the device in case it is a physical device.
  • The location for the access records generated for that resource. This location must be a file inside the own resource or a S3 bucket. Only admins will have access to this audit logs.
  • A set of records with each of the maintenance tasks carried out on the device. Each entry must show the type of the action and the finished date.
Maintenance tasks for physical devices​
TaskCodeMax periodicity
Installation of security updatesPD-MT-0011 month
Execution of Clean My Mac (only MacOS devices)PD-MT-0021 month
Execution of Windows Defender Scan (only Windows devices)PD-MT-0031 month
Review of the installed applicationsPD-MT-0046 months
Check disk encryption is enabledPD-MT-0051 year
Hardware check / Memory RAM / Free Space availablePD-MT-0066 monts
Maintenance tasks for cloud instances​
TaskCodeMax periodicity
Installation of security updatesCI-MT-0011 month
Hardware check / Memory RAM / Free Space availableCI-MT-0021 monts
Manual review of the access logsCI-MT-0031 month
Manual review of performance metricsCI-MT-0041 month
Maintenance tasks for self managed resources​
TaskCodeMax periodicity
Manual review of the access logsSMR-MT-0011 month
Manual review of performance metricsSMR-MT-0021 month

According to what is established in the T-013-002 Risk Management Record, the JD-004 is responsible for checking that all maintenance activities are being carried out and recording all non-conformities related that may affect the proper functioning of the processes.

Incidents control plan​

The incident plan is a document made up of the list of possible incidents related to the device and the record of all those that have occurred.

Each incident must display the following information:

  • Code, with the format I-XXXX, where XXXX is an incremental numeric identifier starting from I-0001.
  • The date and person reporting the incident
  • Description of the incident.
  • Record of the actions necessary to solve it
  • The date the incident is solved

The incident log will display the following information:

Incident codeReported byDescriptionActions requiredReported dateSolved at
I-XXXX

Associated Records​

  • GP-006 Non-conformity. Corrective and preventive actions
  • GP-013 Risk management
  • R-002-007 Process validation card 2023-005
  • SP-018-001 Remote infrastructure control access policy
  • T-013-002 Risk Management Record
  • T-018-001 Infrastructure list and control plan
  • T-018-002 Infrastructure and facilities incidents log

Signature meaning

The signatures for the approval process of this document can be found in the verified commits at the repository for the QMS. As a reference, the team members who are expected to participate in this document and their roles in the approval process, as defined in Annex I Responsibility Matrix of the GP-001, are:

  • Author: Team members involved
  • Reviewer: JD-003, JD-004
  • Approver: JD-001
Previous
GP-017 Technical assistance service
Next
Templates
  • Procedure flowchart
  • Purpose
  • Scope
  • Responsibilities
    • JD-001 and JD-003
    • JD-004
    • JD-005
    • JD-007
  • Inputs
  • Outputs
  • Development
    • Infrastructure identification
    • Minimum requirements
      • Laptops
      • Connectivity
    • Infrastructure access control
      • Physical devices
      • AWS Resources
        • Resources managed from the AWS console
        • Resources managed through remote access to it
    • Infrastructure risk analysis
    • Infrastructure control plan
      • Maintenance plan
        • Maintenance tasks for physical devices
        • Maintenance tasks for cloud instances
        • Maintenance tasks for self managed resources
      • Incidents control plan
  • Associated Records
All the information contained in this QMS is confidential. The recipient agrees not to transmit or reproduce the information, neither by himself nor by third parties, through whichever means, without obtaining the prior written permission of Legit.Health (AI LABS GROUP S.L.)