Testing cloud-based backups

psp1234

Involved In Discussions
#1
Hi,
Not sure if I should post here in "13485", but I'll start here.
My auditor, for ISO 13485, was concerned that we don't have a plan to test cloud-based applications' backup.
Our cloud-based apps are hosted by AWS.
What is your recommendation for how to approach testing the backup?
It appears that the expectation is to call our contractor (the app owner) and ask for a file recovery from AWS - at a certain frequency.
Does it make sense? Is it overkill? Or is it enough to say that AWS is ISO 27001 certified and this testing activity is "covered by the certification"?

happy to hear advice,
thx
Sue
 

Tagin

Trusted Information Resource
#2
AWS may provide a reliable hosting platform, but the app owner is responsible for configuration of the software and accounts that sit on top of that platform, including configuring backups. There have been endless stories of how misconfigured S3 buckets have allowed access to confidential data, and the example of the case linked below where backups were performed, but the backups were on the same AWS account as the main servers, so once a hacker got in, he was able to delete both the production servers and all the backups, putting the company out of business.

My point is that it is not merely testing the app owner's backup plan that is a potential risk; it is also all the risks associated with configuration, which depends on how competent and diligent are the app owners at securely configuring the app and the AWS accounts.

Leaky AWS S3 buckets are so common, they're being found by the thousands now – with lots of buried secrets
Hacker Puts Hosting Service Code Spaces Out of Business
 

psp1234

Involved In Discussions
#3
Thank you,
:unsure: Any advice for how to check the app owner? If I asked them for an evidence of testing the backup and/or testing config, how do I really know? I am not an IT expert :-(
 

Ninja

Looking for Reality
Trusted Information Resource
#4
If it were me (and it was) I would pretend that my site went offline totally.

You aren't testing AWS...you are testing the purpose for having backups at all...catastrophic accident requiring the backup.

AWS is part of your BCP...test the BCP as a whole.
Where will you access the backup from? Go there.
What terminal/computer will you use? Use that one.
How will you operate? Operate that way.

That's how you test the 'real world scenario' of "I need a backup".
Because of the cost, we tested it once... then tested the particular items of highest concern yearly.

Items of highest concern:
Computer data: develop a list of what you want most, download those items, check them.
Calling the remote rental site to review contract.

HTH
 

Tagin

Trusted Information Resource
#5
Thank you,
:unsure: Any advice for how to check the app owner? If I asked them for an evidence of testing the backup and/or testing config, how do I really know? I am not an IT expert :-(
Unless they give you transparency into their procedures and security settings, you can't really tell. You can perhaps see if they can provide you some certifications for IT management and IT cybersecurity, or some kind of report they can provide which shows the controls and risk mgmt they are performing (and then, do you trust the report to be truthful?). Otherwise, aside from auditing them, you're kind of stuck with a reputation-based assessment.
 

Ed Panek

QA RA Small Med Dev Company
Leader
Super Moderator
#7
You will need to do what others have said and probably more for GDPR & the new California regs if you are a larger company.
 

Ed Panek

QA RA Small Med Dev Company
Leader
Super Moderator
#8
Is there a forum for GDPR? I have a few templates I can link there since we self-certified this year.
 
#9
I recommend following a testing process similar to what you would use to test the backup of any other system. This process should include the following steps:
  1. Identify the critical data and systems that need to be backed up.
  2. Develop a backup strategy that includes how often the backups should be performed, where the backups will be stored, and how the backups will be validated.
  3. Implement the backup strategy.
  4. Regularly test the backup process to ensure it is working as expected. This can be done by restoring a small amount of data from the backup and verifying that it is complete and uncorrupted.
  5. Document the backup and testing process.
For cloud-based applications hosted by AWS, you may also want to consider using AWS's backup and disaster recovery services, such as AWS Backup and AWS Disaster Recovery. These services can help automate the backup and recovery process and provide additional safeguards for your data.
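Step 4 above (restore a sample and verify that it is complete and uncorrupted) becomes repeatable, and auditable, when the check is driven by a manifest of file sizes and SHA-256 digests recorded at backup time and kept outside the backup itself (for example, outside the AWS account that holds the backups, in line with the Code Spaces lesson earlier in the thread). The script below is an added example written for this thread; it is not code from any poster or from AWS. It assumes the data set is a directory tree and uses a constructed three-file sample in which the "restored" copy has one file missing, one file silently truncated and one stray extra file, so the report shows each failure class.

```python
"""Backup restore verification against a checksum manifest.

Added example for this thread (not the thread's or AWS's own code).
Workflow: build_manifest() at backup time, store the JSON manifest away
from the backup, then verify_restore() on whatever the contractor restores.
"""
import hashlib
import json
import shutil
import tempfile
from pathlib import Path


def file_digest(path: Path) -> str:
    """SHA-256 of a file, read in 1 MiB chunks so large backups are not loaded into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Record size and digest of every file under root, keyed by POSIX relative path."""
    manifest = {}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        rel = path.relative_to(root).as_posix()
        manifest[rel] = {"size": path.stat().st_size, "sha256": file_digest(path)}
    return manifest


def verify_restore(manifest: dict, restored_root: Path) -> dict:
    """Compare a restored tree against the manifest.

    Returns lists of relative paths that are ok, missing, corrupted (size or
    digest mismatch) or extra (present in the restore but not in the manifest).
    """
    report = {"ok": [], "missing": [], "corrupted": [], "extra": []}
    for rel, expected in manifest.items():
        path = restored_root / rel
        if not path.is_file():
            report["missing"].append(rel)
        elif (path.stat().st_size != expected["size"]
              or file_digest(path) != expected["sha256"]):
            report["corrupted"].append(rel)
        else:
            report["ok"].append(rel)
    restored = {p.relative_to(restored_root).as_posix()
                for p in restored_root.rglob("*") if p.is_file()}
    report["extra"] = sorted(restored - set(manifest))
    return report


def restore_passed(report: dict) -> bool:
    """A restore test passes only if nothing is missing or corrupted; extras are
    reported for review but do not fail the test on their own."""
    return not (report["missing"] or report["corrupted"])


def demo() -> dict:
    """Constructed scenario (sample data, not real backups): a three-file source,
    a restore with README.txt missing, records.csv truncated and a stray file added."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "source"
        (src / "db").mkdir(parents=True)
        (src / "db" / "records.csv").write_bytes(b"id,value\n1,alpha\n2,beta\n")
        (src / "config.json").write_text('{"retention_days": 30}')
        (src / "README.txt").write_text("constructed sample data")

        # Backup time: write the manifest and keep it separate from the backup.
        manifest_path = Path(tmp) / "manifest.json"
        manifest_path.write_text(json.dumps(build_manifest(src), indent=2))

        # Restore time: simulate a partially failed restore.
        restored = Path(tmp) / "restored"
        shutil.copytree(src, restored)
        (restored / "README.txt").unlink()                                   # missing
        (restored / "db" / "records.csv").write_bytes(b"id,value\n1,alpha\n")  # truncated
        (restored / "stray.tmp").write_text("not in manifest")               # extra

        return verify_restore(json.loads(manifest_path.read_text()), restored)


if __name__ == "__main__":
    result = demo()
    print(json.dumps(result, indent=2))
    print("restore test passed:", restore_passed(result))
```

The report from each scheduled restore test (the date, which files were checked, and the missing/corrupted lists) is the objective evidence an auditor can be shown, and because the manifest is produced on your side rather than by the contractor, it is a check you can run without trusting their own statement that the restore worked.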
 