Computer System Validation - Justifying the use of...

Erinyes · ‎12-30-2015

I am a system administration at a cGxP facility. Currently, each time a server is required we have to write, circulate and execute the same installation qualification script. I am proposing to our Technical Change Control (TCC) board that we use VMware's template feature as a secured manner in which to deploy Windows 2012 R2 servers going forward.

I anticipate a substantial amount of resistance on this proposal from a validation resource who sits on the TCC board. I'll spare you the details.

Is anyone aware of government or other accredited sources which I can cite as this being an acceptable practice to thwart the anticipated resistance?

Thank you so much for your time, help and suggestions!

HawkieMan · ‎01-08-2016

I work as vmware administrator for the Norwegian Tax Authority, and I manage massive deployments of virtual servers.

Our organisation have done a very substantial research and investments in security, and there is NO better way to ensure that all VMs satisfy the same required security requirements, than to start with a hardened pre-configured template.

However there is one factore you need to have in mind, upon deployment the VM runs sysprep, and any settings that is reset by sysprep will not be same as on template. If there is security settings in the VM itself like firewall settings, certificates or other similar things, then you rather deploy those post-deployment using a GPO instead. This way you ensure nobody can change them when they are deluvered to use.

All

Computer System Validation - Justifying the use of a VM Template