IT Support and Structure
At Smooth Drug Development, we pay special attention to data retention, access control and compliance requirements.
All systems are built according to the FDA recommendations for computerized systems used in clinical trials and the requirements of regulation 21 CFR Part 11, including:
- Availability of Standard Operating Procedures
- Records management
- Access control
- Availability of the audit trail
- Date and time stamps
- Security measures
- Data handling control
- Staff training
- Electronic records and signatures management
In 2021, the company passed a certification inspection by the international company G-CERTI for compliance with the requirements of ISO 27001:2013 "Information Security Management Systems".
Server infrastructure
We use the most advanced server hardware, which allows us to maintain high performance. To keep the network running smoothly, we deployed distributed data storage, which lets us continue operating when individual components of the system fail, until they are replaced or repaired. Even the physical destruction of one of our servers will not affect our work. If two or more storage centers are destroyed, recovery to an acceptable level of performance takes less than 24 hours; to a normal level, up to 72.
Workstations
A system of constant data synchronization allows our staff to work on the network or remotely with minimal risk of losing information. Working documents are available on various devices, which combines flexibility with the highest level of protection.
Mobile devices
To provide more flexible access to information, we provide employees with mobile devices. A device management system allows us to set security policies and safely control them.
Collaboration
We use electronic teamwork tools to optimize the data flow and to help the team work more comfortably and quickly.
Backup files
To protect data from damage or loss, we use modern and reliable software that allows us to make backup copies of data under the GFS scheme. To maximize availability, we follow the best-practice 3-2-1 approach to data protection: 3 – Maintain at least three copies of data and applications, 2 – Store backups on at least two different types of storage, 1 – Keep one of the backups in a different location. In addition to our backup servers, the data is saved to international Tier Level 4 data centers in real time.
Reservation of broadband access
To maintain continuous operation of all our offices, we implemented the principle of independent duplication of broadband Internet access.
Installation and performance qualification
For a list of crucial software, we perform validation of the software environment as well as installation and performance qualification, which allows us to make sure that the software is installed and works properly.
Antivirus protection
To protect information, we use up-to-date antivirus software for file and email servers, workstations and mobile devices. For additional protection of mail servers, we use proven spam filters.
Access control
To control access to our system, we use dual user authentication, which increases protection many times over compared to conventional passwords.
Information Security Management Policy
The Information Security Management (ISM) system is implemented to ensure processes that:
• Protect Company’s information resources from all internal, external, intentional or unintentional threats.
• Ensure information security of main Company's business processes.
• Minimize the possibility of loss and damage from violations as well as achieve the adequacy of threat protection measures in the field of information security.
• Increase client confidence and competitiveness of Company's business activity.
• Ensure compliance with legal requirements and contractual obligations in terms of information security.
• Provide security of Company's corporate assets, including staff members, material and technical assets, information resources, processes.
Implementation of the ISM system is expected to result in:
• Understanding and establishing requirements of the interested parties.
• Identification of and protection against negative consequences, and provision of information security for principal products and services.
• Ability to control an incident sufficiently to ensure effective countermeasures in a specific situation.
• Development, documentation and understanding of internal relationships and relationships with other companies, the respective legislative and government bodies, local authorities and emergency services.
• Awareness of effective countermeasures among staff members in case of an incident or failure in operations.
• Ensuring necessary support and information exchange tools for the staff members in case of any incidents or failures in operations.
• Additional protection for Company’s supply chain.
• Additional protection for Company’s reputation.
• Maintaining resilience while meeting mandatory and legal requirements.
Elements of the ISM system are:
• This ISM policy, which defines the general provisions, philosophy, purposes, scope, structure and principles for ISM system implementation. The ISM policy is to be approved by the CEO.
• The ISM program, which defines information security requirements and contains an analysis of internal and external impacts, a risk assessment, programs for competence assurance, training and ISM integration into the corporate culture, and a list of third-party agreements for the purpose of information security. The ISM program is to be approved by the CEO.
• Risk assessment and handling: a register of assets, a risk analysis and a risk handling plan.
• Training plans, which contain the schedule and information security training program for the Company's employees, the schedule, training program and training activities for employees of the IT Department, and the corresponding reporting documents.
• The ISM improvement program: a management plan for ISM system improvement.