Sync template from atomicqms-style deployment

2025-12-27 11:24:11 -05:00
parent 5d75fcdd58
commit 438adf6f4f
28 changed files with 1899 additions and 2 deletions

@@ -0,0 +1,193 @@
# Standard Operating Procedure: Change Management
| Document ID | SOP-CHG-001 |
|-------------|-------------|
| Title | IT Change Management Process |
| Revision | 1.0 |
| Effective Date | [DATE] |
| Author | [AUTHOR] |
| Approved By | [APPROVER] |
| Department | IT Operations |
---
## 1. Purpose
To establish a controlled process for managing changes to IT infrastructure, applications, and services to minimize risk and ensure stability while enabling business agility.
## 2. Scope
This procedure applies to all changes to:
- Production servers and network infrastructure
- Databases and storage systems
- Applications and software
- Security configurations
- Cloud infrastructure and services
- Network and firewall rules
## 3. Responsibilities
### 3.1 Change Requester
- Submit complete RFC with business justification
- Coordinate with stakeholders
- Verify change success post-implementation
### 3.2 Change Manager
- Review and classify changes
- Schedule CAB meetings
- Track change metrics
### 3.3 Change Advisory Board (CAB)
- Review and approve/reject changes
- Assess risk and impact
- Prioritize conflicting changes
### 3.4 Technical Implementer
- Develop implementation plan
- Execute approved changes
- Document results
## 4. Definitions
| Term | Definition |
|------|------------|
| RFC | Request for Change - formal change proposal |
| CAB | Change Advisory Board - approval committee |
| ECAB | Emergency CAB - expedited approval for urgent changes |
| PIR | Post-Implementation Review |
## 5. Change Categories
### 5.1 Standard Changes
Pre-approved, low-risk, routine changes:
- Password resets
- User account creation
- Approved software installations
- Scheduled maintenance activities
### 5.2 Normal Changes
Require CAB review and approval:
- Application deployments
- Server configuration changes
- Network modifications
- Database changes
### 5.3 Emergency Changes
Require ECAB approval, used only for:
- Security incidents requiring immediate response
- Critical system failures
- Regulatory compliance issues
## 6. Procedure
### 6.1 Change Request Submission
1. **Complete RFC Form** (FRM-CHG-001)
- Description of change
- Business justification
- Risk assessment
- Implementation plan
- Rollback plan
- Testing plan
- Affected systems/users
2. **Submit RFC**
- Submit via ticketing system
- Attach all supporting documentation
- Identify change window preference
### 6.2 Change Assessment
| Risk Level | Criteria | Approval Required |
|------------|----------|-------------------|
| Low | Single system, no downtime, easy rollback | Change Manager |
| Medium | Multiple systems, planned downtime, tested rollback | CAB |
| High | Critical systems, extended downtime, complex rollback | CAB + Management |
### 6.3 CAB Review Process
1. **Pre-CAB Preparation**
- Review all pending RFCs
- Verify completeness
- Identify conflicts with other changes
2. **CAB Meeting Agenda**
- Review of failed/problematic changes
- Assessment of new RFCs
- Scheduling of approved changes
- Review of change calendar
3. **Decision Outcomes**
- **Approved**: Proceed as planned
- **Approved with conditions**: Requires modifications
- **Deferred**: Reschedule for later review
- **Rejected**: Not approved, requires rework
### 6.4 Change Implementation
1. **Pre-Implementation**
- [ ] Approval documented in ticket
- [ ] Stakeholders notified
- [ ] Backup completed
- [ ] Rollback plan ready
- [ ] Monitoring in place
2. **During Implementation**
- [ ] Follow implementation plan exactly
- [ ] Document each step
- [ ] Test at defined checkpoints
- [ ] Communicate status updates
3. **Post-Implementation**
- [ ] Verify change success
- [ ] Update documentation
- [ ] Close RFC with results
- [ ] Schedule PIR if required
### 6.5 Rollback Criteria
Initiate rollback if:
- Change causes unplanned outage
- Functionality fails verification
- Security vulnerability introduced
- Performance degradation exceeds threshold
- Change window expiring with incomplete work
### 6.6 Emergency Change Process
1. Obtain verbal ECAB approval (minimum 2 members)
2. Document decision and justification
3. Implement with minimal viable scope
4. Complete formal RFC within 24 hours
5. Conduct PIR for all emergency changes
## 7. Change Freeze Periods
No non-emergency changes permitted during:
- Month-end/quarter-end processing
- Major business events
- Holiday periods (as defined)
- Audit periods
## 8. Metrics and Reporting
| Metric | Target |
|--------|--------|
| Change success rate | >95% |
| Emergency change ratio | <5% |
| Unauthorized changes | 0 |
| Average approval time | <3 business days |
## 9. Related Documents
- FRM-CHG-001 Request for Change Form
- FRM-CHG-002 CAB Meeting Minutes
- SOP-INC-001 Incident Response Procedure
---
## Revision History
| Rev | Date | Description | Author |
|-----|------|-------------|--------|
| 1.0 | [DATE] | Initial release | [AUTHOR] |
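Review bot: Section 8 sets a target of 0 unauthorized changes, but nothing in Section 6 defines how an unauthorized change is detected, so the metric cannot be measured as written; suggest adding a step (to 6.4 or 8) that reconciles observed production changes, such as configuration or deployment log entries, against closed RFCs and routes any unmatched change into SOP-INC-001 as a policy violation under its Low severity row. Also, Section 5.1 pre-approves "Password resets" and "User account creation" as standard changes while Section 2 places "Security configurations" in scope; state explicitly that resets or account creation for privileged and service accounts are normal changes requiring CAB review, not standard ones.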

@@ -0,0 +1,112 @@
# Standard Operating Procedure: Document Control
| Document ID | SOP-001 |
|-------------|---------|
| Title | Document Control |
| Revision | 1.0 |
| Effective Date | [DATE] |
| Author | [AUTHOR] |
| Approved By | [APPROVER] |
| Department | Quality Assurance |
---
## 1. Purpose
To establish a procedure for the creation, review, approval, distribution, and control of documents within the Quality Management System.
## 2. Scope
This procedure applies to all controlled documents including:
- Policies
- Standard Operating Procedures (SOPs)
- Work Instructions
- Forms and Templates
- Specifications
- External documents of external origin
## 3. Responsibilities
### 3.1 Document Owner
- Responsible for document content and accuracy
- Initiates document creation and revision
- Ensures periodic review is performed
### 3.2 Quality Assurance
- Maintains the document control system
- Assigns document numbers
- Manages document distribution
- Archives obsolete documents
### 3.3 Approvers
- Review and approve documents before release
- Ensure documents are adequate for intended purpose
## 4. Procedure
### 4.1 Document Creation
1. Identify the need for a new document
2. Request document number from Quality Assurance
3. Draft document using appropriate template
4. Include all required header information
5. Submit for review and approval
### 4.2 Document Review and Approval
1. Route document to appropriate reviewers
2. Reviewers provide comments within 5 business days
3. Author addresses all comments
4. Final approval by designated approver
5. Quality Assurance releases document
### 4.3 Document Numbering
Documents shall be numbered according to the following convention:
| Type | Prefix | Example |
|------|--------|---------|
| Policy | POL | POL-001 |
| SOP | SOP | SOP-001 |
| Work Instruction | WI | WI-001 |
| Form | FRM | FRM-001 |
### 4.4 Revision Control
1. All changes require documented justification
2. Changes follow same review/approval process as new documents
3. Revision number increments with each approved change
4. Revision history maintained in document footer
### 4.5 Document Distribution
1. Current versions available in document control system
2. Obsolete versions marked and archived
3. Training on new/revised documents as needed
### 4.6 Periodic Review
1. Documents reviewed at least every 2 years
2. Review documented even if no changes made
3. Reviews may result in revision or reaffirmation
## 5. Related Documents
- FRM-001 Document Change Request Form
- FRM-002 Document Review Record
## 6. Definitions
| Term | Definition |
|------|------------|
| Controlled Document | Document managed under document control system |
| Obsolete | Document no longer valid for use |
| Revision | Updated version of a document |
---
## Revision History
| Rev | Date | Description | Author |
|-----|------|-------------|--------|
| 1.0 | [DATE] | Initial release | [AUTHOR] |
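Review bot: The numbering convention in Section 4.3 (POL-001, SOP-001, WI-001, FRM-001) does not cover identifiers used elsewhere in this same commit, such as SOP-CHG-001, SOP-INC-001, FRM-CHG-001 and FRM-INC-001, so those documents are out of convention on the day this procedure takes effect; either add a row describing a department or area infix or renumber them. Two smaller points: "External documents of external origin" in Section 2 is redundant (suggest "Documents of external origin"), and Section 6 Definitions sits after Section 5 Related Documents, whereas every other SOP in this commit that has a Definitions section places it before the procedure.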

@@ -0,0 +1,134 @@
# Standard Operating Procedure: Corrective and Preventive Action (CAPA)
| Document ID | SOP-002 |
|-------------|---------|
| Title | Corrective and Preventive Action |
| Revision | 1.0 |
| Effective Date | [DATE] |
| Author | [AUTHOR] |
| Approved By | [APPROVER] |
| Department | Quality Assurance |
---
## 1. Purpose
To establish a systematic process for identifying, investigating, correcting, and preventing nonconformities and potential nonconformities.
## 2. Scope
This procedure applies to:
- Product and process nonconformities
- Customer complaints
- Audit findings
- Process deviations
- Potential nonconformities identified through risk analysis
## 3. Definitions
| Term | Definition |
|------|------------|
| Corrective Action | Action to eliminate the cause of a detected nonconformity |
| Preventive Action | Action to eliminate the cause of a potential nonconformity |
| Root Cause | Fundamental reason for a nonconformity |
| Effectiveness Check | Verification that implemented actions achieved desired results |
## 4. Responsibilities
### 4.1 CAPA Owner
- Investigates the issue
- Identifies root cause
- Develops and implements corrective/preventive actions
- Verifies effectiveness
### 4.2 Quality Assurance
- Manages CAPA system
- Assigns CAPA numbers
- Tracks CAPA status
- Reviews and approves CAPAs
- Reports CAPA metrics to management
### 4.3 Management
- Provides resources for CAPA implementation
- Reviews CAPA trends
- Ensures timely closure
## 5. Procedure
### 5.1 CAPA Initiation
1. Identify nonconformity or potential nonconformity
2. Document issue on CAPA Form (FRM-003)
3. Classify severity and priority
4. Assign CAPA owner
### 5.2 Investigation
1. Gather relevant data and evidence
2. Interview personnel involved
3. Review related documents and records
4. Use appropriate investigation tools:
- 5 Whys
- Fishbone Diagram
- Failure Mode Analysis
### 5.3 Root Cause Analysis
1. Identify potential root causes
2. Verify root cause through evidence
3. Document root cause determination
4. Consider systemic implications
### 5.4 Action Development
1. Develop corrective/preventive actions
2. Assign responsibilities and due dates
3. Assess actions for:
- Appropriateness to problem severity
- Impact on other processes
- Resource requirements
### 5.5 Implementation
1. Execute approved actions
2. Document implementation evidence
3. Update affected documents/processes
4. Provide training as needed
### 5.6 Effectiveness Verification
1. Define effectiveness criteria
2. Allow sufficient time for actions to take effect
3. Collect and analyze data
4. Document verification results
5. If ineffective, reopen CAPA for further action
### 5.7 Closure
1. Review all CAPA documentation
2. Verify all actions completed
3. Confirm effectiveness verified
4. Obtain approval for closure
## 6. CAPA Metrics
Quality Assurance shall track and report:
- Number of open CAPAs
- CAPA aging
- On-time closure rate
- Effectiveness rate
- CAPAs by category/source
## 7. Related Documents
- FRM-003 CAPA Form
- SOP-003 Nonconforming Product Control
- SOP-004 Customer Complaints
---
## Revision History
| Rev | Date | Description | Author |
|-----|------|-------------|--------|
| 1.0 | [DATE] | Initial release | [AUTHOR] |
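Review bot: Section 7 lists "SOP-003 Nonconforming Product Control" and "SOP-004 Customer Complaints", but in this commit SOP-003 is Training and Competence and SOP-004 is Internal Audit, so both cross-references point at the wrong documents; either renumber or add the two missing SOPs before release. Section 5.6 also says to "Allow sufficient time for actions to take effect" with no bound, while Section 6 reports an "On-time closure rate"; a stated maximum verification window, or a rule for setting one per CAPA at the time actions are assigned in 5.4, would make that metric computable.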

@@ -0,0 +1,123 @@
# Standard Operating Procedure: Training and Competence
| Document ID | SOP-003 |
|-------------|---------|
| Title | Training and Competence |
| Revision | 1.0 |
| Effective Date | [DATE] |
| Author | [AUTHOR] |
| Approved By | [APPROVER] |
| Department | Human Resources / Quality |
---
## 1. Purpose
To ensure personnel performing work affecting product quality are competent based on appropriate education, training, skills, and experience.
## 2. Scope
This procedure applies to:
- All employees performing quality-affecting activities
- Contractors and temporary personnel
- Personnel requiring GxP training
## 3. Responsibilities
### 3.1 Supervisors/Managers
- Identify training needs for their personnel
- Ensure training is completed before performing tasks
- Evaluate competence of personnel
- Maintain department training records
### 3.2 Human Resources
- Coordinate training programs
- Maintain central training database
- Track training compliance
- Archive training records
### 3.3 Quality Assurance
- Develop QMS-related training
- Approve training curricula for GxP activities
- Audit training compliance
### 3.4 Employees
- Complete assigned training on time
- Maintain current qualifications
- Report training needs to supervisor
## 4. Procedure
### 4.1 Training Needs Assessment
1. Identify competence requirements for each role
2. Document requirements in job descriptions
3. Assess current competence of personnel
4. Identify training gaps
### 4.2 Training Curriculum Development
1. Define learning objectives
2. Develop training materials
3. Identify delivery method:
- Classroom
- On-the-job
- Self-study
- Computer-based
4. Define assessment criteria
5. Obtain approval from Quality (for GxP training)
### 4.3 Training Delivery
1. Schedule training session
2. Document attendance
3. Deliver training per curriculum
4. Assess comprehension through:
- Written test (minimum 80% passing)
- Practical demonstration
- Supervisor observation
### 4.4 Training Documentation
Training records shall include:
- Employee name and ID
- Training title and date
- Trainer name and qualifications
- Assessment results
- Signatures
### 4.5 Retraining Requirements
Retraining is required when:
- Significant document revisions occur
- Performance deficiencies identified
- Extended absence from job function
- Periodic requalification due
### 4.6 New Employee Orientation
All new employees shall complete:
1. Company orientation
2. Quality system overview
3. Job-specific training
4. SOP read and understand for applicable procedures
## 5. Training Records Retention
- Training records maintained for duration of employment
- Records retained 3 years after employee departure
- Records available for regulatory inspection
## 6. Related Documents
- FRM-004 Training Record Form
- FRM-005 Training Assessment Form
- Job Descriptions
---
## Revision History
| Rev | Date | Description | Author |
|-----|------|-------------|--------|
| 1.0 | [DATE] | Initial release | [AUTHOR] |
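Review bot: Section 4.5 makes "Significant document revisions" a retraining trigger and SOP-001 Section 4.5 assigns "Training on new/revised documents as needed", but neither document says who decides that a revision is significant or how the central training database learns of a release; suggest naming the Document Owner as the decider and adding to the Section 4.4 record the document ID and revision trained on. Also, SOP-INC-001 Section 3.1 requires all staff to report suspected incidents and preserve evidence, yet the Section 4.6 orientation lists no security awareness or incident reporting item; consider adding one to the new employee curriculum. Minor: "SOP read and understand for applicable procedures" in 4.6 reads awkwardly (suggest "Read-and-understand training on applicable SOPs").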

@@ -0,0 +1,136 @@
# Standard Operating Procedure: Internal Audit
| Document ID | SOP-004 |
|-------------|---------|
| Title | Internal Audit |
| Revision | 1.0 |
| Effective Date | [DATE] |
| Author | [AUTHOR] |
| Approved By | [APPROVER] |
| Department | Quality Assurance |
---
## 1. Purpose
To establish a systematic approach for conducting internal audits to verify the effectiveness of the Quality Management System.
## 2. Scope
This procedure covers:
- QMS process audits
- Compliance audits
- Product audits
- System audits
## 3. Definitions
| Term | Definition |
|------|------------|
| Audit | Systematic, independent examination to determine conformance |
| Auditor | Person qualified to perform audits |
| Finding | Observation of conformance or nonconformance |
| Observation | Noted item not rising to level of finding |
## 4. Responsibilities
### 4.1 Lead Auditor
- Plans and schedules audits
- Prepares audit checklists
- Conducts audit activities
- Reports audit findings
### 4.2 Quality Manager
- Maintains audit program
- Qualifies auditors
- Reviews audit reports
- Reports to management
### 4.3 Auditee
- Provides access to areas/records
- Responds to findings
- Implements corrective actions
## 5. Procedure
### 5.1 Annual Audit Schedule
1. Develop annual audit schedule considering:
- Previous audit results
- Process criticality
- Regulatory requirements
- Changes to processes
2. Ensure all QMS processes audited at least annually
3. Obtain management approval
4. Communicate schedule to affected areas
### 5.2 Auditor Qualification
Auditors shall:
- Complete auditor training course
- Conduct at least 2 audits under supervision
- Be independent of area being audited
- Maintain competence through ongoing audits
### 5.3 Audit Preparation
1. Review applicable procedures and standards
2. Review previous audit reports
3. Prepare audit checklist
4. Notify auditee of audit scope and schedule
5. Confirm auditor availability
### 5.4 Conducting the Audit
1. Hold opening meeting with auditee
2. Execute audit checklist
3. Gather objective evidence:
- Document review
- Personnel interviews
- Process observation
4. Document findings with evidence
5. Classify findings:
- Major Nonconformance
- Minor Nonconformance
- Observation
6. Hold closing meeting
### 5.5 Audit Reporting
1. Complete audit report within 5 business days
2. Report shall include:
- Audit scope and criteria
- Personnel interviewed
- Findings with evidence
- Recommendations
3. Distribute report to auditee and management
### 5.6 Finding Resolution
1. Auditee responds with corrective action plan within 10 business days
2. Quality reviews and approves plan
3. Auditee implements corrective actions
4. Auditor verifies effectiveness
5. Close finding upon verification
## 6. Audit Records
Maintain for 5 years:
- Audit schedules
- Checklists
- Reports
- Corrective action records
## 7. Related Documents
- FRM-006 Audit Checklist Template
- FRM-007 Audit Report Template
- SOP-002 CAPA
---
## Revision History
| Rev | Date | Description | Author |
|-----|------|-------------|--------|
| 1.0 | [DATE] | Initial release | [AUTHOR] |
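Review bot: The definitions in Section 3 are circular: "Finding" is defined as an "Observation of conformance or nonconformance" while "Observation" is "Noted item not rising to level of finding", and Section 5.4 then lists "Observation" as one of the finding classifications; suggest defining Finding as a documented nonconformance against the audit criteria and keeping Observation as a non-binding improvement note, consistent with 5.4. Section 5.6 step 4 has the auditor verify effectiveness, while SOP-002 Section 4.1 assigns effectiveness verification to the CAPA Owner with Quality Assurance approval; state which rule applies to audit findings so the two SOPs do not conflict.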

@@ -0,0 +1,114 @@
# Standard Operating Procedure: Management Review
| Document ID | SOP-005 |
|-------------|---------|
| Title | Management Review |
| Revision | 1.0 |
| Effective Date | [DATE] |
| Author | [AUTHOR] |
| Approved By | [APPROVER] |
| Department | Quality Assurance |
---
## 1. Purpose
To ensure top management reviews the Quality Management System at planned intervals to ensure its continuing suitability, adequacy, and effectiveness.
## 2. Scope
This procedure applies to the periodic management review of the QMS, including all processes and quality objectives.
## 3. Frequency
Management reviews shall be conducted:
- At least annually
- More frequently if significant changes occur
- As needed based on quality performance
## 4. Responsibilities
### 4.1 Quality Manager
- Prepares management review agenda and materials
- Facilitates the meeting
- Documents meeting minutes and action items
- Tracks completion of action items
### 4.2 Top Management
- Attends management review meetings
- Reviews QMS performance data
- Makes decisions on QMS improvements
- Allocates resources as needed
### 4.3 Department Managers
- Provides input data for their areas
- Attends management review
- Implements assigned action items
## 5. Management Review Inputs
The following shall be considered:
### 5.1 Actions from Previous Reviews
- Status of action items
- Effectiveness of implemented actions
### 5.2 Changes in Context
- Internal changes (organization, resources)
- External changes (regulations, market)
### 5.3 QMS Performance
- Customer satisfaction and feedback
- Quality objectives achievement
- Process performance metrics
- Nonconformities and corrective actions
- Audit results
- Supplier performance
### 5.4 Resource Adequacy
- Personnel
- Infrastructure
- Work environment
### 5.5 Risk and Opportunities
- Risk assessment results
- Effectiveness of risk controls
- New opportunities identified
### 5.6 Improvement Opportunities
- Process improvements
- Product improvements
- QMS enhancements
## 6. Management Review Outputs
Decisions and actions related to:
- Improvement of QMS and processes
- Product improvement
- Resource needs
- Changes to quality policy or objectives
## 7. Documentation
### 7.1 Meeting Minutes
- Date and attendees
- Items discussed
- Decisions made
- Action items with owners and due dates
### 7.2 Record Retention
- Management review records retained for 5 years
- Available for regulatory inspection
## 8. Related Documents
- FRM-008 Management Review Agenda Template
- FRM-009 Management Review Minutes Template
---
## Revision History
| Rev | Date | Description | Author |
|-----|------|-------------|--------|
| 1.0 | [DATE] | Initial release | [AUTHOR] |
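Review bot: Section 5 inputs omit the two metric streams this commit creates elsewhere: the SOP-CHG-001 Section 8 metrics (change success rate, emergency change ratio, unauthorized changes, approval time) and the post-incident reports from SOP-INC-001 Section 5.6 have no stated consumer, while Section 5.3 here covers only nonconformities, audits and supplier performance; suggest adding "Change management metrics" and "Security incident trends and post-incident reviews" to Section 5.3. Minor grammar in Section 4.3: the bullets read "Provides", "Attends", "Implements" under the plural heading Department Managers; use "Provide", "Attend", "Implement" to match 4.1 and 4.2.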

@@ -0,0 +1,182 @@
# Standard Operating Procedure: Security Incident Response
| Document ID | SOP-INC-001 |
|-------------|-------------|
| Title | Security Incident Response Procedure |
| Revision | 1.0 |
| Effective Date | [DATE] |
| Author | [AUTHOR] |
| Approved By | [APPROVER] |
| Department | IT Security |
---
## 1. Purpose
To establish a structured approach for detecting, responding to, containing, and recovering from security incidents to minimize impact and prevent recurrence.
## 2. Scope
This procedure applies to all security incidents including:
- Unauthorized access attempts
- Malware infections
- Data breaches
- Denial of service attacks
- Phishing attacks
- Lost or stolen devices
- Insider threats
- System compromises
## 3. Responsibilities
### 3.1 All Staff
- Report suspected incidents immediately
- Preserve evidence (do not turn off systems unless directed)
- Follow instructions from incident response team
### 3.2 IT Security Team
- Triage and classify incidents
- Lead response efforts
- Coordinate with stakeholders
### 3.3 Incident Response Manager
- Authorize containment actions
- Escalate to management as needed
- Coordinate external communications
## 4. Incident Classification
| Severity | Criteria | Response Time |
|----------|----------|---------------|
| Critical | Active breach, data exfiltration, ransomware | Immediate |
| High | Confirmed compromise, malware spreading | < 1 hour |
| Medium | Attempted intrusion, isolated malware | < 4 hours |
| Low | Policy violation, suspicious activity | < 24 hours |
## 5. Incident Response Phases
### 5.1 Phase 1: Detection and Reporting
**Detection Sources:**
- Security monitoring tools (SIEM, IDS/IPS)
- User reports
- Vendor notifications
- Audit findings
- Automated alerts
**Reporting:**
1. Document initial observations
2. Report via security hotline or email
3. Complete FRM-INC-001 Incident Report
4. Do NOT attempt remediation without guidance
### 5.2 Phase 2: Triage and Analysis
1. **Initial Assessment**
- Confirm incident is genuine (vs. false positive)
- Classify severity level
- Identify affected systems/data
- Determine initial scope
2. **Evidence Collection**
- System logs
- Network traffic captures
- Memory dumps (if warranted)
- Screenshots
- Preserve chain of custody
3. **Escalation Decision**
- Critical/High: Immediate escalation to management
- Notify legal/compliance if data breach suspected
- Engage external forensics if needed
### 5.3 Phase 3: Containment
**Short-term Containment:**
- Isolate affected systems from network
- Block malicious IPs/domains
- Disable compromised accounts
- Preserve evidence before changes
**Long-term Containment:**
- Apply temporary fixes
- Increase monitoring
- Implement additional controls
- Prepare for eradication
**Containment Decision Matrix:**
| Action | Authority Required |
|--------|-------------------|
| Isolate single workstation | Security Team |
| Disable user account | Security Manager |
| Block network segment | IT Director |
| Shut down production system | Executive approval |
### 5.4 Phase 4: Eradication
1. Identify root cause
2. Remove malware/backdoors
3. Patch vulnerabilities exploited
4. Reset compromised credentials
5. Verify removal is complete
### 5.5 Phase 5: Recovery
1. Restore systems from clean backups
2. Rebuild if necessary
3. Verify integrity before reconnecting
4. Monitor closely post-recovery
5. Confirm normal operations
### 5.6 Phase 6: Post-Incident Review
**Conduct within 5 business days:**
- Timeline reconstruction
- Root cause analysis
- Response effectiveness review
- Lessons learned
- Improvement recommendations
**Documentation:**
- Complete FRM-INC-002 Post-Incident Report
- Update procedures as needed
- Brief stakeholders
## 6. Communication Guidelines
### Internal Communication
| Audience | Information | Method |
|----------|-------------|--------|
| Executive Team | Status, business impact, decisions needed | Phone/meeting |
| IT Staff | Technical details, actions required | Secure channel |
| All Staff | General awareness (if warranted) | Email |
### External Communication
- All external communications through designated spokesperson
- Coordinate with Legal and PR
- Regulatory notifications per compliance requirements
- Customer notifications per contract/law
## 7. Regulatory Notification Requirements
| Regulation | Notification Timeframe | Authority |
|------------|----------------------|-----------|
| HIPAA | 60 days (breach of >500) | HHS OCR |
| GDPR | 72 hours | Supervisory Authority |
| PCI DSS | Immediately | Card brands, acquirer |
| State Laws | Varies | State AG |
## 8. Related Documents
- FRM-INC-001 Incident Report Form
- FRM-INC-002 Post-Incident Report
- Contact list for incident response team
- Vendor/partner contact list
---
## Revision History
| Rev | Date | Description | Author |
|-----|------|-------------|--------|
| 1.0 | [DATE] | Initial release | [AUTHOR] |
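Review bot: Section 7 misstates the HIPAA threshold: the HHS notification rule applies to breaches affecting 500 or more individuals (not ">500"), and breaches affecting fewer than 500 must still be logged and reported to HHS annually, so the row should read "500 or more" and mention the small-breach path. Also, Section 3.3 gives the Incident Response Manager authority over containment actions, but the matrix in Section 5.3 assigns those decisions to "Security Team", "Security Manager", "IT Director" and "Executive approval" and never names the Incident Response Manager; align the role names so an on-call responder can tell who signs off on disabling an account. Finally, Section 5.2 says "Preserve chain of custody" but Section 8 lists no chain-of-custody form; add one or reference an existing record.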

SOPs/Safety/.gitkeep Normal file

@@ -0,0 +1 @@
# Placeholder
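Review bot: A .gitkeep file is conventionally empty and exists only so Git tracks the otherwise empty SOPs/Safety/ directory; the "# Placeholder" content is harmless but breaks that convention. If the intent is a human-readable note that Safety SOPs are pending, put it in a README.md in that directory and leave .gitkeep empty.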
