atomicai/it-infrastructure
Template
1
0
Copy 0
Documents Lab Tickets Change Requests Projects Wiki Activity

Sync template from atomicqms-style deployment

Browse Source
This commit is contained in:
AtomicQMS Service
2025-12-27 11:24:11 -05:00
parent 5d75fcdd58
commit 438adf6f4f
28 changed files with 1899 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

80
.gitea/workflows/atomicai.yml Normal file
View File

@@ -0,0 +1,80 @@
name: AtomicAI IT Infrastructure Assistant
on:
issue_comment:
types: [created]
issues:
types: [opened, assigned]
pull_request:
types: [opened, synchronize, assigned]
pull_request_review_comment:
types: [created]
jobs:
claude-assistant:
runs-on: ubuntu-latest
if: |
github.actor != 'atomicqms-service' &&
(
(github.event_name == 'issue_comment' && contains(github.event.comment.body, '@atomicai') && github.event.comment.user.login != 'atomicqms-service') ||
(github.event_name == 'issues' && github.event.action == 'opened' && contains(github.event.issue.body, '@atomicai')) ||
(github.event_name == 'pull_request' && github.event.action == 'opened' && contains(github.event.pull_request.body, '@atomicai')) ||
(github.event_name == 'pull_request_review_comment' && contains(github.event.comment.body, '@atomicai') && github.event.comment.user.login != 'atomicqms-service') ||
(github.event.action == 'assigned' && github.event.assignee.login == 'atomicai')
)
permissions:
contents: write
issues: write
pull-requests: write
steps:
- uses: actions/checkout@v4
with:
fetch-depth: 0
- name: Run AtomicAI IT Infrastructure Assistant
uses: https://beta.atomicqms.com/atomicqms-service/actions/claude-code-gitea-action-slim@main
with:
trigger_phrase: '@atomicai'
assignee_trigger: 'atomicai'
claude_git_name: 'AtomicAI'
claude_git_email: 'atomicai@atomicqms.local'
custom_instructions: |
You are AtomicAI, an AI assistant specialized in Healthcare IT Infrastructure and Cybersecurity Quality Management.
## Your Expertise
- HIPAA Security Rule technical safeguards
- NIST Cybersecurity Framework
- SOC 2 compliance
- Network security and segmentation
- Access control and identity management
- Incident response and disaster recovery
- Vulnerability management and patching
- Medical device network security
- Cloud security (AWS, Azure, GCP)
- Data backup and recovery procedures
- Change management for IT systems
- Security awareness training
- Audit logging and monitoring
## Document Creation Guidelines
- Place Security SOPs in SOPs/Security/
- Place Infrastructure SOPs in SOPs/Infrastructure/
- Place Incident Response in Protocols/Incident-Response/
- Place Change Management in Forms/Change-Management/
- Place Audit Forms in Forms/Audit/
- Place Policies in Policies/
## Numbering Convention
- SOP-SEC-XXX for Security SOPs
- SOP-INF-XXX for Infrastructure SOPs
- SOP-NET-XXX for Network SOPs
- IRP-XXX for Incident Response Procedures
- POL-XXX for Policies
- FRM-XXX for Forms
Always create branches and submit changes as Pull Requests for review.
Prioritize security, compliance, and system availability.
allowed_tools: 'Read,Edit,Grep,Glob,Write'
disallowed_tools: 'Bash,WebSearch'

0
Forms/Access-Requests/.gitkeep Normal file
View File

0
Forms/Asset-Inventory/.gitkeep Normal file
View File

0
Forms/Audit-Checklists/.gitkeep Normal file
View File

0
Forms/Change-Requests/.gitkeep Normal file
View File

222
Forms/Change-Requests/FRM-CHG-001-Request-For-Change.md Normal file
View File

@@ -0,0 +1,222 @@
# Request for Change (RFC)
| Form ID | FRM-CHG-001 | Revision | 1.0 |
|---------|-------------|----------|-----|
---
## Change Request Information
| Field | Entry |
|-------|-------|
| RFC Number | RFC-[YYYY]-[####] |
| Date Submitted | |
| Requester Name | |
| Requester Department | |
| Requester Email | |
| Requester Phone | |
## Change Classification
**Change Type:**
- [ ] Standard (Pre-approved, routine)
- [ ] Normal (Requires CAB approval)
- [ ] Emergency (Critical, time-sensitive)
**Change Category:**
- [ ] Hardware
- [ ] Software/Application
- [ ] Network
- [ ] Database
- [ ] Security
- [ ] Cloud Infrastructure
- [ ] Other: _______________
**Priority:**
- [ ] Critical (Must be completed ASAP)
- [ ] High (Within 1 week)
- [ ] Medium (Within 2 weeks)
- [ ] Low (Within 30 days)
## Change Description
### Summary
*Provide a brief description of the proposed change (1-2 sentences)*
### Detailed Description
*Describe the change in detail, including what will be modified*
### Reason/Business Justification
*Why is this change necessary? What business need does it address?*
## Impact Assessment
### Affected Systems
| System/Application | Environment | Impact Level |
|-------------------|-------------|--------------|
| | ☐ Prod ☐ Test ☐ Dev | ☐ High ☐ Med ☐ Low |
| | ☐ Prod ☐ Test ☐ Dev | ☐ High ☐ Med ☐ Low |
| | ☐ Prod ☐ Test ☐ Dev | ☐ High ☐ Med ☐ Low |
### Affected Users/Groups
### Dependencies
*List any dependencies on other systems, changes, or external parties*
## Risk Assessment
**What could go wrong?**
**Likelihood of failure:**
- [ ] Low
- [ ] Medium
- [ ] High
**Impact if failure occurs:**
- [ ] Low - Minor inconvenience
- [ ] Medium - Degraded service
- [ ] High - Service outage
- [ ] Critical - Data loss or security breach
**Overall Risk Level:**
- [ ] Low
- [ ] Medium
- [ ] High
## Implementation Plan
### Proposed Change Window
| Field | Entry |
|-------|-------|
| Start Date/Time | |
| End Date/Time | |
| Estimated Duration | |
| Maintenance Window Required? | ☐ Yes ☐ No |
### Implementation Steps
| Step | Action | Responsible | Est. Time |
|------|--------|-------------|-----------|
| 1 | | | |
| 2 | | | |
| 3 | | | |
| 4 | | | |
| 5 | | | |
### Pre-Implementation Checklist
- [ ] Backup completed
- [ ] Stakeholders notified
- [ ] Test plan documented
- [ ] Rollback plan documented
- [ ] Required access/permissions confirmed
## Rollback Plan
**Rollback Trigger Criteria:**
*Under what conditions will rollback be initiated?*
**Rollback Steps:**
| Step | Action | Responsible | Est. Time |
|------|--------|-------------|-----------|
| 1 | | | |
| 2 | | | |
| 3 | | | |
**Estimated Rollback Time:**
## Testing Plan
**Test Environment:**
- [ ] Already tested in Dev
- [ ] Already tested in Test/Stage
- [ ] Production verification only
**Test Cases:**
| Test | Expected Result | Pass/Fail |
|------|-----------------|-----------|
| | | ☐ |
| | | ☐ |
| | | ☐ |
## Communication Plan
### Notifications Required
- [ ] End users
- [ ] Help desk
- [ ] Management
- [ ] External parties
- [ ] None required
### Notification Details
| Audience | Method | Timing | Responsible |
|----------|--------|--------|-------------|
| | | | |
| | | | |
## Approvals
### Technical Review
| Field | Entry |
|-------|-------|
| Reviewer Name | |
| Date | |
| Decision | ☐ Approved ☐ Rejected ☐ More Info Needed |
| Comments | |
| Signature | |
### CAB Review
| Field | Entry |
|-------|-------|
| CAB Meeting Date | |
| Decision | ☐ Approved ☐ Approved w/Conditions ☐ Deferred ☐ Rejected |
| Conditions (if any) | |
| CAB Chair Signature | |
### Management Approval (if required)
| Field | Entry |
|-------|-------|
| Approver Name | |
| Date | |
| Signature | |
## Post-Implementation
### Results
| Field | Entry |
|-------|-------|
| Implementation Date | |
| Actual Start Time | |
| Actual End Time | |
| Status | ☐ Successful ☐ Partial ☐ Failed ☐ Rolled Back |
### Issues Encountered
### Lessons Learned
### PIR Required?
- [ ] Yes (Schedule date: _________)
- [ ] No
### Closure
| Field | Entry |
|-------|-------|
| Closed By | |
| Date Closed | |
| Final Status | ☐ Successful ☐ Failed |
---
*Form FRM-CHG-001 Rev 1.0 - Request for Change*

64
Forms/FRM-001-Document-Change-Request.md Normal file
View File

@@ -0,0 +1,64 @@
# Document Change Request Form
| Form ID | FRM-001 | Revision | 1.0 |
|---------|---------|----------|-----|
---
## Section 1: Request Information
| Field | Entry |
|-------|-------|
| Request Date | |
| Requested By | |
| Department | |
## Section 2: Document Information
| Field | Entry |
|-------|-------|
| Document Number | |
| Document Title | |
| Current Revision | |
## Section 3: Change Description
### Type of Change
- [ ] New Document
- [ ] Revision to Existing Document
- [ ] Document Obsolescence
### Description of Change
*(Describe the proposed change in detail)*
### Reason for Change
*(Explain why this change is needed)*
## Section 4: Impact Assessment
### Affected Areas
- [ ] Training Required
- [ ] Other Documents Affected
- [ ] Process Changes Required
- [ ] Validation Impact
### List Affected Documents
## Section 5: Approvals
| Role | Name | Signature | Date |
|------|------|-----------|------|
| Requester | | | |
| Document Owner | | | |
| Quality Assurance | | | |
---
*Form FRM-001 Rev 1.0*

91
Forms/FRM-003-CAPA-Form.md Normal file
View File

@@ -0,0 +1,91 @@
# Corrective and Preventive Action (CAPA) Form
| Form ID | FRM-003 | Revision | 1.0 |
|---------|---------|----------|-----|
---
## Section 1: CAPA Identification
| Field | Entry |
|-------|-------|
| CAPA Number | |
| Date Initiated | |
| Initiated By | |
| CAPA Owner | |
| Target Closure Date | |
## Section 2: Classification
### Type
- [ ] Corrective Action
- [ ] Preventive Action
### Source
- [ ] Customer Complaint
- [ ] Internal Audit
- [ ] External Audit
- [ ] Process Deviation
- [ ] Nonconforming Product
- [ ] Management Review
- [ ] Other: ____________
### Priority
- [ ] Critical (5 business days)
- [ ] Major (15 business days)
- [ ] Minor (30 business days)
## Section 3: Problem Description
*(Describe the nonconformity or potential nonconformity)*
## Section 4: Immediate Containment
*(Actions taken to contain the immediate impact)*
## Section 5: Root Cause Investigation
### Investigation Method Used
- [ ] 5 Whys
- [ ] Fishbone Diagram
- [ ] Fault Tree Analysis
- [ ] Other: ____________
### Root Cause Determination
## Section 6: Corrective/Preventive Actions
| Action | Responsible | Due Date | Status |
|--------|-------------|----------|--------|
| | | | |
| | | | |
| | | | |
## Section 7: Effectiveness Verification
| Criteria | Method | Result |
|----------|--------|--------|
| | | |
Verification Date: ____________
Verified By: ____________
## Section 8: Closure
| Role | Name | Signature | Date |
|------|------|-----------|------|
| CAPA Owner | | | |
| Quality Approval | | | |
---
*Form FRM-003 Rev 1.0*

56
Forms/FRM-006-Audit-Checklist.md Normal file
View File

@@ -0,0 +1,56 @@
# Internal Audit Checklist
| Form ID | FRM-006 | Revision | 1.0 |
|---------|---------|----------|-----|
---
## Audit Information
| Field | Entry |
|-------|-------|
| Audit Number | |
| Audit Date | |
| Area/Process Audited | |
| Lead Auditor | |
| Auditee(s) | |
---
## Checklist Items
| # | Requirement/Question | Reference | C/NC/NA | Evidence/Notes |
|---|---------------------|-----------|---------|----------------|
| 1 | Are current versions of applicable procedures available? | SOP-001 | | |
| 2 | Are personnel trained on applicable procedures? | SOP-003 | | |
| 3 | Are training records current and complete? | SOP-003 | | |
| 4 | Are records properly maintained and retrievable? | SOP-001 | | |
| 5 | Are nonconformities being documented and addressed? | SOP-002 | | |
| 6 | Are CAPAs being completed on time? | SOP-002 | | |
| 7 | Is equipment calibrated and maintained? | | | |
| 8 | Are process controls being followed? | | | |
| 9 | Are quality objectives being monitored? | | | |
| 10 | | | | |
**Legend:** C = Conforming, NC = Nonconforming, NA = Not Applicable
---
## Findings Summary
| Finding # | Type | Description | Clause Reference |
|-----------|------|-------------|------------------|
| | | | |
| | | | |
---
## Auditor Signature
| Auditor | Signature | Date |
|---------|-----------|------|
| | | |
---
*Form FRM-006 Rev 1.0*

0
Forms/Incident-Reports/.gitkeep Normal file
View File

72
Forms/Training/FRM-004-Training-Record.md Normal file
View File

@@ -0,0 +1,72 @@
# Training Record Form
| Form ID | FRM-004 | Revision | 1.0 |
|---------|---------|----------|-----|
---
## Section 1: Employee Information
| Field | Entry |
|-------|-------|
| Employee Name | |
| Employee ID | |
| Department | |
| Job Title | |
## Section 2: Training Information
| Field | Entry |
|-------|-------|
| Training Title | |
| Training Date | |
| Training Duration | |
| Trainer Name | |
| Trainer Qualification | |
### Training Type
- [ ] Initial Training
- [ ] Retraining
- [ ] Refresher
- [ ] Procedure Update
### Delivery Method
- [ ] Classroom
- [ ] On-the-Job
- [ ] Self-Study
- [ ] Computer-Based
- [ ] Other: ____________
## Section 3: Training Content
*(List topics covered or attach training materials)*
## Section 4: Assessment
### Assessment Method
- [ ] Written Test
- [ ] Practical Demonstration
- [ ] Verbal Assessment
- [ ] Observation
### Assessment Results
| Metric | Result |
|--------|--------|
| Score (if applicable) | |
| Pass/Fail | |
## Section 5: Signatures
| Role | Name | Signature | Date |
|------|------|-----------|------|
| Trainee | | | |
| Trainer | | | |
| Supervisor | | | |
---
*Form FRM-004 Rev 1.0*

57
Policies/POL-001-Quality-Policy.md Normal file
View File

@@ -0,0 +1,57 @@
# Quality Policy
| Document ID | POL-001 |
|-------------|---------|
| Title | Quality Policy |
| Revision | 1.0 |
| Effective Date | [DATE] |
| Author | [AUTHOR] |
| Approved By | [APPROVER] |
---
## 1. Policy Statement
[ORGANIZATION NAME] is committed to providing products and services that consistently meet customer requirements and applicable regulatory requirements. We strive for continual improvement of our Quality Management System to enhance customer satisfaction.
## 2. Quality Objectives
Our organization commits to:
1. **Customer Focus**: Understanding and meeting customer needs and expectations
2. **Regulatory Compliance**: Maintaining compliance with all applicable regulations and standards
3. **Continuous Improvement**: Continually improving the effectiveness of our QMS
4. **Employee Engagement**: Ensuring all employees understand their role in quality
5. **Risk-Based Thinking**: Identifying and addressing risks and opportunities
## 3. Management Commitment
Top management demonstrates commitment to the QMS by:
- Ensuring the quality policy is appropriate to the organization's purpose
- Ensuring quality objectives are established and compatible with strategic direction
- Ensuring integration of QMS requirements into business processes
- Promoting the use of the process approach and risk-based thinking
- Ensuring resources needed for the QMS are available
- Communicating the importance of effective quality management
- Ensuring the QMS achieves its intended results
- Engaging, directing, and supporting persons to contribute to QMS effectiveness
## 4. Scope
This policy applies to all employees, contractors, and processes within the scope of our Quality Management System.
## 5. Communication
This policy shall be:
- Communicated and understood within the organization
- Available to relevant interested parties as appropriate
- Reviewed for continuing suitability
---
## Revision History
| Rev | Date | Description | Author |
|-----|------|-------------|--------|
| 1.0 | [DATE] | Initial release | [AUTHOR] |

132
README.md
View File

@@ -1,3 +1,133 @@
# it-infrastructure
# IT Infrastructure Quality Management System
A comprehensive QMS template designed for IT departments, managed service providers, and technology infrastructure teams in regulated industries.
## 💻 Designed For
- **Healthcare IT Departments** - Hospital and clinic technology teams
- **Managed Service Providers (MSPs)** - IT service organizations
- **Data Centers** - Colocation and hosting facilities
- **Cloud Operations Teams** - AWS, Azure, GCP management
- **Cybersecurity Teams** - Security operations centers
- **Research Computing** - HPC and scientific computing
- **Compliance-Focused IT** - HIPAA, SOC 2, PCI environments
## 📋 Regulatory Framework
This template supports compliance with:
- **ISO 27001** - Information Security Management Systems
- **SOC 2** - Service Organization Control (Trust Services Criteria)
- **HIPAA Security Rule** - Healthcare information security
- **NIST Cybersecurity Framework** - Security controls and practices
- **PCI DSS** - Payment Card Industry Data Security Standard
- **GDPR** - Data protection requirements (if applicable)
- **FISMA** - Federal information security (government)
- **CIS Controls** - Center for Internet Security benchmarks
- **ITIL** - IT Service Management best practices
- **COBIT** - Governance and management of IT
## Repository Structure
```
├── SOPs/
│ ├── Change-Management/ # Change requests, approvals, implementation
│ ├── Incident-Response/ # Security incidents, outages, escalation
│ ├── Access-Control/ # User provisioning, authentication, authorization
│ ├── Backup-Recovery/ # Backups, disaster recovery, business continuity
│ ├── Security-Operations/ # Vulnerability management, patching, monitoring
│ └── General/ # Document control, training, CAPA
├── Forms/
│ ├── Change-Requests/ # RFC forms, CAB meeting records
│ ├── Incident-Reports/ # Incident tickets, post-mortems, RCA
│ ├── Access-Requests/ # User access, privilege escalation forms
│ ├── Audit-Checklists/ # Security audits, compliance assessments
│ ├── Asset-Inventory/ # Hardware, software, license tracking
│ └── Training/ # Security awareness, competency assessments
├── Policies/ # IT and security policies
├── Work-Instructions/ # Step-by-step procedures
└── Templates/ # Document templates
```
## Document Numbering Convention
- **POL-XXX**: Policies
- **SOP-CHG-XXX**: Change Management SOPs
- **SOP-INC-XXX**: Incident Response SOPs
- **SOP-ACC-XXX**: Access Control SOPs
- **SOP-BAK-XXX**: Backup and Recovery SOPs
- **SOP-SEC-XXX**: Security Operations SOPs
- **WI-XXX**: Work Instructions
- **FRM-XXX**: Forms and Records
## 🤖 AI-Powered Assistance
This repository includes **AtomicAI**, your IT infrastructure QMS assistant. Mention `@atomicai` in any issue or pull request to:
- Draft change management and incident response procedures
- Create access control and user provisioning SOPs
- Generate backup and disaster recovery plans
- Develop security policies and procedures
- Create audit checklists and compliance documentation
- Review documents for ISO 27001/SOC 2 compliance
### Example Prompts
- "@atomicai create an SOP for change management with CAB approval workflow"
- "@atomicai draft a security incident response procedure"
- "@atomicai write a user access provisioning and deprovisioning SOP"
- "@atomicai create a disaster recovery plan template"
- "@atomicai develop a vulnerability management procedure"
- "@atomicai create a patch management SOP with testing requirements"
## Getting Started
1. **Establish Governance** - Define IT policies and approval authorities
2. **Implement Change Management** - Configure RFC and CAB processes
3. **Set Up Incident Response** - Create escalation procedures and playbooks
4. **Define Access Controls** - Establish user provisioning workflows
5. **Train Staff** - Security awareness and procedure training
## Key Documents to Create First
1. **Change Management SOP** - RFC, approval, and implementation workflow
2. **Incident Response Procedure** - Detection, containment, recovery, post-mortem
3. **Access Control Policy** - Least privilege, authentication, authorization
4. **Backup and Recovery SOP** - Backup schedules, retention, testing
5. **Vulnerability Management SOP** - Scanning, prioritization, remediation
6. **Patch Management SOP** - Testing, deployment, rollback procedures
7. **Business Continuity Plan** - DR procedures and RTO/RPO targets
## Special Considerations for IT Infrastructure
### Change Management
- Request for Change (RFC) documentation
- Change Advisory Board (CAB) process
- Risk assessment and testing requirements
- Rollback procedures
- Post-implementation review
### Security Operations
- Vulnerability scanning and assessment
- Penetration testing programs
- Security monitoring and SIEM
- Threat intelligence integration
- Incident detection and response
### Access Control
- Identity and access management
- Privileged access management
- Multi-factor authentication
- Access reviews and recertification
- Termination and offboarding
### Business Continuity
- Disaster recovery planning
- RTO/RPO definitions
- Backup verification and testing
- Failover procedures
- Communication plans
---
*This template is maintained by AtomicQMS. For questions, open an issue in this repository.*

0
SOPs/Access-Control/.gitkeep Normal file
View File

0
SOPs/Backup-Recovery/.gitkeep Normal file
View File

0
SOPs/Change-Management/.gitkeep Normal file
View File

193
SOPs/Change-Management/SOP-CHG-001-Change-Management.md Normal file
View File

@@ -0,0 +1,193 @@
# Standard Operating Procedure: Change Management
| Document ID | SOP-CHG-001 |
|-------------|-------------|
| Title | IT Change Management Process |
| Revision | 1.0 |
| Effective Date | [DATE] |
| Author | [AUTHOR] |
| Approved By | [APPROVER] |
| Department | IT Operations |
---
## 1. Purpose
To establish a controlled process for managing changes to IT infrastructure, applications, and services to minimize risk and ensure stability while enabling business agility.
## 2. Scope
This procedure applies to all changes to:
- Production servers and network infrastructure
- Databases and storage systems
- Applications and software
- Security configurations
- Cloud infrastructure and services
- Network and firewall rules
## 3. Responsibilities
### 3.1 Change Requester
- Submit complete RFC with business justification
- Coordinate with stakeholders
- Verify change success post-implementation
### 3.2 Change Manager
- Review and classify changes
- Schedule CAB meetings
- Track change metrics
### 3.3 Change Advisory Board (CAB)
- Review and approve/reject changes
- Assess risk and impact
- Prioritize conflicting changes
### 3.4 Technical Implementer
- Develop implementation plan
- Execute approved changes
- Document results
## 4. Definitions
| Term | Definition |
|------|------------|
| RFC | Request for Change - formal change proposal |
| CAB | Change Advisory Board - approval committee |
| ECAB | Emergency CAB - expedited approval for urgent changes |
| PIR | Post-Implementation Review |
## 5. Change Categories
### 5.1 Standard Changes
Pre-approved, low-risk, routine changes:
- Password resets
- User account creation
- Approved software installations
- Scheduled maintenance activities
### 5.2 Normal Changes
Require CAB review and approval:
- Application deployments
- Server configuration changes
- Network modifications
- Database changes
### 5.3 Emergency Changes
Require ECAB approval, used only for:
- Security incidents requiring immediate response
- Critical system failures
- Regulatory compliance issues
## 6. Procedure
### 6.1 Change Request Submission
1. **Complete RFC Form** (FRM-CHG-001)
- Description of change
- Business justification
- Risk assessment
- Implementation plan
- Rollback plan
- Testing plan
- Affected systems/users
2. **Submit RFC**
- Submit via ticketing system
- Attach all supporting documentation
- Identify change window preference
### 6.2 Change Assessment
| Risk Level | Criteria | Approval Required |
|------------|----------|-------------------|
| Low | Single system, no downtime, easy rollback | Change Manager |
| Medium | Multiple systems, planned downtime, tested rollback | CAB |
| High | Critical systems, extended downtime, complex rollback | CAB + Management |
### 6.3 CAB Review Process
1. **Pre-CAB Preparation**
- Review all pending RFCs
- Verify completeness
- Identify conflicts with other changes
2. **CAB Meeting Agenda**
- Review of failed/problematic changes
- Assessment of new RFCs
- Scheduling of approved changes
- Review of change calendar
3. **Decision Outcomes**
- **Approved**: Proceed as planned
- **Approved with conditions**: Requires modifications
- **Deferred**: Reschedule for later review
- **Rejected**: Not approved, requires rework
### 6.4 Change Implementation
1. **Pre-Implementation**
- [ ] Approval documented in ticket
- [ ] Stakeholders notified
- [ ] Backup completed
- [ ] Rollback plan ready
- [ ] Monitoring in place
2. **During Implementation**
- [ ] Follow implementation plan exactly
- [ ] Document each step
- [ ] Test at defined checkpoints
- [ ] Communicate status updates
3. **Post-Implementation**
- [ ] Verify change success
- [ ] Update documentation
- [ ] Close RFC with results
- [ ] Schedule PIR if required
### 6.5 Rollback Criteria
Initiate rollback if:
- Change causes unplanned outage
- Functionality fails verification
- Security vulnerability introduced
- Performance degradation exceeds threshold
- Change window expiring with incomplete work
### 6.6 Emergency Change Process
1. Obtain verbal ECAB approval (minimum 2 members)
2. Document decision and justification
3. Implement with minimal viable scope
4. Complete formal RFC within 24 hours
5. Conduct PIR for all emergency changes
## 7. Change Freeze Periods
No non-emergency changes permitted during:
- Month-end/quarter-end processing
- Major business events
- Holiday periods (as defined)
- Audit periods
## 8. Metrics and Reporting
| Metric | Target |
|--------|--------|
| Change success rate | >95% |
| Emergency change ratio | <5% |
| Unauthorized changes | 0 |
| Average approval time | <3 business days |
## 9. Related Documents
- FRM-CHG-001 Request for Change Form
- FRM-CHG-002 CAB Meeting Minutes
- SOP-INC-001 Incident Response Procedure
---
## Revision History
| Rev | Date | Description | Author |
|-----|------|-------------|--------|
| 1.0 | [DATE] | Initial release | [AUTHOR] |

112
SOPs/General/SOP-001-Document-Control.md Normal file
View File

@@ -0,0 +1,112 @@
# Standard Operating Procedure: Document Control
| Document ID | SOP-001 |
|-------------|---------|
| Title | Document Control |
| Revision | 1.0 |
| Effective Date | [DATE] |
| Author | [AUTHOR] |
| Approved By | [APPROVER] |
| Department | Quality Assurance |
---
## 1. Purpose
To establish a procedure for the creation, review, approval, distribution, and control of documents within the Quality Management System.
## 2. Scope
This procedure applies to all controlled documents including:
- Policies
- Standard Operating Procedures (SOPs)
- Work Instructions
- Forms and Templates
- Specifications
- External documents of external origin
## 3. Responsibilities
### 3.1 Document Owner
- Responsible for document content and accuracy
- Initiates document creation and revision
- Ensures periodic review is performed
### 3.2 Quality Assurance
- Maintains the document control system
- Assigns document numbers
- Manages document distribution
- Archives obsolete documents
### 3.3 Approvers
- Review and approve documents before release
- Ensure documents are adequate for intended purpose
## 4. Procedure
### 4.1 Document Creation
1. Identify the need for a new document
2. Request document number from Quality Assurance
3. Draft document using appropriate template
4. Include all required header information
5. Submit for review and approval
### 4.2 Document Review and Approval
1. Route document to appropriate reviewers
2. Reviewers provide comments within 5 business days
3. Author addresses all comments
4. Final approval by designated approver
5. Quality Assurance releases document
### 4.3 Document Numbering
Documents shall be numbered according to the following convention:
| Type | Prefix | Example |
|------|--------|---------|
| Policy | POL | POL-001 |
| SOP | SOP | SOP-001 |
| Work Instruction | WI | WI-001 |
| Form | FRM | FRM-001 |
### 4.4 Revision Control
1. All changes require documented justification
2. Changes follow same review/approval process as new documents
3. Revision number increments with each approved change
4. Revision history maintained in document footer
### 4.5 Document Distribution
1. Current versions available in document control system
2. Obsolete versions marked and archived
3. Training on new/revised documents as needed
### 4.6 Periodic Review
1. Documents reviewed at least every 2 years
2. Review documented even if no changes made
3. Reviews may result in revision or reaffirmation
## 5. Related Documents
- FRM-001 Document Change Request Form
- FRM-002 Document Review Record
## 6. Definitions
| Term | Definition |
|------|------------|
| Controlled Document | Document managed under document control system |
| Obsolete | Document no longer valid for use |
| Revision | Updated version of a document |
---
## Revision History
| Rev | Date | Description | Author |
|-----|------|-------------|--------|
| 1.0 | [DATE] | Initial release | [AUTHOR] |

134
SOPs/General/SOP-002-CAPA.md Normal file
View File

@@ -0,0 +1,134 @@
# Standard Operating Procedure: Corrective and Preventive Action (CAPA)
| Document ID | SOP-002 |
|-------------|---------|
| Title | Corrective and Preventive Action |
| Revision | 1.0 |
| Effective Date | [DATE] |
| Author | [AUTHOR] |
| Approved By | [APPROVER] |
| Department | Quality Assurance |
---
## 1. Purpose
To establish a systematic process for identifying, investigating, correcting, and preventing nonconformities and potential nonconformities.
## 2. Scope
This procedure applies to:
- Product and process nonconformities
- Customer complaints
- Audit findings
- Process deviations
- Potential nonconformities identified through risk analysis
## 3. Definitions
| Term | Definition |
|------|------------|
| Corrective Action | Action to eliminate the cause of a detected nonconformity |
| Preventive Action | Action to eliminate the cause of a potential nonconformity |
| Root Cause | Fundamental reason for a nonconformity |
| Effectiveness Check | Verification that implemented actions achieved desired results |
## 4. Responsibilities
### 4.1 CAPA Owner
- Investigates the issue
- Identifies root cause
- Develops and implements corrective/preventive actions
- Verifies effectiveness
### 4.2 Quality Assurance
- Manages CAPA system
- Assigns CAPA numbers
- Tracks CAPA status
- Reviews and approves CAPAs
- Reports CAPA metrics to management
### 4.3 Management
- Provides resources for CAPA implementation
- Reviews CAPA trends
- Ensures timely closure
## 5. Procedure
### 5.1 CAPA Initiation
1. Identify nonconformity or potential nonconformity
2. Document issue on CAPA Form (FRM-003)
3. Classify severity and priority
4. Assign CAPA owner
### 5.2 Investigation
1. Gather relevant data and evidence
2. Interview personnel involved
3. Review related documents and records
4. Use appropriate investigation tools:
- 5 Whys
- Fishbone Diagram
- Failure Mode Analysis
### 5.3 Root Cause Analysis
1. Identify potential root causes
2. Verify root cause through evidence
3. Document root cause determination
4. Consider systemic implications
### 5.4 Action Development
1. Develop corrective/preventive actions
2. Assign responsibilities and due dates
3. Assess actions for:
- Appropriateness to problem severity
- Impact on other processes
- Resource requirements
### 5.5 Implementation
1. Execute approved actions
2. Document implementation evidence
3. Update affected documents/processes
4. Provide training as needed
### 5.6 Effectiveness Verification
1. Define effectiveness criteria
2. Allow sufficient time for actions to take effect
3. Collect and analyze data
4. Document verification results
5. If ineffective, reopen CAPA for further action
### 5.7 Closure
1. Review all CAPA documentation
2. Verify all actions completed
3. Confirm effectiveness verified
4. Obtain approval for closure
## 6. CAPA Metrics
Quality Assurance shall track and report:
- Number of open CAPAs
- CAPA aging
- On-time closure rate
- Effectiveness rate
- CAPAs by category/source
## 7. Related Documents
- FRM-003 CAPA Form
- SOP-003 Nonconforming Product Control
- SOP-004 Customer Complaints
---
## Revision History
| Rev | Date | Description | Author |
|-----|------|-------------|--------|
| 1.0 | [DATE] | Initial release | [AUTHOR] |

123
SOPs/General/SOP-003-Training.md Normal file
View File

@@ -0,0 +1,123 @@
# Standard Operating Procedure: Training and Competence
| Document ID | SOP-003 |
|-------------|---------|
| Title | Training and Competence |
| Revision | 1.0 |
| Effective Date | [DATE] |
| Author | [AUTHOR] |
| Approved By | [APPROVER] |
| Department | Human Resources / Quality |
---
## 1. Purpose
To ensure personnel performing work affecting product quality are competent based on appropriate education, training, skills, and experience.
## 2. Scope
This procedure applies to:
- All employees performing quality-affecting activities
- Contractors and temporary personnel
- Personnel requiring GxP training
## 3. Responsibilities
### 3.1 Supervisors/Managers
- Identify training needs for their personnel
- Ensure training is completed before performing tasks
- Evaluate competence of personnel
- Maintain department training records
### 3.2 Human Resources
- Coordinate training programs
- Maintain central training database
- Track training compliance
- Archive training records
### 3.3 Quality Assurance
- Develop QMS-related training
- Approve training curricula for GxP activities
- Audit training compliance
### 3.4 Employees
- Complete assigned training on time
- Maintain current qualifications
- Report training needs to supervisor
## 4. Procedure
### 4.1 Training Needs Assessment
1. Identify competence requirements for each role
2. Document requirements in job descriptions
3. Assess current competence of personnel
4. Identify training gaps
### 4.2 Training Curriculum Development
1. Define learning objectives
2. Develop training materials
3. Identify delivery method:
- Classroom
- On-the-job
- Self-study
- Computer-based
4. Define assessment criteria
5. Obtain approval from Quality (for GxP training)
### 4.3 Training Delivery
1. Schedule training session
2. Document attendance
3. Deliver training per curriculum
4. Assess comprehension through:
- Written test (minimum 80% passing)
- Practical demonstration
- Supervisor observation
### 4.4 Training Documentation
Training records shall include:
- Employee name and ID
- Training title and date
- Trainer name and qualifications
- Assessment results
- Signatures
### 4.5 Retraining Requirements
Retraining is required when:
- Significant document revisions occur
- Performance deficiencies identified
- Extended absence from job function
- Periodic requalification due
### 4.6 New Employee Orientation
All new employees shall complete:
1. Company orientation
2. Quality system overview
3. Job-specific training
4. SOP read and understand for applicable procedures
## 5. Training Records Retention
- Training records maintained for duration of employment
- Records retained 3 years after employee departure
- Records available for regulatory inspection
## 6. Related Documents
- FRM-004 Training Record Form
- FRM-005 Training Assessment Form
- Job Descriptions
---
## Revision History
| Rev | Date | Description | Author |
|-----|------|-------------|--------|
| 1.0 | [DATE] | Initial release | [AUTHOR] |

136
SOPs/General/SOP-004-Internal-Audit.md Normal file
View File

@@ -0,0 +1,136 @@
# Standard Operating Procedure: Internal Audit
| Document ID | SOP-004 |
|-------------|---------|
| Title | Internal Audit |
| Revision | 1.0 |
| Effective Date | [DATE] |
| Author | [AUTHOR] |
| Approved By | [APPROVER] |
| Department | Quality Assurance |
---
## 1. Purpose
To establish a systematic approach for conducting internal audits to verify the effectiveness of the Quality Management System.
## 2. Scope
This procedure covers:
- QMS process audits
- Compliance audits
- Product audits
- System audits
## 3. Definitions
| Term | Definition |
|------|------------|
| Audit | Systematic, independent examination to determine conformance |
| Auditor | Person qualified to perform audits |
| Finding | Observation of conformance or nonconformance |
| Observation | Noted item not rising to level of finding |
## 4. Responsibilities
### 4.1 Lead Auditor
- Plans and schedules audits
- Prepares audit checklists
- Conducts audit activities
- Reports audit findings
### 4.2 Quality Manager
- Maintains audit program
- Qualifies auditors
- Reviews audit reports
- Reports to management
### 4.3 Auditee
- Provides access to areas/records
- Responds to findings
- Implements corrective actions
## 5. Procedure
### 5.1 Annual Audit Schedule
1. Develop annual audit schedule considering:
- Previous audit results
- Process criticality
- Regulatory requirements
- Changes to processes
2. Ensure all QMS processes audited at least annually
3. Obtain management approval
4. Communicate schedule to affected areas
### 5.2 Auditor Qualification
Auditors shall:
- Complete auditor training course
- Conduct at least 2 audits under supervision
- Be independent of area being audited
- Maintain competence through ongoing audits
### 5.3 Audit Preparation
1. Review applicable procedures and standards
2. Review previous audit reports
3. Prepare audit checklist
4. Notify auditee of audit scope and schedule
5. Confirm auditor availability
### 5.4 Conducting the Audit
1. Hold opening meeting with auditee
2. Execute audit checklist
3. Gather objective evidence:
- Document review
- Personnel interviews
- Process observation
4. Document findings with evidence
5. Classify findings:
- Major Nonconformance
- Minor Nonconformance
- Observation
6. Hold closing meeting
### 5.5 Audit Reporting
1. Complete audit report within 5 business days
2. Report shall include:
- Audit scope and criteria
- Personnel interviewed
- Findings with evidence
- Recommendations
3. Distribute report to auditee and management
### 5.6 Finding Resolution
1. Auditee responds with corrective action plan within 10 business days
2. Quality reviews and approves plan
3. Auditee implements corrective actions
4. Auditor verifies effectiveness
5. Close finding upon verification
## 6. Audit Records
Maintain for 5 years:
- Audit schedules
- Checklists
- Reports
- Corrective action records
## 7. Related Documents
- FRM-006 Audit Checklist Template
- FRM-007 Audit Report Template
- SOP-002 CAPA
---
## Revision History
| Rev | Date | Description | Author |
|-----|------|-------------|--------|
| 1.0 | [DATE] | Initial release | [AUTHOR] |

114
SOPs/General/SOP-005-Management-Review.md Normal file
View File

@@ -0,0 +1,114 @@
# Standard Operating Procedure: Management Review
| Document ID | SOP-005 |
|-------------|---------|
| Title | Management Review |
| Revision | 1.0 |
| Effective Date | [DATE] |
| Author | [AUTHOR] |
| Approved By | [APPROVER] |
| Department | Quality Assurance |
---
## 1. Purpose
To ensure top management reviews the Quality Management System at planned intervals to ensure its continuing suitability, adequacy, and effectiveness.
## 2. Scope
This procedure applies to the periodic management review of the QMS, including all processes and quality objectives.
## 3. Frequency
Management reviews shall be conducted:
- At least annually
- More frequently if significant changes occur
- As needed based on quality performance
## 4. Responsibilities
### 4.1 Quality Manager
- Prepares management review agenda and materials
- Facilitates the meeting
- Documents meeting minutes and action items
- Tracks completion of action items
### 4.2 Top Management
- Attends management review meetings
- Reviews QMS performance data
- Makes decisions on QMS improvements
- Allocates resources as needed
### 4.3 Department Managers
- Provides input data for their areas
- Attends management review
- Implements assigned action items
## 5. Management Review Inputs
The following shall be considered:
### 5.1 Actions from Previous Reviews
- Status of action items
- Effectiveness of implemented actions
### 5.2 Changes in Context
- Internal changes (organization, resources)
- External changes (regulations, market)
### 5.3 QMS Performance
- Customer satisfaction and feedback
- Quality objectives achievement
- Process performance metrics
- Nonconformities and corrective actions
- Audit results
- Supplier performance
### 5.4 Resource Adequacy
- Personnel
- Infrastructure
- Work environment
### 5.5 Risk and Opportunities
- Risk assessment results
- Effectiveness of risk controls
- New opportunities identified
### 5.6 Improvement Opportunities
- Process improvements
- Product improvements
- QMS enhancements
## 6. Management Review Outputs
Decisions and actions related to:
- Improvement of QMS and processes
- Product improvement
- Resource needs
- Changes to quality policy or objectives
## 7. Documentation
### 7.1 Meeting Minutes
- Date and attendees
- Items discussed
- Decisions made
- Action items with owners and due dates
### 7.2 Record Retention
- Management review records retained for 5 years
- Available for regulatory inspection
## 8. Related Documents
- FRM-008 Management Review Agenda Template
- FRM-009 Management Review Minutes Template
---
## Revision History
| Rev | Date | Description | Author |
|-----|------|-------------|--------|
| 1.0 | [DATE] | Initial release | [AUTHOR] |

0
SOPs/Incident-Response/.gitkeep Normal file
View File

182
SOPs/Incident-Response/SOP-INC-001-Incident-Response.md Normal file
View File

@@ -0,0 +1,182 @@
# Standard Operating Procedure: Security Incident Response
| Document ID | SOP-INC-001 |
|-------------|-------------|
| Title | Security Incident Response Procedure |
| Revision | 1.0 |
| Effective Date | [DATE] |
| Author | [AUTHOR] |
| Approved By | [APPROVER] |
| Department | IT Security |
---
## 1. Purpose
To establish a structured approach for detecting, responding to, containing, and recovering from security incidents to minimize impact and prevent recurrence.
## 2. Scope
This procedure applies to all security incidents including:
- Unauthorized access attempts
- Malware infections
- Data breaches
- Denial of service attacks
- Phishing attacks
- Lost or stolen devices
- Insider threats
- System compromises
## 3. Responsibilities
### 3.1 All Staff
- Report suspected incidents immediately
- Preserve evidence (do not turn off systems unless directed)
- Follow instructions from incident response team
### 3.2 IT Security Team
- Triage and classify incidents
- Lead response efforts
- Coordinate with stakeholders
### 3.3 Incident Response Manager
- Authorize containment actions
- Escalate to management as needed
- Coordinate external communications
## 4. Incident Classification
| Severity | Criteria | Response Time |
|----------|----------|---------------|
| Critical | Active breach, data exfiltration, ransomware | Immediate |
| High | Confirmed compromise, malware spreading | < 1 hour |
| Medium | Attempted intrusion, isolated malware | < 4 hours |
| Low | Policy violation, suspicious activity | < 24 hours |
## 5. Incident Response Phases
### 5.1 Phase 1: Detection and Reporting
**Detection Sources:**
- Security monitoring tools (SIEM, IDS/IPS)
- User reports
- Vendor notifications
- Audit findings
- Automated alerts
**Reporting:**
1. Document initial observations
2. Report via security hotline or email
3. Complete FRM-INC-001 Incident Report
4. Do NOT attempt remediation without guidance
### 5.2 Phase 2: Triage and Analysis
1. **Initial Assessment**
- Confirm incident is genuine (vs. false positive)
- Classify severity level
- Identify affected systems/data
- Determine initial scope
2. **Evidence Collection**
- System logs
- Network traffic captures
- Memory dumps (if warranted)
- Screenshots
- Preserve chain of custody
3. **Escalation Decision**
- Critical/High: Immediate escalation to management
- Notify legal/compliance if data breach suspected
- Engage external forensics if needed
### 5.3 Phase 3: Containment
**Short-term Containment:**
- Isolate affected systems from network
- Block malicious IPs/domains
- Disable compromised accounts
- Preserve evidence before changes
**Long-term Containment:**
- Apply temporary fixes
- Increase monitoring
- Implement additional controls
- Prepare for eradication
**Containment Decision Matrix:**
| Action | Authority Required |
|--------|-------------------|
| Isolate single workstation | Security Team |
| Disable user account | Security Manager |
| Block network segment | IT Director |
| Shut down production system | Executive approval |
### 5.4 Phase 4: Eradication
1. Identify root cause
2. Remove malware/backdoors
3. Patch vulnerabilities exploited
4. Reset compromised credentials
5. Verify removal is complete
### 5.5 Phase 5: Recovery
1. Restore systems from clean backups
2. Rebuild if necessary
3. Verify integrity before reconnecting
4. Monitor closely post-recovery
5. Confirm normal operations
### 5.6 Phase 6: Post-Incident Review
**Conduct within 5 business days:**
- Timeline reconstruction
- Root cause analysis
- Response effectiveness review
- Lessons learned
- Improvement recommendations
**Documentation:**
- Complete FRM-INC-002 Post-Incident Report
- Update procedures as needed
- Brief stakeholders
## 6. Communication Guidelines
### Internal Communication
| Audience | Information | Method |
|----------|-------------|--------|
| Executive Team | Status, business impact, decisions needed | Phone/meeting |
| IT Staff | Technical details, actions required | Secure channel |
| All Staff | General awareness (if warranted) | Email |
### External Communication
- All external communications through designated spokesperson
- Coordinate with Legal and PR
- Regulatory notifications per compliance requirements
- Customer notifications per contract/law
## 7. Regulatory Notification Requirements
| Regulation | Notification Timeframe | Authority |
|------------|----------------------|-----------|
| HIPAA | 60 days (breach of >500) | HHS OCR |
| GDPR | 72 hours | Supervisory Authority |
| PCI DSS | Immediately | Card brands, acquirer |
| State Laws | Varies | State AG |
## 8. Related Documents
- FRM-INC-001 Incident Report Form
- FRM-INC-002 Post-Incident Report
- Contact list for incident response team
- Vendor/partner contact list
---
## Revision History
| Rev | Date | Description | Author |
|-----|------|-------------|--------|
| 1.0 | [DATE] | Initial release | [AUTHOR] |

1
SOPs/Safety/.gitkeep Normal file
View File

@@ -0,0 +1 @@
# Placeholder

0
SOPs/Security-Operations/.gitkeep Normal file
View File

62
Templates/SOP-Template.md Normal file
View File

@@ -0,0 +1,62 @@
# Standard Operating Procedure: [Title]
| Document ID | SOP-XXX |
|-------------|---------|
| Title | [Title] |
| Revision | 1.0 |
| Effective Date | [DATE] |
| Author | [AUTHOR] |
| Approved By | [APPROVER] |
| Department | [DEPARTMENT] |
---
## 1. Purpose
[State the purpose of this procedure]
## 2. Scope
[Define the scope and applicability]
## 3. Responsibilities
### 3.1 [Role 1]
- [Responsibility]
- [Responsibility]
### 3.2 [Role 2]
- [Responsibility]
- [Responsibility]
## 4. Definitions
| Term | Definition |
|------|------------|
| | |
## 5. Procedure
### 5.1 [Section Title]
[Procedure steps]
### 5.2 [Section Title]
[Procedure steps]
## 6. Related Documents
- [List related procedures, forms, etc.]
## 7. References
- [External standards, regulations, etc.]
---
## Revision History
| Rev | Date | Description | Author |
|-----|------|-------------|--------|
| 1.0 | [DATE] | Initial release | [AUTHOR] |

68
Work Instructions/WI-001-Template.md Normal file
View File

@@ -0,0 +1,68 @@
# Work Instruction: [Title]
| Document ID | WI-001 |
|-------------|--------|
| Title | [Title] |
| Revision | 1.0 |
| Effective Date | [DATE] |
| Author | [AUTHOR] |
| Approved By | [APPROVER] |
| Department | [DEPARTMENT] |
---
## 1. Purpose
[Describe the purpose of this work instruction]
## 2. Scope
[Define what activities this instruction covers]
## 3. Safety Precautions
- [List any safety requirements]
- [Personal protective equipment needed]
- [Hazards to be aware of]
## 4. Equipment/Materials Required
| Item | Specification |
|------|---------------|
| | |
| | |
## 5. Procedure
### Step 1: [Title]
[Detailed instructions]
### Step 2: [Title]
[Detailed instructions]
### Step 3: [Title]
[Detailed instructions]
## 6. Acceptance Criteria
[Define what constitutes successful completion]
## 7. Records
| Record | Location | Retention |
|--------|----------|-----------|
| | | |
## 8. References
- [Related SOPs]
- [Specifications]
- [Standards]
---
## Revision History
| Rev | Date | Description | Author |
|-----|------|-------------|--------|
| 1.0 | [DATE] | Initial release | [AUTHOR] |