lifeplay


Life Science IT AR / VR Playbook
byG

Flowchart
Infrastructure/Platform Features

Hosting of AR/VR applications (application servers)

Hosting AR/VR Applications: Deploying and managing AR/VR apps on infrastructure for user access and immersive experiences.

Key Features

Scalability: Handles growing user base or content complexity.
Low Latency: Reduces lag for real-time interactions.
High Performance: Ensures smooth 3D rendering and interaction.
Accessibility: Allows remote or on-site user access.
Security: Protects sensitive data and intellectual property.

Hosting Options

On-Premise Hosting: Host on internal servers for high control and security.
Cloud Hosting: Use third-party services for scalability and global access.
Hybrid Hosting: Mix of on-premise and cloud for balanced flexibility.
Edge Computing: Hosts near users for low latency and real-time performance.
Dedicated Platforms: Use specialized AR/VR hosting services for ease of use.

Internal Use Case

Primarily SAAS Azure and AWS, hosting for security, with hybrid cloud options if necessary for internal cross-facility access.
BU reach out to IT/OT Ruskin team
• Whole process will be supported by IT/OT Ruskin team
• Collaboration with ITA (Lokesh and Bharath)

External Use Case

Hosting supported by external supplier with the Merck approved compliance:
• Cloud hosting with global reach (e.g., AWS, Azure, Tencent for China).
• For Confidential assets: Hybrid cloud setup or a highly secure private cloud solution from a trusted provider (e.g., AWS, Azure, or GCP), leveraging advanced encryption, data isolation, and compliance with industry standards.

For additional guidance reach out to LS IT IT/OT team
Next steps:
• Approval from EAB (Enterprise Architecture Board) with Template: EAB Documents
• GEAR
• Cyber Security Consultancy

Target Architecture Fit

Internal Use Case

Cloud Hosting Approach: Primarily utilize SaaS Azure hosting for security needs, with hybrid cloud options where necessary to enable cross-facility access. Internal hosting provides cost and operational flexibility, suitable for sensitive internal use.

Data Classification and Security: Align with internal data classification policies, ensuring encryption standards for sensitive data like PII. Internal regulations are less stringent compared to external setups, simplifying compliance efforts.

Change Management: Leverage existing internal change and release management processes. These processes are tailored for internal deployment, focusing on streamlined approvals and in-house documentation.

Development Guidelines: Offer flexible but internally consistent development guidelines that align with organizational security and usability standards. Focus on internal needs rather than rigid external compliance.

Budget Allocation: Emphasize periodic upgrades and maintenance within the internal ITA budget, with reduced reliance on 24/7 support since internal users are the primary beneficiaries.

External Use Case

Need clarification about AR/VR Target Architecture supported by external supplier with the Merck approved compliance:

Global Cloud Hosting: Ensure cloud hosting with a global reach (AWS, Azure, Tencent for China) to meet the diverse needs of external clients and geographic markets.

Data Security Compliance: Adhere to GDPR, PII, and CBDT regulations with mandatory encryption at rest. Implement stringent access controls and external client-specific data protection measures.

Change Management for Vendors: Establish rigorous change and release management protocols for external vendors, including rollback processes and extensive documentation to ensure reliability and client satisfaction.

Development Standards: Enforce strict development guidelines, including coding standards, data access protocols, and security rules, to ensure external vendors meet quality and compliance expectations.

Security Reviews and Certifications: Conduct thorough security reviews with regular vulnerability scans, third-party audits, and adherence to ISO/SOC2 certifications to assure clients of platform security and reliability.

Network Considerations

Internal Use Case

We will validate this with the Network Team in an upcoming Meeting

Internal: Standard connectivity to the Merck network if the device and platform are Org approved; otherwise considered a POC and won't be connected to the Merck network.

Optimized Internal Network: Design a robust internal LAN/WAN setup optimized for low latency to ensure seamless data handling across facilities, particularly for AR/VR applications and other latency-sensitive systems.

Restricted VPN Access: Implement VPN access for internal personnel, ensuring that access is restricted to specific, authorized devices within the organization to maintain security.

Internal Data Flow Optimization: Focus on optimizing internal traffic flows to minimize bottlenecks, enhancing performance for applications hosted in hybrid cloud environments and internal data centers.

Security Monitoring: Deploy internal monitoring tools to oversee network traffic and detect potential threats. Emphasize monitoring within internal infrastructure without relying heavily on external SIEM tools.

Internal Compliance: Ensure all network configurations align with corporate IT standards and internal compliance policies, minimizing the complexity of external regulatory adherence.

External Use Case

External: Just data and compliance until model fetched from Merck's DC or cloud

Depends on Customers Network and Network Policies:

Secure VPN with MFA (MUST): Provide secure VPN access for external vendors with mandatory multi-factor authentication (MFA) to protect sensitive data and maintain robust access control.

External Traffic Monitoring: Use SIEM (Security Information and Event Management) tools to monitor network activity from non-Merck devices, ensuring external connections adhere to strict security protocols.

Cross-Region Connectivity: Establish stable cross-region connectivity to support external users, using cloud-based solutions (AWS, Azure, Tencent) to mitigate latency and ensure consistent performance globally.

Global Network Availability: Leverage a high-performance global network with CDN integration for optimal performance and low latency, ensuring seamless external client access to hosted applications.

Regulatory Adherence (MUST): Ensure network configurations and operations adhere to external data protection and compliance standards (e.g., GDPR, CBDT), particularly for handling client-sensitive data across international borders.

Application Use Cases

Internal Use Case

• Application Selection: Catalogue (Altoura for AR, RealWorldOne/CN2 for VR) or NEW Application onboarding process
• Support Requirement: Managed internally by the IT department (ITA)
• Streaming Functionality: Restricted to internal stakeholders, focusing on internal evaluation rather than customer-facing demos
• SSO Data Usage: Used for internal metrics and efficiency analysis to optimize internal workflows
• Ticketing System: Internal ticketing with moderate response standards as support requirements are less stringent
• Audits and Security: Internal audits to ensure compliance with corporate policies; less intensive external auditing required

External Use Case

Performed by external vendor/customer
• Vendor Management: Engage a central application partner for consistency in quality and integration, or allow flexibility for specialized vendors
• Support Requirement: IT-managed with dedicated support teams for external clients to handle updates, issues, and ticketing
• Streaming Functionality: Utilize secure streaming platforms with limited access for prototypes, ensuring data protection and compliance
• SSO Data Usage: Comprehensive SSO integration for analyzing external client engagement metrics and optimizing based on usage insights
• Ticketing System: External ticketing system (e.g., ServiceNow) with tiered support levels for rapid response and escalation for critical issues

Content Management

No CMS currently in place specifically for 3D data

Internal Use Case

Management and sharing of 3D assets can be handled with internal tools (Teams, Sharepoint, shared drives) as well as utilizing internal data classification and management SOPs.

This doesn't include features such as search or version control, although this can be somewhat mitigated by approved platforms/tools like GitHub or Confluence, which would require requesting access and possible setup, as well as covering potential costs.

External Use Case

Sharing Merck data assets with vendors or customers can be facilitated with internal tools (Teams, Sharepoint or shared drives).

In all cases care must be taken to have an NDA or MSA in place when dealing with data not classified as public LEDOX.

Hardware Procurement

Internal Use Case

Procurement of devices can differ by use case and intended target audience and frequency of need, from a few devices for a POC through integration with End User Support and ability to order from a catalog and charge a cost center. Common points to keep in mind are
• MDM team if Merck network access needed
• Procurement procedures if thresholds met
• Security assessment for new devices/platforms
• Any country/site/environment specific requirements

The end goal of how to best procure devices should be designed by use case for easiest access

External Use Case

Device procurement for external use cases is also project specific. Merck IT will not procure, ship or provide service for AR/VR devices used by external customers/stakeholders. It is recommended that a third-party provider be identified for this purpose, and this could necessitate different providers based on use case, devices needed and countries receiving the device.

Security procedures and network integration at the external customer's site will be facilitated by their organizational SOPs.

Security Assessment Process

1. External Use Case: GDPR compliance, DPO oversight, privacy practices

2. Internal Use Case: Internal DPO oversight

3. Security Assessment Creation: CARMA process
General

DPO Involvement for Use Cases

Internal Use Case

- Internal oversight by DPO

- Contact: rose.peoples@milliporesigma.com and samuel.lee@milliporesigma.com

Security Assessment:

Process to Create/Request Security Assessment:

1. Go to CARMA home page

2. Click on [The system you own] Ex: GRC_002233_Sterile_Filter_Cartridge_Manufacturing_AR_Training_-_InfoClassification 1.pdf

3. Click on "Create Process"

4. Click on the dropdown menu and select "Security Assessment"

5. Click on "Create"

6. Security Consulting group will receive an e-mail and an assessment questionnaire will be created to fill out

The number of questions depends on the vendor's IT security certifications: vendors with ISO or SOC 2 have 20-30; if not, 80-100, to be filled out by the vendor

External Use Case

- GDPR compliance (handling external data for Europe) - needs to be defined

- Ensure DPO oversight in data protection - needs to be defined (verify with IT Sec Team)

Procurement Involvement

Internal Use Case

• Procurement involvement for new supplier selection (starting 200k EUR)
• New Demand (Ralph Schaefer), Extensions / Reoccurring (Niranjana Rajappa)
• SLA and MSA creation
• OR Catalogue

External Use Case

• Handled by Business Unit with Procurement/External Supplier, not managed via IT

Cost Split of Projects Depending on the Use Case

Internal Use Case

Shared cost model between IT and business, with allocation based on usage, support levels, and client requirements.

External Use Case

Business to cover based on usage, support levels, and client requirements.

Cost Management

Internal Use Case

Approved budget + Run

External Use Case

Approved budget + Run
