Appendix O3:
Guideline for Automated System Security
1. Introduction
This is a Guideline describing the measures that should be implemented to ensure that GxP regulated automated systems and data are adequately and securely protected against wilful or accidental loss, damage, or unauthorized change. Such measures should ensure the continuous control, integrity, availability, and (where appropriate) the confidentiality of regulated data.
2. Scope
This Guideline applies to all GxP regulated automated systems, and the scope includes all hardware, software, infrastructure, and electronically stored data. The security controls described include both electronic and physical means.
3. Responsibilities
3.1 User Company Management
Appoints the System Owner for each automated system, investigates security incidents when they are reported, and institutes corrective actions as required.
3.2 System Owner
The System Owner is defined as the person ultimately responsible for the operation of a system, and the data residing on that system.
The System Owner assures that the security requirements for the automated system are specified, implemented, and maintained in accordance with company policy and procedure. The System Owner, together with others, such as the Quality Assurance function and technical experts, ensures that the security risks associated with the automated system are evaluated, documented, and mitigated. Unless otherwise specified, the head of the functional unit or department using an automated system is the System Owner. The System Owner should ensure that the impact of organizational changes on access rights is managed.
3.3 Platform Owner
Automated systems consist of application software running on a hardware platform with the help of system software. System software includes, for example, operating systems, database management systems, editors, and a communication system infrastructure (the network) if the application is shared or distributed. The platform of an automated system is defined as consisting of both the hardware platform and the related system software on which the application software is executed.
The Platform Owner is the person responsible for the day-to-day operation of the platform, and for ensuring that the defined, platform-specific security requirements are implemented and maintained.
If the management and control of the platform is wholly or partly outsourced, a formal agreement, supported by audit or other verification, should be established to ensure that the defined security requirements are implemented.
3.4 The End-user
The user of the automated system is responsible for complying with the defined security requirements outlined in this Guideline during the daily use of the automated system.
4. Principles
The following four elements should be addressed when considering the requirements for and the implementation of security measures:
System classification
Employee awareness
Incident management
Information security policy
4.1 System Classification
The System Owner should ensure that the automated system is classified according to the nature of the data and records it processes. Systems are regulated if they process data and records subject to regulatory control or inspection.
4.2 Employee Awareness
Management should ensure that employee awareness of automated systems security is maintained via the implementation of effective communication and education programmes. Such programmes should include all employees (permanent, part-time, and short term contract) and any others with access to systems. Management should ensure that all end-users are made aware that their activities may be monitored and that action could be initiated against any employee not following policies and procedures. In addition, effective awareness programmes should be designed to cover all aspects of security described in this Guideline.
4.3 Incident Management
All security incidents should be reported to the System Owner and Platform Owner. Significant security incidents (i.e., those involving fraudulent activity, falsification or adulteration of data, loss of data, or external breaches of network security) should be reported to senior management. The incidents should be formally documented, the causes investigated, and corrective action proposed, implemented, and closed out. A regular review of incidents should be undertaken to determine if any trends or threats can be identified.
4.4 Information Security Policy
The company or organization should develop an Information Security policy defining the rules and guidance regarding use of and access to systems. The policy should state conditions for the use of automated systems, e.g., rules for private use. The policy should also account for the use of controlled or qualified PCs to ensure the validation status is not compromised. Topics that should be covered include:
Physical security
System access security, including user-ids and the issue and control of passwords
E-mail systems
Shared network resources
Internet access and use
Use of laptop computers
Software licenses: new purchase and installation
External automated systems
Operating procedures should be defined and approved that describe how the policy is implemented.
5. Requirements
Table 5.1: Requirements and Responsibilities
R = Responsible for

Operations Management Requirements | User | System Owner | Platform Owner
Support and operation should be organized so that they do not rely on a single individual.
R
Production, development, test, and validation environments should be adequately separated when applicable.
R R
A regularly updated virus shield should be installed on all PCs that connect to the network and other PCs, as applicable.
R R
When outsourced, networks and servers should be protected against viruses through a formal agreement.
A regularly updated virus shield should be installed on all mail servers and gateways. In case the mail servers or gateways are outsourced, a formal agreement should specifically ensure this requirement.
R R
All other servers on the network should be scanned periodically, and an updated virus shield should be installed.
R
The origin of all installed software should be checked in order to minimize the risk of introducing viruses or other malicious code.
R R R
Communications Management Requirements | User | System Owner | Platform Owner

Additional security controls and encryption of regulated data and records should be considered, based upon an analysis of potential access and risk to those records.
R R
All security aspects related to physical connections to external networks, such as the Internet or other extranets, should be reviewed and approved by the Network Owner, the System Owner and the Platform Owner.
R R
Remote access solutions should comply with specific security requirements defined and maintained by Network Owners.
R
Remote access solutions should log each remote access.
R
A formal agreement should be established and approved by the owners and managers of classified or sensitive automated systems for the secure exchange of data and records to and from their respective automated systems between individuals or organizations, e.g., extranet, e-commerce servers.
R
Where there is a business need for third party access or outsourcing, a Risk Assessment should be carried out to determine security implications and control requirements. Security controls should be defined in a formal agreement.
Physical & Environmental Security Requirements | User | System Owner | Platform Owner

Systems and platforms should be physically protected from unauthorized access, damage, and interference.
R R R
When stored separately, records and data, and copies of these, created by regulated systems should be stored securely and safely.
R R R
Diskettes or other media carrying data and records created by classified or sensitive automated systems should not be reused unless employing at least the same level of security as was previously the case, and should be effectively erased before disposal.
R R R
Access Control Requirements | User | System Owner | Platform Owner

Systems and platforms should be protected by an access control system.
R R
Controls should be applied to protect information in accordance with relevant legislation. Adequate measures should be taken to prevent unauthorized disclosure of sensitive information about individuals.
R R R
Regulated electronic records should be protected using access control.
R R
Individual user accounts should be accessed by means of a combination of a unique user ID and a password, or a similarly secure mechanism.
R R
Technical user accounts, multi-user accounts, or keys should be owned by the System Owner or designee.
R R
User accounts or keys should be issued based on a work-related need and authorised by the System Owner, who should maintain an up-to-date list of users who have access and their level of access. A person independent of the authorizer should execute granting and revoking of access privileges in accordance with written procedures. A signed record should be kept.
R R
User access right lists should be reviewed at least annually and revoked where no longer required.
R R
Passwords should be managed and used in a secure manner.
R R R
A password protected screen saver should be activated when leaving the workstation. The Platform Owner should define timeout periods.
R R
Passwords should be constructed using both numeric and alphabetic characters, and a minimum length should be specified. Users should change their passwords regularly.
R R R
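The access control rows above ask for three things that are easy to state and easy to let slip: the person who executes a grant must be independent of the authorizer, access lists must be reviewed at least annually, and organizational changes must be reflected in access rights. The following is an added example, not part of the Guideline, of how a System Owner's annual review could be reconciled mechanically against an HR roster. The roster, access list, field names, and dates are all constructed for the example; a real review would read them from the identity system and HR export.

```python
"""Access-rights reconciliation for an annual review (added example).

Checks an access list against the Guideline's access control rules:
grants executed by someone other than the authorizer, annual review of
rights, technical/shared accounts with a named owner, and revocation
after organizational changes. All data and field names are constructed.
"""
from datetime import date, timedelta
from typing import Dict, List, Tuple

# Constructed HR roster: user_id -> employment status. "left" and
# "transferred" are the organizational changes the System Owner must act on.
HR_ROSTER: Dict[str, str] = {
    "jdoe": "active",
    "asmith": "active",
    "bwong": "left",
    "mklein": "transferred",
    "svc_lims": "active",   # technical account, no individual behind it
}

# Constructed access list for one regulated system.
ACCESS_LIST: List[dict] = [
    {"user_id": "jdoe", "level": "operator", "kind": "individual",
     "authorized_by": "sysowner", "granted_by": "itadmin",
     "last_reviewed": date(2024, 3, 1)},
    {"user_id": "asmith", "level": "admin", "kind": "individual",
     "authorized_by": "sysowner", "granted_by": "sysowner",   # same person
     "last_reviewed": date(2024, 3, 1)},
    {"user_id": "bwong", "level": "operator", "kind": "individual",
     "authorized_by": "sysowner", "granted_by": "itadmin",
     "last_reviewed": date(2022, 11, 15)},                    # leaver, stale
    {"user_id": "mklein", "level": "reviewer", "kind": "individual",
     "authorized_by": "sysowner", "granted_by": "itadmin",
     "last_reviewed": date(2024, 3, 1)},
    {"user_id": "svc_lims", "level": "admin", "kind": "technical",
     "authorized_by": "sysowner", "granted_by": "itadmin",
     "owner": None,                                            # no designee
     "last_reviewed": date(2024, 3, 1)},
]

REVIEW_INTERVAL = timedelta(days=365)   # "at least annually"
AS_OF = date(2025, 1, 10)               # constructed review date


def review_access(entries: List[dict], roster: Dict[str, str],
                  today: date) -> List[Tuple[str, str]]:
    """Return (user_id, finding) pairs for every rule the entry breaks."""
    findings: List[Tuple[str, str]] = []
    for e in entries:
        uid = e["user_id"]
        # Granting must be executed by a person independent of the authorizer.
        if e["authorized_by"] == e["granted_by"]:
            findings.append((uid, "grant executed by the authorizer; no independent execution"))
        # Leavers, transfers and unknown accounts must be revoked or re-authorized.
        status = roster.get(uid, "not in roster")
        if status != "active":
            findings.append((uid, f"account holder is '{status}': revoke or re-authorize"))
        # Technical and multi-user accounts need a System Owner or designee.
        if e["kind"] != "individual" and not e.get("owner"):
            findings.append((uid, "technical/shared account has no System Owner designee"))
        # Rights must have been reviewed within the last 12 months.
        if today - e["last_reviewed"] > REVIEW_INTERVAL:
            findings.append((uid, "access review overdue (older than 12 months)"))
    return findings


def run_review() -> List[Tuple[str, str]]:
    return review_access(ACCESS_LIST, HR_ROSTER, AS_OF)


if __name__ == "__main__":
    for uid, finding in run_review():
        print(f"{uid:10s} {finding}")
```

The output is the list the System Owner signs off on: each finding names the account and the rule it breaks, so the revocation or re-authorization can be recorded against it. Running the same reconciliation monthly, rather than only at the annual review, is what actually catches leavers in time.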
System Monitoring Requirements | User | System Owner | Platform Owner

Regulated systems or their platforms should generate a system log. The log should include:
R R
All logon attempts, including at least the date and time of their occurrence and the user identification
All external attempts to access or modify the content, structure, or context of data and records
Use of user accounts with system or platform privileges
All changes to the system or platform parameters
R R
Regulated systems and their respective platforms should generate an audit trail. This audit trail should include:
All operator entries and actions that modify the content, structure, and context of data and records
The date and time of the operator entry and action
The operator identification
System logs and audit trails should be reviewed regularly, and special attention should be given to user accounts granted to external parties.
R R
System logs and audit trails should be protected, and stored safely and securely for a period specified by procedures, according to relevant laws and regulations.
R R
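The monitoring rows list what a system log must capture (logon attempts, external access to records, privileged account use, parameter changes) and require that reviews look especially at accounts granted to external parties. What a "regular review" looks like in practice is left open, so the following is an added example, not part of the Guideline, of a review script run over a small constructed log. The key=value log format, the event names, the internal address range, and the external account list are all assumptions; a real system's log format will differ and the parser would change accordingly.

```python
"""Regular review of a system log (added example, constructed data).

Flags the items the Guideline's monitoring rows single out: bursts of
failed logons, use of privileged accounts, changes to system parameters,
modification of records from outside the internal network, and any
activity by accounts granted to external parties.
"""
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed sample log: ISO timestamp followed by key=value fields.
SAMPLE_LOG = """\
2024-06-03T08:01:12Z host=lims01 event=LOGON user=jdoe result=SUCCESS src=10.1.2.3
2024-06-03T08:02:40Z host=lims01 event=LOGON user=asmith result=FAIL src=10.1.2.9
2024-06-03T08:02:55Z host=lims01 event=LOGON user=asmith result=FAIL src=10.1.2.9
2024-06-03T08:03:10Z host=lims01 event=LOGON user=asmith result=FAIL src=10.1.2.9
2024-06-03T08:03:30Z host=lims01 event=LOGON user=asmith result=SUCCESS src=10.1.2.9
2024-06-03T09:15:00Z host=lims01 event=PRIV_USE user=root via=jdoe src=10.1.2.3
2024-06-03T10:20:05Z host=lims01 event=PARAM_CHANGE user=root param=audit_retention_days old=3650 new=30
2024-06-03T11:00:00Z host=lims01 event=LOGON user=vendor_support result=SUCCESS src=203.0.113.7
2024-06-03T11:04:21Z host=lims01 event=RECORD_MODIFY user=vendor_support record=BATCH-0042 field=result src=203.0.113.7
"""

INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]   # assumed site range
EXTERNAL_ACCOUNTS = {"vendor_support"}                  # granted to a third party
FAIL_THRESHOLD = 3                                      # failures ...
FAIL_WINDOW = timedelta(minutes=5)                      # ... within this window


def parse_line(line: str) -> dict:
    """Split 'TIMESTAMP k=v k=v ...' into a dict with a datetime under 'ts'."""
    ts, *fields = line.split()
    rec = {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")}
    for field in fields:
        key, _, value = field.partition("=")
        rec[key] = value
    return rec


def is_external(src: str) -> bool:
    addr = ipaddress.ip_address(src)
    return not any(addr in net for net in INTERNAL_NETS)


def review_log(text: str) -> Dict[str, List[str]]:
    findings: Dict[str, List[str]] = defaultdict(list)
    failures: Dict[str, List[datetime]] = defaultdict(list)
    for line in text.splitlines():
        r = parse_line(line)
        event, user, ts = r["event"], r.get("user", "?"), r["ts"]
        if event == "LOGON" and r.get("result") == "FAIL":
            failures[user].append(ts)
            recent = [t for t in failures[user] if ts - t <= FAIL_WINDOW]
            if len(recent) >= FAIL_THRESHOLD:
                findings["failed_logon_burst"].append(
                    f"{user}: {len(recent)} failures within {FAIL_WINDOW} ending {ts:%H:%M:%S}")
        if event == "PRIV_USE":
            findings["privileged_use"].append(f"{user} via {r.get('via', '?')} at {ts:%H:%M:%S}")
        if event == "PARAM_CHANGE":
            findings["parameter_change"].append(
                f"{r.get('param')} {r.get('old')} -> {r.get('new')} by {user}")
        if event == "RECORD_MODIFY" and is_external(r["src"]):
            findings["external_record_access"].append(
                f"{user} modified {r.get('record')}.{r.get('field')} from {r['src']}")
        if user in EXTERNAL_ACCOUNTS:
            findings["external_party_account"].append(f"{event} by {user} at {ts:%H:%M:%S}")
    return dict(findings)


def review_sample() -> Dict[str, List[str]]:
    return review_log(SAMPLE_LOG)


if __name__ == "__main__":
    for category, items in review_sample().items():
        print(category)
        for item in items:
            print("   ", item)
```

Two of the constructed entries deserve a second look in any real review: a privileged account shortening the audit trail retention is exactly the kind of parameter change the Guideline wants logged, and the external vendor account modifying a batch result from outside the site network hits both the "external attempt to modify records" and the "external party account" criteria at once. The script only surfaces these; deciding whether each was authorized is the reviewer's job, and the review itself should be recorded.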
Continuity Planning Requirements | User | System Owner | Platform Owner

A Security Risk Analysis should be performed at an early stage in the development or procurement life cycle and documented.
R
Backup copies of regulated electronic records should be taken regularly.
R R R
Backup copies of electronic records should be properly stored and protected (e.g., stored in a remote location).
R R R
Backup copies should be verified regularly.
R R R
A contingency plan should be established for systems and platforms, where applicable.
R R
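The continuity rows require that backups are taken, protected and verified, but a backup that has only ever been listed, never restored, is unverified in the sense that matters. The following is an added example, not part of the Guideline, of a verification routine that records SHA-256 digests in a manifest when the backup is taken, checks the backup copy against that manifest, and also performs a trial restore and checks the restored files. The directory layout, file names and contents are constructed for the example; it runs entirely in a temporary directory.

```python
"""Backup integrity and restore verification (added example).

make_backup copies a source tree and writes a digest manifest; verify_backup
checks a copy against the manifest; restore_and_verify performs a trial
restore and checks that too. demo() runs the whole cycle on constructed
files and then shows that a silently altered backup file is detected.
"""
import hashlib
import json
import shutil
import tempfile
from pathlib import Path
from typing import Dict, List, Tuple


def sha256_file(path: Path) -> str:
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def make_backup(src: Path, dst: Path) -> Dict[str, str]:
    """Copy every file under src into dst and return {relative path: digest}.

    The manifest is also written into dst for convenience. In practice it
    should be kept separately from the backup (e.g. in the backup catalogue
    at the remote location), so that altering a copy and rewriting its
    manifest are not the same act.
    """
    manifest: Dict[str, str] = {}
    for path in sorted(src.rglob("*")):
        if path.is_file():
            rel = path.relative_to(src).as_posix()
            target = dst / rel
            target.parent.mkdir(parents=True, exist_ok=True)
            shutil.copy2(path, target)          # preserves timestamps
            manifest[rel] = sha256_file(target)  # digest of the copy, not the source
    (dst / "MANIFEST.json").write_text(json.dumps(manifest, indent=2))
    return manifest


def verify_backup(copy: Path, manifest: Dict[str, str]) -> List[str]:
    """Return a list of problems; an empty list means the copy is intact."""
    problems: List[str] = []
    for rel, expected in manifest.items():
        path = copy / rel
        if not path.exists():
            problems.append(f"{rel}: missing")
        elif sha256_file(path) != expected:
            problems.append(f"{rel}: digest mismatch")
    return problems


def restore_and_verify(backup: Path, manifest: Dict[str, str], restore_to: Path) -> List[str]:
    """Trial restore into a scratch location, then verify the restored files."""
    for rel in manifest:
        target = restore_to / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(backup / rel, target)
    return verify_backup(restore_to, manifest)


def demo() -> Tuple[List[str], List[str]]:
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        live, backup, restore = root / "live", root / "backup", root / "restore"
        # Constructed regulated records.
        (live / "records").mkdir(parents=True)
        (live / "records" / "batch-0042.xml").write_text("<batch id='0042' result='pass'/>")
        (live / "audit.log").write_text("2024-06-03T10:20:05Z jdoe modified BATCH-0042\n")

        manifest = make_backup(live, backup)
        clean = verify_backup(backup, manifest) + restore_and_verify(backup, manifest, restore)

        # Simulate silent corruption or tampering of one file in the backup copy.
        (backup / "records" / "batch-0042.xml").write_text("<batch id='0042' result='fail'/>")
        corrupted = verify_backup(backup, manifest)
        return clean, corrupted


if __name__ == "__main__":
    clean, corrupted = demo()
    print("after backup and trial restore:", clean or "no problems")
    print("after altering one backup file:", corrupted)
```

The point of the trial restore is that it exercises the same path an incident would: if the restore step fails or the restored files do not match the manifest, the backup is not usable, regardless of what the backup job reported. The verification result, including the date and which backup set was tested, is what gets filed as the record that the backup was verified.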
Security Effectiveness Requirements | User | System Owner | Platform Owner

Platforms, systems, and applications should be challenged regularly to assess the effectiveness of implemented security controls in relation to the current risk profile.
R R
Security challenge testing, e.g., penetration testing, should only be carried out by suitably qualified persons or organizations, and under the supervision of the Platform or System Owner.
R R