Standard Operating Procedure (SOP) for the Physical and Logical Control Policy of computer systems, to fulfill the requirements of 21 CFR Part 11 under cGMP activity in a pharmaceutical drug manufacturing unit.
Computer System Control Policy
To define the process of the physical and logical security policy of the computer system.
This applies to all computer systems used in GxP environments of the pharmaceutical plant.
Good Automated Manufacturing Practices V5 (GAMP 5)
21 CFR Part 11
4.0 Responsibilities – Computer System Policy:
Prepare the security plan with the consultation of the functional owner or assignee.
Prepare security administration SOP (Computer System Policy) with the consultation of the functional owner or assignee.
Approve security plan and security admin SOP.
To approve the security plan and security admin SOP reviewed by I.T. designee.
5.0 Abbreviations and Definition of Terms – Computer System Policy:
GxP: Good (x) Practices, where x: L = Laboratory, M = Manufacturing, C = Clinical, D = Distribution, Q = Quality
GAMP 5: Good Automated Manufacturing Practices v5
IT: Information Technology
OSS: Open Source Software
UPS: Uninterrupted Power Supply
Definition of Terms:
Logical Security – Computer System Policy:
Logical Security consists of software safeguards for an organization’s systems, including user identification and password access, authentication, access rights, and authority levels.
These measures are to ensure that only authorized users are able to perform actions or access information in a network or a workstation.
It is a subset of computer security/control policy.
Physical Security – Computer System Policy:
Physical security describes security measures that are designed to deny unauthorized access to facilities, equipment, and resources, and to protect personnel and property from damage or harm (such as espionage, theft, or terrorist attacks).
Computer system policy for physical security involves the use of multiple layers of interdependent systems, which include CCTV surveillance, security guards, protective barriers, locks, access control protocols, and many other techniques.
6.0 Procedure – Computer System Control Policy:
Process Overview – Computer System Policy:
Security management is the process that ensures the confidentiality, integrity, and availability of an organization’s regulated systems, records, and processes.
Implement the measures to ensure that GxP regulated computerized systems and data are adequately and securely protected against willful or accidental loss, damage, or unauthorized change.
Implement the appropriate physical and logical controls.
The extent of the controls shall be based on risk, which includes, but is not limited to, the following factors:
1. Regulatory and business requirements associated with the intended use of the computer system.
2. Impact on product quality, safety, and record integrity
3. The complexity of the computer system
4. Number of users
5. Potential for breach of security
6. Maturity of technology
A security plan and Security Administration SOP are required to support the validation policy of the computer system.
Security Planning – Computer System Policy:
Security planning involves defining and documenting the physical as well as logical control policy for the computer system.
Keep the security planning document current.
Description of data security Model:
The data security model describes the planned/actual security mechanisms used for the system.
The description shall include, but is not limited to:
1. Type of data handled by the system
2. Type of user
3. Identity and authentication mechanisms used
4. Authorization mechanisms used
5. Confidentiality mechanisms used
6. Integrity mechanisms used
7. Availability required and how it will be ensured
Physical Controls Policy of Computer System:
Keep the physical controls policy in place to protect the computer system from willful or accidental loss, damage, or unauthorized change.
These shall include, but are not limited to:
1. Building or room access
2. Fire Protection
3. Mechanism used for controlled access
4. Temperature and humidity control
5. Electrical backup and Uninterrupted Power Supply
Logical Controls Policy of Computer System:
Establish appropriate logical controls to protect information assets and limit access to authorized users across the computer system life cycle.
Items in scope include hardware, software (including source code), documentation, and data.
These controls must include, but are not limited to:
Define the logical/role-based access levels, including any special access privileges.
Different types of groups, third-party access, and supplier access.
This shall also include access privileges and control.
|User Role|Access Privilege|Responsibilities|
|---|---|---|
|System Administrator|Manage|Responsible for adding/deleting users from the system, monitoring system logs|
|Supervisor|Read, Write|Must be able to read and write analysis datasets for a specified study|
|Analyst|Add|Allowed to add new analysis datasets for a specified study|
Access privileges and control
|Access Privilege|Control Limit|
|---|---|
|Read or View only (R)|Allows read-only access to <specify granularity as described above>|
|Write or Modify (W)|Allows read and write access to <specify granularity as described above>|
|Add (A)|Allows new <objects> to be added to the system|
|Delete (D)|Allows <objects> to be deleted from the system|
|Manage (M)|Allows a system administrator to manage <objects> within the system|
Define the elevated/additional access privileges.
Groups or individuals to be given elevated access privileges, such as system administrators, must be identified.
This also covers additional access beyond the default, for example an analyst who has view rights but, for some reason, also needs review rights.
Mitigate conflicts of interest appropriately.
Identify the potential conflicts of interest (e.g. the ability for the same individual to request, grant, and approve access for themselves) along with the mitigations in place to address those conflicts.
Assign accounts to an individual; accounts shall not be shared.
Any accounts that are not assigned to an individual person (i.e. accounts established for other computer systems, batch job accounts, and administrative accounts) must be described.
User IDs and passwords or other credentials (e.g. PINs, biometrics) should be strong.
Describe the requirement for system-enforced user IDs and passwords, including the minimum number of characters and complexity.
Adequately protect the data to ensure its integrity.
Describe the methods used to protect the confidentiality and/or integrity of data stored/transmitted internally.
Restrict the re-use of recent passwords.
Describe the system control related to password re-use.
Fix the password age.
Describe the frequency of any system enforced password changes.
Configure the session time.
Describe the timeouts for unattended use.
Restrict the access to the system clock to appropriate personnel.
Describe the method used to restrict access to the system clock to appropriate individuals.
Implement protection against viruses and other malware. Describe this protection.
Accounts shall be locked out/deactivated, where appropriate, based on security-related triggers.
Triggers for any security-related deactivation of accounts must be described, along with any requirements for resetting the account, e.g. security breaches, exceeding a maximum number of access attempts, etc.
Password Storage and transmission – Computer System Policy:
Do not store or transmit passwords in plain text in any system or media.
All passwords should be encrypted using an appropriately strong algorithm.
Default Accounts and Passwords – Computer System Policy:
Disable default accounts, if possible.
If an account cannot be disabled, change the default passwords immediately upon installation and configuration of the system.
Unique User Identification – Computer System Policy:
Establish the processes to ensure the uniqueness of the ID throughout the retention period of the records maintained by the system.
All users shall have a unique user ID.
A user ID shall never be reassigned to any user other than the one to whom it was originally assigned.
Describe or refer to the process that ensures the uniqueness of the user ID.
Software Security Updates – Computer System Policy:
Whenever a critical security-related patch/service pack is available, evaluate it carefully to determine the potential impact on the system.
Based on the risk, decide whether to implement the security patch/service pack.
Virus Protection – Computer System Policy:
Install and enable virus protection software on all computer systems connected to the network.
Any system on which anti-virus is not installed (exceptions) needs to be documented and approved, with a rationale justifying why such software is not installed.
For such exceptions, document a process for ensuring that they are protected from viruses, worms, Trojan horses, and malware.
Use of Public Domain Software – Computer System Policy:
Any use of software in the public domain (e.g. OSS, Shareware, Freeware) must include controls to ensure that the introduction of this type of software does not have a negative impact.
Approval Requirement – Computer System Policy:
The security planning document must be agreed by the IT owner and Functional owner to signify that:
All appropriate persons have reviewed the document.
Any security risks or limitations and risk mitigation procedures associated with the system are understood and accepted.
IT Owner to signify that:
All appropriate persons have reviewed the document.
The plan is accurate and complete.
Security Administration Processes – Computer System Policy:
Security administration processes, including computer system account and password management, must be determined and documented to protect and limit access to the system and documentation to authorized users.
The processes shall address access review, physical security, logical security, and electronic signature devices (if applicable).
Access Review – Computer System Policy:
Access to each secured physical location and computer system accounts must be periodically reviewed to ensure that only authorized personnel have access and that access levels are appropriate.
The security administration access review process must outline the steps for conducting and documenting the review, including the resulting actions.
Physical Security – Computer System Policy:
Access to secure physical locations should be controlled.
The security administration processes must describe the process of access management.
This description shall include, but is not necessarily limited to:
– Process of requesting access.
– Verification process that the access requested is appropriate (i.e. privileges are consistent with job function and responsibilities).
– Process and responsibility for documenting and approving the creation, change, and cancellation of access authorizations.
– Process for ensuring that the access is removed from those who no longer require it (e.g. when an individual leaves the company or the area, or there is a change in roles).
Describe a sign-out process for the issuance of keys at the time of use.
This process shall include documenting who issued the key, who received the key, the specific key issued, the date and time the key was issued, and the date and time the key was returned.
Temporary Access – Computer System Policy:
The security administration processes must describe a process for controlling temporary physical access to controlled areas.
For example, access needed by a supplier.
Logical Security – Computer System Policy:
Establishing and modifying access (including temporary and special)
Authorization for access to computer systems.
The security administration process must describe how to establish and modify access accounts, including how to grant special access privileges.
The account access management process shall include, but is not necessarily limited to, the following:
Define the process for requesting access.
The process shall include the means for verifying that the access requested is appropriate (e.g. privileges are consistent with required functionality).
The process and responsibility for documenting and approving the creation of access authorizations must be defined.
Remove access that is no longer required in a timely manner.
The process and responsibility for documentation and timely changes/cancellation of access authorizations must be described.
Required training must be completed before access is granted.
Define a process for ensuring the completion of required training prior to establishing access.
Generate passwords with appropriate strength and communicate them securely.
The process for initially creating or resetting passwords and communicating to the owner must be defined.
Grant temporary access only for the period of time that access is required.
The time period that the temporary access will be in place, as well as the means to ensure the temporary access is removed when the time period has expired, shall be defined.
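The following is an added example, not part of the SOP, of how a periodic access review can check account records against the role table, the conflict-of-interest rule, the non-individual account rule, and the temporary access rule described above. The record fields, user IDs, and dates are hypothetical and constructed for illustration.

```python
from datetime import date

# Role defaults from the page's role table (M=Manage, R=Read, W=Write, A=Add).
ROLE_PRIVILEGES = {"System Administrator": {"M"}, "Supervisor": {"R", "W"}, "Analyst": {"A"}}

# Constructed sample records; field names and values are hypothetical.
ACCOUNTS = [
    {"user_id": "u001", "owner": "analyst-1", "role": "Analyst", "privileges": {"A"},
     "requested_by": "analyst-1", "approved_by": "supervisor-1"},
    {"user_id": "u002", "owner": "analyst-2", "role": "Analyst", "privileges": {"A", "W"},
     "requested_by": "analyst-2", "approved_by": "analyst-2"},
    {"user_id": "svc_batch", "owner": None, "role": "System Administrator",
     "privileges": {"M"}, "requested_by": "it-1", "approved_by": "owner-1"},
    {"user_id": "tmp_vendor", "owner": "supplier-1", "role": "Supervisor", "privileges": {"R"},
     "requested_by": "it-1", "approved_by": "owner-1", "expires": date(2024, 1, 31)},
]

def review_account(acct, today):
    """Return the findings for one active account record."""
    findings = []
    # Privileges beyond the role default need a documented elevated-access approval.
    extra = acct["privileges"] - ROLE_PRIVILEGES.get(acct["role"], set())
    if extra and not acct.get("elevation_approved_by"):
        findings.append("unapproved privileges: " + ",".join(sorted(extra)))
    # Conflict of interest: the same individual requested and approved the access.
    if acct["requested_by"] == acct["approved_by"]:
        findings.append("requester approved own access")
    # Accounts not assigned to an individual must be described.
    if acct["owner"] is None and not acct.get("description"):
        findings.append("non-individual account without description")
    # Temporary access must be removed once its period has ended.
    if acct.get("expires") and acct["expires"] < today:
        findings.append("temporary access expired but still active")
    return findings

def access_review(accounts, today):
    """Map user ID to findings, listing only accounts that need action."""
    report = {}
    for acct in accounts:
        found = review_account(acct, today)
        if found:
            report[acct["user_id"]] = found
    return report

if __name__ == "__main__":
    for uid, found in access_review(ACCOUNTS, date(2024, 3, 1)).items():
        print(uid, found)
```

The returned report is the documented output of the review; each finding maps to a resulting action such as removing the privilege, re-approving through a second person, or deactivating the account.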
Deactivating Access – Computer System Policy:
The security administration process must describe how to deactivate access.
Accounts that are no longer needed shall be deactivated permanently and not deleted.
Unauthorized Access Attempts – Computer System Policy:
The security administration processes shall address the monitoring of unsuccessful access attempts and the reporting of unauthorized access attempts when they are detected.
Enable this during the use of electronic signatures.
This unauthorized access monitoring process shall include, but is not necessarily limited to, the following:
– Method of monitoring.
– Frequency of monitoring.
– Description of the appropriate triggers or events to initiate a review.
– Triggers, methods, and processes for notifying the appropriate individuals of unauthorized access attempts or account deactivation.
– Appropriate measures to address any instances of unauthorized access attempts.