Data integrity PIC S
good practices for data management and integrity in regulatory GMP/GDP environments
good practices for data management and integrity in regulatory GMP/GDP environments
Create successful ePaper yourself
Turn your PDF publications into a flip-book with our unique Google optimized e-Paper software.
9.5 System security for computerised systems
Item: System security
1. Expectation
User access controls shall be configured and enforced to prohibit
unauthorised access to, changes to and deletion of data. The extent of
security controls is dependent on the criticality of the computerised system.
For example:
- Individual Login IDs and passwords should be set up and assigned
for all staff needing to access and utilise the specific electronic
system. Shared login credentials do not allow for traceability to the
individual who performed the activity. For this reason, shared
passwords, even for reasons of financial savings, should be
prohibited. Login parameters should be verified during validation of
the electronic system to ensure that login profiles, configuration and
password format are clearly defined and function as intended.
- Input of data and changes to computerised records should be made
only by authorised personnel. Companies should maintain a list of
authorised individuals and their access privileges for each electronic
system in use.
- Appropriate controls should be in place regarding the format and
use of passwords, to ensure that systems are effectively secured.
- Upon initially having been granted system access, a system should
allow the user to create a new password, following the normal
password rules.
- Systems should support different user access roles (levels) and
assignment of a role should follow the least-privilege rule, i.e.
assigning the minimum necessary access level for any job function.
As a minimum, simple systems should have normal and admin
users, but complex systems will typically requires more levels of
users (e.g. a hierarchy) to effectively support access control.
- Granting of administrator access rights to computerised systems
and infrastructure used to run GMP/GDP critical applications should
be strictly controlled. Administrator access rights should not be
given to normal users on the system (i.e. segregation of duties).
- Normal users should not have access to critical aspects of the
computerised system, e.g. system clocks, file deletion functions,
etc.
- Systems should be able to generate a list of users with actual
access to the system, including user identification and roles. User
lists should include the names or unique identifiers that permit
identification of specific individuals. The list should be used during
periodic user reviews.
- Systems should be able to generate a list of successful and
unsuccessful login attempts, including:
o User identification
o User access role
o Date and time of the attempted login, either in local time or
traceable to local time
o Session length, in the case of successful logins
PI 041-1 40 of 63 1 July 2021