Data integrity PIC S

Recommendations

Info

of alternative systems should be justified and documented.Increased data review is likely to be required for hybrid systems.Inspectors should verify that a password policy is in place to ensurethat systems enforce good password rules and require strongpasswords. Consideration should be made to using strongerpasswords for systems generating or processing critical data.Systems where a new password cannot be changed by the user,but can only be created by the admin, are incompatible with dataintegrity, as the confidentiality of passwords cannot be maintained.Check that user access levels are appropriately defined,documented and controlled. The use of a single user access levelon a system and assigning all users this role, which per definitionwill be the admin role, is not acceptable.Verify that the system uses authority checks to ensure that onlyauthorised individuals can use the system, electronically sign arecord, access the operation or computerised system input or outputdevice, alter a record, or perform the operation at hand.2. ExpectationComputerised systems should be protected from accidental changes ordeliberate manipulation. Companies should assess systems and theirdesign to prevent unauthorised changes to validated settings that mayultimately affect data integrity. Consideration should be given to:- The physical security of computerised system hardware:o Location of and access to servers;o Restricting access to PLC modules, e.g. by locking accessopanels.Physical access to computers, servers and media should berestricted to authorised individuals. Users on a systemshould not normally have access to servers and media.- Vulnerability of networked systems from local and external attack;- Remote network updates, e.g. automated updating of networkedsystems by the vendor.- Security of system settings, configurations and key data. Access tocritical data/operating parameters of systems should beappropriately restricted and any changes to settings/configurationcontrolled through change management processes by authorisedpersonnel.- The operating system clock should be synchronized with the clockof connected systems and access to all clocks restricted toauthorised personnel.- Appropriate network security measures should be applied, includingintrusion prevention and detection systems.- Firewalls should be setup to protect critical data and operations.Port openings (firewall rules) should be based on the least privilegepolicy, making the firewall rules as tight as possible and therebyallowing only permitting traffic.Regulated users should conduct periodic reviews of the continuedappropriateness and effectiveness of network security measures, (e.g. bythe use of network vulnerability scans of the IT infrastructure to identifyPI 041-1 42 of 63 1 July 2021
potential security weaknesses) and ensure operating systems aremaintained with current security measures.Potential risk of not meeting expectations/items to be checked Check that access to hardware and software is appropriatelysecured, and restricted to authorised personnel. Verify that suitable authentication methods are implemented. Thesemethods should include user IDs and passwords but other methodsare possible and may be required. However, it is essential that usersare positively identifiable. For remote authentication to systems containing critical dataavailable via the internet; verify that additional authenticationtechniques are employed such as the use of pass code tokens orbiometrics. Verify that access to key operational parameters for systems isappropriately controlled and that, where appropriate, systemsenforce the correct order of events and parameters in criticalsequences of GMP/GDP steps.3. ExpectationNetwork protectionNetwork system security should include appropriate methods to detect andprevent potential threats to data.The level of network protection implemented should be based on anassessment of data risk.Firewalls should be used to prevent unauthorised access, and their rulesshould be subject to periodic reviews against specifications in order toensure that they are set as restrictive as necessary, allowing only permittedtraffic. The reviews should be documented.Firewalls should be supplemented with appropriate virus-protection orintrusion prevention/detection systems to protect data and computerisedsystems from attempted attacks and malware.Potential risk of not meeting expectations/items to be checked Inadequate network security presents risks associated withvulnerability of systems from unauthorised access, misuse ormodification. Check that appropriate measures to control network access are inplace. Processes should be in place for the authorisation,monitoring and removal of access. Systems should be designed to prevent threats and detectattempted intrusions to the network and these measures should beinstalled, monitored and maintained. Firewall rules are typically subject to changes over time, e.g.temporary opening of ports due to maintenance on servers etc. Ifnever reviewed, firewall rules may become obsolete permittingunwanted traffic or intrusions.PI 041-1 43 of 63 1 July 2021
Page 1 and 2: PHARMACEUTICAL INSPECTION CONVENTIO
Page 3 and 4: 9.10 Management of Hybrid Systems .
Page 5 and 6: 3.5 The principles of data manageme
Page 7 and 8: o automation; oro the use of techno
Page 9 and 10: process consistency (e.g. biologica
Page 11 and 12: should clearly demonstrate that rep
Page 13 and 14: Staying continuously and actively i
Page 15 and 16: 6.7 Dealing with data integrity iss
Page 17 and 18: Data IntegrityAttributeRequirementt
Page 19 and 20: Specific elements that should be ch
Page 21 and 22: generation of working copies of doc
Page 23 and 24: 4. ExpectationDocuments should be s
Page 25 and 26: 8.5.2 Records should be appropriate
Page 27 and 28: Where appropriate, the reason for t
Page 29 and 30: 8.9 Direct print-outs from electron
Page 31 and 32: 8.11.2 A record/register should be
Page 33 and 34: 9.2.2 Validation alone does not nec
Page 35 and 36: osystems used in the decision proce
Page 37 and 38: Check that end-user testing include
Page 39 and 40: read by the new software. Where nec
Page 41: - User access controls should ensur
Page 45 and 46: 9.6 Audit trails for computerised s
Page 47 and 48: - in the case of changes or modific
Page 49 and 50: 9.8 Review of data within computeri
Page 51 and 52: to access electronically stored dat
Page 53 and 54: Appropriate quality risk management
Page 55 and 56: Area for reviewComparison of analyt
Page 57 and 58: Accurate [4.1], [6.17] [5.40], [5.4
Page 59 and 60: 12 REMEDIATION OF DATA INTEGRITY FA
Page 61 and 62: 12.2.1.2 Evidence of open communica
Page 63: MetadataIn-file data that describes

Data integrity PIC S

Create successful ePaper yourself

Delete template?

Save as template?