Data integrity PIC S
good practices for data management and integrity in regulatory GMP/GDP environments
good practices for data management and integrity in regulatory GMP/GDP environments
Create successful ePaper yourself
Turn your PDF publications into a flip-book with our unique Google optimized e-Paper software.
of alternative systems should be justified and documented.
Increased data review is likely to be required for hybrid systems.
Inspectors should verify that a password policy is in place to ensure
that systems enforce good password rules and require strong
passwords. Consideration should be made to using stronger
passwords for systems generating or processing critical data.
Systems where a new password cannot be changed by the user,
but can only be created by the admin, are incompatible with data
integrity, as the confidentiality of passwords cannot be maintained.
Check that user access levels are appropriately defined,
documented and controlled. The use of a single user access level
on a system and assigning all users this role, which per definition
will be the admin role, is not acceptable.
Verify that the system uses authority checks to ensure that only
authorised individuals can use the system, electronically sign a
record, access the operation or computerised system input or output
device, alter a record, or perform the operation at hand.
2. Expectation
Computerised systems should be protected from accidental changes or
deliberate manipulation. Companies should assess systems and their
design to prevent unauthorised changes to validated settings that may
ultimately affect data integrity. Consideration should be given to:
- The physical security of computerised system hardware:
o Location of and access to servers;
o Restricting access to PLC modules, e.g. by locking access
o
panels.
Physical access to computers, servers and media should be
restricted to authorised individuals. Users on a system
should not normally have access to servers and media.
- Vulnerability of networked systems from local and external attack;
- Remote network updates, e.g. automated updating of networked
systems by the vendor.
- Security of system settings, configurations and key data. Access to
critical data/operating parameters of systems should be
appropriately restricted and any changes to settings/configuration
controlled through change management processes by authorised
personnel.
- The operating system clock should be synchronized with the clock
of connected systems and access to all clocks restricted to
authorised personnel.
- Appropriate network security measures should be applied, including
intrusion prevention and detection systems.
- Firewalls should be setup to protect critical data and operations.
Port openings (firewall rules) should be based on the least privilege
policy, making the firewall rules as tight as possible and thereby
allowing only permitting traffic.
Regulated users should conduct periodic reviews of the continued
appropriateness and effectiveness of network security measures, (e.g. by
the use of network vulnerability scans of the IT infrastructure to identify
PI 041-1 42 of 63 1 July 2021