It is a regulatory requirement that access to computerised systems is limited to authorised users. This is not limited to systems that contain electronic records but applies to all systems used to fulfil regulated activities.
This post focuses on the FDA and MHRA / EU regulatory requirements for security management of computerised systems within the pharmaceutical and biotech industries, and on the application of logical security controls and procedures.
GAMP 5 Operational Appendix O11 provides guidance on security management. This article is designed to provide additional details.
Regulatory Requirements
EU Annex 11 states - 12.1 Physical and/or logical controls should be in place to restrict access to computerised system to authorised persons. Suitable methods of preventing unauthorised entry to the system may include the use of keys, pass cards, personal codes with passwords, biometrics, restricted access to computer equipment and data storage areas.
FDA 21 CFR 211.68(b) states – Appropriate controls shall be exercised over computer or related systems to assure that changes in master production and control records or other records are instituted only by authorized personnel.
Computer Security is not just Part 11
As detailed above, security controls are not only a requirement for compliance with the electronic records provisions of 21 CFR Part 11 but a basic operational requirement for any computerised system.
GAMP 5 provides good basic guidance on the security management of computerised systems. This article is designed to supplement the GAMP 5 guidance to achieve compliance with regulatory requirements, based on the lifecycle of the computerised system.
Computer System Security Management
Project Phase
During the project phase the security requirements of the computerised system should be documented within the User Requirements Specification (URS).
The basic security controls should be based on company policies and standards. These should include:
- Password complexity (number of characters, use of mixed case, etc.)
- Automatic time out (automatic log off)
- Required user levels (Administrator, Engineer, Technician, Power User, Operator, etc.)
- Password aging (period after which the user must change their password)
- Number of login attempts before the account is locked
- Users required to change their password on first logon
Operational Phase
Many software applications, including automation, laboratory and IT systems, now have standard configurable security, often based on Windows security, so that compliance can be achieved through configuration. It is important that during the Operational Phase (operational life) of the computerised system controls are applied to ensure that the security is maintained. The controls should be detailed in approved operating procedures and should include:
- Issue of passwords (controls to ensure that only authorised, trained users have access)
- Management of lost passwords
- Removal of users (due to leaving the company, changing job roles, etc.)
- Periodic review of user accounts
- Management of security incidents
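The periodic review and removal of users listed above is usually done by reconciling the system's account list against the HR roster. The following is an added example of such a reconciliation, not code from the original post or from GAMP 5: it takes a constructed account export and a constructed HR roster, and flags leavers, role mismatches, dormant accounts, overdue password changes and accounts with no HR owner (typically shared or default accounts). The field names and the 90-day dormancy and password-aging thresholds are assumptions standing in for a company's own policy values.

```python
"""Periodic user-account review for a GxP computerised system.

Added illustration only. The account export, HR roster, field names and
review thresholds below are constructed assumptions, not values from the
original post or from any regulation or guidance document.
"""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Account:
    username: str
    role: str                    # role configured in the system
    last_login: Optional[date]   # None = never logged in
    password_set: date           # date the current password was set
    enabled: bool


@dataclass(frozen=True)
class HrRecord:
    username: str
    employed: bool               # False = has left the company
    job_role: str                # role HR says the person currently holds


# Assumed company policy values (assumption, not from the post).
DORMANT_DAYS = 90        # no login for longer than this -> review
PASSWORD_AGE_DAYS = 90   # password aging period

Finding = Tuple[str, str, str]   # (username, code, explanation)


def review_accounts(accounts: List[Account], hr: List[HrRecord],
                    today: date) -> List[Finding]:
    """Reconcile enabled system accounts against the HR roster."""
    hr_by_user = {r.username: r for r in hr}
    findings: List[Finding] = []
    for a in accounts:
        if not a.enabled:
            continue  # disabled accounts cannot be used; out of scope here
        rec = hr_by_user.get(a.username)
        if rec is None:
            findings.append((a.username, "NO_HR_RECORD",
                             "no matching HR record; shared or default account "
                             "must be documented and owned"))
            continue
        if not rec.employed:
            findings.append((a.username, "LEAVER",
                             "user has left the company; remove account"))
            continue
        if rec.job_role != a.role:
            findings.append((a.username, "ROLE_MISMATCH",
                             f"system role {a.role!r} differs from HR role "
                             f"{rec.job_role!r}; re-assess access level"))
        if a.last_login is None or (today - a.last_login).days > DORMANT_DAYS:
            findings.append((a.username, "DORMANT",
                             f"no login within {DORMANT_DAYS} days"))
        if (today - a.password_set).days > PASSWORD_AGE_DAYS:
            findings.append((a.username, "PASSWORD_EXPIRED",
                             f"password older than {PASSWORD_AGE_DAYS} days"))
    return findings


# Constructed sample data for the review date below.
TODAY = date(2024, 6, 30)
ACCOUNTS = [
    Account("asmith", "Operator", date(2024, 6, 28), date(2024, 5, 1), True),
    Account("bjones", "Engineer", date(2024, 6, 20), date(2024, 6, 1), True),
    Account("cwhite", "Operator", date(2024, 3, 1), date(2024, 1, 15), True),
    Account("dgreen", "Administrator", None, date(2024, 1, 1), True),
    Account("svcbackup", "Administrator", date(2024, 6, 29), date(2023, 1, 1), True),
    Account("eblack", "Operator", date(2024, 1, 1), date(2024, 1, 1), False),
]
HR = [
    HrRecord("asmith", True, "Operator"),
    HrRecord("bjones", True, "Technician"),   # changed job role
    HrRecord("cwhite", False, "Operator"),    # left the company
    HrRecord("dgreen", True, "Administrator"),
    HrRecord("eblack", True, "Operator"),
]

if __name__ == "__main__":
    for user, code, why in review_accounts(ACCOUNTS, HR, TODAY):
        print(f"{user:<10} {code:<17} {why}")
```

Each finding maps to one of the operational controls in the list: LEAVER and ROLE_MISMATCH drive the removal or re-assignment of users, DORMANT and PASSWORD_EXPIRED feed the periodic review, and NO_HR_RECORD surfaces accounts that have no named owner and so need to be justified in the procedure. The output of the review is the record that an auditor would expect to see alongside the approved operating procedure.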
Decommissioning
Security should be considered when developing a decommissioning plan where systems will be maintained to provide the ability to recover electronic records and raw data throughout the retention period. For example, a laboratory system which is being replaced may have its application and raw data maintained in a virtual environment. Default accounts may need to be configured and documented for the application, because when the data needs to be accessed in the future the original users may have left the company, and those who remain may not remember their passwords.