8/19/2019 9 Must-Have IT SOP's When Implementing a Regulated Electronic System
9 Must-Have IT SOP's When Implementing a Regulated Electronic System
1. System Maintenance SOP
The system maintenance SOP should describe the controls that you have in place to
ensure that appropriate maintenance on your system is carried out in a controlled
way, and on a regular basis. Typically you should look to include a maintenance
schedule, with links to your Change Control SOP. Your System Maintenance SOP
should describe the system monitoring procedures that you have in place, as well
as a clear definition of your process for decommissioning systems. Make sure you
outline your approach to ensure the integrity of any data contained within the
systems.
2. Physical Security SOP
Physical security focuses on controls that you have in place to secure access to your
premises. These controls could include things like management of key cards and
codes, the management of your building alarm system and intrusion control etc.
Physical security should also reference the environmental controls in place to
protect your data installations, such as fire detection and suppression, temperature
and humidity controls and so on.
3. Logical Security SOP
Logical security is a key area of focus for 21 CFR Part 11 environments. This SOP
should detail how access to the systems is managed, and include links to any
policies that relate to passwords, such as password format or ageing, and technical
controls to improve security, such as password-protected screen savers. Other
logical security mechanisms that allow you to ensure data traceability and custody
should also be described in the Logical Security SOP. Finally, systems such as VPNs,
firewalls and virus protection applications should also be managed through this
procedure.
4. Incident and Problem Management SOP
This SOP should provide you with a process for managing any incidents or
problems that are experienced with regulated computerized systems. Typically you
will need to describe how incidents or problems are recorded, analyzed and
resolved. If you are using a bug management system it would be governed by this
SOP. You should also look at covering the communication mechanisms that need to
be in place.
5. System Change Control SOP
This is one of the most important activities when managing regulated systems and
also one of the areas that can present the most problems. The system change
control procedure should be used when changing any component of a
computerized system. The change control procedure will typically use a form to
allow the documentation of the change control. This form is also an important
communication tool. The process should first require that the change rationale and
steps be documented. An impact assessment must then be done to determine
what else in the system could be impacted. Any revalidation should also be
documented, including any test scripts to be executed and evidence to produce. It's
important to define a roll back path. Finally, the review and approval process both
pre and post execution should be clearly defined.
6. Configuration Management SOP
Configuration management should govern how the configuration of regulated systems
should be managed and documented. This SOP is often used in conjunction with
change control. Configuration changes typically require verification rather than
revalidation. The configuration management procedure should discuss how
configuration should be documented and how documentation should be versioned
and maintained. It is also important to define a standard process for review and
approval of configuration changes. For more on Configuration Management, check
this out: http://info.montrium.com/sharepoint-configuration-management-presentation
7. Disaster Recovery SOP
Ensuring that data is properly protected and that we are able to recover from a
disaster in a timely and controlled manner is imperative when dealing with
regulated content and systems. The Disaster Recovery SOP should clearly define
what is considered a disaster and provide an overview of what should be contained
within the disaster recovery plan. The plan will typically be a separate document
and describe the different systems that fall under the plan, how to bring systems
up, communication procedures, escalation and prioritization of recovery, supplier
and customer contact information and the disaster recovery team composition.
This SOP should also have provisions for periodic testing of the disaster recovery
plan and how this should be documented.
8. Electronic Signature Policy SOP
21 CFR Part 11 electronic signatures require that individuals sign a non-repudiation
form attesting to the fact that their electronic signature is a legally binding
equivalent of their handwritten signature. This means that they will need to be
trained on what an electronic signature is and when it can be applied. This is
typically defined in the electronic signature policy. The policy will also govern the
non-repudiation form and the process of provisioning electronic signatures.
9.