9 Must-Have IT SOP's When Implementing a Regulated Electronic System


  • 8/19/2019 9 Must-Have IT SOP's When Implementing a Regulated Electronic System


    9 Must-Have IT SOP's When Implementing a Regulated Electronic System

    1. System Maintenance SOP

    The system maintenance SOP should describe the controls that you have in place to ensure that appropriate maintenance on your system is carried out in a controlled way, and on a regular basis. Typically you should look to include a maintenance schedule, with links to your Change Control SOP. Your System Maintenance SOP should describe the system monitoring procedures that you have in place, as well as a clear definition of your process for decommissioning systems. Make sure you outline your approach to ensure the integrity of any data contained within the systems.

    2. Physical Security SOP

    Physical security focuses on controls that you have in place to secure access to your premises. These controls could include things like management of key cards and codes, the management of your building alarm system and intrusion control etc. Physical security should also reference the environmental controls in place to protect your data installations, such as fire detection and suppression, temperature and humidity controls and so on.

    3. Logical Security SOP

    Logical security is a key area of focus for 21 CFR Part 11 environments. This SOP should detail how access to the systems is managed, and include links to any policies that relate to passwords, such as password format or ageing, and technical controls to improve security, such as password protected screen savers. Other logical security mechanisms that allow you to ensure data traceability and custody should also be described in the Logical Security SOP. Finally, systems such as VPNs, firewalls and virus protection applications should also be managed through this procedure.


    4. Incident and Problem Management SOP

    This SOP should provide you with a process for managing any incidents or problems that are experienced with regulated computerized systems. Typically you will need to describe how incidents or problems are recorded, analyzed and resolved. If you are using a bug management system it would be governed by this SOP. You should also look at covering the communication mechanisms that need to be in place.

    5. System Change Control SOP

    This is one of the most important activities when managing regulated systems and also one of the areas that can present the most problems. The system change control procedure should be used when changing any component of a computerized system. The change control procedure will typically use a form to allow the documentation of the change control. This form is also an important communication tool. The process should first require that the change rationale and steps be documented. An impact assessment must then be done to determine what else in the system could be impacted. Any revalidation should also be documented, including any test scripts to be executed and evidence to produce. It's important to define a roll back path. Finally, the review and approval process both pre and post execution should be clearly defined.

    6. Configuration Management SOP

    Configuration management should govern how regulated systems configuration should be managed and documented. This SOP is used often in conjunction with change control. Configuration changes typically require verification rather than revalidation. The configuration management procedure should discuss how configuration should be documented and how documentation should be versioned and maintained. It is also important to define a standard process for review and approval of configuration changes. For more on Configuration Management, check this out: http://info.montrium.com/sharepoint-configuration-management-presentation

    7. Disaster Recovery SOP

    Ensuring that data is properly protected and that we are able to recover from a disaster in a timely and controlled manner is imperative when dealing with regulated content and systems. The Disaster Recovery SOP should clearly define what is considered a disaster and provide an overview of what should be contained within the disaster recovery plan. The plan will typically be a separate document and describe the different systems that fall under the plan, how to bring systems up, communication procedures, escalation and prioritization of recovery, supplier and customer contact information and the disaster recovery team composition. This SOP should also have provisions for periodic testing of the disaster recovery plan and how this should be documented.

    8. Electronic Signature Policy SOP

    21 CFR Part 11 electronic signatures require that individuals sign a non-repudiation form attesting to the fact that their electronic signature is a legally binding equivalent of their handwritten signature. This means that they will need to be trained on what an electronic signature is and when it can be applied. This is typically defined in the electronic signature policy. The policy will also govern the non-repudiation form and the process of provisioning electronic signatures.

    9.