NIST Risk Assessment for Part 11 Compliance: Evaluation of a GXP Case Study
Monica Fanjoy*
109 Fairground Road, Holly Springs, NC 27540, USA
DOI: /qaj.291

Summary

Current guidance for compliance with 21 Code of Federal Regulations (CFR) Part 11 requires a risk-based approach that is justified, documented, and addresses potential product quality and safety risks. Based on this guidance, different risk assessment methods can be used to comply with Part 11. This study presents a risk assessment of a Part 11-regulated computerized system using the techniques presented in the first public draft of the National Institute of Standards and Technology's (NIST) Risk Management Guide for Information Technology Systems. Results of this case study evaluation suggest that GXP-regulated industries might strengthen their overall risk management and compliance activities by adopting the NIST framework; however, they would need to address three challenges: terminology differences, unclear direction with regard to product safety risks, and cumbersome documentation in the regulated environment. Copyright 2004 John Wiley & Sons, Ltd.

Key words: computer security; computerized system; data integrity; GXP; NIST; Part 11; risk assessment

*Correspondence to: Monica Fanjoy, 109 Fairground Road, Holly Springs, NC 27540, USA. mofanjoy@yahoo.com

This study was based on the First Public Exposure Draft of Reference [1]. The draft document is: National Institute of Standards and Technology. Risk Management Guide for Computer Security. NIST Special Publication, First Public Exposure Draft, June.

Introduction

Current thinking for compliance with 21 Code of Federal Regulations (CFR) Part 11 (Part 11) requires a risk-based approach that is justified and documented and that addresses potential product quality and safety risks. Different risk assessment methods can be used to comply with Part 11.

This study presents a risk assessment of a Part 11-regulated computerized system using the techniques presented in the first public draft of the National Institute of Standards and Technology's (NIST's) Risk Management Guide for Information Technology Systems [1]. This study compares and contrasts the NIST framework with the GXP- and Part 11-regulated environments. This paper presents a direct comparison of the terminology and frameworks used in the two environments. We selected a simple hypothetical GXP case study as a tool to evaluate the effects of the NIST approach in the regulated environment. We applied the NIST approach as outlined in the NIST Risk Management Guide for Information Technology Systems to the case study. We also discuss the implications of using the NIST guidance on risk assessment for computerized systems as a tool for Part 11 compliance in a GXP-regulated environment.

Comparison of Frameworks and Terminology

Table 1 compares major points regarding the framework of the two different approaches. Part 11-GXP requirements are regulatory-driven requirements that focus on data integrity. In contrast, NIST is a voluntary program designed to help a broad range of industries improve computer security.

Table 1. Comparison of framework for NIST [1] and 21 CFR Part 11 for risk assessment of computerized systems

Aspect          | NIST Draft Guidance          | 21 CFR Part 11-GXP Requirements
Authority       | Voluntary                    | Regulatory
Scope           | Any industry                 | GXP-regulated industries only
Intent          | Computerized system security | Data integrity
Critical points | No emphasis given            | Data integrity ensures health/safety

The different focus is also apparent in the terminology employed within the two frameworks. Table 2 compares specific jargon found in NIST to terminology commonly used in the regulated environment. One of the most distinct differences is the use of the term "computer security" in NIST to mean meeting security goals, and the use of the term "security" in the GXP environment to mean assuring data integrity.

Table 2. Language intersection: summary of terminology differences between NIST and Part 11-GXP risk assessments of computerized systems

Accountability
  NIST Draft Guidance: Trace actions of entity
  GXPs and 21 CFR Part 11: GXPs require signature and date; Part 11 requires user-specific change control

Assurance
  NIST Draft Guidance: Confidence that goals for accountability, confidentiality, availability, and integrity are met
  GXPs and 21 CFR Part 11: Ensuring compliance with GXP regulatory requirements

Availability
  NIST Draft Guidance: Availability of data that can lead to unauthorized use or change
  GXPs and 21 CFR Part 11: Data integrity concerns, record retention, and availability for inspection

Confidentiality
  NIST Draft Guidance: Protection from unauthorized reading or viewing of information
  GXPs and 21 CFR Part 11: Business concern; no GXP regulatory requirement

Integrity
  NIST Draft Guidance: Protection against unauthorized violation of system or data
  GXPs and 21 CFR Part 11: Data integrity, protection against unauthorized changes

Security
  NIST Draft Guidance: Having characteristics and mechanisms that meet security goals
  GXPs and 21 CFR Part 11: With regard to GXP and Part 11, the term "security" refers to data integrity

Case Study

Scenario description and controls

The computerized system envisioned for this analysis is owned and operated by a small family-owned company in California that performs GXP-regulated studies. The company has a low turnover rate (less than 5% of the 40 employees turn over annually) and no track record of disgruntled employees. The system includes the server and three wired office client systems networked through a secure domain on the company local area network (LAN). The system supports a database that contains regulated scientific information. The database and network server are commonly used, commercially purchased, and marketed as Part 11 compliant. Controls for the system include those described below.

Existing controls

The existing controls, intended as a simplified example for the case study, are listed below. The list is not intended to be comprehensive, because many topics (open systems, data retention, etc.) are not addressed.
Physical and logical controls:
- Hardware physically secured by limited building access.
- Terminals and server are located away from windows.
- Equipment is protected from power surges.
- Firewall.
- Anti-virus software.
- Encryption.
- Access restrictions.

Individual-level user accountability:
- Unique combination of identification code and password for network and software.
- Periodic checking and rotation of passwords.
- Training on good password management.
- Policy to modify user accounts immediately following a change of responsibility level, employment status, etc.
- Detection and reporting of unauthorized entry by locking the user ID after repeated unsuccessful attempts.
- Software features include a built-in audit trail that provides user accountability.
- System allows role-specific user capability authorization.

Results

Likelihood, impacts, and risk

Risk determination is based on the severity of impacts and the likelihood of occurrence. According to NIST, moderate risk means that the potential problem "results in discernable but recoverable unavailability, modification, disclosure, destruction of data or other system assets or loss of system services, resulting in transitory, yet important impact; no personal injury". In contrast, the loss of data integrity is critical for GXP systems because it may cause injury to people through inappropriate approval or manufacture.

Likelihood analysis

Many risks were rated at low or moderate likelihood based on this particular scenario or on the previously existing controls indicated in this case study. Rating the likelihood of significant risks from insiders as Low (see Table 3), for instance, is unrealistic in most cases, but management believes it appropriate in this case because this hypothetical scenario describes an exceptionally low personnel turnover rate of less than 5%.
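Three of the accountability controls listed above (locking a user ID after repeated unsuccessful attempts, a computer-generated time-stamped audit trail, and role-specific authorization) in working form, as an added example that is neither code from the paper nor from the commercial product the case study assumes. The three-attempt threshold, the "qa_admin" role that alone may clear a lockout, PBKDF2 for credential storage, and the constructed logins in demo() are this example's assumptions; the one requirement it takes from Part 11 itself is that audit-trail entries must never overwrite or obscure earlier ones, which is why the trail class has no edit or delete method.

```python
# Added example (not from the paper): account lockout plus an append-only,
# time-stamped audit trail. The 3-attempt threshold, the 'qa_admin' role,
# PBKDF2 credential storage and the sample logins in demo() are assumptions.
import hashlib
import hmac
import os
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional, Tuple

MAX_FAILED_ATTEMPTS = 3  # assumed policy value; the paper states none


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass(frozen=True)
class AuditEntry:
    timestamp: str  # computer-generated UTC time, ISO 8601
    user_id: str    # account performing or attempting the action
    action: str
    outcome: str


class AuditTrail:
    """Append-only: there is deliberately no method that edits or removes an entry."""

    def __init__(self) -> None:
        self._entries: List[AuditEntry] = []

    def record(self, user_id: str, action: str, outcome: str, when: Optional[datetime] = None) -> None:
        when = when or datetime.now(timezone.utc)
        self._entries.append(AuditEntry(when.isoformat(), user_id, action, outcome))

    def entries(self) -> Tuple[AuditEntry, ...]:
        return tuple(self._entries)  # read-only view

    def lockouts(self) -> List[AuditEntry]:
        """Reporting half of the control: every lockout event on record."""
        return [e for e in self._entries if e.action == "lockout"]


class Authenticator:
    def __init__(self, users: Dict[str, Tuple[str, str]], trail: AuditTrail) -> None:
        # users: user_id -> (password, role); only salt and hash are retained.
        self._creds: Dict[str, Tuple[bytes, bytes]] = {}
        self._roles: Dict[str, str] = {}
        for uid, (password, role) in users.items():
            salt = os.urandom(16)
            self._creds[uid] = (salt, hash_password(password, salt))
            self._roles[uid] = role
        self._failed: Dict[str, int] = {}
        self._locked: set = set()
        self.trail = trail

    def login(self, user_id: str, password: str, when: Optional[datetime] = None) -> bool:
        if user_id in self._locked:
            self.trail.record(user_id, "login", "rejected: user ID locked", when)
            return False
        # Unknown IDs get a dummy salt so the check costs the same time either way.
        salt, stored = self._creds.get(user_id, (bytes(16), b""))
        if hmac.compare_digest(stored, hash_password(password, salt)):
            self._failed[user_id] = 0
            self.trail.record(user_id, "login", "success", when)
            return True
        n = self._failed[user_id] = self._failed.get(user_id, 0) + 1
        self.trail.record(user_id, "login", f"failure {n} of {MAX_FAILED_ATTEMPTS}", when)
        if n >= MAX_FAILED_ATTEMPTS:
            self._locked.add(user_id)
            self.trail.record(user_id, "lockout", "user ID locked after repeated failures", when)
        return False

    def unlock(self, admin_id: str, user_id: str, when: Optional[datetime] = None) -> bool:
        """Role-specific capability: only a qa_admin may clear a lockout."""
        if self._roles.get(admin_id) != "qa_admin":
            self.trail.record(admin_id, "unlock", f"denied for {user_id}: insufficient role", when)
            return False
        self._locked.discard(user_id)
        self._failed[user_id] = 0
        self.trail.record(admin_id, "unlock", f"user ID {user_id} unlocked", when)
        return True


def demo() -> AuditTrail:
    """Constructed scenario: three bad passwords lock analyst1; the analyst cannot
    clear the lockout, the QA admin can, and every step lands on the trail."""
    trail = AuditTrail()
    auth = Authenticator({"analyst1": ("correct horse", "analyst"),
                          "qa1": ("battery staple", "qa_admin")}, trail)
    t = datetime(2004, 6, 1, 9, 0, tzinfo=timezone.utc)
    for minute in range(3):
        auth.login("analyst1", "wrong", when=t.replace(minute=minute))
    auth.login("analyst1", "correct horse", when=t.replace(minute=5))  # rejected: locked
    auth.unlock("analyst1", "analyst1", when=t.replace(minute=6))      # denied: wrong role
    auth.unlock("qa1", "analyst1", when=t.replace(minute=7))
    auth.login("analyst1", "correct horse", when=t.replace(minute=8))
    return trail
```

Note that the denied unlock attempt and the rejected login against a locked ID are themselves recorded under the acting user's ID; that is what makes the trail usable as evidence of who tried what, rather than only of what succeeded. The trail here lives in memory; a real system would persist it, but the point that it exposes no edit or delete operation carries over.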
Impact assessment

The impact assessment categorizes the risks and assigns a valuation that is used in conjunction with the likelihood for the risk determination (see Table 4).

Table 3. Likelihood of significant risks

Scenario         | Rating   | Rationale
Hacker           | Moderate | Have experienced viruses, etc.
Criminal         | Low      | Unprocessed scientific data are effortful for a trained audience and of little use to a general audience. Data are corporate-sensitive only and eventually published in public
Insider          | Low      | Based on low staff turnover rate and high employee satisfaction
Chemical spill   | Low      | Rare occurrence due to controls
Electrical storm | Moderate | Several systems were affected by storms previously
Earthquake       | Low      | Rare occurrence on an annual basis

Table 4. Impact assessment, description, and categorical analysis

Hacker
  Impact categories*: I, Av, C, A, Ac
  Description: Results in discernable but recoverable unavailability, modification, disclosure, destruction of data or other system assets or loss of system services, resulting in transitory, yet important impact; no personal injury
  Valuation: Moderate

Criminal
  Impact categories*: I, Av, C, A, Ac
  Description: Same as above
  Valuation: Moderate

Insider
  Impact categories*: I, Av, C, A, Ac
  Description: Unauthorized insider access would have the largest impact, such as destruction of data, disclosure, or modification that may include loss of integrity, availability, and confidentiality. Discernibility resulting from required audit trails takes this impact from a high to a moderate level; if a toggle to turn off the audit trail capability exists and is disabled, it could be considered a higher risk. For regulated studies, an insider would have a moderate risk in this situation
  Valuation: High to moderate

Chemical spill / electrical storm / earthquake
  Impact categories*: I, C, A
  Description: Access from several locations minimizes potential impacts. May incur replacement and validation costs. Damage to server might cause loss of integrity or availability. Food/chemicals are prohibited in the room housing the server and the location is protected. The data are regularly archived on tapes and stored at another location, minimizing potential data loss. An undetected loss of hardware functionality may result in loss of integrity, assurance, and confidentiality
  Valuation: Low, except for undetected loss of function

*I, integrity; Av, availability; C, confidentiality; A, assurance; Ac, accountability.

Risk determination

Risk determination is based on the severity of impacts and the likelihood of occurrence (see Table 5). The risk determination was based on the risk determination construct provided in the NIST guidelines. The construct designates a determination based on the likelihood and impact.

Table 5. Risk determination based on combined results of likelihood and impact analysis

Scenario         | Likelihood | Impact   | Risk determination
Hacker           | Moderate   | Moderate | Moderate
Criminal         | Low        | Moderate | Low
Insider          | Low        | Moderate | Low
Chemical spill   | Low        | Low      | Low
Electrical storm | Moderate   | Low      | Low
Earthquake       | Low        | Low      | Low

Analysis of current controls

As suggested by NIST, the existing controls were analyzed by category and type to ensure that a full range of controls was used (see Table 6). Based on this review, regulatory requirements are initially satisfied. For simplicity, this analysis assumes that omitted requirements are met. Implementation involves a tiered approach to compliance. Also, a combination of categories (technical, operational, and management) and types (preventive, and detection and monitoring) of control methods was applied. Categories of controls are technical (T), such as access control and antivirus software; operational (O), including training and procedures; and management (M), which prevent or manage risks. Types of controls are preventive techniques (P) and detection and monitoring (D).

Table 6. Categorical control analysis matrix for selected requirements

Requirement                          | Category | Type | Control description
Individual-level user accountability | T        | D, P | Unique combination of identification code and password for network and software
                                     | T, O     | P    | Periodic checking and rotation of password
                                     | M, O     | P    | Training on good password management
                                     | O, M     | P    | Policy to modify user account immediately following change of responsibility level, employment status, etc.
                                     | T, M     | D    | Detection and reporting of unauthorized entry by locking user ID after repeated unsuccessful attempts
                                     | T        | D    | Software features include built-in audit trail that provides user accountability
                                     | T        | P    | System allows role-specific user capability authorization

T, technical; O, operational; M, management; P, preventive techniques; D, detection and monitoring.

Residual risk analysis

Existing controls were reviewed for any gaps. These residual risks were communicated to responsible management. Table 7 shows the identified gap or risk, provides the compliance recommendation, documents the management decision, and provides the justification.
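The risk determination construct referred to above, applied to the six scenarios of Table 5, as an added example that is not part of the paper. The numbers are the risk-level matrix of the published NIST SP 800-30 (2002): likelihood weights Low 0.1, Moderate 0.5, High 1.0; impact magnitudes Low 10, Moderate 50, High 100; and a risk scale of Low (1 to 10), Moderate (above 10 to 50), High (above 50 to 100). Whether the June 2001 draft the paper used had identical numbers is an assumption, as is the safety_critical flag on the insider scenario, which the example uses to act out the paper's point that Part 11 treats integrity loss as critical while NIST's "Moderate" explicitly excludes personal injury.

```python
# Added example, not from the paper. Risk determination on the NIST SP 800-30
# likelihood x impact construct; scale values are from the published 2002
# SP 800-30 and are assumed to match the 2001 draft the paper used.
from dataclasses import dataclass
from typing import Dict, List

# Likelihood weights are stored as tenths so every product is an exact
# integer; risk_score() divides back to the SP 800-30 value.
LIKELIHOOD_TENTHS = {"Low": 1, "Moderate": 5, "High": 10}
IMPACT = {"Low": 10, "Moderate": 50, "High": 100}


def risk_score(likelihood: str, impact: str) -> float:
    """SP 800-30 risk score (1.0 to 100.0) for a likelihood/impact pair."""
    return LIKELIHOOD_TENTHS[likelihood] * IMPACT[impact] / 10


def risk_level(likelihood: str, impact: str) -> str:
    """Map the score onto the SP 800-30 risk scale."""
    score = risk_score(likelihood, impact)
    if score > 50:
        return "High"
    if score > 10:
        return "Moderate"
    return "Low"


@dataclass(frozen=True)
class Scenario:
    name: str
    likelihood: str
    impact: str
    # Could an integrity loss here lead to an inappropriate approval or
    # manufacture, i.e. personal injury? Assumed for this example only on the
    # insider case (the paper notes an audit-trail toggle could raise that
    # impact); the paper itself assigns no such flag.
    safety_critical: bool = False


# Likelihood and impact ratings copied from Table 5 of the paper.
TABLE_5: List[Scenario] = [
    Scenario("Hacker", "Moderate", "Moderate"),
    Scenario("Criminal", "Low", "Moderate"),
    Scenario("Insider", "Low", "Moderate", safety_critical=True),
    Scenario("Chemical spill", "Low", "Low"),
    Scenario("Electrical storm", "Moderate", "Low"),
    Scenario("Earthquake", "Low", "Low"),
]


def determine(scenarios: List[Scenario]) -> Dict[str, str]:
    """Risk determination as the NIST construct produces it (paper's Table 5)."""
    return {s.name: risk_level(s.likelihood, s.impact) for s in scenarios}


def determine_gxp(scenarios: List[Scenario]) -> Dict[str, str]:
    """Same construct, but a safety-critical integrity loss is rated High impact."""
    return {s.name: risk_level(s.likelihood, "High" if s.safety_critical else s.impact)
            for s in scenarios}


def insider_sensitivity() -> Dict[str, str]:
    """How the insider determination moves if the Low likelihood the paper calls
    'unrealistic in most cases' is raised, holding impact at High."""
    return {lk: risk_level(lk, "High") for lk in ("Low", "Moderate", "High")}


if __name__ == "__main__":
    for name, level in determine(TABLE_5).items():
        print(f"{name:18s} {level}")
    print("GXP override      ", determine_gxp(TABLE_5))
    print("Insider by lklhd  ", insider_sensitivity())
```

The run reproduces Table 5 exactly. The part a GXP reviewer should notice is the override: rating the insider impact High still yields a score of exactly 10, which the SP 800-30 scale classes as Low, so the multiplicative construct discounts rare, severe events and gives no safety-driven signal on its own. Only raising the likelihood (to Moderate, which the paper itself suggests is the realistic rating for insiders) moves the determination, which is one concrete form of the paper's "unclear direction with regard to product safety risks".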
Table 7. Simulation of management decisions on residual risk

Residual risk 1: Undetected loss of functionality may result in loss of data integrity, accountability, and assurance
  Recommendation: Use routine system checks to routinely assess integrity. Implement a disaster recovery policy that assures functionality. Add periodic reverification testing to preventive surveillance and maintenance.
  Management decision: Implement the automated system integrity check that comes with the software. Test after occurrence of specified events as required by the disaster planning policy.
  Rationale: Budget does not allow for manual checks, so use automated checks on a limited basis. At present, periodic surveillance testing is also too costly.

Residual risk 2: The two users authorized to disable the audit trail present a high risk
  Recommendation: Document background check as preventive measure. Implement a policy regarding use and disengagement of the audit trail.
  Management decision: Implement policy regarding audit trail use. Background check is an unnecessary expense.
  Rationale: Both employees have demonstrated reliability by 20+ years with the company.

Residual risk 3: Office client in shared office space is not secure from employees of Company B
  Recommendation: Move, or implement local physical security measures in the shared office space.
  Management decision: Move to secure location.
  Rationale: Relocating the client is less costly than remodeling the facility.

Residual risk 4: No indication to employees that electronic and handwritten signatures are equal
  Recommendation: Implement policy that equates electronic and handwritten signatures.
  Management decision: Agree.
  Rationale: Employees are aware of this; however, it is appropriate to document this in a written policy.

Implications with good practices

The detailed and extensive documentation process proposed by NIST may prove cumbersome in a regulated environment; however, the systematic process reveals inconsistencies that GXP compliance practices could potentially overlook. In conclusion, GXP-regulated industries might strengthen their overall risk management and compliance activities by adopting the NIST framework; however, they would need to address three challenges: terminology differences, unclear direction with regard to product safety risks, and cumbersome documentation in the regulated environment. Based on this case study, a system-driven risk assessment such as the NIST framework can provide a comprehensive analysis that reveals discrepancies and gaps within the assurance process, and the NIST framework is flexible enough to manage regulatory and business risks in combination. Documentation that synthesizes pertinent information across various documents and procedures at various levels also ensures comprehensive assurance. Integrated and systematic assurance makes sense for high-risk systems because it increases the likelihood of comprehensive assurance; however, the NIST process is extensive and detailed. As a result, the NIST framework may potentially generate a large volume of supporting documentation that would prove cumbersome in a regulated environment. Specifically, creating and archiving documents such as the threat identification, likelihood analysis, impact assessment, risk determination, and control analysis might significantly increase the labor time involved in the compliance process. Moreover, the NIST framework provides little direction on the data integrity and health/safety risks that are inherent in GXP-regulated industries, and contains language that is inconsistent with terminology set forth in Part 11's GXP predicates.

References

1. National Institute of Standards and Technology (NIST). Risk Management Guide for Information Technology Systems. NIST Special Publication SP. nistpubs/800-30/sp pdf
More informationINFORMATION TECHNOLOGY SECURITY POLICY
INFORMATION TECHNOLOGY SECURITY POLICY Author Responsible Director Approved By Data Approved September 15 Date for Review November 17 Version 2.3 Replaces version 2.2 Mike Dench, IT Security Manager Robin
More informationThis draft standard is being posted for an initial comment and ballot. The draft includes modifications to meet the directives of FERC Order No. 791.
Standard Development Timeline This section is maintained by the drafting team during the development of the standard and will be removed when the standard becomes effective. Development Steps Completed
More informationThe Honest Advantage
The Honest Advantage READY TO CHALLENGE THE STATUS QUO GSA Security Policy and PCI Guidelines The GreenStar Alliance 2017 2017 GreenStar Alliance All Rights Reserved Table of Contents Table of Contents
More informationUNIVERSITY OF MASSACHUSETTS AMHERST INFORMATION SECURITY POLICY October 25, 2017
UNIVERSITY OF MASSACHUSETTS AMHERST INFORMATION SECURITY POLICY October 25, 2017 I. Introduction Institutional information, research data, and information technology (IT) resources are critical assets
More informationexisting customer base (commercial and guidance and directives and all Federal regulations as federal)
ATTACHMENT 7 BSS RISK MANAGEMENT FRAMEWORK PLAN [L.30.2.7, M.2.2.(7), G.5.6; F.2.1(41) THROUGH (76)] A7.1 BSS SECURITY REQUIREMENTS Our Business Support Systems (BSS) Risk MetTel ensures the security of
More informationAutomation Change Management for Regulated Industries
Automation Change Management for Regulated Industries Achieving Part 11 Compliance A White Paper Synopsis This whitepaper provides information related to FDA regulation 21 CFR Part 11 (Part 11) for organizations
More informationStandard CIP 007 4a Cyber Security Systems Security Management
A. Introduction 1. Title: Cyber Security Systems Security Management 2. Number: CIP-007-4a 3. Purpose: Standard CIP-007-4 requires Responsible Entities to define methods, processes, and procedures for
More informationGuide: HIPPA Compliance. Corporate HIPAA Compliance Guide. Privacy, productivity and remote access. gotomypc.com
: HIPPA Compliance GoToMyPC Corporate HIPAA Compliance Privacy, productivity and remote access 2 The healthcare industry has benefited greatly from the ability to use remote access to view patient data
More informationData Backup and Contingency Planning Procedure
HIPAA Security Procedure HIPAA made Easy Data Backup and Contingency Planning Procedure Please fill in date implemented and updates for your facility: Goal: This document will serve as our back-up storage
More information1. SAR posted for comment on January 15, Standard Drafting Team appointed on January 29, 2014
Standard Development Timeline This section is maintained by the drafting team during the development of the standard and will be removed when the standard becomes effective. Development Steps Completed
More information2.4. Target Audience This document is intended to be read by technical staff involved in the procurement of externally hosted solutions for Diageo.
Diageo Third Party Hosting Standard 1. Purpose This document is for technical staff involved in the provision of externally hosted solutions for Diageo. This document defines the requirements that third
More informationCompliance Matrix for 21 CFR Part 11: Electronic Records
Compliance Matrix for 21 CFR Part 11: Electronic Records Philip E. Plantz, PhD, Applications Manager David Kremer, Senior Software Engineer Application Note SL-AN-27 Revision B Provided By: Microtrac,
More informationDecrypting the Security Risk Assessment (SRA) Requirement for Meaningful Use
Click to edit Master title style Decrypting the Security Risk Assessment (SRA) Requirement for Meaningful Use Andy Petrovich, MHSA, MPH M-CEITA / Altarum Institute October 1, 2014 10/1/2014 1 1 Who is
More information201 CMR COMPLIANCE CHECKLIST Yes No Reason If No Description
Do you have a comprehensive, written information security program ( WISP ) WISP) applicable to all records containing personal information about a resident of the Commonwealth of Massachusetts ( PI )?
More informationTEL2813/IS2820 Security Management
TEL2813/IS2820 Security Management Lecture 3 Information Security Policy Jan 29, 2008 Introduction Information security policy: What it is How to write it How to implement it How to maintain it Policy
More informationOhio Supercomputer Center
Ohio Supercomputer Center Security Notifications No: Effective: OSC-10 06/02/2009 Issued By: Kevin Wohlever Director of Supercomputer Operations Published By: Ohio Supercomputer Center Original Publication
More informationGeneral Information System Controls Review
General Information System Controls Review ECHO Application Software used by the Human Services Department, Broward Addiction Recovery Division (BARC) March 11, 2010 Report No. 10-08 Office of the County
More informationCIP Cyber Security Personnel & Training
A. Introduction 1. Title: Cyber Security Personnel & Training 2. Number: CIP-004-6 3. Purpose: To minimize the risk against compromise that could lead to misoperation or instability in the Bulk Electric
More informationCIP Cyber Security Configuration Management and Vulnerability Assessments
Standard Development Timeline This section is maintained by the drafting team during the development of the standard and will be removed when the standard becomes effective. Development Steps Completed
More informationInformation Security Management Criteria for Our Business Partners
Information Security Management Criteria for Our Business Partners Ver. 2.1 April 1, 2016 Global Procurement Company Information Security Enhancement Department Panasonic Corporation 1 Table of Contents
More informationEXHIBIT A. - HIPAA Security Assessment Template -
Department/Unit: Date: Person(s) Conducting Assessment: Title: 1. Administrative Safeguards: The HIPAA Security Rule defines administrative safeguards as, administrative actions, and policies and procedures,
More informationINFORMATION SECURITY. One line heading. > One line subheading. A briefing on the information security controls at Computershare
INFORMATION SECURITY A briefing on the information security controls at Computershare One line heading > One line subheading INTRODUCTION Information is critical to all of our clients and is therefore
More informationGuide to the implementation and auditing of ISMS controls based on ISO/IEC 27001
Guide to the implementation and auditing of ISMS controls based on ISO/IEC 27001 Information Security Management Systems Guidance series The Information Security Management Systems (ISMS) series of books
More informationPolicy Document. PomSec-AllSitesBinder\Policy Docs, CompanyWide\Policy
Policy Title: Binder Association: Author: Review Date: Pomeroy Security Principles PomSec-AllSitesBinder\Policy Docs, CompanyWide\Policy Joseph Shreve September of each year or as required Purpose:...
More informationSection 3.9 PCI DSS Information Security Policy Issued: November 2017 Replaces: June 2016
Section 3.9 PCI DSS Information Security Policy Issued: vember 2017 Replaces: June 2016 I. PURPOSE The purpose of this policy is to establish guidelines for processing charges on Payment Cards to protect
More informationKeys to a more secure data environment
Keys to a more secure data environment A holistic approach to data infrastructure security The current fraud and regulatory landscape makes it clear that every firm needs a comprehensive strategy for protecting
More informationHow To Establish A Compliance Program. Richard E. Mackey, Jr. SystemExperts Corporation
How To Establish A Compliance Program Richard E. Mackey, Jr. Vice president SystemExperts Corporation Agenda High level requirements A written program A sample structure Elements of the program Create
More informationInternet, , Social Networking, Mobile Device, and Electronic Communication Policy
TABLE OF CONTENTS Internet, Email, Social Networking, Mobile Device, and... 2 Risks and Costs Associated with Email, Social Networking, Electronic Communication, and Mobile Devices... 2 Appropriate use
More informationMobile Working Policy
Mobile Working Policy Date completed: Responsible Director: Approved by/ date: Ben Westmancott, Director of Compliance Author: Ealing CCG Governing Body 15 th January 2014 Ben Westmancott, Director of
More informationNew York Department of Financial Services Cybersecurity Regulation Compliance and Certification Deadlines
New York Department of Financial Services Cybersecurity Regulation Compliance and Certification Deadlines New York Department of Financial Services ( DFS ) Regulation 23 NYCRR 500 requires that entities
More informationCIP Cyber Security Security Management Controls. Standard Development Timeline
Standard Development Timeline This section is maintained by the drafting team during the development of the standard and will be removed when the standard becomes effective. Development Steps Completed
More informationABB Limited. Table of Content. Executive Summary
21 CFR Part 11 Electronic Records; Electronic Signatures Guidance for Industry Scope of Application Position Paper: A Summary and Interpretation of the Guidance Note: This document has been prepared based
More informationSYSTEMS ASSET MANAGEMENT POLICY
SYSTEMS ASSET MANAGEMENT POLICY Policy: Asset Management Policy Owner: CIO Change Management Original Implementation Date: 7/1/2017 Effective Date: 7/1/2017 Revision Date: Approved By: NIST Cyber Security
More informationThe Learner can: 1.1 Describe the common types of security breach that can affect the organisation, such as:
Unit Title: OCR unit number 38 Level: 3 Credit value: 12 Guided learning hours: 100 Unit reference number: Security of ICT Systems D/500/7220 Candidates undertaking this unit must complete real work activities
More informationIntegration of Agilent OpenLAB CDS EZChrom Edition with OpenLAB ECM Compliance with 21 CFR Part 11
OpenLAB CDS Integration of Agilent OpenLAB CDS EZChrom Edition with OpenLAB ECM Compliance with 21 CFR Part 11 Technical Note Introduction Part 11 in Title 21 of the Code of Federal Regulations includes
More informationINFORMATION SECURITY AND RISK POLICY
INFORMATION SECURITY AND RISK POLICY 1 of 12 POLICY REFERENCE INFORMATION SHEET Document Title Document Reference Number Information Security and Risk Policy P/096/CO/03/11 Version Number V02.00 Status:
More informationCarbon Black PCI Compliance Mapping Checklist
Carbon Black PCI Compliance Mapping Checklist The following table identifies selected PCI 3.0 requirements, the test definition per the PCI validation plan and how Carbon Black Enterprise Protection and
More informationThe HITRUST CSF. A Revolutionary Way to Protect Electronic Health Information
The HITRUST CSF A Revolutionary Way to Protect Electronic Health Information June 2015 The HITRUST CSF 2 Organizations in the healthcare industry are under immense pressure to improve quality, reduce complexity,
More information