It is of utmost importance that organizations protect the data they produce. Most organizations now store their data electronically, which exposes it to cyberattacks through vulnerabilities in the hardware and software that hold it. Organizations address this risk with a mix of technical and procedural controls. This is a constantly evolving field, and many parties must be involved when implementing, validating and operating GxP systems that create, control and/or store electronic records and data. Several methodologies have been proposed for building cybersecurity into the validation of GxP systems in accordance with GAMP guidance and NIST, ISACA and ISO standards.
ISPE is currently working with ISACA to create cybersecurity guidance for the industry. Once complete, this guidance will outline the procedural and technical measures and controls that should be implemented to ensure the integrity and security of electronic records and data. It should also cover ongoing management of cybersecurity, including, but not limited to, personnel and their roles, supporting systems that maintain security over time, and periodic security testing (such as penetration testing). The challenge lies in integrating these measures effectively into the processes already defined in the organization’s quality management system (QMS). Cybersecurity should first be built into risk and/or criticality assessments, and then carried downstream into system security testing during qualification and/or validation activities. Note that changes made to a validated system to address security findings, such as patches or configuration hardening, must themselves pass through the QMS change control process so that the validated state is maintained.
As the technological landscape evolves, organizations must implement cybersecurity measures more effectively to ensure the safety of their electronic records and data. These measures must be treated as part of the QMS for every activity in the lifecycle of a computerized system. While the new ISPE guidance is pending, organizations can begin implementing cybersecurity measures in accordance with NIST, ISACA and ISO standards, if they have not already. Threats will always exist. The more prepared we are, the safer our data will be.