SOP for Data Backup & Security of the computerized systems

1.0 OBJECTIVE : To provide guidelines for the security of the laboratory computerized systems (equipment) & the data to protect the confidentiality, integrity and availability of the data generated in the computerized systems used in the Quality Control Laboratory.

2.0 SCOPE : This procedure is applicable to all the computerized systems which are used for routine analytical purposes. It covers the security of the application systems, security of the data generated (backup) & easy retrieval of the stored / archived data.

3.0 RESPONSIBILITY
3.1 All the analysts working with the computerized systems are responsible for following the procedure described in this SOP.
3.2 Manager QC or his/her nominee is responsible to assess the requirement to give access to the operating systems, maintain the security of the systems and create backup of the generated data at regular intervals.
3.3 Overall responsibility for training, implementation & follow-up lies with the QC Manager or his/her designee.

4.0 ACCOUNTABILITY
4.1 Executive Director, Quality

5.0 PRECAUTIONS
5.1 Securely maintain the approved password list under lock & key.
5.2 Do not share the password with persons who do not have access to the application systems.

6.0 PROCEDURE
6.1 Three levels of security must be maintained:
6.1.1 Physical security of the system hardware and workstations.
6.1.2 Logical access to the application.
6.1.3 Logical access to the operating system, including access to data and program files for the application.
6.2 Physical security of the system hardware and workstation.
6.2.1 The physical security of the system hardware & workstation has to be ensured by placing the system in a secured place.
6.2.2 Uninterrupted power supply (UPS) has to be ensured to protect the system hardware and other sophisticated electrical parts from damage due to fluctuation in power supply.
6.2.3 Only the authorized trained personnel should handle the systems (equipment) as per the equipment specific approved standard operating procedures.
6.3 Logical access to the application.
6.3.1 Access to any application system should be given based on logical need. If a person does not need to perform any analysis with a system, he / she need not be given access to that particular system (equipment).
6.3.2 Personnel given access to any particular system have to be trained, and this has to be documented.
6.3.3 His or her name has to be mentioned in the authorized user list (attached on each system) on the specific application system.
6.4 Logical access to the operating system, including access to data and program files for the application.
6.4.1 Access to any operating system (application software) has to be based on logical need and Manager QC or his/her designee will decide who needs access to what operating system.
6.4.2 All the application systems have to be password protected and the password should be securely maintained under the disposal of Head of QA / Manager QC or his/her designee.
6.4.3 Each system should have three levels of password protection. The first is the operating system, which is controlled by the PC attached to the equipment. The second is the application software, which controls the application & data processing and the program files for the application.
6.4.4 On entering the application software, there should be two different password-protected login modes: (i) User mode and (ii) Administrative mode.
6.4.5 The analysts should have access only in the User mode through password entry.
6.4.6 Only QC Manager or his/her designee should have access to the Administrative mode through password entry (Annexure II).
6.4.7 An analyst who is given access to a system (User mode only) will first enter the operating system by entering the appropriate password. He/she will then enter the application software (User mode) by entering the set password.
6.4.8 The passwords of all levels of the same system should be different from each other.
6.4.9 The passwords have to be maintained by Manager QC or his/her designee in a log sheet (Form: FQC/300) under lock & key.
6.4.10 The passwords of any operating system should be shared only with the authorized analysts who have access to that particular system.
6.4.11 The passwords of all the levels of all systems have to be changed every 6 months or whenever required.
6.5 Data Backup & Retrieval
6.5.1 Applications and data need to be protected against potential loss. Therefore, back up at regular intervals is required.
6.5.2 After completion of each analysis followed by data processing and printout, the responsible analyst should transfer the data to the backup folder of the central server backup system within 2 days of the disposition of the batch/lot.
6.5.3 If it is required to retrieve any data from the server back up system, prior permission has to be taken from Head of QA.

© 2024 Pharmaceuticals Index. All rights reserved.