Synergy between ISMS & GxP Compliance for value add in Pharma IT

There always has been some overlaps and confusion between the expectations on Cybersecurity Implementation following NIST/ISO standards and 21 CFR Part 11/Annex 11/ GAMP expectation on Computer System Validation. The contradiction stems from the seemingly different end goals, gatekeepers, and standard for confirming fulfillment of the expectation. While QA Compliance professionals have a mandate for ensuring regulatory compliance and audit readiness for GxP Business Processes/Data for the organization, ISMS (Information Security Management System) Professionals have a mandate of ensuring the 'CIA Triad (Confidentiality, Integrity & Availability) is maintained for end to-end business processes and all relevant data based on risk classification. Furthermore, considering the ISO OSI model( a conceptual model for network communication) as reference point, ISMS professionals have ownership for all 7 Layers (Physical Layer to Application Layer) whereas Quality Unit is mostly focused on Layer 7(Application Layer). On the outset it may seem that there is only narrow overlap of scope in Application Layer. However, in practice there are overlaps that transcends the OSI layer boundaries – this is especially true as Quality Unit is in some cases responsible to enforce requirements not limited to application layer and may not have enough tools and expertise to enforce requirements on lower OSI Layers. For e.g., Annex 11, Point 7.1 requires that’ Data should be secured by both physical and electronic means against damage’ – this requirement cannot be fulfilled without appropriate controls at the Physical layer of the OSI model. Despite the differences and contradictions there are many common elements that provide potential for synergy due to overlaps.

Note: NIST controls have been considered for mapping as its has most exhaustive scope for information security controls. Only NIST to Pharma regulations have been mapped as part of this article and NIST to ISO control mapping has been taken AS-IS from NIST publication[R1].

The strong case for synergy for GxP relevant process and data would mean that rather than duplicate verification for similar requirements derived from different frameworks, requirements could be checked or formally tested by one group and referred by the other group. In terms of control assessments, this would mean translating the similar controls written with different languages under the same item and leveraging each other for evidence required for fulfillment of the control . Also, each group can leverage each other's core expertise and focus on bringing value with their skills and knowledge .

The only issue could be the expectation on evidence fulfillment. While a simple system screenshot showing the required evidence may be considered sufficient by the ISMS group, GXP good documentation practices may expect a more rigorous process. The best approach would be to use industry and organizational best practices independent of which group is performing the checks.

A few cases as below are identified to typify the potential of this synergy:

Security & Authorization

Annex 11 and 21 CFR part 11 outline the need for authentication and authorization requirements. These also form the very core of the ISO expectations and mandate of ISMS professionals in ensuring data integrity & confidentiality. Most of these controls can be taken as access control design requirements during application set up in initial project phase and confirmed by ISMS group. The compliance group can refer to the evidence gathered by ISMS group for concepts of appropriate authentication, password management, authorization set up etc. With the resultant time saved, they can focus and bring in more value to formally validate the role-based training & authorization to specific GxP modules and functionalities in complex enterprise systems.

Audit Log and Audit trails

Audit trails in GxP Compliant computerized systems represent the core expectation from Annex 11 and 21 CFR part 11 in ensuring integrity of GXP Data. While audit logs may refer to logging activity for any changes to system configuration, user authorizations etc, from a GxP audit trail perspective it is most important to log creation and update or any data changes for GxP regulated records. For some systems, GXP Audit trail requirements could potentially be a subset of this data action change audit log . At system level both represent the same if audit logs are configured to maintain traceability of all user activity (rather than only last change) and compliance group should proactively set this expectation. As per GAMP Data Integrity Key Concepts[R4], ‘audit trails should be on from system installation and data should be fully attributable’, however compliance professionals may not be always involved during initial system set up. If the audit trail functionality is confirmed by the ISMS during application set up, the same could be leveraged by compliance group for different projects.

As a simplistic example, most enterprise systems available today offer audit trails as standard or configurable items. Audit trails availability and verification could be done during system set up and configured as enabled for specific modules as and when they go live. Of course, an assessment by quality unit for each case would be required to establish whether the system audit trails can be leveraged AS-IS or with supporting requirements and fitness for intended use. For any additional customization requirements, compliance unit would ensure audit trail requirements are captured and verified at new functionality or table level.

Another aspect for consideration is that the audit log or trail may be enabled however if it is not retained in a secure way and available for review, it does not add any value. ISMS professionals can ensure strict privileged access control to avoid any integrity issues in audit trails. The audit trail retention is discussed in detail in the last point as a consideration item for ISMS professionals.

Protecting Confidential GxP data

For open systems, 21 CFR Part 11 has mention of document encryption requirements for consideration. For closed systems though there is no explicit mention in 21CFR part 11, there is a strong case for encryption for some subset of GXP data. For e.g., Patient details are considered Pll from data privacy perspective and study details are considered confidential thus requiring encryption. In this context ISMS professionals can bring in much more value with their expertise on cryptography concepts for maintaining confidentiality and managing privacy topics. Compliance professionals working closely with the projects can check for masking or anonymization of sensitive GxP Data where production data is exposed (e.g., creating test data or migration mock loads).

Data exchange with other systems

Annex 11 states that computerized systems exchanging data electronically with other systems should include appropriate built-in checks for correct and secure entry and data processing. 21 CFR also alludes to the same with mention of terminal checks.. This is very relevant for ISMS professionals for ensuring integrity of the data exchanged. In respect of ensuring integrity, the compliance group can oversee a formal validation for intended use of the interface (including checksums when required) and requirement for transfer of metadata based on GxP complexity (e.g., audit trails). The ISMS group can contribute more on setting up monitoring of the interface for any failures, considering if any new threats are introduced in interfacing with another system (with different risk classification & security set up) and importantly ensuring confidentiality with use of encryption for data in transit as required.

Data backup & retention requirement

Back up requirement is explicitly mentioned only in Annex 11 while Retention requirements are enumerated in both 21CFR Part 11 and Annex 11. Back up topic is a forte of ISMS professionals with their in-depth knowledge of different data backup procedures, schemes and technical requirements defined for RPO (Recovery Point Objective) and RTO (Recovery Time Objective). Compliance group can use their domain knowledge in verifying that retention requirements are appropriately applied as per GXP requirements and only backup is not retained instead of true archives.

In terms of audit trail retention, though it’s a core GxP expectation, compliance group may not have enough tools to set up preventive controls and thus can leverage experience of the ISMS group to enforce this more accurately.

Above mentioned points are just few examples on the power of synergy. It is pertinent to note here that ISPE has set up a special interest group on IT Cybersecurity as part of GAMP Trademark. It would be interesting to see further discussions on building this synergy between ISMS and GxP Compliance Professionals to bring further value to the Pharma organization. 1 ^,2 ^,3 ^,4

• 1NIST Special Publication 800-53, Revision 5. Security and Privacy Controls for Federal Information Systems and Organizations https://csrc.nist.gov/publications/detail/sp/800-53/rev-5/final
• 2European Commission. Health and Consumers Directorate-General. EudraLex, “The Rules Governing Medicinal Products in the European Union.” Volume 4, “Good Manufacturing Practice Medicinal Products for Human and Veterinary Use.” Annex 11, “Computerised Systems.” 30 June 2011. https://ec.europa.eu/health/system/files/2016-11/annex11_01-2011_en_0.pdf
• 3TITLE 21--FOOD AND DRUGS CHAPTER I--FOOD AND DRUG ADMINISTRATION DEPARTMENT OF HEALTH AND HUMAN SERVICES SUBCHAPTER A - GENERALPART 11ELECTRONIC RECORDS; ELECTRONIC SIGNATURES https://www.ecfr.gov/current/title-21/chapter-I/subchapter-A/part-11?toc=1
• 4GAMP RDI Good Practice Guide: Data Integrity - Key Concepts https://ispe.org/publications/guidance-documents/gamp-good-practice-guide-date-integrity-key-concepts