As a validation engineer, why should you be concerned about Cybersecurity? Good question! Today’s headlines are filled with instances of cyber attacks and data breaches impacting some of the largest corporate systems around. As validation engineers, our job is to confirm software quality and that systems meet their intended use. How can you realistically do this without paying any attention to the threat of potential cyber attacks on validated system environment.
As with every system environment, you must ensure your readiness to help prevent a cyber event from occurring. Of course, you can never fully protect your systems to the extent that a cyber attack will never be successful, but you can certainly PREPARE and reduce the probability of this risk. That’s what this article is all about – PREPAREDNESS.
The NIST Cybersecurity Framework was created through collaboration between industry and government and consists of standards, guidelines, and practices to promote the protection of critical infrastructure.
To get a copy of the NIST Cyber Security Framework publication, click here. If you are not familiar with the NIST Cyber Security Framework, you can view an overview video and get a copy of the Excel spreadsheet.
Remember the old addage, “…if its not documented, it did’nt happen…”? You must document controls, processes and strategies to ensure that you are able to defend your readiness assessment for cybersecurity. The NIST Cyber Security Framework is designed to help organizations view cybersecurity in a systematic way as part of your overall risk management strategy for validated systems. The Framework consists of three parts:
- Framework Core – a set of cybersecurity activities, outcomes, and informative references that are common across your validated systems environments. The Framework Core consists of (5) concurrent and continuous Functions which are: (1) Identify, (2) Protect, (3) Detect, (4) Respond, (5) Recover as shown in the figure below.
- Framework Profile – help align your cybersecurity activities with business requirements, risk tolerances, and resources
- Framework Implementation Tiers – a method to view, assess, document and understand the characteristics of your approach to managing cybersecurity risks in validated systems environments. This is assessment is part of your Cybersecurity Qualification (CyQ). Life sciences companies should characterize their level of readiness from Partial (Tier 1) to Adaptive (Tier 4). You can use what ever scale you like in your assessment.
Most companies are adept at RESPONDING to cyber events rather than preventing them. This Framework, as part of your overall integrated risk management strategy for validation. We recommend for validation engineers that you DOCUMENT your strategy to confirm your due diligence with respect to cybersecurity. In my previous blog post, I recommended that in addition to conducting IQ, OQ, PQ, and UAT testing that you also conduct a CyQ readiness assessment.
Cyber threats are a clear and present danger to companies of all sizes and types. As validation engineers, we need to rethink our validation strategies and adapt to changes which can have significant impact on our validated systems environments. Whether you are in the cloud or on-premise, cyber threats are real and may impact you. This problem is persistent and is not going away anytime soon. Readiness and preparedness is the key. Some think that issues concerning cybersecurity are only the perview of the IT team – THINK AGAIN! Cybersecurity is not only an IT problem, it is an enterprise problem that requires an interdisciplinary approach and a comprehensive governance commitment to ensure that all aspects of your validation processes and business processes are aligned to support effective cybersecurity practices.
If you are responsible for software quality and ensuring the readiness of validated you need to be concerned about this matter. The threats are real. The challenges are persistent. The need for greater diligence is upon us. Check out the NIST Cyber Security Framework. Get your cyber house in order.