Cybersecurity Qualification (CyQ)

One topic that has been top of mind for many validation engineers, chief information officers, and executive management is Cybersecurity. You may be asking yourself why we are talking about Cybersecurity and validation. Recent headlines will tell you why this topic should be of great interest to every validation engineer. As validation engineers we spend a lot of time stressing about risk assessments, system security, and qualification of system environments. Our job is to validate the system to ensure its readiness for production use. Let me ask a question… How can you ensure that a system is ready for production use if it is not cyber-ready? This is why we are talking about Cybersecurity in the context of validated systems.

When it comes to computer systems in today’s highly networked environment, Cybersecurity is the elephant in the room. All networked systems may be vulnerable to cybersecurity threats. Businesses large and small may be subject to cyber-attacks, and the exploitation of these vulnerabilities may present a risk to public health and safety if not properly addressed. Although we know these truths all too well, many validation engineers are not even discussing Cybersecurity as part of an overall validation strategy.

No company can prevent every cyber-attack, but it is critically important that companies begin to think seriously about how to protect themselves from persistent cyber criminals determined to inflict as much damage as possible on computer systems in either highly regulated or nonregulated environments. One thing we know about cyber criminals is that they are equal opportunity offenders – everyone has a degree of vulnerability. To beat them at their game, you have to be one step ahead of them.

In the validation world, we often refer to validation testing as IQ/OQ/PQ testing. I would like to submit for your review and consideration another type of enhanced validation testing that we should be doing: Cybersecurity qualification or, as I like to refer to it, “CyQ”. What is a CyQ? It is confirmation of a system’s protection controls and readiness to prevent a cyber-attack. In one of my recent blog posts, I declared that “…computer systems validation as we know it is dead!…” Now of course I mean that tongue in cheek! What I was referring to is that it is time to rethink our validation strategy, because we need to address the Cybersecurity risk that today’s cloud-based and on-premise systems are exposed to. We can no longer look at systems the way we did in the 1980s. Many life sciences companies are deploying cloud-based technologies, mobile systems, the Internet of Things (IoT) and many other advanced technologies in the pursuit of innovation that may drive greater risk profiles in validated systems. Incorporating CyQ in your overall validation strategy is one way to address these challenges.

The National Institute of Standards and Technology (NIST) introduced a cybersecurity framework. The five elements of the framework are shown in the figure below.

[Figure: NIST Cybersecurity Framework]

As a validation engineer I have studied this framework for its applicability to validated systems. Each element of the framework addresses a dimension of your cybersecurity profile. To conduct a CyQ assessment, you need to examine each element of the cybersecurity framework to determine your readiness in each respective category. I have developed a CyQ Excel Spreadsheet which examines each element of the framework and allows you to summarize your readiness to prevent a cyber-attack. (If you would like a copy of the CyQ Excel Spreadsheet, please contact me using the contact form and I will happily send it to you.)

 

Remember, for validated systems, if it is not documented, it did not happen! Cybersecurity Qualification analysis must be documented. When it comes to data integrity and systems integrity, you must be ready to explain to regulators what controls you have in place to protect both the data and the systems under your management.

Another consideration in the management of cyber threats is EDUCATION. The biggest cyber breach may come from the person in the cubicle next to you! You must provide cyber training (and document it), and do it on a frequent basis to keep pace.

For your next validation project, address the elephant in the room explicitly.   Cyber threats are not diminishing, they are increasing.  It is important to understand their origin and seriously consider how they can and will impact validated systems.  We can no longer think that IQ/OQ/PQ is sufficient.  While it has served its purpose in times past, we need a more effective strategy to address today’s clear and present danger to validated systems – the next cyber-attack.  It could be YOUR SYSTEM.  Deal with it!

Leveraging the NIST Cybersecurity Framework

As a validation engineer, why should you be concerned about Cybersecurity? Good question! Today’s headlines are filled with instances of cyber attacks and data breaches impacting some of the largest corporate systems around. As validation engineers, our job is to confirm software quality and that systems meet their intended use. How can you realistically do this without paying any attention to the threat of potential cyber attacks on validated system environments?

As with every system environment, you must ensure your readiness to help prevent a cyber event from occurring.  Of course, you can never fully protect your systems to the extent that a cyber attack will never be successful, but you can certainly PREPARE and reduce the probability of this risk.   That’s what this article is all about – PREPAREDNESS.

The NIST Cybersecurity Framework was created through collaboration between industry and government and consists of standards, guidelines, and practices to promote the protection of critical infrastructure.

To get a copy of the NIST Cyber Security Framework publication, click here.  If you are not familiar with the NIST Cyber Security Framework, you can view an overview video and get a copy of the Excel spreadsheet.

Remember the old adage, “…if it’s not documented, it didn’t happen…”? You must document controls, processes and strategies to ensure that you are able to defend your readiness assessment for cybersecurity. The NIST Cyber Security Framework is designed to help organizations view cybersecurity in a systematic way as part of an overall risk management strategy for validated systems. The Framework consists of three parts:

  1. Framework Core – a set of cybersecurity activities, outcomes, and informative references that are common across your validated systems environments. The Framework Core consists of five concurrent and continuous Functions: (1) Identify, (2) Protect, (3) Detect, (4) Respond, (5) Recover, as shown in the figure below.
  2. Framework Profile – helps align your cybersecurity activities with business requirements, risk tolerances, and resources.
  3. Framework Implementation Tiers – a method to view, assess, document and understand the characteristics of your approach to managing cybersecurity risks in validated systems environments. This assessment is part of your Cybersecurity Qualification (CyQ). Life sciences companies should characterize their level of readiness from Partial (Tier 1) to Adaptive (Tier 4). You can use whatever scale you like in your assessment.

[Figure: NIST Cybersecurity Framework]

Most companies are adept at RESPONDING to cyber events rather than preventing them. Use this Framework as part of your overall integrated risk management strategy for validation. We recommend that validation engineers DOCUMENT their strategy to confirm due diligence with respect to cybersecurity. In my previous blog post, I recommended that in addition to conducting IQ, OQ, PQ, and UAT testing you also conduct a CyQ readiness assessment.

Cyber threats are a clear and present danger to companies of all sizes and types. As validation engineers, we need to rethink our validation strategies and adapt to changes which can have significant impact on our validated systems environments. Whether you are in the cloud or on-premise, cyber threats are real and may impact you. This problem is persistent and is not going away anytime soon. Readiness and preparedness are the key. Some think that issues concerning cybersecurity are only the purview of the IT team – THINK AGAIN! Cybersecurity is not only an IT problem; it is an enterprise problem that requires an interdisciplinary approach and a comprehensive governance commitment to ensure that all aspects of your validation processes and business processes are aligned to support effective cybersecurity practices.

If you are responsible for software quality and ensuring the readiness of validated systems, you need to be concerned about this matter. The threats are real. The challenges are persistent. The need for greater diligence is upon us. Check out the NIST Cyber Security Framework. Get your cyber house in order.

 

How Vulnerable Is Your Validated System Environment?

If you are a validation engineer reading this post, I have a simple question to ask you: “How vulnerable is your validated systems environment?” Has anyone ever asked you this question? How often do you think about the impact of a cyber threat against your validated computer system? I know… you may be thinking that this is the IT department’s responsibility and you don’t have to worry about it. THINK AGAIN!

If you have picked up a newspaper lately, you will see cyber threats coming from all directions. The White House has been hacked, companies big and small have been hacked into, and from the hacker’s perspective there seems to be no distinction between small, medium or large enterprises. In summary, everyone is vulnerable. The definition of a cyber threat is the possibility of a malicious attempt to damage or disrupt a computer network or system.

Network applications continue to create new business opportunities and power the enterprise. A recent report suggested that the impact and scale of cyber-attacks is increasing dramatically. The recent leak of government-developed malware has given cyber criminals greater capabilities than they had before. IT is struggling to keep pace with the flow of important software security patches and updates, and the continuous adoption of new technologies like the Internet of Things (IoT) is creating new vulnerabilities to contend with.

A recent study in 2017 by CSO highlighted the fact that 61% of corporate boards still see security as an IT issue rather than a corporate governance issue. This is only one part of the problem. It is not even on the radar of most validation engineers. You cannot begin to confirm that a system meets its intended use without dealing with the concept of cyber security and its impact on validated systems.

Validated computer systems house GMP and quality information as well as the data required by regulators, so particular scrutiny must be paid to these systems. Compromise of a validated system may lead to adulterated product and issues which may affect the product’s quality, efficacy and other critical quality attributes of marketed product. Therefore, attention must be paid to validated systems with respect to their unique vulnerability.

As part of the validation lifecycle process we conduct IQ, OQ, and PQ testing as well as user acceptance testing to confirm a system’s readiness for intended use.  I am suggesting that another type of testing be added to the domain of validation testing which is called cyber security qualification or CyQ.

Cyber security qualification is confirmation of a system’s readiness to protect against a cyber attack.


You should incorporate CyQ in your validation testing strategy.  It is imperative that your validated systems are protected against a cyber event.  You must document this as well to prove that you have conducted your due diligence.  Given all of the attention to cyber events in the news, you need a strategy to ensure sustained security and compliance.  Are you protecting your validated systems?  If not, you should.

The True Meaning of Software Quality

As a long-time validation engineer, I often ponder questions such as “what does it mean to achieve software quality and is it sustainable over time?”  I ask myself these questions because in today’s systems environments, there are many factors that can impact software quality assurance.

Cyber threats are the elephant in the room.  Most validation projects include IQ/OQ/PQ and UAT testing but do not address cyber threats at all.  Can you really ensure that your validated environments are safe and secure without considering cybersecurity as part of your overall validation strategy?  The International Software Testing Qualifications Board (ISTQB) defines software quality as “…The totality of functionality and features of a software product that bear on its ability to satisfy stated or implied needs…”  Another definition is “…the degree of conformance to explicit or implicit requirements and expectations…”  Finally, IEEE calls software quality “…The degree to which a system, component, or process meets specified requirements, customer, user needs or expectations…”  As shown by the definitions above, software quality is somewhat subjective.

Data integrity is also a critical concern for validated systems.  It is also a key imperative for software quality.  Data integrity is a hot topic lately and generally refers to the accuracy and consistency of information stored in corporate databases, data warehouses or other such constructs.  Data integrity ensures that information is accurate and reliable and in today’s environments, legally defensible.   The accuracy and trustworthiness of data within your systems MUST NOT be in question.

Why is data integrity so important? Because companies routinely make decisions based on information housed within corporate databases.

The lack of data integrity over the lifecycle of a system could cause adulterated product to get to the market, incorrect shipping of controlled materials/substances, and a wide variety of  issues affecting the quality, safety and efficacy of a company’s products.  Data integrity is not the purview of technology alone.  To manage data integrity in the broadest sense requires people, processes and technology.

The ALCOA principle, as highlighted in the figure below, requires that data be attributable to the individual responsible for recording the data/activity. The “L” in ALCOA means that information must be clear and legible after it is recorded and permanent. The “C” in ALCOA means that the data must be recorded at the time it was generated. The “O” means data must be preserved in an unaltered state. The final “A” in ALCOA means that data must be accurate and reflect the action or observation made. Modifications must be explained if they are not self-explanatory.

[Figure: ALCOA principle]
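An added example, not part of the original post: one way to check an electronic audit trail against the ALCOA attributes described above. The record layout, the five-minute recording tolerance and the hash chain used to detect altered entries are assumptions of this sketch; whether a value is accurate still has to be reviewed against the source observation.

```python
import hashlib
import json
from datetime import datetime, timedelta

# Assumed tolerance for "recorded at the time it was generated".
MAX_LAG = timedelta(minutes=5)
GENESIS = "0" * 64
FIELDS = ("user", "observed_at", "recorded_at", "field", "value", "reason")

def entry_hash(entry, prev_hash):
    """Hash an entry's content together with the previous entry's hash."""
    body = json.dumps({k: entry.get(k, "") for k in FIELDS}, sort_keys=True)
    return hashlib.sha256((prev_hash + body).encode()).hexdigest()

def append(trail, user, observed_at, recorded_at, field, value, reason=""):
    """Record an entry and chain it to the one before it."""
    entry = dict(user=user, observed_at=observed_at, recorded_at=recorded_at,
                 field=field, value=value, reason=reason)
    entry["hash"] = entry_hash(entry, trail[-1]["hash"] if trail else GENESIS)
    trail.append(entry)

def check_alcoa(trail):
    """Return (entry index, violated principle) for each problem found."""
    findings, prev, seen = [], GENESIS, set()
    for i, e in enumerate(trail):
        if not e.get("user"):
            findings.append((i, "attributable"))
        value = str(e.get("value", ""))
        if not value.strip() or not value.isprintable():
            findings.append((i, "legible"))
        lag = (datetime.fromisoformat(e["recorded_at"])
               - datetime.fromisoformat(e["observed_at"]))
        if lag < timedelta(0) or lag > MAX_LAG:
            findings.append((i, "contemporaneous"))
        if e.get("hash") != entry_hash(e, prev):
            findings.append((i, "original"))  # content changed after recording
        if e["field"] in seen and not e.get("reason"):
            findings.append((i, "unexplained modification"))
        seen.add(e["field"])
        prev = e.get("hash", "")
    return findings

def build_sample():
    """Constructed sample trail with one deliberate violation per entry."""
    t = []
    append(t, "jdoe", "2024-03-01T09:00:00", "2024-03-01T09:01:00", "batch-17/pH", "7.2")
    append(t, "", "2024-03-01T09:10:00", "2024-03-01T09:10:30", "batch-17/temp", "21.5")
    append(t, "asmith", "2024-03-01T09:20:00", "2024-03-01T15:00:00", "batch-17/weight", "502")
    append(t, "jdoe", "2024-03-01T09:30:00", "2024-03-01T09:31:00", "batch-17/pH", "7.4")
    t[0]["value"] = "6.9"  # edited in place after recording, bypassing append()
    return t

if __name__ == "__main__":
    for index, principle in check_alcoa(build_sample()):
        print(f"entry {index}: fails '{principle}'")
```

The sample trail mixes one violation per entry so that each check is exercised by a case written to fail, not only by records that pass.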

No matter what the definition, software quality is all about providing assurance that a system is suitable for its intended use in some way.  We confirm this through testing.  However, it should be noted that testing alone cannot in and of itself ensure software quality.  Testing merely provides a level of assurance or confidence in a software application under specific controlled conditions.

You cannot discuss software quality without a discussion on data integrity.  To derive the true meaning of software quality it is important to consider the following key activities:

  • Establish SOPs That Provide Governance For Software Quality Assurance and Data Integrity
  • Document Everything (if it’s not documented, it didn’t happen)
  • Establish a Rigorous Software Change Management Process
  • Attain Level 5 Validation Processes Through Automation
  • Enforce Standards For Testing and Documentation
  • Identify, Track, and Manage Software Quality Metrics and KPIs
  • Conduct Positive and Negative Software Testing

The first step on your way to software quality and data integrity is to establish and follow procedures that provide governance over the process. You must have procedures that cover everything from validation to data integrity, automation, and everything in between. Second, you must document everything you do to ensure software quality and integrity. Third, you must establish a rigorous software change management process that helps track and manage all changes made to a cloud-based or on-premise system, including who made the changes and why.

Fourth, you must drive your organization to Level 5 validation processes. This is derived from the validation capability maturity model as illustrated in the figure below.

[Figure: Validation Maturity Model]

Level 5 validation means your processes are automated and optimized in a way to ensure quality and compliance.  Fifth, you must enforce all standards for testing and documentation.  This will also require Level 5 automation to achieve your objectives. Sixth, you must identify and track software quality metrics.  You cannot achieve what you don’t measure.  Peter Drucker often said “… you can’t manage what you can’t measure…”  He also said “… what gets measured gets improved…”  You must identify and track metrics to ensure you stay on track.

And finally, in all of your validation testing, conduct positive and negative testing against applications.  The FDA states in the General Principles of Software Validation; Final Guidance For Industry and FDA Staff issued on Jan 11, 2002, that “… A good test case has a high probability of exposing an error; A successful test is one that finds an error…”  This may be somewhat counter-intuitive but I am often stunned at how many validation test scripts are written so that they PASS rather than written to discover an error.  A good software test will reveal errors if written correctly.  When I interrogate applications, I often am looking to reveal problems that may arise during production.

It has been often said that software quality is no accident.  It is the deliberate result of intelligent planning, hard work and rigorous execution.

Software quality is NOT error or bug-free software.  It is about software that is of high quality and sufficiently meets the demands and expectations of the end user community.  AUTOMATION IS KEY.  Automated testing helps easily replicate tests, increases test coverage, reduces errors, improves consistency, and delivers automated traceability enabling more software defects to be discovered and addressed.

The issues surrounding software quality and data integrity are increasing across the globe. Your organization must be ready to deal with the challenges presented by these issues. WILL YOUR ORGANIZATION BE READY? Think about it.