A couple of weeks back, I launched a brief blog series about assessing and mitigating risk in regulated IT systems. This week's post covers the first part of a four-part approach you can use to do just that: assess and mitigate risk.
Part One: System Regulated Status
The first step is to determine whether a system is required to comply with industry regulations. Create a standardized set of questions/criteria, along with standardized answer choices, that you can use to evaluate whether a system is regulated. This set of questions should be based on the regulations that govern your organization (i.e., the regulations that govern the places in the world where you conduct regulated business operations).
If a system is determined to be regulated, the way you implement, manage, and even retire that system will need to comply with the governing regulations. If a system is determined not to be regulated, but it shares an information technology (IT) network with systems that are regulated, you will need to clearly document how you will protect the regulated systems from the non-regulated ones.
Stay tuned for the next post in this series, which will focus on determining a regulated system’s risk level. Until then, enjoy a little light reading: The Ultimate Guide to 21 CFR Part 11.