Computer stations unlocked - Office Stations vs Production Stations


LesPiles

Hello,


We're a small business supporting C-TPAT.

C-TPAT's requirements have a section regarding Information Technology Security.

This week, I've reinforced a requirement that is also an internal policy : all computers must be locked when unattended. We already know that this requirement is of particular importance for Purchasing dpt., Receiving / Shipping dpts, and Payables. We can also gain from this from an internal point of view in protecting our R&D and Engineering.

My problem is I received an email from Production foreman asking the question if computers used on the production floor (the "brains" of automated machines) should also be locked.

Interesting question. Note that we're not ITAR or requested to follow high level of security. We're not manufacturing missiles !!!

What do you think my answer should be ? I've said to them it's an interesting question and proposed that THEY find the solution.

My opinion is that I could live without but it is surely a best practice to implement. I doubt however that we have to go as far as locking computers used on the production floor, especially if we're at a low level of risk by the nature of the product.

What do you think ? I would be interested to know if you've managed this issue in your plants, especially if you're C-TPAT validated.

Thank you in advance to all that will help ! :)

PS : I'm so grateful that Elsmar.com is alive again ! Thanks to God ! :)

LesPiles
 

Ninja

Looking for Reality
Trusted Information Resource
... I received an email from Production foreman asking the question if computers used on the production floor (the "brains" of automated machines) should also be locked.

What do you think my answer should be ? I've said to them it's an interesting question and proposed that THEY find the solution.

My opinion is that I could live without but it is surely a best practice to implement.

I'm sure the production foreman loved your response.

My thoughts on your situation are incomplete, since I don't know what type of "automated machines" you are using.

For automated dicing saws...sure, lock them up..why not? (but at the same time, why bother?)
For evaporators of flammable solvents...locking them up adds minutes to the response time in addressing a problem...it may be a safety issue.
For machines that measure, with nothing proprietary at all on them...what are you protecting by locking them out?

C-TPAT is a fine initiative...leading us to protect sensitive things. Are the things you are asking about sensitive? If not, why bother? Just because it is a computer, doesn't mean it is a security issue.

I'm not concerned that a potential terrorist might steal my CMM program, or my list of Safety Data Sheets. My customer list and formulas...they get locked down.

The "best practice" would be the thing that makes you as secure as possible WITHOUT impacting your safety or business operations.
How did your employees take it when you banned all cell phones from the building?
 

Candi1024

Quite Involved in Discussions
Being a medical device manufacturer, we need to show that all of our process parameters are in control, as well as all test data is protected. Therefore we do log in as different users to the computer, and only allow those users qualified to be able to modify the drive that contains test data. The dicing saws are locked to avoid "accidental" changes. If we are unable to lock parameters, we verify they are correct every six months when we do PMs (or sooner based on risk).

I'm actually in charge of the CAPA which is currently reviewing all of our production equipment to ensure we are meeting this requirement.
 

Jen Kirley

Quality and Auditing Expert
Leader
Admin
The decision to lock computers out when unattended should be made following a determination of the machine(s) vulnerabilities.

Users are the weak link.

1) Do they have access to the Internet, or email, or other part(s) of the network? (Do your recipes live in the machines or in a networked "library?")
2) Do they have access to non-related files or documents that should be protected from loss or unauthorized access?
3) Do they have access to files or documents that can be altered without specific allowable arrangements made?
4) Can files be copied onto another form of media from these computers?

These are "gateway" questions. As always, the answer to "should I protect?" is "it depends;" especially as I have no clear idea what your setup is. The decision to protect is made on the ability, likelihood, and consequences of data loss or disruption. Even the "hassle factor" involved with disruption might outweigh convenience if recovery requires more than just inserting a new disc.

The extent of hassle ranges from nuisance to Sony's epic drama.

:2cents:

P.S.
Don't forget copy machines and some scanners, as the newer ones also have hard drives; what happens to them when you're finished with them? Also, please don't forget that shredding hard copy is not always the end.
 