Computer stations unlocked - Office Stations vs Production Stations

LesPiles

Involved In Discussions
#1
Hello,


We're a small business supporting C-TPAT.

C-TPAT's requirements have a section regarding Information Technology Security.

This week, I've reinforced a requirement that is also an internal policy: all computers must be locked when unattended. We already know that this requirement is of particular importance for Purchasing dpt., Receiving / Shipping dpts, and Payables. We can also gain from this from an internal point of view in protecting our R&D and Engineering.

My problem is I received an email from the Production foreman asking if computers used on the production floor (the "brains" of automated machines) should also be locked.

Interesting question. Note that we're not ITAR or requested to follow a high level of security. We're not manufacturing missiles!!!

What do you think my answer should be? I've said to them it's an interesting question and proposed that THEY find the solution.

My opinion is that I could live without but it is surely a best practice to implement. I doubt however that we have to go as far as locking computers used on the production floor, especially if we're at a low level of risk by the nature of the product.

What do you think? I would be interested to know if you've managed this issue in your plants, especially if you're C-TPAT validated.

Thank you in advance to all that will help! :)

PS: I'm so grateful that Elsmar.com is alive again! Thanks to God! :)

LesPiles
 

Ninja

Looking for Reality
Trusted Information Resource
#2
... I received an email from the Production foreman asking if computers used on the production floor (the "brains" of automated machines) should also be locked.

What do you think my answer should be? I've said to them it's an interesting question and proposed that THEY find the solution.

My opinion is that I could live without but it is surely a best practice to implement.
I'm sure the production foreman loved your response.

My thoughts on your situation are incomplete, since I don't know what type of "automated machines" you are using.

For automated dicing saws...sure, lock them up..why not? (but at the same time, why bother?)
For evaporators of flammable solvents...locking them up adds minutes to the response time in addressing a problem...it may be a safety issue.
For machines that measure, with nothing proprietary at all on them...what are you protecting by locking them out?

C-TPAT is a fine initiative...leading us to protect sensitive things. Are the things you are asking about sensitive? If not, why bother? Just because it is a computer, doesn't mean it is a security issue.

I'm not concerned that a potential terrorist might steal my CMM program, or my list of Safety Data Sheets. My customer list and formulas...they get locked down.

The "best practice" would be the thing that makes you as secure as possible WITHOUT impacting your safety or business operations.
How did your employees take it when you banned all cell phones from the building?
 

Candi1024

Quite Involved in Discussions
#4
Being a medical device manufacturer, we need to show that all of our process parameters are in control, as well as all test data is protected. Therefore we do log in as different users to the computer, and only allow those users qualified to be able to modify the drive that contains test data. The dicing saws are locked to avoid "accidental" changes. If we are unable to lock parameters, we verify they are correct every six months when we do PMs (or sooner based on risk).

I'm actually in charge of the CAPA which is currently reviewing all of our production equipment to ensure we are meeting this requirement.
 

Jen Kirley

Quality and Auditing Expert
Staff member
Admin
#5
The decision to lock computers out when unattended should be made following a determination of the machine(s) vulnerabilities.

Users are the weak link.

1) Do they have access to the Internet, or email, or other part(s) of the network? (Do your recipes live in the machines or in a networked "library?")
2) Do they have access to non-related files or documents that should be protected from loss or unauthorized access?
3) Do they have access to files or documents that can be altered without specific allowable arrangements made?
4) Can files be copied onto another form of media from these computers?

These are "gateway" questions. As always, the answer to "should I protect?" is "it depends;" especially as I have no clear idea what your setup is. The decision to protect is made on the ability, likelihood, and consequences of data loss or disruption. Even the "hassle factor" involved with disruption might outweigh convenience if recovery requires more than just inserting a new disc.

The extent of hassle ranges from nuisance to Sony's epic drama.

:2cents:

P.S.
Don't forget copy machines and some scanners, as the newer ones also have hard drives; what happens to them when you're finished with them? Also, please don't forget that shredding hard copy is not always the end.
 