Imagine multiple GMP critical systems across different plants, departments and across the globe… No wonder this creates a lot of complexity for the people who control access to these systems.
Authorisation checks for access to systems is often cumbersome and, more importantly, not risk-free. In my experience, the processes around Access Control often face these problems:
- It is manually managed in disparate systems
- Authorisation on access approvals is poorly documented and managed
- Segregation of duties is often completely overlooked, unclear, not documented and subject to change during the life cycle of systems
- Authorisation on access approvals has no relation with training/qualification records
- Emergency or temporary access is not supported and poorly documented
- Access Control is not audit-ready at every moment in time
Needless to say, the problems above can lead to inappropriate, unauthorised access, which ultimately can lead to higher risks in the operation, non-compliance with 21 CFR Part 11 paragraph 11.10(d)/(g)/(i), loss of proprietary information and misuse of systems.
The graph below shows quality and effort of authorisation checks without an automated Access Control tool:
Figure 1: Quality and effort without AC tool
It is clear that this graph is very reactive, and therefore volatile. In a controlled/regulated environment this is of course undesirable.
Creating a business case for automated Access Control
That said, making a case for an automated Access Control system can actually be quite straightforward because you can measure direct impact by recording and analysing:
- The access request process, with requests, changes and their throughput times and documentation
- The efficiency of the approval process
- A list of systems that are (or should be) subject to Access Control
- The internal and external audit findings
- Possible risks of SoD
- Extent of compliance with GMP regulations such as 21 CFR Part 11 (Electronic records; Electronic signatures)
In the following figure, we have mapped the quality and effort of an automated tool onto the same graph. It is obvious that the effort is high when kicking off an implementation project like this, but the return on investment on quality and reduction of effort is achieved relatively quickly.
Figure 2: Quality and effort with AC tool
In my opinion, manually managing Access Control within (large) GMP critical environments is nearly impossible. The risks of non-compliance due to human error increase as new applications are introduced more rapidly and the IT landscape becomes increasingly more complex.
Introducing automated tools can help in structuring the requesting and management process. The additional benefit is that you have an extensive check on the current state.
Looking for help to build your business case? Get in touch!