Friday, March 9, 2012

How Does Someone Go About Stealing My Process (PI) Data?

One savvy prospect asked that question, and it's a great question:

A lot of user requirement specifications (URS) or detailed design specs require data security.

And if keeping your process data secure was not in your company's best interest, it is a requirement to be compliant with the infamous 21 CFR Part 11- the regulation governing how the conditions under which FDA views electronic data the "same as paper."

21 CFR Part 11, Subpart B mandates that the manufacturer

(d) Limiting system access to authorized individuals.

And demands that the use

(k) Use of appropriate controls over systems documentation including: (1) Adequate controls over the distribution of, access to, and use of documentation for system operation and maintenance.

In response to securing data and the trade secrets embedded in your company's process data, a lot of time goes into securing the server... We:

  • Create Active Directories and we map them to PI Identities.
  • We have PI Trusts to authorize specific computers
  • We bifurcate our networks and put PI behind fortinets and firewalls.

All this protects the server - but none of it protects your data from theft if you just back up your PI data to a network drive.

You see, if I wanted to steal your company's data, I wouldn't go anywhere NEAR your PI server. I'd go looking for your backup files.

Your backup files contains all the files needed to restore your PI system. If I get these files, I can recreate your PI system on my own box where I have admin rights and mine your data all day long.

As for that prospect... they're now a customer.

No comments: