To lay down a standard operating procedure for passwords and user privileges for software used in the laboratory.
This SOP is applicable to the Quality Control Department.
| Role | Responsibility |
|---|---|
| Quality Control | To prepare, review and check the SOP |
| Quality Assurance | To review and check the compliance of the SOP |
| QA Head/Designee | To approve the SOP |
- ENVIRONMENT, HEALTH AND SAFETY: Not Applicable
- Password: An unspaced sequence of characters used to access the system as a unique identity.
- Administrator: Person responsible for controlling access for different users and defining their privileges in the software based on their job responsibilities. The administrator is not a software user himself.
- Access: Permission, privilege or ability to read, enter, update, manage or administer access to information assets.
- Network: A network of interconnected and interoperable computing devices and software which provides seamless access to applications and data related to the software.
- Information Technology System Administrator: The SA is the person responsible for the administration of IT systems and the first level of contact for all IT matters. May also be referred to as the system administrator, SA, or IT Section Head / administrator. The SA works and reports in accordance with the IT manual.
- Server: A central computer connected to the network which provides shared access to applications and data. Servers are located in a secure and environmentally controlled location.
- Software: A computer program or code which, when executed on a computer, performs a set of business process tasks or provides access to hardware devices and resources.
- Users: Persons authorized to use IT resources. No person may access critical data without authorization. The SA assigns access permissions to users.
- Preface: Over the last years, IT usage has grown substantially. We initially started the laboratory with a few standalone PCs. Today we have multiple networks of PCs, laptops, printers, network devices etc., all interconnected and supporting state-of-the-art applications. Access to corporate applications and data is available only to company-authorized users. High levels of flexibility and complexity also bring associated risks and thus require a certain level of discipline in using these systems.
- Policy Development: The policy development has been split into two phases. Phase I comprises network and data access and implementation of user logins at the lab, while Phase II covers other branches, instrumentation, and fine tuning of network and data access. The enforcement time for the complete policy has been set as twelve months from the date of issue.
- Policy Deviations: Any deviation from the policies detailed in this document requires the written approval of the Director.
- Based on the diversity, complexity and criticality of the application, software should have different levels of password control. To restrict access to different sets of data or applications for different groups, the required data / applications should be linked through privileges such that each group is restricted to only the data / applications it requires.
- Passwords can be set based on the level of security available in the software. Software is classified into two types: single-level control and multiple-level control.
- Single-level control software contains only one level of security for access and modification, e.g. Excel. In this case the responsible person (Administrator) should set the password.
- Multiple-level control software has more than one level of security for access and modification, e.g. ChemStation, OpenLab and EZChrom. There are four control levels, i.e. Level 1, Level 2, Level 3 and Level 4.
- Each user is accountable for the selection, confidentiality and revision of the password required for authentication. Passwords help to ensure that only authorized persons can access computer systems / software. Passwords also help to establish accountability for all transactions and other changes made to system resources, including data.
- A strong password is the first line of defense for an individual computer user's account.
- Creation / Modification / Unlocking / Revocation of User Account and Password
- Before creation of any user account, the section head / supervisor should ensure qualification by verifying that training has been imparted as per the concerned instrument / software SOP.
- Whenever a person resigns from the job, all of their software user IDs should be disabled, preferably before they leave the organization.
- Do's and Don'ts to be Followed for Creation and Protection of Passwords
- Passwords should be treated as confidential information; keep them secret and safe. Be careful while entering your password with somebody else around.
- The password should contain:
- A minimum of 6 characters in length, or as per system specification.
- A combination of upper- and lower-case characters (e.g. A-a, Z-z).
- Non-alphabetic characters, e.g. digits or punctuation.
- Alphanumeric characters, i.e. a combination of letters and numbers, e.g. 0, 1 ... 9, a, b, C, d, E, F, g, y, Z etc. It may also contain special characters, e.g. $, %, @ etc. The more characters used in making the password, the more stringent the password control.
- Choosing the right password is something that many people find difficult; there are so many applications that require a password that remembering them all can be a real problem. Because of this, a lot of people choose passwords very badly. Do choose a password that is easy to key in: the faster you can type the password, the more difficult it is for someone to steal it by watching.
- The password should be easy to remember, so that users do not have to write it down.
- Do not leave the computer unattended with any software open; always log off before leaving a computer.
- The computer screen should lock whenever left unattended, preferably within three minutes. Wherever possible, modification of the screen saver should be disabled for control.
- The password should not be:
- Well-known or easily accessible personal information about the user.
- Things located nearby, e.g. computer, monitor, keyboard, printer etc.
- The user name, account name, computer name or email address.
- Just numbers, or all identical letters.
- The company's name or geographic location.
- Trivial, predictable or obvious.
- Any of the password examples shown in this SOP or guidelines.
- An old password (at least for a period of 6 months).
- Do not share your password or username with others, not even with the system administrator. No employee is allowed to give, tell, or hint their password to another person, including IT staff, administrators, supervisors, other co-workers, friends, or family members, under any circumstances.
- When receiving technical assistance, do not divulge your password to the IT specialist; stay with your computer and enter the password yourself whenever required.
- Passwords should not be transmitted electronically over the unprotected internet, such as via e-mail, SMS or telephone. However, a password may be used to gain remote access to company resources via the company's secured network with authentication.
- No employee is allowed to keep an unsecured written record of his / her password, either on paper or in an electronic file. If it is necessary to retain one, a hardcopy must be kept in a controlled-access place, and an electronic copy must be kept in an encrypted file. Note that the password cache that comes with MS Windows is not secure, so whenever Windows prompts to "Remember password", do not save it.
- Do not allow other people to see your password while typing.
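The composition and "should not be" rules above can be checked mechanically before a password is accepted. The checker below is an added example, not part of this SOP; it applies the rules as stated (minimum 6 characters, mixed case, a non-alphabetic character, not just numbers or identical characters, not the user / account / computer / email name, not a denylisted term such as the company name, not a password reused within the last 6 months). The denylist, the history format (password, ISO date of setting) and the six-month window of 182 days are assumptions.

```python
import string
from datetime import date, timedelta

MIN_LENGTH = 6                        # "minimum of 6 characters ... or as per system specification"
HISTORY_WINDOW = timedelta(days=182)  # old passwords barred for about 6 months (assumed as 182 days)


def password_violations(password, username="", account="", computer="", email="",
                        denylist=(), history=(), today=None):
    """Return the list of SOP rules the candidate password breaks; an empty list means acceptable.

    history: iterable of (old_password, "YYYY-MM-DD") pairs from the Record of Password Revision;
    only entries set within HISTORY_WINDOW of today count as "old passwords" (assumption).
    denylist: constructed list of barred terms (company name, locations, SOP examples).
    """
    today = date.fromisoformat(today) if today else date.today()
    violations = []
    if len(password) < MIN_LENGTH:
        violations.append("shorter than %d characters" % MIN_LENGTH)
    if not (any(c.isupper() for c in password) and any(c.islower() for c in password)):
        violations.append("needs both upper- and lower-case letters")
    if not any(c.isdigit() or c in string.punctuation for c in password):
        violations.append("needs a digit or punctuation character")
    if password.isdigit():
        violations.append("just numbers")
    if len(set(password)) == 1:
        violations.append("all identical characters")
    low = password.lower()
    # Identifiers are barred if they appear anywhere in the password (case-insensitive);
    # this is a slightly stricter reading than plain equality.
    for label, ident in (("user name", username), ("account name", account),
                         ("computer name", computer), ("email address", email)):
        if ident and ident.lower() in low:
            violations.append("contains the %s" % label)
    for term in denylist:
        if term.lower() in low:
            violations.append("contains denylisted term %r" % term)
    for old, set_on in history:
        if old == password and today - date.fromisoformat(set_on) <= HISTORY_WINDOW:
            violations.append("reuses a password set on %s" % set_on)
    return violations
```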
- Change of Password
Follow the procedure below for change of password:
- On first-time login, the system shall ask the user to change the password; change the password.
- If an employee either knows or suspects that his / her password has been compromised, he / she must change the password immediately.
- Passwords are not permanent. The password in each individual software must be changed regularly, at least within 90 days (more frequently if your account has access to sensitive information) from the date of assignment of the password.
- After 90 days the software should require the user to change the password, or should deny access until the password is changed. Where the software does not support this feature, password change should be controlled manually by a designated person.
- Where the user does not have the privilege to change the password in the software, the administrator should give the user access to change the password.
- Whenever the password is changed, the activity should be logged by the user in the "Record of Password Revision", which is maintained for future reference.
- Software that does not have a feature to define password validity should be monitored to ensure that users are updating their passwords within 90 days.
- Security Considerations
- Preferably the software should have control over the number of unsuccessful logon attempts. The user account should get locked after a predetermined number (preferably a maximum of five) of consecutive unsuccessful logon attempts. When a user account is locked, the administrator should investigate the cause of the lock, and a record of the unlocking should be maintained.
- The IT Administrator (system administrator) for the workstations / server should be a person from IT.
- If the IT Administrator will be unavailable for a longer period, e.g. on vacation, the responsibility of the administrator should be assigned to another competent person for that period by the Quality Manager. After the IT Administrator returns, the Quality Manager should withdraw the privileges assigned to that person.
- If the IT Administrator resigns from the job, his / her ID should be locked immediately and a new person nominated by the Quality Manager.
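The lockout rule above and the 90-day change rule in the "Change of Password" section can be modelled together. The account model below is an added example, not part of this SOP or of any of the named software: it locks an account after five consecutive failures, forces a change on first login or when the password is older than 90 days, and flags users in a "Record of Password Revision" (assumed here to be a user-to-ISO-date mapping) whose last change is overdue, for software that cannot enforce expiry itself.

```python
from datetime import date, timedelta

MAX_PASSWORD_AGE = timedelta(days=90)   # "at least within 90 days"
MAX_FAILED_ATTEMPTS = 5                 # "preferably maximum five" consecutive failures


class Account:
    """Model of one software user account under this SOP (added illustration, not real software)."""

    def __init__(self, user, password_set_on, first_login=True):
        self.user = user
        self.password_set_on = date.fromisoformat(password_set_on)
        self.must_change = first_login      # first-time login forces a password change
        self.failed_attempts = 0
        self.locked = False

    def password_expired(self, today):
        return date.fromisoformat(today) - self.password_set_on > MAX_PASSWORD_AGE

    def attempt_login(self, password_ok, today):
        """Return 'locked', 'denied', 'change_required' or 'ok'."""
        if self.locked:
            return "locked"                 # only the administrator unlocks, after investigating
        if not password_ok:
            self.failed_attempts += 1
            if self.failed_attempts >= MAX_FAILED_ATTEMPTS:
                self.locked = True
                return "locked"
            return "denied"
        self.failed_attempts = 0            # a success resets the consecutive-failure counter
        if self.must_change or self.password_expired(today):
            return "change_required"        # access is denied until the password is changed
        return "ok"

    def change_password(self, today):
        self.password_set_on = date.fromisoformat(today)
        self.must_change = False

    def admin_unlock(self, reason):
        """Unlock after investigation; returns the line to keep in the unlocking record."""
        self.locked = False
        self.failed_attempts = 0
        return "%s unlocked: %s" % (self.user, reason)


def overdue_users(revision_record, today, max_age=MAX_PASSWORD_AGE):
    """Users whose last recorded change is older than max_age (manual control for software without expiry)."""
    t = date.fromisoformat(today)
    return sorted(u for u, d in revision_record.items() if t - date.fromisoformat(d) > max_age)
```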
- Privilege Groups: A list of software users / GLP system users who have access, and their level of access (privilege group), should be documented.
- If any user leaves the organization or ceases to use the software, his / her account should be locked. If his / her responsibility changes, his / her privileges should be updated accordingly.
- All changes defined above should be recorded with signature and date in the remarks column of the list.
- Associated with each user ID will be a user-assigned password, which will be authenticated by the operating system / application software before the user is granted access to the IT system / information for which the access code is applicable.
- Password Structure:
- All system-level passwords must be changed at least on a quarterly basis.
- Passwords for employees will have a minimum age of 0 days and a maximum age of 90 days.
- Password Protection:
- Do not share your password with anyone, including the SA. All passwords are to be treated as sensitive and confidential information.
- Do not reveal a password over the phone to anyone.
- Do not reveal a password to co-workers while on vacation.
- Try not to use the "remember password" feature of applications.
- If you suspect your password has been compromised, change the password and report to the SA.
- Monark Level Password:
The Monark hardware or firmware level password will be locked by the IT section. The local IT section will use a 'supervisor' level password to protect / maintain Monark level settings on a client device.
- System and Network Activities
The following activities are strictly prohibited, with no exception:
- Circumventing user authentication or security of any host, network or account.
- Providing information about, or lists of, employees to outside parties, except for official business purposes and after appropriate approval.
- Keeping sexually explicit, abusive or offensive material on the client device.
- Approved Hardware:
- Client end
- Desktop PCs
- Printers and print servers
- Usage General Guidelines:
Information Use and Ownership:
- While the IT section desires to provide a reasonable level of privacy, users should be aware that data they create on the corporate network remains company property.
- Because of the need to protect the network, the IT section does not guarantee the privacy of personal information stored on any network and discourages storing personal data on the network.
- Employees are responsible for exercising good judgment; in case of any uncertainty, the employee should consult the SA.
- No desktop, laptop or other device of an employee, partner or consultant may be connected to the network without the written approval of the SA.
- All PCs and computer peripherals are to carry an asset tag.
Security and Proprietary Information:
- Users should keep their passwords secure and should not share access codes. Authorized users are responsible for the security of their passwords or access codes.
- Users are required to log out when they have completed their sessions.
- All information residing on the network is proprietary information of the company or its customers; disclosure or copying of the same shall be treated as a violation of these guidelines under the IT Act 2000 of the Government of India, and criminal prosecution for theft or piracy may be launched.
| Annexure Name | Annexure Number | To be used as |
|---|---|---|
- REVISION HISTORY:
| S. No. | Document No. with Version No. | Superseded Document No. with Version No. | Reference Change Request No. | Page No. | Point No. / Section | Description of Change |
|---|---|---|---|---|---|---|