
Thread: Compliance

  1. #1
    Senior Member
    Join Date
    Mar 2003
    Location
    central il
    Posts
    1,779

    Compliance

    Ok, this forum seems a bit dead, so I thought I would offer up some advice. I have spent the last 3 years of my professional life hip deep in compliance (HIPAA and SOX). This is one area where finding an IT job is relatively easy (not that the job is easy, just that the demand is high). IT compliance for these new laws is mostly document based and basically boils down to these points:

    Documents must be secure (no unauthorized access).
    They must be readily available (if I want it right now, I can get it).
    Revision control (you know who changed it and when).

    The systems that have the documents on them must be secure, with strong change control for anything that goes on them. This generally means SQs (software qualification documents, i.e. how to install a bit of software) and OQs (operational qualification documents, i.e. does it work as intended) for ANYTHING installed on the system.

    All documents need to be signed, either on a paper copy or by a digital signature of some sort.


    Now you can do a lot of the document storage and security with source control type software (TrueChange, SourceSafe, CVS), but it needs some custom changes to cover all of the bases, and since the FDA wants all of the bases covered, a better option would be purpose-built applications, of which Documentum is the most popular for HIPAA companies (the FDA uses it). If you are trying to break into the IT field and can get your hands on Documentum, learn it; you will basically be guaranteed a job. Every big pharma in the country uses it and none of them have enough people; our Documentum admins are constantly getting called by headhunters with offers to head elsewhere.

    If there is any interest, and after I verify copyright issues, I will post a white paper I co-wrote on this topic for HP.
    Who is more trustworthy than all of the gurus or Buddhas?

  2. #2
    T̙͓̞̣̯ͦͭͅͅȂͧͭͧ̏̈͏̖̖Z̿ ͆̎̄
    Join Date
    Dec 2004
    Posts
    3,171
    Hi bballad,

    You returneth!

    Glad to have you back!

    Eg

  3. #3
    Frustrated Mad Scientist
    Join Date
    Dec 2004
    Posts
    1,152
    I don't know if the requirements are the same for compliance to the standards you are referring to, but here in the UK we also have to have a retention schedule and a destruction log to cover how long we hold documents and to ensure that the removal of the documents also occurs.

    Under the DPA we're not allowed to keep any personal information longer than required, either to do the task in hand or to comply with other legislation (financial records etc.).

    I would be interested to read your white paper.

    This forum is quite quiet. I don't think that the l33t haxors find auditing and compliance exciting. I can't understand why.

  4. #4
    Senior Member
    Join Date
    Mar 2003
    Location
    central il
    Posts
    1,779
    Aspman: My guess is that elite hackers don't want to make a living in the IT world. Compliance is one of the few fields I see hiring that isn't shipping all of the work offshore. Yes, HIPAA does have a retention clause as well, and rules on proper document disposal.

  5. #5
    AO Senior Cow-beller
    Moderator
    zencoder's Avatar
    Join Date
    Dec 2004
    Location
    Mountain standard tribe.
    Posts
    1,177
    Thanks for the input. Yes, I was concerned when TH13 and myself were petitioning for this forum that it would be quiet most of the time, but some valid info will get posted occasionally.

    I would greatly appreciate the sharing of your white paper (for personal/professional AND forum moderator reasons), and welcome the discussion.

    You mention the FDA, and of course I was thinking "Why does the FOOD and drug Administration care about SOx doco?!?"... but of course, you are speaking from the point of working with/for the big Pharma companies...of course the 'Food and DRUG Administration' cares.

    I did some consulting for Pfizer (in Groton) a few years back, on a multi-factor authentication systems migration project. From the size and scope of the facility I was at, and knowing it was just one of MANY facilities...I would not want to be involved in any way with their Compliance initiatives. Now I know why prescription drugs are so expensive...the cost of compliance and doco revision control for an organization that size has to be astronomical.

    Anyway, welcome back, and if that paper shakes loose from legal, we'd love to see it.
    "Data is not necessarily information. Information does not necessarily lead to knowledge. And knowledge is not always sufficient to discover truth and breed wisdom." --Spaf
    Anyone who is capable of getting themselves made president should on no account be allowed to do the job. --Douglas Adams (1952-2001)
    "...people find it far easier to forgive others for being wrong than being right." - Albus Percival Wulfric Brian Dumbledore

  6. #6
    Senior Member
    Join Date
    Mar 2003
    Location
    central il
    Posts
    1,779
    I need to rewrite the white paper. I talked to my partner; it was a work-for-hire type of gig, so the copyright goes to HP. Not a big deal, it was aimed at small/mid-size companies; I will rewrite it for techies. I did compliance work for Abbott and Takeda, HIPAA stuff for both, which I believe SOX is based on. NOT fun at all, the paperwork at Abbott could bury you (yes, compliance involves a lot of electronic document work; at Abbott they keep all of the compliance records as hard copies only...doesn't make much sense to me.)

  7. #7
    AO Senior Cow-beller
    Moderator
    zencoder's Avatar
    Join Date
    Dec 2004
    Location
    Mountain standard tribe.
    Posts
    1,177
    Originally posted here by bballad
        they keep all of the compliance records as hard copies only...doesn't make much sense to me.)
    I dunno, from a completely non-ethical standpoint, it's a good idea...it sounds a lot like Enron and the paper shredders. Have a problem with evidence? Meet my cousin, Anthony, and his partner, Vinny. A couple of cans of gasoline and some matches, and your compliance issues go up in smoke, so sad, too bad, but collect on the fire insurance policy.

    Just avoid those insurance and SEC investigators, and you can make out like a bandit.</pun>

  8. #8
    Senior Member
    Join Date
    Mar 2003
    Location
    central il
    Posts
    1,779
    zencoder: in the pharmacy world we dealt with the FDA, not the SEC. FDA guys are scary: they come in armed, with the full law enforcement rights of a federal marshal; they go through the same training as an FBI field agent; they also have at least two BS degrees, one in chem/bio and one in CS. An SEC audit I can happily deal with. An FDA audit with Mister "I can lick your signature off this document, it's noncompliant" (yes, this happened), "we are going to warn your company, and oh ya, if we felt like it we could send you to federal prison"...I never want to go through one of those again.


    On a side note, did you know that those gel ink pens are NOT permanent ink? If you really want to, you can lick the gel off the page. I didn't know that either. Don't think the office manager at Abbott liked the IT staff, because even after this was a known fact, that's all she would order.
