Page Last RA
Type/reason for
GAP Assessment
Validation
Risk Assessment
Validation
Document Pre-Approval
Signing of this document page of Risk Assessment document indicates agreement with the document. If any
modifications to the procedure become necessary, an addendum shall be prepared and approved. This document
cannot be executed until signed and approved.
Prepared by:
Checked/Reviewed by:
Approved by:
Contents
Issue Number | Date | Author | Title/Department | Description of Change
2. Objective
The Objective of this document is to conduct the below activities as per the Protocol for GAP
Assessment for Computerized System, Document ID: SLPL/CSV/GAP/001 at Sainor Laboratories
PVT LTD, Unit-II, Pharma Division.
Identification of Gaps
Risk Assessment and evaluation of the Gaps
Proposing the mitigation actions
Implementation of mitigation actions
Verification of mitigation actions
3. Scope
This Risk assessment document is limited to the below listed computerized systems used in Quality
Control Laboratory of Sainor Laboratories PVT LTD, Unit-II, Pharma Division as per the protocol for
GAP Assessment for Computerized System, Document ID: SLPL/CSV/GAP/001.
4. Abbreviations
Term Definitions
QC Quality Control
SOP Standard Operating Procedure
QA - Sainor Laboratories
Risk Class (rows: Severity; columns: Likelihood)
Severity | Likelihood Low | Likelihood Medium | Likelihood High
High | 2 | 1 | 1
Medium | 3 | 2 | 1
Low | 3 | 3 | 2
Where:
1 = High
2 = Medium
3 = Low
8.4. Detectability
The purpose of this phase has been to identify if the risk event could be recognized or
detected (Detectability) by other system controls.
Medium (M): The risk may be detected through deployed control measure/system and the detection is through manual method.
High (H): The risk can be detected without fail through deployed control measure/system and the detection system is automated.
Risk ID | Computer/System ID | Process Gap | Identify Failure (Risk) | Severity (H, M, L) | Probability (H, M, L) | Detectability (H, M, L) | Risk Prioritization Ranking (RPR) | Risk Mitigation (Required/N/A)
RID-1 | PC/QC/HPLC-3 | System is not validated | The system may not work as per intended purpose and pose the risk on product quality, patient safety and data integrity | H | H | L | High | Required
and system
functionality
RID-4 | PC/QC/HPLC-3 | Session expire time not configured in application level | Session expiry functionality ensures the system and data security. Unauthorized user may access the system due to improper session time configuration and data integrity issues may occur | H | H | L | High | Required
RID-6 | PC/QC/HPLC-3 | Account lockout is not configured in the window level. | The account lockout functionality restricts the unauthorized access or attempts to access the system. Unauthorised access to the system may impact the system security, data integrity due to improper configuration of account lockout | H | H | L | High | Required
integrity issues may
occur
RID-9 | PC/QC/HPLC-3 | System doesn’t have licensed Anti-virus | Malware can steal the data and encrypt the data. | M | M | L | Medium | Required
RID-10 | PC/QC/HPLC-4 | System is not validated | The system may not work as per intended purpose and pose the risk on product quality, patient safety and data integrity | H | H | L | High | Required
other users are waiting till the timeout | impact the system security, data integrity due to improper configuration of account lockout
integrity issues may
occur
due to improper
configuration of
account lockout
disabled in windows level | makes easier to guess the user passwords in the event of a breach
RID-18 | PC/QC/HPLC-4 | System doesn’t have licensed Anti-virus | Malware can steal the data and encrypt the data. | M | M | L | Medium | Required
RID-19 | PC/QC/HPLC-5 | System is not validated | The system may not work as per intended purpose and pose the risk on product quality, patient safety and data integrity | H | H | L | High | Required
integrity of the data
and system
functionality
Quality and Data
integrity issues.
impact the system and
user security
system due to
improper session time
configuration and data
integrity issues may
occur
RID-27 | PC/QC/HPLC-5 | System doesn’t have licensed Anti-virus | Malware can steal the data and encrypt the data. | M | M | L | Medium | Required
RID-28 | PC/QC/HPLC-6 | System is not validated | The system may not work as per intended purpose and pose the risk on product quality, patient safety and data integrity | H | H | L | High | Required
as per SOP in application level. Once the account is locked the other users are waiting till the timeout | access or attempts to access the system. Unauthorised access to the system may impact the system security, data integrity due to improper configuration of account lockout
improper session time
configuration and data
integrity issues may
occur
impact the system
security, data integrity
due to improper
configuration of
account lockout
disabled in windows level | configuration of password policy makes easier to guess the user passwords in the event of a breach
RID-36 | PC/QC/HPLC-6 | System doesn’t have licensed Anti-virus | Malware can steal the data and encrypt the data. | M | M | L | Medium | Required
RID-37 | PC/QC/UV-2 | System is not validated | The system may not work as per intended purpose and pose the risk on product quality, patient safety and data integrity. | H | H | L | High | Required
system privileges and
may impact the
integrity of the data
and system
functionality
RID-39 | PC/QC/UV-2 | Audit trail option not available. | Audit trail option is not available to track the data created by who, when & where the data is, which leads to data integrity issues. | H | H | L | High | Required
impact the system
security, data integrity
due to improper
configuration of
account lockout
disabled in windows level | configuration of password policy makes easier to guess the user passwords in the event of a breach
RID-43 | PC/QC/UV-2 | System doesn’t have licensed Anti-virus | Malware can steal the data and encrypt the data. | M | M | L | Medium | Required
RID-44 | PC/QC/STB-2 | System is not validated | The system may not work as per intended purpose and pose the risk on product quality, patient safety and data integrity | H | H | L | High | Required
in application level | the system and may impact the integrity of the data and system functionality
RID-47 | PC/QC/STB-2 | System doesn’t have licensed Anti-virus | Malware can steal the data and encrypt the data. | M | M | L | Medium | Required
RID-48 | PC/QC/STB-3 | System is not validated | The system may not work as per intended purpose and pose the risk on product quality, patient safety and data integrity | H | H | L | High | Required
RID-50 | PC/QC/STB-3 | System doesn’t have licensed Anti-virus | Malware can steal the data and encrypt the data. | M | M | L | Medium | Required
RID-51 | PC/QC/GC-1 | System is not validated | The system may not work as per intended purpose and pose the risk on product quality, patient safety and data integrity | H | H | L | High | Required
RID-53 | PC/QC/GC-1 | One person mapped with the multiple roles in the application. | The same user can review and approve his/her own method it leads to data integrity. | H | H | L | High | Required
in the window level. | the unauthorized access or attempts to access the system. Unauthorised access to the system may impact the system security, data integrity due to improper configuration of account lockout
RID-56 | PC/QC/GC-1 | Password policies like complexity and minimum length are disabled in windows level | Password policy helps to enhance the user and system security. Improper configuration of password policy makes easier to guess the user passwords in the event of a breach | H | H | L | High | Required
RID-57 | PC/QC/GC-1 | System doesn’t have licensed Anti-virus. | Malware can steal the data and encrypt the data. | H | H | L | High | Required
RID-1 | PC/QC/HPLC-3 | System is not validated | The system may not work as per intended purpose and pose the risk on product quality, patient safety and data integrity | System should be validated as per intended purpose. | Under progress
RID-2 | PC/QC/HPLC-3 | Application privileges are not matching with the SOP. | People may have access to unauthorized system functionality due to improper configuration of the system privileges and may impact the integrity of the data and system functionality | 1. Review the system privileges in the SOP to ensure the appropriate privileges and groups were assigned as per usage. 2. Update the system privileges as per the SOP.
RID-3 | PC/QC/HPLC-3 | Account lockout is not configured as per SOP in application level | The account lockout functionality restricts the unauthorized access or attempts to access the system. Unauthorised access to the system may | 1. Review the Account lockout policies in SOP 2. Configure the Account lockout settings as per SOP
RID-4 | PC/QC/HPLC-3 | Session expire time not configured in application level | Session expiry functionality ensures the system and data security. Unauthorized user may access the system due to improper session time configuration and data integrity issues may occur | 1. Review the Session account time policies in SOP 2. Configure the Session account time settings as per SOP
RID-5 | PC/QC/HPLC-3 | Password aging is not configured as per SOP. | Password aging will help to enhance the user and system security. Improper password configuration | 1. Review the password policies in SOP 2. Configure the Password aging as per SOP
RID-6 | PC/QC/HPLC-3 | Account lockout is not configured in the window level. | The account lockout functionality restricts the unauthorized access or attempts to access the system. Unauthorised access to the system may impact the system security, data integrity due to improper configuration of account lockout | Windows should be configured with the account lockout
RID-7 | PC/QC/HPLC-3 | Session expire time not configured in Windows level | Session expiry functionality ensures the system and data security. Unauthorized user may access the system due to improper session time configuration and data integrity issues may occur | Windows should be configured with the Session expire
RID-8 | PC/QC/HPLC-3 | Password policies like complexity and minimum length are disabled in windows level | Password policy helps to enhance the user and system security. Improper configuration of password policy makes easier to guess the user passwords in the event of a breach | Windows should be configured with the password policies
RID-9 | PC/QC/HPLC-3 | System doesn’t have licensed Anti-virus | Malware can steal the data and encrypt the data. | Update the system with licensed Anti-virus.
RID-10 | PC/QC/HPLC-4 | System is not validated | The system may not work as per intended purpose and pose the risk on product quality, patient safety and data integrity | System should be validated as per intended purpose.
RID-11 | PC/QC/HPLC-4 | Application privileges are not matching with the SOP | People may have access to unauthorized system functionality due to improper configuration of the system privileges and | 1. Review the system privileges in the SOP to ensure the appropriate privileges and groups were assigned as per usage.
RID-12 | PC/QC/HPLC-4 | Account lockout is not configured as per SOP in application level. Once the account is locked the other users are waiting till the timeout | The account lockout functionality restricts the unauthorized access or attempts to access the system. Unauthorised access to the system may impact the system security, data integrity due to improper configuration of account lockout | 1. Review the Account lockout policies in SOP 2. Configure the Account lockout settings as per SOP
RID-13 | PC/QC/HPLC-4 | Session expire time not configured in application level | Session expiry functionality ensures the system and data security. Unauthorized user may access the system due to improper session time configuration and data integrity issues may occur | 1. Review the Session account time policies in SOP 2. Configure the Session account time settings as per SOP
RID-14 | PC/QC/HPLC-4 | Password aging is not configured as per SOP | Password aging will help to enhance the user and system security. Improper password configuration may impact the system and user security | 1. Review the password policies in SOP 2. Configure the Password aging as per SOP
RID-15 | PC/QC/HPLC-4 | Account lockout is not configured in the window level | The account lockout functionality restricts the unauthorized access or attempts to access the system. Unauthorised access to the system may impact the system security, | Windows should be configured with the account lockout
RID-16 | PC/QC/HPLC-4 | Session expire time not configured in Windows level | Session expiry functionality ensures the system and data security. Unauthorized user may access the system due to improper session time configuration and data integrity issues may occur | Windows should be configured with the Session expire.
RID-17 | PC/QC/HPLC-4 | Password policies like complexity and minimum length are disabled in windows level | Password policy helps to enhance the user and system security. Improper configuration of password policy makes easier to guess the user passwords in the event of a breach | Windows should be configured with the password policies
RID-18 | PC/QC/HPLC-4 | System doesn’t have licensed Anti-virus | Malware can steal the data and encrypt the data. | Update the system with licensed Anti-virus.
RID-19 | PC/QC/HPLC-5 | System is not validated | The system may not work as per intended purpose and pose the risk on product quality, patient safety and data integrity | System should be validated as per intended purpose
RID-20 | PC/QC/HPLC-5 | Application privileges are not matching with the SOP | People may have access to unauthorized system functionality due to improper configuration of the system privileges and may impact the integrity of the data and system functionality | 1. Review the system privileges in the SOP to ensure the appropriate privileges and groups were assigned as per usage. 2. Update the system privileges as per the SOP
RID-21 | PC/QC/HPLC-5 | Account lockout is not configured as per SOP in application level. Once the account is locked the others | The account lockout functionality restricts the unauthorized access or attempts to access the system. Unauthorised access to the system may impact the system security, | 1. Review the Account lockout policies in SOP 2. Configure the Account lockout settings as per SOP
RID-22 | PC/QC/HPLC-5 | Session expire time not configured in application level | Session expiry functionality ensures the system and data security. Unauthorized user may access the system due to improper session time configuration and data integrity issues may occur | 1. Review the Session account time policies in SOP 2. Configure the Session account time settings as per SOP
RID-23 | PC/QC/HPLC-5 | Password aging is not configured as per SOP | Password aging will help to enhance the user and system security. Improper password configuration | 1. Review the password policies in SOP 2. Configure the Password aging as per SOP
RID-24 | PC/QC/HPLC-5 | Account lockout is not configured in the window level | The account lockout functionality restricts the unauthorized access or attempts to access the system. Unauthorised access to the system may impact the system security, data integrity due to improper configuration of account lockout | Windows should be configured with the account lockout
RID-25 | PC/QC/HPLC-5 | Session expire time not configured in Windows level | Session expiry functionality ensures the system and data security. Unauthorized user may access the system due to improper session time configuration and data integrity issues may occur | Windows should be configured with the Session expire
RID-26 | PC/QC/HPLC-5 | Password policies like complexity and minimum length are disabled in windows level | Password policy helps to enhance the user and system security. Improper configuration of password policy makes easier to guess the user passwords in the event of a breach | Windows should be configured with the password policies
RID-27 | PC/QC/HPLC-5 | System doesn’t have licensed Anti-virus | Malware can steal the data and encrypt the data. | Update the system with licensed Anti-virus
RID-28 | PC/QC/HPLC-6 | System is not validated | The system may not work as per intended purpose and pose the risk on product quality, patient safety and data integrity | System should be validated as per intended purpose
RID-29 | PC/QC/HPLC-6 | Application privileges are not matching with the SOP | People may have access to unauthorized system functionality due to improper configuration of the system privileges and | 1. Review the system privileges in the SOP to ensure the appropriate privileges and groups were assigned as per usage.
RID-30 | PC/QC/HPLC-6 | Account lockout is not configured as per SOP in application level. Once the account is locked the other users are waiting till the timeout | The account lockout functionality restricts the unauthorized access or attempts to access the system. Unauthorised access to the system may impact the system security, data integrity due to improper configuration of account lockout | 1. Review the Account lockout policies in SOP 2. Configure the Account lockout settings as per SOP
RID-31 | PC/QC/HPLC-6 | Session expire time not configured in application level | Session expiry functionality ensures the system and data security. Unauthorized user may access the system due to improper session time configuration and data integrity issues may occur | 1. Review the Session account time policies in SOP 2. Configure the Session account time settings as per SOP
RID-32 | PC/QC/HPLC-6 | Password aging is not configured as per SOP | Password aging will help to enhance the user and system security. Improper password configuration may impact the system and user security | 1. Review the password policies in SOP 2. Configure the Password aging as per SOP
RID-33 | PC/QC/HPLC-6 | Account lockout is not configured in the window level | The account lockout functionality restricts the unauthorized access or attempts to access the system. Unauthorised access to the system may impact the system security, | Windows should be configured with the account lockout
RID-34 | PC/QC/HPLC-6 | Session expire time not configured in Windows level | Session expiry functionality ensures the system and data security. Unauthorized user may access the system due to improper session time configuration and data integrity issues may occur | Windows should be configured with the Session expire
RID-35 | PC/QC/HPLC-6 | Password policies like complexity and minimum length are disabled in windows level | Password policy helps to enhance the user and system security. Improper configuration of password policy makes easier to guess the user passwords in the event of a breach | Windows should be configured with the password policies
RID-36 | PC/QC/HPLC-6 | System doesn’t have licensed Anti-virus | Malware can steal the data and encrypt the data. | Update the system with licensed Anti-virus
RID-37 | PC/QC/UV-2 | System is not validated | The system may not work as per intended purpose and pose the risk on product quality, patient safety and data integrity. | System should be validated as per intended purpose
RID-38 | PC/QC/UV-2 | Application privileges are not matching with the SOP. | People may have access to unauthorized system functionality due to improper configuration of the system privileges and may impact the integrity of the data and system functionality | 1. Review the system privileges in the SOP to ensure the appropriate privileges and groups were assigned as per usage. 2. Update the system privileges as per the SOP
RID-39 | PC/QC/UV-2 | Audit trail option not available. | Audit trail option is not available to track the data created by who, when & where the data is, which leads to data integrity issues. | 1. Application vendor to be consulted to understand the system audit trail functionality. 2. Users will be trained on the Audit trail functionality 3. Manual controls such as log books will be implemented
RID-40 | PC/QC/UV-2 | Account lockout is not configured in the window level | The account lockout functionality restricts the unauthorized access or attempts to access the system. Unauthorised access to the system may impact the system security, data integrity due to improper configuration of account lockout | Windows should be configured with the account lockout
RID-41 | PC/QC/UV-2 | Session expire time not configured in Windows level | Session expiry functionality ensures the system and data security. Unauthorized user may access the system due to improper session time configuration and data integrity issues may occur | Windows should be configured with the Session expire
RID-42 | PC/QC/UV-2 | Password policies like complexity and minimum length are disabled in windows level | Password policy helps to enhance the user and system security. Improper configuration of password policy makes easier to guess the user passwords in the event of a breach | Windows should be configured with the password policies
RID-43 | PC/QC/UV-2 | System doesn’t have licensed Anti-virus | Malware can steal the data and encrypt the data. | Update the system with Licensed Anti-virus
RID-44 | PC/QC/STB-2 | System is not validated | The system may not work as per intended purpose and pose the risk on product quality, patient safety and data integrity | System should be validated as per intended purpose
RID-45 | PC/QC/STB-2 | There is no SOP available for user privileges access in application level | People may have access to unauthorized system functionality due to unavailability of user privileges SOP of the | 1. Review the system privileges in the SOP to ensure the appropriate privileges and groups were assigned as per usage.
RID-46 | PC/QC/STB-2 | Only generic admin access is available at windows level | People may have access to unauthorized system functionality due to improper configuration of the system and it may lead to data integrity issues. | 1. Windows should allow the users to access with the roles and responsibilities. 2. Application vendor to be consulted to verify the provision of individual logins for the system. 3. System must be upgraded or manual controls will be implemented in case of generic account usage to be continued.
RID-47 | PC/QC/STB-2 | System doesn’t have licensed Anti-virus | Malware can steal the data and encrypt the data. | Update the system with Licensed Anti-virus
RID-48 | PC/QC/STB-3 | System is not validated | The system may not work as per intended purpose and pose the risk on product | System should be validated as per intended purpose
RID-49 | PC/QC/STB-3 | Only generic admin access is available at windows level | People may have access to unauthorized system functionality due to improper configuration of the system and it may lead to data integrity issues. | 1. Windows should allow the users to access with the roles and responsibilities. 2. Application vendor to be consulted to verify the provision of individual logins for the system. 3. System must be upgraded or manual controls will be implemented in case of generic account usage to be continued.
RID-50 | PC/QC/STB-3 | System doesn’t have licensed Anti-virus | Malware can steal the data and encrypt the data. | Update the system with Licensed Anti-virus
RID-51 | PC/QC/GC-1 | System is not validated | The system may not work as per intended purpose and pose the risk on product | System should be validated as per intended purpose
RID-52 | PC/QC/GC-1 | Application privileges are not matching with the SOP. | People may have access to unauthorized system functionality due to improper configuration of the system privileges and may impact the integrity of the data and system functionality. | 1. Review the system privileges in the SOP to ensure the appropriate privileges and groups were assigned as per usage. 2. Update the system privileges as per the SOP
RID-53 | PC/QC/GC-1 | One person mapped with the multiple roles in the application. | The same user can review and approve his/her own method it leads to data integrity. | 1. System should restrict the user to review the self-actions performed in User role if possible. 2. User should be trained to ensure that review for self-actions should not be performed.
RID-54 | PC/QC/GC-1 | Account lockout is not configured in the window level. | The account lockout functionality restricts the unauthorized access or attempts to access the system. Unauthorised access to the system may impact the system security, data integrity due to improper configuration of account lockout | Windows should be configured with the account lockout
RID-55 | PC/QC/GC-1 | Session expire time not configured in Windows level | Session expiry functionality ensures the system and data security. Unauthorized user may access the system due to improper session time configuration and data integrity issues may occur | Windows should be configured with the Session expire
RID-56 | PC/QC/GC-1 | Password policies like complexity and minimum length are | Password policy helps to enhance the user and system security. Improper | Windows should be configured with the password policies
RID-57 | PC/QC/GC-1 | System doesn’t have licensed Anti-virus. | Malware can steal the data and encrypt the data. | Update the system with licensed Anti-virus
Note: This section will be updated after risk mitigation implementation.
Risk ID | Computer/System ID | Risk Mitigation | Severity | Probability | Detectability | Risk Prioritization Ranking (RPR) | Compliance status
RID-1 | PC/QC/HPLC-3 | System should be validated as per intended purpose.
RID-4 | PC/QC/HPLC-3 | 1. Review the Session account time policies in SOP 2. Configure the Session account time settings as per SOP
RID-8 | PC/QC/HPLC-3 | Windows should be configured with the password policies
settings as per SOP
RID-17 | PC/QC/HPLC-4 | Windows should be configured with the password policies
settings as per SOP
RID-26 | PC/QC/HPLC-5 | Windows should be configured with the password policies
settings as per SOP
RID-35 | PC/QC/HPLC-6 | Windows should be configured with the password policies
2. Users will be trained on the Audit trail functionality
3. Manual controls such as log books will be implemented in absence of system audit trail functionality.
RID-40 | PC/QC/UV-2 | Windows should be configured with the account lockout
RID-44 | PC/QC/STB-2 | System should be validated as per intended purpose
implemented in case of generic account usage to be continued.
RID-47 | PC/QC/STB-2 | Update the system with Licensed Anti-virus
will be implemented in case of generic account usage to be continued.
RID-50 | PC/QC/STB-3 | Update the system with Licensed Anti-virus
RID-53 | PC/QC/GC-1 | 1. System should restrict the user to review the self-actions performed in User role if possible. 2. User should be trained to ensure that review for self-actions should not be performed.
RID-54 | PC/QC/GC-1 | Windows should be configured with the account lockout
RID-57 | PC/QC/GC-1 | Update the system with licensed Anti-virus
Signing of this approval page of this document indicates agreement with the methodology and implementation approach.
If any modifications to the procedure become necessary, an addendum shall be prepared and approved.
Prepared by:
Checked/Reviewed by:
Approved by: