OT Cyber Security Non-Conformance Management

OT Cyber Security

Non-Conformance Management
GSK Operational Technology
OTS-SOP-001 (v1.0)

Table of Contents
Why do we have this procedure?
    Purpose
        In Scope
        Out of Scope
Who needs to follow it?
    Document Audience Scope
    Roles and Responsibilities
What process steps are involved?
    Key controls
How do you do it?
    1.0 Managing Non-Conformances
    2.0 Managing Remediation Actions
    3.0 Managing Exceptions
    4.0 Scalability
What monitoring is required for this procedure?
    Management Monitoring (MM)
Glossary
Where to raise questions, concerns or issues
References
    Referenced Documents
    Additional Related Information
Administration
    Document Governance
    Version History and Changes
Appendices
    Appendix 1: Risk and Non-Conformance Decision Tree
    Appendix 2: How to write a Non-conformance (N-C)
Why do we have this procedure?

Purpose
This procedure establishes a process for managing Non-Conformances with OT Control
Documents.
A non-conformance is a divergence from a mandated element of the OT Control Document.
Non-conformance management is an integral part of the system of control and governance.
A systematic, standardised process is required in order to:
- Establish a common language and mechanism for managing, communicating and escalating OT non-conformances.
- Ensure that responsibilities for managing OT non-conformances are clearly stated, understood and accepted.

In Scope
- Managing Non-Conformances to OT Control Documents
- Managing Non-Conformances in the OT System Design Process

Out of Scope
- Operational, Strategic and Delivery Risks
- Tech Risks and Non-Conformances (these are covered by SOP-IT-0028)
- Vulnerabilities identified by TECH tools (integrated in the vulnerability management systems)
- Vulnerabilities identified for single systems

Who needs to follow it?

Document Audience Scope


Global Business/Function(s): Operational Technology (OT) – All Business Units
Specific Audiences: All GSK Employees, Complementary Workers and Contracted Third Parties

Roles and Responsibilities

Non-conformance (N-C) Owner
- Raise the N-C and record details clearly.
- Conduct analysis using available data to determine severity of consequence and likelihood of consequence occurring.
- Define action plans and support action plan owners to address the N-C.
- Ensure N-C records are current, complete and all required information is populated.
- Review the N-C with line management.

Non-conformance (N-C) Approver
- Approve the N-C to confirm that:
  - The situation is primarily a non-conformance with OT Control Documents.
  - The title and description are written clearly (see Appendix 2).
  - The evaluation scores are suitable for severity of consequence and likelihood of consequence occurring.
  - The selected treatment (accept as is or mitigate) is appropriate.
- Review and approve amendments and date extensions.
- Review and approve N-C closure.
- Confirm ownership of the N-C (CSO vs BU).

Remediation Action Owner
- Create the action and ensure all required information is completed.
- Complete activities defined in the action plans on time.
- Support the N-C Owner to close Non-Conformances.
- Communicate progress to management and stakeholders as required.

Remediation Action Approver
- Approve remediation actions and closure of completed actions.

Exception Owner
- Create the exception record and ensure all required information is completed.

Exception Approver
- Confirm acceptance of the Non-conformance and approve the exception.

Business Unit OT Security Management
- Provide input to non-conformances, associated remediation actions and exceptions, within area of responsibility and/or accountability.
- Perform management review of open non-conformances, associated open remediation actions and exceptions.
- Ensure employees, complementary workers and relevant third parties are aware of, and comply with, this procedure.

Stakeholder
- Provide input, in area of accountability, to the definition and endorsement of non-conformances, associated remediation plans and exceptions.

Cyber Security Office Operational Technology (CSO OT)
- Provide guidance on the interpretation and application of this procedure.
- Approve non-conformances, associated remediation actions and exceptions.
- Facilitate management review of open non-conformances, associated open remediation actions and exceptions.

Subject Matter Expert (SME)
- Provide input, in area of expertise, to the definition and endorsement of non-conformances, associated remediation actions and exceptions.
- Subject matter experts include, but are not limited to:
  - GxP / Quality Compliance Authority (QCA).
  - Sarbanes-Oxley (SOX).
  - Privacy Leads / Privacy Centre of Excellence.
  - Operational Technology (e.g. Automation/Engineering/R&D Labs).
What process steps are involved?

1. Managing Non-Conformances
2. Managing Remediation Actions
3. Managing Exceptions
4. Scalability

Symbol Key:
 Critical action; ◙ Monitoring item; Helpful tip

Key controls
The table below summarises the key control statements that will be used to verify compliance to
the procedure.
OTE-1: Non-Conformance identification activities must be conducted.
OTE-2: Non-conformances must be assessed with appropriate subject matter expert and stakeholder involvement.
OTE-3: Non-conformances must be documented and approved with clear ownership.
OTE-4: Remediation actions and exceptions must be documented, approved and managed to closure.
OTE-5: Non-conformances must be monitored, periodically reviewed and managed to closure.
How do you do it?

1.0 Managing Non-Conformances

1.1 Identify Non-Conformances
Responsible: Business Unit OT Security Management; OT Personnel
Perform identification activities as part of routine leadership meetings and business operations.
Non-Conformances may be triggered from processes such as Gap Analysis, Independent Business Monitoring and Management Monitoring.

1.2 Define Non-Conformance
Responsible: N-C Owner; CSO OT
Identify a non-conformance owner.
Engage CSO OT, Business Unit OT Security Management, Stakeholders and Subject Matter Experts (SMEs) to define the non-conformance and determine if the impact is Local or Global.
- Local Impact is defined as a non-conformance at a single site or multiple sites within one Business Unit.
- Global Impact is defined as GSK Enterprise-wide networks or multiple Business Units.
Minimum information required to define the Non-conformance:
- OT Control Documents and the specific security statement or reference number the N-C relates to.
- Reason for the N-C, including any technical information.
- System Owner, System name and unique identifier (e.g. from Service Now).
- A description of the system or process (i.e. what does the system do or what business process does it support).
- Identification of host names/devices, infrastructure or procedures, if applicable.
- Impact of the N-C (i.e. local or global).
Follow the decision tree in Appendix 1 to determine if the Non-Conformance also presents a risk.

1.3 Agree Rating Score for Non-Conformance
Responsible: N-C Owner; N-C Approver
The team defining the Non-Conformance in step 1.2 also agrees the risk rating with the Non-Conformance approver.
See GEC Risk Rating Guidance.

1.4  Determine the Treatment Approach
Responsible: N-C Owner
The treatment approach will be either:
- Take Action (Remediation), or
- Accept (Exception).

1.5  Record and Approve Non-Conformance
Responsible: N-C Owner; N-C Approver
Enter the Non-Conformance information into the management system.
If Non-conformances are to be managed in VQMS (Veeva Quality Management System):
- The risk title field must be prefixed with OTNC to identify an OT Non-Conformance.
- The Area of Impact must be set to “Operational Technology Security”.
- Consideration must be given to whether the Non-Conformance should be restricted from general view.
Ensure Stakeholders and SMEs endorse non-conformances prior to approval.
- Non-conformances with a Local Impact are to be approved by CSO OT.
- Non-conformances with a Global Impact require additional approval by either the CSO Leadership Team or appropriate Subject Matter Experts.
The approver can:
- Request additional information from the N-C Owner prior to approval.
- Reject the Non-Conformance (rejected non-conformances are not required to be recorded; if recorded to capture the decision, include the rationale for rejection).
- Approve the non-conformance and treatment approach.

1.6 Proceed to Treatment
Responsible: N-C Owner
If the treatment approach is Take Action, go to Section 2 Managing Remediation Actions.
If the treatment approach is Accept Non-Conformance, go to Section 3 Managing Exceptions.

1.7 ◙ Periodically Review Non-Conformances
Responsible: Business Unit OT Security Management
The non-conformance needs to be monitored periodically, e.g. for changes to OT Control Documents or technologies (recommended frequency is at least annually).

1.8  Close Non-Conformance and Approve Closure
Responsible: N-C Owner; N-C Approver
The non-conformance can be closed when:
- The Remediation action is approved complete, or
- The Exception is approved.

2.0 Managing Remediation Actions

2.1 Define Remediation Action
Responsible: N-C Owner
Identify a remediation action owner and approver.
Engage CSO OT, Management, Stakeholders and Subject Matter Experts (SMEs) to define the remediation action.
See Glossary for definition of roles.

2.2  Record and Approve Remediation Action
Responsible: Remediation Action Owner; Remediation Action Approver
Document actions to be taken and their target completion dates.
Ensure Stakeholders and SMEs endorse remediation actions prior to approval.
Any requests to extend target completion dates will also require re-approval.

2.3 ◙ Monitor and Progress Actions to Completion
Responsible: Business Unit OT Security Management; Remediation Action Owner

2.4  Close Remediation Action and Approve Closure
Responsible: Remediation Action Owner; Remediation Action Approver
Close the remediation action when all tasks are complete.

3.0 Managing Exceptions

3.1 Define Exception
Responsible: N-C Owner
Identify an exception owner and approver.
Engage CSO OT, Management, Stakeholders and Subject Matter Experts (SMEs) to define the exception.
See Glossary for definition of roles.

3.2  Record and Approve Exception
Responsible: Exception Owner; Exception Approver
Document the rationale for the exception, including details of any mitigating / compensating controls.
Ensure Stakeholders and SMEs endorse exceptions prior to approval.

3.3  Close Exception and Approve Closure
Responsible: Exception Owner; Exception Approver
The exception can be closed when the non-conformance is resolved, or no further action will be taken.
The non-conformance needs to be monitored periodically, e.g. for changes to OT Control Documents or technologies (recommended frequency is at least annually).

4.0 Scalability

4.1  Non-conformances that can be closed within 30 days of identification do not need to be recorded. Where appropriate, actions taken to address these non-conformances can be recorded elsewhere, e.g. change control.

What monitoring is required for this procedure?

Management Monitoring (MM):


Local managers are accountable for the controls in their area. Management Monitoring is an
ongoing process of assessing that the controls are in place and in use.
This process may involve in-process checks and approvals, a workplace inspection, a checklist, a review of data or dashboards, observation of tasks, or self-assessment.
Glossary

GSK Global Glossary


GSK Written Standards Glossary

BU: Business Unit, e.g. Research & Development (R&D), Consumer Health (CH), Pharma Supply Chain (PSC), Vaccines (Vx).

CSO OT: Cyber Security Office Operational Technology (previously known as Tech Security & Risk, TSR).

Delivery Risk: Risks related to achieving the delivery objective.

Event: Something that has occurred or has the potential to occur.

Exception: A record giving the rationale for accepting a non-conformance to control documents.

GxP: Good x Practice. Generic term to denote being in scope of regulations relating to the development, manufacture and distribution of our products.

Issue: An event that has occurred.

Management System: Generic term for the system used to manage non-conformance, remediation plan and exception records.

Mitigating / Compensating Control: A control that reduces the risk associated with an event when full remediation is not possible in the foreseeable future.

Non-Conformance: A non-conformity (gap) to a mandated element of an OT Control Document.

OT Control Document: OT Cyber Security Standards and underlying OT Procedures which are owned by Cyber Security Office (CSO) or Business Units.

Operational Risk: Risk related to an in-use system.

QCA: Quality/Compliance Authority. Generic term for Business quality roles (GxP & SOX). An SME in the scope of this procedure.

Risk: An event that has the potential to occur but has not yet occurred.

Risk Rating: The risk rating is based upon the standard 5x5 matrix. See GEC Risk Rating Guidance.

RMCB: Risk Management Compliance Board. RMCBs oversee risk management for their part of the organisation.

SME: Subject matter experts include, but are not limited to:
- GxP
- Sarbanes-Oxley (SOX)
- Security
- Privacy Leads / Privacy Centre of Excellence

SOX: Sarbanes-Oxley; financial regulations.

Stakeholder: Stakeholders include, but are not limited to: Business Owner or delegate.

Strategic Risk: A risk related to an entire BU or multiple BUs.

System: Includes hardware, software, peripheral devices, operating environment, personnel, and user documentation (e.g. SOPs). Also known as Computerised System.

Where to raise questions, concerns or Issues

If you are unsure about how to apply this procedure, or feel you need to raise an exception to it, please bring this to the attention of a manager or supervisor.

If you see any violations of this company policy, please report it through the appropriate Speak Up channels. To find your local Speak Up integrity line number or to report online, please visit: www.gsk.com/speakup

References

Referenced Documents
1. VQD-STD-000375: Operational Technology Security Standard - Overview & Governance - OTS-STD-002
2. VQD-GUI-013047: OT Cyber Security Non-conformance Guidance

Additional Related Information


Training: BUS-TSR-GEN-048
Risk Rating Guidance: GEC Risk Rating Guidance

Administration

Document Governance
Governance Board Approval: OT Standards Design Authority Board
Governance Approval Date: 30-JUN-2022
Owner: Georges-Henri Leclercq, CSO OT Cyber Security
Author: Mandeep Bedi, CSO OT Cyber Security
Technical Approver: Mandeep Bedi, CSO OT Cyber Security
Document Alias: VQD-SOP-070529
Records Retention: Retain versions in accordance with GSK Records Retention Schedule code GRS071 unless overridden by an active Legal Preservation Notice.

Version History and Changes


Version 1.0 (Change Ref. ITMS_CR_0183): This is the first version of this document.

Appendices

Appendix 1: Risk and Non-Conformance Decision Tree

CSO is accountable for Cyber Security Risks that potentially have a GSK Enterprise-wide impact.
CSO is not accountable for other types of OT Risk (e.g. business continuity, patient safety, supply).
Where there are multiple areas of impact with equivalent risk ratings, CSO risk ownership takes precedence over business ownership.
Appendix 2: How to write a Non-conformance (N-C)
Write the N-C so that anyone unfamiliar with it will understand it when they read it.
Descriptions are required to be as specific as possible and to contain factual information only, so that the consequence(s) can be fully understood.

Title of N-C
Write the title to capture the essence of the N-C; it must answer the question “So what?”

N-C Description
Write the description in a condition-consequence format: for example, given a condition, there is a possibility that a consequence will occur.
Write the description in matter-of-fact, straightforward language. Avoid the excessive use of technical terms, abbreviations or jargon.
Use the Risk-Cause-Effect format, for example: There is a risk that (describe the thing that is at risk) will not... (be achieved, be successful, occur, etc.) due to/because....

Context
Capture additional information about the what, when, where, how and why of the N-C.