OT Cyber Security Non-Conformance Management
Non-Conformance Management
GSK Operational Technology
OTS-SOP-001 (v1.0)
Table of Contents
Why do we have this procedure?
  Purpose
  In Scope
  Out of Scope
Who needs to follow it?
  Document Audience Scope
  Roles and Responsibilities
What process steps are involved?
  Key controls
How do you do it?
  1.0 Managing Non-Conformances
  2.0 Managing Remediation Actions
  3.0 Managing Exceptions
  4.0 Scalability
What monitoring is required for this procedure?
  Management Monitoring (MM)
Glossary
Where to raise questions, concerns or Issues
References
  Referenced Documents
  Additional Related Information
Administration
  Document Governance
  Version History and Changes
Appendices
  Appendix 1: Risk and Non-Conformance Decision Tree
  Appendix 2: How to write a Non-conformance (N-C)
Why do we have this procedure?
Purpose
This procedure establishes a process for managing Non-Conformances with OT Control Documents.
A non-conformance is a divergence from a mandated element of the OT Control Document.
Non-conformance management is an integral part of the system of control and governance.
A systematic, standardised process is required in order to:
- Establish a common language and mechanism for managing, communicating and escalating OT non-conformances.
- Ensure that responsibilities for managing OT non-conformances are clearly stated, understood and accepted.
In Scope
Out of Scope
Remediation Action Owner:
- Create the action and ensure all required information is completed.
- Complete activities defined in the action plans on time.
- Support N-C Owner to close Non-Conformances.
- Communicate progress to management and stakeholders as required.
Approver
Exception Owner:
- Create the exception record and ensure all required information is completed.
Cyber Security Office Operational Technology (CSO OT):
- Provide guidance on the interpretation and application of this procedure.
- Approve non-conformances, associated remediation actions and exceptions.
- Facilitate management review of open non-conformances, associated open remediation actions and exceptions.
Subject Matter Expert (SME):
- Provide input, in area of expertise, to the definition and endorsement of non-conformances, associated remediation actions and exceptions.
- Subject matter experts include but are not limited to: GxP / Quality Compliance Authority (QCA); Sarbanes-Oxley (SOX); Privacy Leads / Privacy Centre of Excellence; Operational Technology (e.g. Automation/Engineering/R&D Labs).
What process steps are involved?
Process flow (figure): 1 Managing Non-Conformances; 3 Managing Exceptions; 4 Scalability.
Symbol Key:
Critical action; ◙ Monitoring item; Helpful tip
Key controls
The table below summarises the key control statements that will be used to verify compliance to the procedure.
Control ID: Control Name
OTE-1: Non-Conformance identification activities must be conducted.
4.0 Scalability
4.1 Non-conformances that can be closed within 30 days of identification do not need to be recorded. Where appropriate, actions taken to address these non-conformances can be recorded elsewhere, e.g. change control.
Term: Definition
BU: Business Unit, e.g. Research & Development (R&D), Consumer Health (CH), Pharma Supply Chain (PSC), Vaccines (Vx).
GxP: Good x Practice. Generic term to denote in scope of regulations relating to the development, manufacture and distribution of our products.
Management System: Generic term for the system used to manage non-conformance, remediation plan and exception records.
Mitigating / Compensating Control: A control that reduces the risk associated with an event when full remediation is not possible in the foreseeable future.
QCA: Quality/Compliance Authority. Generic term for Business quality roles (GxP & SOX). An SME in the scope of this procedure.
Risk: An event that has the potential to occur but has not yet occurred.
Risk Rating: The risk rating is based upon the standard 5x5 matrix. See GEC Risk Rating Guidance.
RMCB: Risk Management Compliance Board. RMCBs oversee risk management for their part of the organisation.
SME: Subject matter expert; these include but are not limited to: GxP; Sarbanes-Oxley (SOX); Security; Privacy Leads / Privacy Centre of Excellence.
Stakeholder: Stakeholders include but are not limited to: Business Owner or delegate
If you are unsure about how to apply this procedure, or feel you need to raise an exception to it, please bring this to the attention of a manager or supervisor.
Referenced Documents
Ref: Document ID: Doc Title
Training: BUS-TSR-GEN-048
Administration
Document Governance
Governance Board Approval: OT Standards Design Authority Board
Appendices
CSO is accountable for Cyber Security Risks that potentially have a GSK Enterprise-wide impact.
CSO is not accountable for other types of OT Risk (e.g. business continuity, patient safety, supply).
Risk ownership of CSO takes precedence over business ownership in case of multiple areas of impact with equivalent risk ratings.
Appendix 2: How to write a Non-conformance (N-C)
Write the N-C in a way so that anyone unfamiliar with the N-C will understand it when they read it. The descriptions are required to be as specific as possible and contain factual information only, to allow full understanding of the consequence(s).
Title of N-C - Write the title to capture the essence; it must answer the question "So what?"
N-C Description
Write the description in a condition-consequence format. For example, given a condition, there is a possibility that a consequence will occur.
Write the description in matter-of-fact, straightforward language. Avoid the excessive use of technical terms, abbreviations or jargon.
Use the Risk-Cause-Effect format, for example - There is a risk that – (describe the thing that is at risk) will not...(be achieved, be successful, occur, etc...) due to/because....
Context - Capture additional information about the what, when, where, how, and why of the N-C