What are SoX
Sarbanes Oxley (SoX) issue – an identified weakness or deficiency in the design or operation of a control impacting an in-scope SOx system, and/or supporting infrastructure. A SOx issue is a failure to comply with the controls identified in the IS/IT Controls Framework. A system is considered to be in-scope for SOx if its functionality supports the operation of key business financial processes and controls.
GxP issue – a breach of GxP regulations and/or associated company standards impacting a GxP system, and/or supporting infrastructure. A GxP system may impact product quality, safety or efficacy and is therefore subject to GMP, GLP, GCP and GDP (GxP) regulations. For example, a GxP issue could result in any, or a combination of the following:-
- Negative impact on a laboratory, clinical or manufacturing process
- Loss, corruption or inability to restore GxP data
- Unscheduled GxP system downtime outside of agreed SLAs
- Regulatory agency notification
- Compromise to validation status (e.g. uncontrolled changes to the systems or infrastructure).
Quality issue – a non-conformance to defined policy, related 3rd party policy, standard or procedure or ineffective IS/IT control impacting any computerised system, and/or supporting infrastructure which does not have a regulatory impact (GxP, SOx).
For example, a quality issue could result in any, or a combination of the following:-
- Loss, corruption or inability to restore data
- Unscheduled system downtime outside of agreed SLAs
- Unauthorized changes to production systems or data
- System interfaces to fail
Security issue – a breach of security policy, a failure of security controls or an uncontrolled security related event. Examples include:- Damage, theft or loss of infrastructure (including, but not limited to; laptops, PCs, servers, switches, printers, modems), software or data; Unauthorized access to and/or use of systems, networks or data; Malicious code (including, but not limited to; viruses, worms, trojans); Social engineering (obtaining confidential information through user manipulation); Employee or 3rd party computer misuse.