Implementation of IS Security Standards on Pharmaceutical Manufacturing

Abstract: This thesis addresses the issue of Information Systems (IS) security in pharmaceutical manufacturing which is closely related to the ISA 99 standard. The ISA 99 'Security for industrial Automation and Control Systems' standard is focused on the work for securing process automation systems from IS security threats. The main thought behind the ISA 99 standard is that a high level of IS security in computerized manufacturing environments cannot be achieved through just one project but needs long-term dedication. Therefore the ISA 99 standard suggests the implementation of an IS security program as the best way to reduce IS security risks to process automation systems and to sustain risk reduction over time. The overall objective of the study was to suggest an IS security program suitable for the pharmaceutical manufacturing at the AstraZeneca manufacturing and supply site in Södertälje, Sweden. The suggested IS security program can briefly be described as a long-term strategy for how to perform IS security activities in the manufacturing at the Södertälje site. The security program defines both technical and organizational requirements and recommendations. According to the ISA 99 standard, working with IS security in the process automation systems environment require both technical, cultural and organizational perspectives. The suggested security program therefore recommends the forming of a special group for working with IS security in the manufacturing within Sweden Operations. This group includes employees from different departments such as IS security, IS/IT, process automation systems managers, engineering, operators and managers in production areas as well as quality assurance personnel. The purpose with the group is to make the IS security work more effective through reducing bureaucracy, increasing communication and sharing of knowledge and business perspectives. The security program also presents IS security policies for the production at the Södertälje site. A security policy is a written document or directive that defines how the organization defines and operates IS security in the process automation systems environment. The security policy ensures both management support and understanding of roles and responsibilities for IS security in the process automation systems environment.