
Does your Food Defense procedure include digital security?

Started by , Mar 15 2023 08:44 AM
7 Replies

I have two questions I'd like to see the opinions from my fellow members about:

 

1) I've come across a lot of manufacturers who only secure the areas in the factory where product is present, or sometimes only where open product is present, claiming it can't be contaminated when in closed packaging. What do you consider the minimum amount of preventive measures necessary to meet the various standards?

 

2) On top of that, I rarely see factories take into account their digital security in the food defense procedure.

Do you include protection of your paper documents and digital assets/digital information in your risk analysis or your food defense procedure?

Why or why not?


Greetings SHQuality,

 

The end products should be monitored up to the point they are on the client's warehouse or stores whatever. There are many ways they can be contaminated even in a metal package. There are incidents around the internet if you search and from a real event here in Greece about 5-6 years ago if I recall correctly, there was a declaration from a let's say "anarchist group" that claimed they had injected chlorine with the use of syringes in the tin cans of a beverage of a well known company, which was distributed to various S/Ms.

The company following their food safety procedures found that it was possible and so they recalled all the products in circulation and destroyed them, with a subsequent increase of warehouse surveillance. Greece isn't plagued so much by food defense incidents but bottom line is there are ways if someone has set his mind to it.

 

Digital security is also important. What if someone hacks into the software of an automated system and changes parameters, simplest thing causing a malfunction to a pasteurization process? Or alter labelling information, steal them even and use them some shady way (this also falls into food fraud). Maybe I wouldn't take it so far as when applying an ISO 27001 but there should be measures like a strong firewall/defence, backups on company server or cloud, controlled access to personal computers, periodic checks of crucial information that they haven't been altered without authorization etc.

 

Regards!

2 Likes, 1 Thank

We secure our entire building.   Impossible to enter unless you work here, or you're let in, sign in, etc.

Digital wise, we don't have much to worry about. Our production software isn't an online thing that can be hacked. PCs are handled by an outside company and they deal with what security measures we do have.

I always feel lucky to work at a small joint.  I'm sure such controls at a place like Coca Cola are a nightmare to manage.

1 Like, 1 Thank

Before answering your question, let me ask you a few questions:

 

Do you use cleaning/sanitation software? 

Do you use food safety management system software? 

Do you keep software for keeping your files online/digital?

Do you use software for inventory control? 

Do you use software to trace backward and trace forward your products? 

Do you use software to schedule your manufacturing or employee time? 

Do you use software to regulate temperature, metal detection and air in your facility? 

and so on

 

If your answer to the above questions is yes, then you DO need digital security. Because let's say one of your digital systems is impacted by a hacker or technical issue, you might lose control over your operation or safety of the product.

Building wise, the entire building should be secured.  Only unlocked external doors are truck driver entrances, which are either monitored by staff or open into a locked area or mini with staff, and the front office entrance for receiving visitors.  I'm used to seeing relaxed GMP or sanitation procedures for warehouse storage areas if the excuse is that all product remains sealed when in storage, but security must encapsulate the entire building IMO.

 

Digital security rests with our IT people.  They protect the servers and network from intrusions just as a matter of protocol on their own, and for the places I've worked for, the theft of documents or hacking of our network wouldn't actually impact the safety of product we produce, so I don't think digital security concerns translate directly to food safety.  Other places might see a risk depending on their process...

Digital security rests with our IT people.  

I think that is a dangerous statement.

 

They can use the best protocols, but if workers open ransomware emails or leave their PC open for someone without the proper clearance to get a file they shouldn't, they can't work against that.

I think that is a dangerous statement.

 

They can use the best protocols, but if workers open ransomware emails or leave their PC open for someone without the proper clearance to get a file they shouldn't, they can't work against that.

 

Those concerns are dangerous for the company, sure, but QA staff rarely have the technical expertise to protect a company against ransomware emails or improper computer access.  Company IT is responsible for developing protocols to protect the company against those emails or ensuring company computers/users have controlled access to data (IT can set the computers to automatically lock if not active for x amount of minutes, etc).  But those hazards are different from the Food Defense measures that QA and Production personnel would be able to handle or protect against.

 

Food Defense is defined in the US as efforts to prevent intentional food contamination by biological, physical, chemical, or radiological hazards that are not reasonably likely to occur in the food supply. I guess one example that comes to mind would be if someone were to maliciously hack to override or bypass electronic door locks to allow unauthorized persons into a building. Your average QA tech is going to be able to add/remove users from the security program controlling those doors, they can review logs to monitor who enters certain areas and question when someone entered somewhere they shouldn't have. But a hack? That's going to rest on your IT department having protocols to monitor for such a breach.

 

I can say I'm speaking from possibly limited experience, but my digital environments where I've worked to date are not related to Food Defense as defined.  It's usually discussed in the Crisis Control program as a matter of business continuity, where a disruption to our computer network would only affect our ability to ship/receive and conduct business, but doesn't pose a significant risk to contamination of product.  I did mention other places might have a risk depending on their processes, so it's something that needs to be evaluated individually, but still the responsibility for that security will rest with your IT departments.

Those concerns are dangerous for the company, sure, but QA staff rarely have the technical expertise to protect a company against ransomware emails or improper computer access.

I'm not saying QA people have the technical expertise, but just saying "IT will handle it" is, in my opinion, a naive approach. The people in the QA department should at least have a general (non-detailed) understanding of what protection IT has put in place to prevent digital problems.

 

I am a worker who might open a malicious email, so I would expect a procedure in place that requires workers to report suspicious emails to the IT department, for example.

