Risk profiling gives PPD real-time view of vulnerabilities

Drug development company PPD built its own risk profiling tool to give all stakeholders a clear view of risk associated with every IT asset.

data analytics / risk assessment / tracking data or trends
ipopba / Getty Images

All businesses understand they face a multitude of risks in today’s world. How they measure that risk, though, often varies across different business functions. Teams dedicated to privacy might view risk differently from those looking at industry-specific regulatory requirements, who will have a different perspective from cybersecurity teams dealing with patching schedules.

For contract research organizaiton PPD (Pharmaceutical Product Development), which provides drug development, laboratory and lifecycle management services to biotech and biopharma companies worldwide, maintaining accurate inventory and understanding the level of risk associated with systems used while conducting clinical trials is vital.

To better view and understand risks, PPD created a new risk profiling system, a project which earned the company a CSO50 award.

Helping everyone understand risk

The project started with the need to inventory and track systems that conduct clinical trials and ensure that security resources were allocated by degree of assessed risk and potential system impact.

“When the system would come through our process, we would have to assess the risk of that system from a regulatory compliance perspective, an information security perspective and a data privacy perspective,” says Brad Wells, executive director of information security at PPD. “Often what we were finding was that it was a challenge for our technology teams to provide insight into the controls that they were applying. So, what we wanted to do is consolidate a lot of the control reviews and processes and generate a profile of the various risks associated with these technology systems.”

Understanding the risks around vulnerabilities is key to ensuring the company and its data are well-protected. It is also a core part of its regulatory compliance requirements and the needs of its customers. Many of the company’s contractual client obligations require it to apply certain controls depending on the type of data that's being processed and to be able to see that those controls are in place.

“There are a lot of different regulations across the globe that deal with needing to be able to understand what systems you're using and what data is in this system. How are we treating that data? Is the system validated?” says Kandice Samuelson, senior director of IT governance at PPD. “For me the project was about gathering that information, so I had that profile and I could show the client that we had in fact looked at all that and we were able to ensure that their data was safe.”

To continue reading this article register now

The 10 most powerful cybersecurity companies