(1) The laboratory must have computer systems and software for sample tracking throughout the laboratory's possession from receipt of the samples through testing, reporting, and disposal.
(2) The laboratory must maintain a system security plan (SSP) for each information system used, including corporate systems and external service provider systems.
(3) The laboratory must have security controls (i.e., management, operational, and technical controls) in place to protect the confidentiality, integrity, and availability of the system and its information.
(4) If the laboratory contracts with an external service provider such as a cloud service provider, the laboratory must show due diligence in verifying that the service provider has procedures in place to protect the confidentiality, integrity, and availability of data for the services that they will perform on behalf of the laboratory.
(5) The laboratory must protect any internal computer systems (e.g., desktops, servers, instrument computers) against electrical power interruptions and surges that can contribute to data loss.
(6) The laboratory must protect any internal computer systems from spyware, viruses, malware, and other attacks through the use of firewalls and by maintaining software security updates.
(7) The laboratory must validate and document changes made to computer systems, software, interfaces, calculations, and security measures prior to implementing them for use on samples.
(8) Software testing must include performing manual calculations, checking against another software product that has been previously tested, or analyzing standards.
(9) The laboratory must have a signed contract or agreement with any external service providers that includes the priority elements of physical, technical, and administrative safeguards to protect their systems and data.