Introducing new software
OrganOx is a Class III medical device manufacturer, is regulated by the FDA, Sarbanes-Oxley (finance) and GDPR (data protection) legislation, and holds external cyber security certifications, all of which require us to use only approved suppliers. Every supplier in the supply chain adds risk and hidden cost to OrganOx. For small numbers of users, the hidden costs typically exceed the licence cost.
The approved software list can be found here: Approved Software List.xlsx
To add a new supplier, the requester needs to meet the requirements of each corporate function, each of which has its own authoritative process. The requester is by default the OrganOx owner of the system and will periodically need to provide updated information or perform or participate in security reviews. This guide is a pointer to those functional / departmental processes and does not supersede them.
IT
- A Cyber Security Questionnaire (template stored in Master Control) needs to be completed and submitted to IT. It can be completed by either the requester or the vendor.
- The questionnaire assesses the vendor's basic cyber security posture, to ensure we are dealing with a genuine organisation that takes cyber security seriously and is fit for purpose for a multi-million dollar medical device manufacturing company.
- If the vendor holds certifications such as SOC 2 or ISO 27001, copies of these need to be obtained.
- The IT team (Martin Hepworth - Cyber Security Specialist) will help conduct a security review that records the classification of all data, where it is stored and how it is protected, and will store the above certificates.
- Any system that stores data must use strong passwords and Multi-Factor Authentication. Single Sign-On is even better, and lowers the administrative burden on the departmental system owner.
- The vendor MUST provide software updates to fix security vulnerabilities: our cyber security certification requires vulnerabilities with a CVSS score >= 7 to be patched within 14 days.
- Licence details and costs must be provided to the IT team, as IT maintains an overview of all software and systems regardless of cost centre.
- It is rare, but if an organisation does not meet OrganOx's cyber security requirements it may be rejected as a supplier.
Legal
- Any new contract engagement, including new software, needs to be submitted to legal@organox.com via a contract extract (template stored in Master Control) in accordance with the delegation of authority (also stored in Master Control). Legal must approve all contracts prior to execution.
- If data is processed as part of this arrangement, the Legal team will perform an analysis to determine what additional documents, for example a Data Processing Agreement, may be necessary.
- If the Company is sharing any sensitive or confidential information, a Non-Disclosure Agreement may be needed. The Legal Department can help guide you on this subject and provide any necessary agreement(s).
- The Legal team will require copies of all executed agreements.
Quality
- In accordance with SOP07-008 Control of Supply and Supplier Approval, all potential new suppliers should be notified to the Quality supplier management team (sarah.comerford@organox.com and priya.gorasia@organox.com), who will make a judgement on whether or not they are device impacting.
- QF-0223 will need to be filled out by the requester, and QF-0141 will need to be completed by the vendor. The supplier management team will use that information to analyse the impact of the new software on OrganOx products and the quality process. Additional information may be required if the software impacts or interacts with any OrganOx products.
Finance
- The supplier must be entered into the SAP ERP system before any payment can be made; accounts@organox.com can provide a supplier onboarding form.
- A quote will be required, against which a purchase order is requested via accounts@organox.com, who will need to know the cost centre and the purchasing entity (Ltd, Inc, Europe Ltd).
- Purchasing any IT software / licences on a corporate credit card is strictly forbidden until written approval has been received through the above process. Any breach could lead to your corporate card being withdrawn.
All steps need to be completed before the software is used, including for any trial use. If the software is found unsuitable by any department in this process, the supplier may be rejected before the trial stage.