Regulatory Matters

Implementing 21 CFR Part 11 in Analytical Laboratories
Part 2: Security Aspects for Systems and Applications

Wolfgang Winter and Ludwig Huber

How can you be sure only an authorized user is entering data in your system? Is your electronic signature yours alone? Are you sure operators can't invalidate your data? Is your company in compliance with FDA data security regulations? This second article in the continuing series on implementing 21 CFR Part 11, the electronic signatures and records regulations, will help answer those questions.

Access security mechanisms prevent unauthorized persons from gaining access to, altering, or deleting records in a system. Access security is typically ensured with a number of behavioral controls or policies that are backed up and enforced by appropriate security mechanisms implemented on a company's information systems.

The first article in this series, which appeared in the November 1999 issue of BioPharm, provided an overview of 21 CFR Part 11, the regulation governing electronic signatures and records in analytical laboratories (1). It concluded with key recommendations for implementing a paperless record system in analytical labs. This second installment explains the practical and technical implications of Part 11 regarding access security, user rights, and audit trails in data systems that are used in such labs. It examines the relevance of appropriate security settings and password policies on laboratory computers and how today's chromatographic data systems do or do not make use of the security settings available to them. If the access security functions of a chromatography data system do not reuse the security mechanisms of the operating system, managing the security model of the data system requires additional administrative effort. We conclude by discussing the importance of task-specific access privileges in relation to current work practices in analytical laboratories, not only to ensure confidentiality but also to eliminate human mistakes or accidental loss of data.

Wolfgang Winter is product manager, data systems, and corresponding author Ludwig Huber is worldwide product marketing manager, HPLC, at Agilent Technologies GmbH, PO Box 1280, D-76337 Waldbronn, Germany, +49 7243 602 209, fax +49 7802 981 948, ludwig_huber@agilent.com.

Access Security

Procedures should be in place to allow access to a company's information system to authorized users only (2). For computer systems, access can be limited in two ways: through physical or logical security (3).

Control of physical access to laboratories is normal in regulated and accredited facilities. It is difficult for unauthorized individuals to walk into a quality control lab at a pharmaceutical company. But does that mean nobody can access that company's data systems and inspect or even manipulate its data records? Without dedicated security mechanisms, that is, without logical security built into the data system, fraud, error, and misuse are almost unavoidable. FDA has already issued regulatory citations for such failures, because sloppy security also undermines compliance with the medical device quality system regulation. In one example, FDA cited

". . . failure to establish and maintain procedures to control all documents that are required by 21 CFR 820.40, and failure to use authority checks to ensure that only authorized individuals can use the system and alter records, as required by 21 CFR 11.10(g). For example, engineering drawings for manufacturing equipment and devices [were] stored in AutoCAD form on a desktop computer. The storage device was not protected from unauthorized access and modification of the drawings." (4)

Who gets access? Secure access to a company's information system is a decision for the information technology (IT) specialists charged with administering those systems. Modern operating systems deployed in the professional IT environment support many security methods, but programming those security precautions requires knowledgeable, careful management and appropriate configuration. Without adequate security and password policies, the proper service release (also called a service pack, a release that fixes defects), and appropriate configuration settings, even an operating environment that is typically associated with security, like Microsoft Windows NT (NT), is wide open to the mismanagement of data.

Secure access to an information system requires user accounts. Each authorized user on the system is assigned an appropriate login to the system that typically consists of a user name or user identification (user ID) and a password. When assigning login
credentials, the system administrator uses a convention that correlates each individual with an ID, for example the individual's last name plus enough letters of the first name to make that ID unique within the IT environment. If my login name on a corporate UNIX system were wwinter, my user ID would be combined with a password that only I would know, and the combination of my user ID and password would be unique to my company's system, so that the combination would become equivalent to my handwritten signature.

The beauty of that concept is that in most cases the unique combination of user ID and password is already implemented by the local IT department using conventions and built-in functions of the operating system; IT does not have to reinvent the process for the data system. Therefore, the data system is compatible with the operating environment promoted by the local IT department, and user authentication for the data system is handled automatically. An ideal data system compliant with 21 CFR Part 11 would use the security mechanisms provided in the operating system. That would prevent extra effort in managing users and their access rights in and out of the laboratory. Today, corporations manage complex work groups or domains that spread across building sites, cities, or even continents.

Who gets access to what? Resolving that question is far trickier than the first. Secure operating systems typically use a mechanism called permissions, granting or prohibiting each user's access to certain records, files, or programs.

What permissions attempt to address is how to ensure that users can modify their own records but only read (not change) the records of other users. In theory, careful administration of individual file and directory permissions can make that happen. In fact, many current chromatography data systems require a system administrator to control and manage access permissions to individual files and directories on local hard disks and file servers. That is where user profiles can become extremely useful.

The Role of User Profiles

User profiles in operating systems such as NT are helpful in consistently managing the access rights of a number of users with different job roles, responsibilities, and training levels. A well-implemented profile restricts each individual's data access to only the servers, programs, and files he or she requires. It is also possible to assign private data shares to each individual, ensuring confidentiality and file integrity for that individual's work. System administrators can create and implement those profiles quickly and efficiently with appropriate administration scripts.

One disadvantage of user profiles remains, however. No matter how well the user profiles are implemented, they are always an external measure bolted onto the outside of a data system. The records inside the data system (the raw data, the results, and the metadata that transform the former into the latter) can have intrinsic dependencies that are difficult or even impossible to control and manage from the outside. A data system must manage the integrity and security of its records using its own internal logic of how the individual pieces are linked together. Otherwise the integrity of results and raw data will depend on the system administrator's experience with and knowledge of the particular data system.

When selecting a data system to implement 21 CFR Part 11 regulations, choose a vendor that offers a specific organization or revision scheme for the electronic records your company produces, maintains, and archives. So-called solutions based solely on standard file server functions depend on manual or semimanual data organization and will therefore be more susceptible to human error than integrated data organization systems.

Password Policies

Figure 1. Password policy settings in Windows NT.

User authentication and the confidentiality of passwords are void when those ID parameters are shared between individuals. The following quote from an FDA warning letter illustrates that common failure to comply with the requirements of Part 11.

"An employee user name and computer password were publicly posted for other employees to use to access the Data Management System. During the inspection another employee who did not have an established user name or password was observed obtaining access to the Data Management System utilizing the posted user name and password. Three previous employees, who had terminated employment in 1997 and 1998, still had access to critical and limited Data Management System functions on March 18, 1999." (5)

How can passwords be kept secure? In sections 11.200, Identification Mechanisms and Controls, and 11.300, Controls for Identification Codes/Passwords, 21 CFR Part 11 states requirements for identification mechanisms used for executing electronic signatures: the identification mechanisms shall be used only by their genuine owners, and they need to be administered and executed to ensure that attempted use of an individual's electronic signature by anyone other than its genuine owner requires the collaboration of two or more individuals. The technical answer to that FDA requirement is to implement appropriate policies that ensure the security, integrity, authenticity, and confidentiality of identification codes in the computer system. One common problem with secure
passwords is that they can be hard for their owners to remember. If passwords are easy to remember, they may be guessed by another person or identified by an appropriately designed password cracker program (6). In the early days of secure operating systems, system administrators worked out password policies. Sometimes the policies resulted in passwords that were so secure that ordinary users had to write them down to remember them! In practice, a trade-off has to be found that protects an individual's password from external access but is nevertheless reasonably convenient for its bearer. See the Password Policies box.

Operating systems such as NT support account policies (Figure 1). An account policy specifies how passwords must be defined and employed for all user accounts on a system. It specifically addresses the issue of locking a user account after invalid logon attempts. An important aspect of an account policy is for a company to have a common approach to all the settings needed. For example, a company would set the security policy in the operating system because such a setting then applies to all programs residing on its client PCs.

Managing account settings is typically a system administration task centrally fulfilled by corporate IT departments. That administrative burden is duplicated on the laboratory data system if its internal security design does not tie into the security mechanism of the operating system. Such a lack of integration results in the need to manage duplicate user accounts and duplicate passwords, once for the operating system and once for the data system. In many cases, laboratory data systems provide only limited or no account policy functions compared with the functions available in the operating system. Limited or nonexistent account security in data programs makes implementing 21 CFR Part 11 difficult. Laboratories must examine the different account policies available from vendors. A vendor solution that directly ties into the operating system security scheme is the most pragmatic and future-proof solution. An upcoming article in this series will discuss the benefits of such an open and generic approach when it comes to integrating additional security and authentication mechanisms (like encryption technology or biometrics) in the future.

Figure 2. Temporarily disabling a user account in User Manager of NT.

How to prevent access using appropriated logins. A practical and secure identification system must cover the potential threat of actions performed on electronic records by people using the credentials (user name and password) of others. That typically takes place when the first user inadvertently leaves the computer session open during an interruption of a task. Another core requirement of Part 11, stated in comment 63, is to reduce the likelihood that someone can readily repudiate an electronic signature as not his or her own, or claim that the signed record had been altered. In comment 124 of the rule, appropriate countermeasures are explained in greater detail:

"The agency believes that, in such situations, it is vital to have stringent controls in place to prevent the impersonation. Such controls include: (1) Requiring an individual to remain in close proximity to the workstation throughout the signing session; (2) use of automatic inactivity disconnect measures that would de-log the first individual if no entries or actions were taken within a fixed short timeframe; and (3) requiring that the single component needed for subsequent signings be known to, and usable only by, the authorized individual." (7)

When selecting a data system for implementing 21 CFR Part 11 in the laboratory, confirm the availability of tools in the program against impersonation, the reuse of another user's credentials. A number of analytical vendors have already published technical notes on that security issue (8,9).

User Access Rights

The next question deals with what user-based access restrictions should apply to an electronic signature (e-sig) compliant data system according to section 11.10 of the rule. Apparently, it is insufficient to merely restrict system access to a group of individuals without differentiating their responsibilities, knowledge, or charter. Users could inadvertently modify system settings in a way that affects the integrity or security of the records. That is particularly true for system administration settings. Clearly, system administrators need to adhere to written policies, and only a few users should have system administration-type access. In comment 83 of the rule, FDA explains the need for that type of system access control.
"System access control is a basic security function because system integrity may be impeached even if the electronic records themselves are not directly accessed. For example, someone could access a system and change password requirements or otherwise override important security measures, enabling individuals to alter electronic records or read information that they were not authorized to see." (7)

The term used by the rule is authority check. Does that necessarily mean a system administrator must assign and determine the access privileges for each user? According to comment 83 of the rule, organizations

"do not have to embed a list of authorized signers in every record to perform authority checks. For example, a record may be linked to an authority code that identifies the title or organizational unit of people who may sign the record. Thus, employees who have that corresponding code, or belong to that unit, would be able to sign the record." (7)

The conclusion of some analytical data system vendors is that security in data systems may require user access to be configurable based on job role or duties. Each company decides which computer tasks are permissible for which users according to their job roles. Tasks that require an electronic signature are configurable in the same way, so those decisions depend on the lab's policy, not on the vendor's worldview.

Shared desktops. One workplace practice with compliance-related issues is frequently found in laboratories where multiple users operate several instruments controlled by the same computer. For example, in production or process control environments each computer often controls multiple chromatographs used by more than one operator. In such environments, user authentication using the NT operating system login is inconvenient because changing the currently logged-on user requires shutting down the current session. Depending on the data system's implementation, that could affect data acquisition from other instruments. Executing the user profile, establishing network connections, and restarting the applications make that a slow and inconvenient security method.

A good solution would be a shared logon to a computer running NT (a shared desktop) that requires individual operators to log onto the chromatography data system using private user names and passwords. The shared account would have no access rights within the chromatography data system, so each individual is traceable and accountable for the data. The user ID and password of a shared logon would not qualify as an electronic signature.

Remote access. Many organizations with continuous operations require remote access to data systems for on-call laboratory personnel. If designed carefully, remote system access fulfills the technical control requirements for closed system environments outlined in 21 CFR Part 11, even if it is established using public service providers. Such access must be limited to authorized personnel and must authenticate users by requiring their user ID and password. Password security can be enhanced with hardware tokens (often loosely called smart cards) that generate one-time passwords valid for only a few minutes and synchronized with an authentication server on the dial-in system. Possibilities for misuse can also be greatly reduced by calling the user back at a preconfigured telephone number after successful authentication (dial-back).

Service Account Logins

Another frequent concern is logins for service or ma­intenance personnel. Most vendors of chromatography data systems configure a specific user account on a particular computer that can be used by the service engineer during installation, configuration, and maintenance of the data system. Especially on data systems that operate under NT, the vendor's service engineer requires administrator rights to install software, configure NT services, or install drivers for instrument-specific hardware.

The vendor's original idea was to protect data and ensure service by not requiring a system administrator to be present or to share his or her login code with the vendor's service engineer. (Under the provisions of 21 CFR Part 11, sharing an administrator login means the system administrator could repudiate an activity that was signed for by stating that someone else was working with the system using that login.) However, some companies view the existence of a service account with administrative privileges as a clear violation of data system security. Our recommendations for solving that practical problem follow.

Define and implement the procedural controls that must be followed by a vendor's service engineer who needs access to your data system.

Consider creating service user accounts in your data system's security policies. If a service user account with administrative privileges is required for support or maintenance reasons, create that account on the systems themselves. Disable the service user account (Figure 2) when it is not in use. The authorized system administrator should enable the service user account only when the vendor's service engineer requires access to the data system.

For the service account, implement a user profile that prevents access to confidential data on the file servers.

If the data system allows configuring user-specific access rights, disable those rights on the service account that could affect the security and integrity of data on that PC, for example rights that allow deletions, reprocessing of analyses, approval or rejection of results, or modification of methods.

If the task requires a service or maintenance engineer to have administrative rights that would allow execution of tasks related to data security, his or her activities should be supervised by the system administrator. If the vendor's representatives are adequately trained on the data integrity requirements of Part 11, the activities planned by the service engineer can be reviewed and preagreed by the responsible system administrator without the necessity to supervise each step.

PASSWORD POLICIES

Carefully designed password policies minimize the possibilities for passwords to become known to persons other than their rightful owners. The following guidelines should be considered in order to establish an effective and practical password policy.

1. Nobody, including the system administrator, should know the passwords of other users on the system. A compliant password policy requires users to change their password when they log on for the first time.
2. Passwords should have a minimum length of at least 6 characters. Requiring more than 8 characters can make passwords too hard to remember and too inconvenient to type accurately.
3. Passwords should contain a combination of letters, numbers, and punctuation (;,.!-+?_:).
4. Passwords must not use personal information like names, license plates, or phone numbers, because those can be easily guessed.
5. Passwords should not consist of words that can be found in a dictionary.
6. Mixing upper case and lower case in the same password enlarges the space a password cracker has to search and makes the password harder to read off while it is typed.
7. A user account should be disabled or locked after three unsuccessful login attempts.
8. Passwords should be changed regularly; six to eight weeks appears to be a practical period. With shorter periods, the password change is perceived as a nuisance, and users are more likely to write their passwords down in order to remember them. A good password policy therefore uses "password aging".
9. The password policy should prevent users from alternating between only two or three passwords. The number of passwords "remembered" by the policy should be large enough that a user cannot cycle back to a recent password after a few changes; a good password policy uses a password history of five.
10. An effective password policy only works if the users appreciate its value. As expressed by the FDA, company policies need to exist that hold individuals accountable for their actions on electronic records. I handle electronic records with more care if I am aware that my electronic signature on that record is legally binding!

The length and aging figures in rules 2 and 8 reflect practice at the time of writing; current guidance such as NIST SP 800-63B favors longer passwords or passphrases over composition rules and recommends forcing a change only when a password is suspected to be compromised.
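The ten rules of the Password Policies box, turned into a checker that a data system could call whenever a user picks or changes a password, together with the account-side behaviour the box asks for (forced change at first logon, lockout after three failures, aging, a history of five). This is an added example written for this edition, not code from the article or from any vendor's data system; the word list, the sample account, the timestamps and the sample passwords are constructed for the demonstration.

```python
"""Password policy, history, aging and lockout checks modelled on the ten rules
of the Password Policies box.  Added example, not code from the article or from
any vendor's data system; the word list, the sample account and the sample
passwords are constructed for the demonstration."""
import hashlib
import hmac
import os
import re
from datetime import datetime, timedelta

# Constructed mini word list for rule 5; a real deployment loads a full dictionary.
DICTIONARY = {"password", "welcome", "summer", "secret", "chroma", "agilent"}
PUNCTUATION = set(";,.!-+?_:")        # the characters listed in rule 3 of the box
T0 = datetime(2000, 1, 10, 8, 0)      # constructed "now" for the sample below


def _hash(password, salt):
    # Salted, iterated hash: stored history entries must not be readable as plain text.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)


def check_password(candidate, user_id, personal_info, min_length=6):
    """Return the rules the candidate violates (an empty list means acceptable).
    personal_info lists strings such as the last name or phone number (rule 4)."""
    problems = []
    if len(candidate) < min_length:
        problems.append("rule 2: shorter than %d characters" % min_length)
    if not (any(c.isalpha() for c in candidate) and any(c.isdigit() for c in candidate)
            and any(c in PUNCTUATION for c in candidate)):
        problems.append("rule 3: needs letters, digits and punctuation")
    lowered = candidate.lower()
    for item in [user_id] + list(personal_info):
        token = re.sub(r"\W", "", item.lower())      # "+49 7243 602 209" -> "497243602209"
        if len(token) >= 3 and token in lowered:
            problems.append("rule 4: contains personal information %r" % item)
    if re.sub(r"[^a-z]", "", lowered) in DICTIONARY:   # "Summer99!" -> "summer"
        problems.append("rule 5: based on a dictionary word")
    if not (any(c.islower() for c in candidate) and any(c.isupper() for c in candidate)):
        problems.append("rule 6: no mix of upper and lower case")
    return problems


class Account:
    """One user account: forced change at first logon (rule 1), lockout after
    three failures (rule 7), aging (rule 8) and a password history of five (rule 9)."""
    MAX_FAILURES = 3
    HISTORY = 5
    MAX_AGE = timedelta(weeks=8)

    def __init__(self, user_id, personal_info, initial_password, now):
        self.user_id = user_id
        self.personal_info = list(personal_info)
        self.history = []          # (salt, digest) pairs, newest last
        self.failures = 0
        self.locked = False
        self.must_change = True    # rule 1: the administrator-assigned password is temporary
        self._store(initial_password, now)

    def _store(self, password, now):
        salt = os.urandom(16)
        self.history.append((salt, _hash(password, salt)))
        self.history = self.history[-self.HISTORY:]
        self.changed_at = now

    def _matches(self, password, entry):
        salt, digest = entry
        return hmac.compare_digest(_hash(password, salt), digest)

    def change_password(self, old, new, now):
        """Return the violations found; an empty list means the change was applied."""
        if not self._matches(old, self.history[-1]):
            return ["current password wrong"]
        problems = check_password(new, self.user_id, self.personal_info)
        if any(self._matches(new, entry) for entry in self.history):
            problems.append("rule 9: password used recently")
        if not problems:
            self._store(new, now)
            self.must_change = False
        return problems

    def login(self, password, now):
        """Return 'ok', 'change-required', 'denied' or 'locked'."""
        if self.locked:
            return "locked"
        if not self._matches(password, self.history[-1]):
            self.failures += 1
            if self.failures >= self.MAX_FAILURES:   # rule 7: an administrator must re-enable
                self.locked = True
                return "locked"
            return "denied"
        self.failures = 0
        if self.must_change or now - self.changed_at > self.MAX_AGE:   # rules 1 and 8
            return "change-required"
        return "ok"


if __name__ == "__main__":
    acct = Account("wwinter", ["Winter", "+49 7243 602 209"], "Initial-1", T0)
    print(acct.login("Initial-1", T0))                          # change-required
    print(acct.change_password("Initial-1", "Summer99!", T0))   # ['rule 5: based on a dictionary word']
    print(acct.change_password("Initial-1", "Xq7;kLm2", T0))    # []
    print(acct.login("Xq7;kLm2", T0 + timedelta(weeks=9)))      # change-required
```

The history is kept as salted, iterated hashes rather than plain text so that rule 9 can be enforced without anyone, the administrator included, being able to read old passwords back (rule 1). A locked account stays locked until an administrator re-enables it, which is the same manual step the Service Account Logins section asks for.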
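The authority-check, inactivity-lock, remote-token and service-account recommendations above, combined into one small access-control model for a laboratory data system. This is an added example, not code from the article or from any data-system vendor: the roles, task names, user IDs and timestamps are assumed, the token secret is the RFC 6238 test key rather than a real token seed, and password verification is deliberately out of scope here. The one-time-password check implements RFC 6238 TOTP, which is one standard form of the time-synchronized token the Remote access paragraph describes.

```python
"""Role-based authority checks, a disable-by-default service account, an inactivity
lock, a one-time-password check for remote logins and an append-only audit trail,
modelled on the User Access Rights, Remote access and Service Account Logins
passages.  Added example, not code from the article or from any data-system
vendor; the roles, task names, user IDs, timestamps and token secret are
constructed for the demonstration.  Password verification is out of scope here."""
import hashlib
import hmac
import struct
from datetime import datetime, timedelta

# Assumed lab policy: which job role may run which data-system task.  The service
# role gets nothing that deletes, reprocesses, approves or rejects, or edits methods.
ROLE_TASKS = {
    "operator":      {"acquire", "view"},
    "analyst":       {"acquire", "view", "reprocess", "modify_method", "delete"},
    "reviewer":      {"view", "approve", "reject"},
    "service":       {"view", "install_driver", "configure_instrument"},
    "administrator": {"view"},   # manages accounts (set_enabled) but never touches records
}
SIGNED_TASKS = {"approve", "reject", "delete", "modify_method"}   # need an e-signature
INACTIVITY_LIMIT = timedelta(minutes=10)     # comment 124: de-log idle sessions
T = datetime(2000, 3, 18, 9, 0)              # constructed "now" for the sample below
DEMO_TOKEN_SECRET = b"12345678901234567890"  # RFC 6238 test key, not a real token seed


def totp(secret, unix_time, step=30, digits=6):
    """RFC 6238 time-based one-time password (HMAC-SHA1), the mechanism behind the
    time-synchronized tokens mentioned under Remote access."""
    counter = struct.pack(">Q", int(unix_time) // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return "%0*d" % (digits, code % 10 ** digits)


class DataSystem:
    """A closed system: every login and task attempt is decided by role and logged."""

    def __init__(self):
        self.accounts = {}   # user_id -> {"role", "enabled", "token_secret"}
        self.sessions = {}   # user_id -> time of last activity
        self.audit = []      # (time, user, action, outcome): computer-generated, append-only

    def _log(self, now, user, action, outcome):
        self.audit.append((now.isoformat(), user, action, outcome))
        return outcome

    def add_account(self, user_id, role, enabled=True, token_secret=None):
        self.accounts[user_id] = {"role": role, "enabled": enabled, "token_secret": token_secret}

    def set_enabled(self, admin, user_id, enabled, now):
        """Only an administrator enables the service account, and only while it is needed."""
        if self.accounts.get(admin, {}).get("role") != "administrator":
            return self._log(now, admin, "set_enabled:" + user_id, "denied: not an administrator")
        self.accounts[user_id]["enabled"] = enabled
        return self._log(now, admin, "set_enabled:" + user_id, "enabled" if enabled else "disabled")

    def login(self, user_id, now, otp=None):
        acct = self.accounts.get(user_id)
        if acct is None or not acct["enabled"]:
            return self._log(now, user_id, "login", "denied: unknown or disabled account")
        if acct["token_secret"] is not None:   # remote user: token code must match +/- one step
            valid = {totp(acct["token_secret"], now.timestamp() + d) for d in (-30, 0, 30)}
            if otp not in valid:
                return self._log(now, user_id, "login", "denied: bad one-time password")
        self.sessions[user_id] = now
        return self._log(now, user_id, "login", "ok")

    def perform(self, user_id, task, now, sign_as=None):
        """Authority check for one task; a signed task must be signed by the session owner."""
        last = self.sessions.get(user_id)
        if last is None:
            return self._log(now, user_id, task, "denied: no session")
        if now - last > INACTIVITY_LIMIT:
            del self.sessions[user_id]
            return self._log(now, user_id, task, "denied: session locked after inactivity")
        self.sessions[user_id] = now
        role = self.accounts[user_id]["role"]
        if task not in ROLE_TASKS.get(role, set()):
            return self._log(now, user_id, task, "denied: role %s lacks authority" % role)
        if task in SIGNED_TASKS and sign_as != user_id:
            return self._log(now, user_id, task, "denied: e-signature must be the session owner's")
        return self._log(now, user_id, task, "ok (signed)" if task in SIGNED_TASKS else "ok")


if __name__ == "__main__":
    ds = DataSystem()
    ds.add_account("admin1", "administrator")
    ds.add_account("svc-vendor", "service", enabled=False)   # stays disabled until needed
    ds.add_account("oncall", "analyst", token_secret=DEMO_TOKEN_SECRET)
    print(ds.login("svc-vendor", T))                       # denied: unknown or disabled account
    print(ds.set_enabled("admin1", "svc-vendor", True, T))  # enabled
    print(ds.login("svc-vendor", T))                       # ok
    print(ds.perform("svc-vendor", "delete", T))           # denied: role service lacks authority
    print(ds.login("oncall", T, otp=totp(DEMO_TOKEN_SECRET, T.timestamp())))   # ok
    for entry in ds.audit:
        print(entry)
```

Authority is resolved from the job role, as comment 83 allows, so adding a user never requires editing a list of signers in the records; the service role can install drivers but cannot reach any task that changes or approves data, and its account is disabled until an administrator enables it. Denied attempts are written to the audit trail just like successful ones, which is what makes a later inspection of "who tried what, when" possible.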
Needless to say, a data system that is compliant with 21 CFR Part 11 will allow the assignment of specific access rights by job role, so that a service engineer cannot perform operations that affect data security. Because critical tasks require an electronic signature before they are completed, a task that a service engineer initiates by mistake can be stopped or undone before it takes effect. Figure 2 shows a screen shot of an NT user account temporarily disabled, as should be done with service accounts when they are not in use.

To Be in Compliance

Here are the main steps to consider and evaluate to ensure access security in accordance with 21 CFR Part 11.

Use the security mechanisms of your data system to control access. Ideally, data systems tie into the user account database of an operating system.

Define, implement, and use a password policy to ensure confidentiality and authenticity of individual user passwords. The data system should either allow defining password policies or tie into the password policies of the operating system.

Reduce validation efforts for biometric identification mechanisms by delaying implementation until they become pervasive. Wait until operating systems offer intrinsic functions or standard add-ons.

Define the measures to protect against impersonation. Your data system can lock a current session explicitly and automatically using inactivity timeouts.

Define access rights according to the job role requirements of your company. To manage access rights for large groups of users, define access rights by job role rather than individually. An ideal data system allows configuring access rights by user groups.

SECURITY TALK: GLOSSARY OF TERMS

Access security. Determines who is allowed to log on to a system locally or from the network and puts mechanisms in place that prevent unauthorized persons from gaining access to the computer system. Most operating systems offer several different types of access privileges that can be granted or denied to specific users or groups of users.

Administrative privilege or system administration. The responsibility for maintaining a multiuser computer system and managing the security of the computer network, for example by setting up new user accounts and the privileges and access available to specific users.

Application. A software program that is installed on a computer to perform certain tasks, which only some employees may be allowed to access.

Appropriated login or impersonation. Someone using an authorization code, usually user ID and password, of another person, usually to gain access to network resources for which he or she doesn't have privileges or authorization. Can be intentional or not.

Audit trail. A computer-generated and time-stamped record of who did what, when. Part 11 requires the audit trail to be generated independently of the operator. The audit trail must capture all activities related to creating, modifying, and deleting records on a system.

Authentication mechanisms, authority checks, or authorized signers. Distinct from authorization, which grants or denies access to a network resource, authentication is the mechanism by which the system establishes and verifies as conclusively as possible that a person logging in to the network is who he or she claims to be. FDA says authority checks are to ensure that only authorized individuals can use the system, electronically sign a record, access the operation or computer system input or output device, alter a record, or perform operations.

Biometrics. Biopharmaceutical scientists may think of biometrics as the statistical study of biological phenomena. But in computer security it refers to authentication techniques that rely on measurable physical characteristics that can be automatically checked, such as fingerprints, speech, or retinal patterns. FDA defines biometrics as verifying an individual's identity based on measurement of the individual's physical feature(s) or repeatable action(s) where those features and/or actions are both unique to that individual and measurable.

Closed system. An environment in which system access is controlled by persons responsible for the content of the records on the system. Most firms regulated by the FDA fall into this category.

Configuration settings. An overall organizational structure defining how permissions are configured, with settings allowing, for example, one user only to read a file, another to execute or run that file, and a third to write new data into it.

Data integrity. The validity of data and its relationships. In order for electronic records to be trustworthy and reliable, the links between raw data, metadata, and results must not be compromised or broken. Without data integrity, it is not possible to reliably regenerate a previous result.

Disabled account. A user account that has its access turned off so that it is not usable until access is granted again.

Electronic signatures, digital signatures, or e-sigs. According to FDA, an electronic signature is any symbol or series of symbols executed, adopted, or authorized by an individual to be the legally binding equivalent of the individual's handwritten signature. A digital signature is an electronic signature based upon cryptographic methods of originator authentication, computed by using a set of parameters so that the identity of the signer and the integrity of the data can be verified.

Encryption. Translation of data into a form that cannot be read without the key, one of the most effective ways to protect the confidentiality of stored or transmitted data. Unencrypted data is called plain text and encrypted data is referred to as cipher text.

External or remote access. The ability to log on to a network from a distant location. The system containing data is the host, while the computer at which a user sits is called the remote terminal. Apart from slower data transfer speeds, the practical difference from a workstation connected directly to the network is that the connection crosses lines outside the company's control, which is why remote logins warrant the additional authentication measures described under Remote access.

ID parameters. The authentication and authorization codes, usually a user ID and password: the unique set of characters that enables a user to access files, issue commands, or run programs.

Inactivity disconnect or locked session. A computer session that freezes or logs off automatically when no data has been input for a period of time.

Information technology (IT). The broad field concerned with managing and processing information, particularly within large companies. Also referred to as information services (IS) or management information services (MIS).
Integrated data organization system, logical security, or internal logic. Data management planning and configuration that combines the diverse applications used by a company with the operating system in such a way that authentication and authorization are achieved most efficiently and effectively.

Login, logon, or login credentials; also user ID and user name. Identification methods that make a computer system recognize users so they can begin computer sessions, usually user names and passwords.

Metadata, raw data, and results. Metadata are important for reconstructing a final report from raw data. In chromatography, they include integration parameters and calibration tables. In long division, 1,000 ÷ 5 would be the raw data, the work you had to show on your paper in fourth grade math class would be the metadata, and 200 would be your result.

Open system. An environment in which system access is not controlled by persons responsible for the content of the electronic records on that system, for example a system reached over a public network. Part 11 requires additional measures such as encryption and digital signatures for records on open systems.

Operating system or operating environment. The most important program that runs on the computer; it performs basic tasks such as recognizing input from the keyboard, sending output to display screens, keeping track of files and directories, and controlling peripherals such as printers. Microsoft Windows NT, Linux, and UNIX are operating systems.

Password cracker. Ideally, a password is something nobody can guess. In practice, people choose passwords that are pretty easy to guess, such as their name or initials. Password cracker programs try large numbers of candidate passwords (dictionary words, names, common patterns) against captured password hashes or a login prompt so that an unauthorized user can break into a computer system. Though the terms are frequently used interchangeably, a cracker is someone who breaks into a secure system, whereas a hacker is more interested in learning about computer systems or in playing pranks than in compromising secure data.

Permissions or privileges. Security settings that define or restrict which users can read, write, and execute the associated files, directories, or programs. Some departments only need to look at data, some need to input data or run programs, and others may not need to look at the data at all.

Principle of nonrepudiation. The ability to say with confident assurance that only one user entered specific data or performed specific actions on a computer system and that the particular user is identifiable. If more than one user can get into the system in such a way that the audit trail cannot specify who performed what action, the principle of nonrepudiation has been violated.

Private data shares. Personal directories on a file server that are accessible only by the owner of the data.

Scripts or admin scripts. Another term for macro or batch file; a script is a bit of programming that automates tasks. Admin scripts usually provide tools to help system administrators set up user permissions for system security.

Security mechanisms or dedicated security mechanisms. Techniques for ensuring that data stored in a computer cannot be read or compromised. Most security measures involve encryption or passwords.

Servers, programs, and files. A server is a computer or device on a network that manages network resources. A file server stores files, a print server manages printers, a network server manages network traffic, and a database server processes database inquiries. A program is an organized list of instructions (like a recipe) that causes a computer to behave in certain predetermined ways. Files are collections of data with file names: text files, data files, program files, or directory files.

Service account login or service user account. An account on a computer system preprogrammed or added so that the vendor or maintenance contractor has authorization to access various machine routines to service it.

Service release or service pack. Defect-fix releases of an operating system that address serious issues or defects reported against a previous release. Service releases need to be installed on top of the original software.

Shared desktop, account, or login. A personal computer is often called a desktop. Shared personal computers, accounts, or logins can violate the principle of nonrepudiation. If the audit trail is unable to distinguish between individuals using such shared network resources, an electronic signature is not valid.
Task-specificaccess or access by jobrole. A system administration tool for
setting up user profiles, assigning users to groups, then assigning
specific permissions to all users of that group. So the manager
group might have privileges to only read the files in QA/QC. But a
certain manager might have write privileges in the fermentation
department she manages as a member of the fermentation
group. Assigning privileges by task or job means that users will be
authorized to use only the network resources they need to do their
job.
SECURITY TALK GLOSSARY OF TERMS(Continued)
If the laboratory setup requires users to share the same desktop, perform user authentication in the chromatography data system itself, using an individual and unique combination of user ID and password for each authorized user. Shared logons to the data system negate the principle of nonrepudiation of a signed record; if others share the logon, a signed record can be repudiated.
Implement a security policy to create a dedicated user account for vendor service personnel. If at all possible, disable tasks that could affect the confidentiality or security of the data stored in the system. Disable the service user account when it is not in use for service or maintenance activities. Consider whether additional procedural controls are necessary for its use.
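The glossary's task-specific access model (a manager group that may only read QA/QC files, while one manager also writes in the fermentation group she belongs to) and the two recommendations above (individual logons so the audit trail names one person, and a vendor service account that stays disabled outside maintenance) can be modelled in a few lines. This is an added example, not code from the article or from any chromatography data system; the group, department and user names are hypothetical.

```python
from dataclasses import dataclass, field

# Constructed example (not from the article): a minimal role-based access
# model and audit trail for a lab data system, following the article's case
# of a manager with read-only access in QA/QC but write access in the
# fermentation group she belongs to. Names are hypothetical.
PERMISSIONS = {
    # (group, department) -> actions that group may perform in that department
    ("manager", "QA/QC"): {"read"},
    ("fermentation", "fermentation"): {"read", "write"},
    ("analyst", "QA/QC"): {"read", "write"},
}

@dataclass
class User:
    user_id: str          # individual, never shared, so audit entries are attributable
    groups: frozenset
    enabled: bool = True  # the vendor service account stays disabled outside maintenance

def permitted_actions(user, department):
    """Union of the actions granted to each of the user's groups in a department."""
    actions = set()
    for group in user.groups:
        actions |= PERMISSIONS.get((group, department), set())
    return actions

@dataclass
class DataSystem:
    users: dict
    audit_trail: list = field(default_factory=list)

    def perform(self, user_id, department, action):
        """Authorize one action for one identified user and record who did what."""
        user = self.users.get(user_id)
        if user is None or not user.enabled:
            self.audit_trail.append((user_id, department, action, "denied-account"))
            return False
        allowed = action in permitted_actions(user, department)
        self.audit_trail.append((user_id, department, action, "ok" if allowed else "denied"))
        return allowed

    def set_enabled(self, user_id, enabled):
        """Enable the service account only for the maintenance window, then disable it."""
        self.users[user_id].enabled = enabled

def build_demo_system():
    users = {"jane": User("jane", frozenset({"manager", "fermentation"})),
             "vendor_service": User("vendor_service", frozenset({"analyst"}), enabled=False)}
    return DataSystem(users)
```

Every audit entry carries the individual user ID, which is what makes a later signature non-repudiable; a shared logon would leave the same trail for several people.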
Recently, several warning letters and 483s were issued citing 21 CFR Part 11 violations. Although most addressed electronic batch recordkeeping practices in pharmaceutical manufacturing, FDA clearly expects companies to be taking steps toward compliance and to have a plan in place (5). That is especially true in the area of legacy systems, where time is running out and you have to play a game of catch-up (5). In the next installment of this series, planned for BioPharm's March 2000 issue, we will focus on a subject that goes right into the core of Part 11 to separate the wheat from the chaff in chromatography data systems: data integrity.
References
(1) L. Huber, "Implementing 21 CFR Part 11 in Analytical Laboratories: Part 1, Overview and Requirements," BioPharm 12(11), 28–34 (1999).
(2) Code of Federal Regulations, Food and Drugs, Title 21, Part 11, "Electronic Records; Electronic Signatures" (U.S. Government Printing Office, Washington, DC). Also Federal Register 62(54), 13429–13466.
(3) L. Huber, Validation of Computerized Analytical Instruments (Interpharm Press, Inc., Buffalo Grove, IL, 1995).
(4) Compliance Policy Guide: 21 CFR Part 11; Electronic Records, Electronic Signatures (CPG 7153.17) (FDA, Washington, DC), www.fda.gov/ora/compliance_ref/cpg/cpggenl/cpg160-850.htm.
(5) Gold Sheet 33(7) (F-D-C Reports Inc., Chevy Chase, MD, 1999).
(6) M.J. Edwards, "The Handy Security Toolkit Revisited," Windows NT Magazine (October 1999), www.winntmag.com.
(7) Rules and Regulations, comment 124, Federal Register 62(54) (20 March 1997), p. 13429, from the Federal Register Online, GPO Access, DOCID: fr20mr97-25.
(8) Implementing Electronic Records and Signatures with Hewlett-Packard's ChemStation (Hewlett-Packard, Little Falls, DE, 1998), publication number 12-5966-2315E.
(9) Using ChemStation Plus to Comply with FDA 21 CFR Part 11 (Agilent Technologies, Little Falls, DE, 1999), publication number 5968-7930E.
Agilent Technologies Publication Number 5980-1306E. Reprinted from BioPharm, January 2000, an Advanstar publication. Printed in U.S.A.