Preventing Impersonation
Despite all the technical controls discussed so far, there is a potential loophole: A user could execute actions on electronic
records using the credentials of another user, either accidentally or intentionally. This could occur when the first user
inadvertently leaves his or her computer session "open" during an interruption of the current task. Measures to reduce the
likelihood of someone repudiating an electronic signature "as not his or her own" are described in comment 124 of the rule.
"The agency believes that, in such situations, it is vital to have stringent controls in place to prevent the impersonation.
Such controls include: (1) Requiring an individual to remain in close proximity to the workstation throughout the signing
session; (2) use of automatic inactivity disconnect measures that would "de-log" the first individual if no entries or actions
were taken within a fixed short timeframe; and (3) requiring that the single component needed for subsequent signings be known
to, and usable only by, the authorized individual."3
Figure 3: Windows 2000 audit policy defining that unsuccessful login events be tracked in the Windows Event Viewer
|
Measures against impersonation should be stated in the specifications for data systems. State-of-the art implementations use
a session-specific inactivity timeout in addition to the password-protected screensaver available in Windows. Session-specific
timeouts will even support shared use of the same desktop computer by different users (a common model in shift-mode operations)
because each session can run under the credentials of the individual user and timeout independently. This specific approach
has been successfully used in implementations of Cerity for Pharmaceutical QA/QC. In this particular example, the "unlock
session" function requires re-authentication of the original user who locked the session. The Windows security subsystem is
used to perform this re-authentication, which means the operating system's security policy settings also apply to the unlock
session screen. If someone tries to unlock the wrong session, they cause the same administrative alert as a failed login attempt.
Figure 3 illustrates an example security policy setting in Windows 2000. Figure 4 shows how an invalid password entered in
the login or session unlock screen triggers an appropriate audit event in the Windows 2000 security event viewer. Furthermore,
if configured, a series of invalid login attempts can actually disable the account.
Figure 4: Security event displayed in Windows 2000 event viewer after an unsuccessful login attempt inot the Cerity application
|
Summary
The main steps that should be considered and evaluated to ensure access security in accordance with 21 CFR Part 11 are summarized
below:
- Identify whether predicate rules and business practices in your work area make specific records subject to 21 CFR Part 11.
- Assess and document the risks that can affect the trustworthiness and reliability of the systems and the electronic records
they manage.
- Use the security mechanisms of your data system to control access. Ideally, the data system ties into the operating system's
user accounts.
- Establish, implement, and use a password policy to ensure confidentiality and authenticity of the individual user passwords.
Ideally, the data system should either allow password policies to be established or it should tie into the password policies
of the operating system.
- Define access rights according to the job role requirements of your operation. To manage access rights for a large group of
users, define access rights by job role rather than individual users. Ideally, the data system should allow configuring access
rights by user groups.
- Define measures to protect against impersonation. Ideally, the data system should lock the current session explicitly and
automatically using an inactivity timeout.
References
1. FDA. Compliance policy guide: 21 CFR Part 11; electronic records, electronic signatures (CPG 7153.17). [Revoked in Federal Register 2003 Feb 25.]
2. F-D-C Reports. The Gold Sheet 33(7).
3. FDA. Code of Federal Regulations, Title 21, Part 11 electronic records; electronic signatures; final rule. Federal Register 1997; 62(54):13429-13466.
|
