Getting a Handle on Access Security for 21 CFR Part 11 - - BioPharm International


Getting a Handle on Access Security for 21 CFR Part 11

BioPharm International

Preventing Impersonation Despite all the technical controls discussed so far, there is a potential loophole: A user could execute actions on electronic records using the credentials of another user, either accidentally or intentionally. This could occur when the first user inadvertently leaves his or her computer session "open" during an interruption of the current task. Measures to reduce the likelihood of someone repudiating an electronic signature "as not his or her own" are described in comment 124 of the rule.

"The agency believes that, in such situations, it is vital to have stringent controls in place to prevent the impersonation. Such controls include: (1) Requiring an individual to remain in close proximity to the workstation throughout the signing session; (2) use of automatic inactivity disconnect measures that would "de-log" the first individual if no entries or actions were taken within a fixed short timeframe; and (3) requiring that the single component needed for subsequent signings be known to, and usable only by, the authorized individual."3

Figure 3: Windows 2000 audit policy defining that unsuccessful login events be tracked in the Windows Event Viewer
Measures against impersonation should be stated in the specifications for data systems. State-of-the art implementations use a session-specific inactivity timeout in addition to the password-protected screensaver available in Windows. Session-specific timeouts will even support shared use of the same desktop computer by different users (a common model in shift-mode operations) because each session can run under the credentials of the individual user and timeout independently. This specific approach has been successfully used in implementations of Cerity for Pharmaceutical QA/QC. In this particular example, the "unlock session" function requires re-authentication of the original user who locked the session. The Windows security subsystem is used to perform this re-authentication, which means the operating system's security policy settings also apply to the unlock session screen. If someone tries to unlock the wrong session, they cause the same administrative alert as a failed login attempt. Figure 3 illustrates an example security policy setting in Windows 2000. Figure 4 shows how an invalid password entered in the login or session unlock screen triggers an appropriate audit event in the Windows 2000 security event viewer. Furthermore, if configured, a series of invalid login attempts can actually disable the account.

Figure 4: Security event displayed in Windows 2000 event viewer after an unsuccessful login attempt inot the Cerity application
Summary The main steps that should be considered and evaluated to ensure access security in accordance with 21 CFR Part 11 are summarized below:

  • Identify whether predicate rules and business practices in your work area make specific records subject to 21 CFR Part 11.
  • Assess and document the risks that can affect the trustworthiness and reliability of the systems and the electronic records they manage.
  • Use the security mechanisms of your data system to control access. Ideally, the data system ties into the operating system's user accounts.
  • Establish, implement, and use a password policy to ensure confidentiality and authenticity of the individual user passwords. Ideally, the data system should either allow password policies to be established or it should tie into the password policies of the operating system.
  • Define access rights according to the job role requirements of your operation. To manage access rights for a large group of users, define access rights by job role rather than individual users. Ideally, the data system should allow configuring access rights by user groups.
  • Define measures to protect against impersonation. Ideally, the data system should lock the current session explicitly and automatically using an inactivity timeout.

References 1. FDA. Compliance policy guide: 21 CFR Part 11; electronic records, electronic signatures (CPG 7153.17). [Revoked in Federal Register 2003 Feb 25.]

2. F-D-C Reports. The Gold Sheet 33(7).

3. FDA. Code of Federal Regulations, Title 21, Part 11 electronic records; electronic signatures; final rule. Federal Register 1997; 62(54):13429-13466.

blog comments powered by Disqus



GPhA Issues Statement on Generic Drug Costs
November 20, 2014
Amgen Opens Single-Use Manufacturing Plant in Singapore
November 20, 2014
Manufacturing Issues Crucial to Combating Ebola
November 20, 2014
FDA Requests Comments on Generic Drug Submission Criteria
November 20, 2014
USP Joins Chinese Pharmacopoeia Commission for Annual Science Meeting
November 20, 2014
Author Guidelines
Source: BioPharm International,
Click here