Hitachi ID IDM Suite supports compliance with 21CFR11
This document gives a brief introduction to Title 21 of the Code of Federal Regulations, Volume 11 (21 CFR 11 for short), and describes how it impacts information security in the pharmaceutical industry.

The Hitachi ID Identity Management Suite™ is then introduced, and its use to comply with the requirements set forth in 21 CFR 11 is described.

Please note that this document does not constitute legal advice, or a legal interpretation of 21 CFR 11. This document represents the best understanding by Hitachi ID of the relevance of this legislation to information security, and to identity management in particular.


Hitachi ID IDM Suite supports compliance with 21CFR11 Document Transcript

Using The Hitachi ID Management Suite to Comply with 21 CFR 11

1 Introduction

This document gives a brief introduction to Title 21 of the Code of Federal Regulations, Volume 11 (21 CFR 11 for short), and describes how it impacts information security in the pharmaceutical industry. The Hitachi ID Identity Management Suite is then introduced, and its use to comply with the requirements set forth in 21 CFR 11 is described.

Please note that this document does not constitute legal advice, or a legal interpretation of 21 CFR 11. This document represents the best understanding of Hitachi ID of the relevance of this legislation to information security, and to identity management in particular.

2 21 CFR 11

21 CFR 11 is a set of rules governing the use of electronic records and digital signatures in business processes and in documents submitted to the FDA under requirements of the Federal Food, Drug and Cosmetic Act and of the Public Health Service Act.

Title 21 of the Code of Federal Regulations governs food and drugs. Parts 1 through 99 are regulated by the Food and Drug Administration (FDA). Part 11 is titled “ELECTRONIC RECORDS; ELECTRONIC SIGNATURES.”

21 CFR 11 sets out appropriate methods to manage electronic records and digital signatures, primarily by pharmaceutical companies and their suppliers, in such a manner as to make them equivalent to paper records and handwritten signatures.

21 CFR 11 includes the following parts:

• Subpart A: General Provisions:
  – The scope, or applicability, of 21 CFR 11.
  – Implementation, indicating when and how electronic records may be submitted to the FDA.
  – Definitions of relevant terminology.
• Subpart B: Electronic Records:
  – Controls for closed systems, not intended for public access.
  – Controls for open systems, accessible by the public.
  – Signature manifestations and signature/record linking, defining signed documents.
• Subpart C: Electronic Signatures:
  – General requirements, indicating how electronic signatures should be managed.
  – Signature components and controls, defining what constitutes a reasonable signature.
  – Controls for identification codes/passwords, defining security measures over authentication technology.

21 CFR 11 came into effect on August 20, 1997.

© 2014 Hitachi ID Systems, Inc. All rights reserved.
3 Relevant Sections

21 CFR 11 relates explicitly to identity management technology, including in the following parts:

3.1 Section 11.10 Controls for closed systems

Closed systems are required to employ procedures and controls designed to ensure the authenticity, integrity, and, when appropriate, the confidentiality of electronic records, and to ensure that the signer cannot readily repudiate the signed record as not genuine.

Identity Management Impact: These controls must include measures to properly grant, authorize and revoke access to users of closed systems. Strong authentication of those users is also essential to meet this requirement.

Specific requirements in this section include:

• (d) Limiting system access to authorized individuals.
  Identity Management Impact: Business processes to determine appropriate systems access must be tied to technology that controls that access.
• (e) . . . time-stamped audit trails . . .
  Identity Management Impact: Changes to access to systems (e.g., creating new users, changing user privileges, or terminating access) must be logged and time-stamped.
• (g) . . . authority checks to ensure that only authorized individuals can use the system . . .
  Identity Management Impact: Users must sign into closed systems, and the system must verify that the users are authorized to do so.
• (i) . . . persons who develop, maintain, or use electronic record/electronic signature systems have the education, training and experience . . .
  Identity Management Impact: Software and hardware vendors must have suitable education and experience before they can provide closed systems.

3.2 Section 11.50 Signature manifestations

Electronic signatures are required to contain, or relate to:

• The printed name of the signer.
• The date and time . . .
• The meaning . . . [of] the signature.

Identity Management Impact: Electronic signatures must contain a unique login ID and a time/date of signature. The context of the signature – such as requesting or authorizing access to a closed system – must be clear.

3.3 Section 11.100 Electronic Signatures – General requirements

Requirements for an electronic signature system include:

(b) Before an organization establishes, assigns, certifies, or otherwise sanctions an individual’s electronic signature, or any element of such electronic signature, the organization shall verify the identity of the individual.

Identity Management Impact: This means that the process of enrolling users in a closed system must be no less secure than the systems’ internal processes. Enrollment must be grounded in sound identification of users, and clear connection of pre-enrollment identity to system identity.

3.4 Section 11.200 Electronic signature components and controls

Requirements for electronic signatures that are not biometric include that they:

• (a) (1) Employ at least two distinct identification components such as an identification code and password.
  Identity Management Impact: This confirms that a login ID / password pair is a suitable user identification technology.
• (a) (2) Be used only by their genuine owners.
  Identity Management Impact: Shared login IDs and passwords are forbidden.
• (a) (3) Be administered and executed to ensure that attempted use of an individual’s electronic signature by anyone other than its genuine owner requires collaboration of two or more individuals.
  Identity Management Impact: Any sharing of login credentials is forbidden.

3.5 Section 11.300 Controls for identification codes/passwords

Specific requirements for system login IDs and passwords include:

• (a) . . . uniqueness . . . of ID/password pairs.
  Identity Management Impact: Login IDs must be uniquely assigned to users.
• (b) IDs and passwords are . . . periodically checked, recalled, or revised . . . – meaning password aging and periodic review of the suitability of existing login IDs.
  Identity Management Impact: Password quality must be verified when new passwords are issued, and when users change their passwords. Users must periodically change their passwords.
• (c) . . . electronically deauthorize lost, stolen, missing, or otherwise potentially compromised tokens, cards, and other devices . . .
  Identity Management Impact: Reasonable procedures must be in place to respond to suspected or reported ID compromises.
• (d) . . . transaction safeguards . . . detect and report . . . attempts at their unauthorized use . . .
  Identity Management Impact: Intrusion detection, lockout and alarms must be in place.
• (e) . . . Initial and periodic testing . . . password information . . .
  Identity Management Impact: Strong password quality controls must be applied both initially and over time.
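Sections 3.1 and 3.2 above ask for time-stamped audit trails of access changes (11.10(e)) and for signatures that carry the signer's printed name, the date and time and the meaning of the signature, linked to the record they sign (11.50 and signature/record linking). The Python below is an added example written for this page, not Hitachi ID code: it keeps a hash-chained, HMAC-sealed audit trail of access changes, so that a later edit, deletion or reordering of any entry is detected when the trail is verified. The key, signer names and actions are constructed sample data.

```python
"""Time-stamped, tamper-evident audit trail for access changes.

Added example, not Hitachi ID code. Each entry records who acted (printed
name and login ID), when, and what the signature means, and is chained to
the previous entry and sealed with an HMAC so that editing, deleting or
reordering a past entry is detectable. Key and sample data are constructed.
"""
from __future__ import annotations

import hashlib
import hmac
import json
from dataclasses import asdict, dataclass
from datetime import datetime, timezone
from typing import Callable

GENESIS = "0" * 64  # prev_mac of the very first entry


@dataclass
class AuditEntry:
    seq: int           # position in the trail; detects deletion and reordering
    timestamp: str     # ISO-8601, UTC (11.10(e) time-stamped audit trail)
    signer_name: str   # printed name of the signer (11.50)
    signer_id: str     # unique login ID of the signer
    meaning: str       # what the signature means, e.g. "requested", "approved" (11.50)
    action: dict       # the access change being signed, e.g. a grant or revoke
    prev_mac: str      # MAC of the previous entry (signature/record linking)
    mac: str = ""      # HMAC-SHA256 over every field above


class AuditTrail:
    def __init__(self, key: bytes, clock: Callable[[], datetime] | None = None):
        self._key = key                      # in production: a managed secret
        self._clock = clock or (lambda: datetime.now(timezone.utc))
        self.entries: list[AuditEntry] = []

    def _seal(self, entry: AuditEntry) -> str:
        body = asdict(entry)
        body.pop("mac")  # the MAC covers everything except itself
        canonical = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
        return hmac.new(self._key, canonical, hashlib.sha256).hexdigest()

    def record(self, signer_name: str, signer_id: str, meaning: str, action: dict) -> AuditEntry:
        """Append one signed, time-stamped entry and return it."""
        prev_mac = self.entries[-1].mac if self.entries else GENESIS
        entry = AuditEntry(
            seq=len(self.entries),
            timestamp=self._clock().isoformat(timespec="seconds"),
            signer_name=signer_name,
            signer_id=signer_id,
            meaning=meaning,
            action=dict(action),
            prev_mac=prev_mac,
        )
        entry.mac = self._seal(entry)
        self.entries.append(entry)
        return entry

    def verify(self) -> tuple[bool, int]:
        """Walk the chain: (True, -1) if intact, else (False, seq of the first bad entry)."""
        prev_mac = GENESIS
        for i, entry in enumerate(self.entries):
            if entry.seq != i or entry.prev_mac != prev_mac:
                return False, i
            if not hmac.compare_digest(entry.mac, self._seal(entry)):
                return False, i
            prev_mac = entry.mac
        return True, -1


def manifestation(entry: AuditEntry) -> str:
    """Human-readable signature manifestation as 11.50 asks: name, date/time, meaning."""
    return (f"{entry.meaning.upper()} by {entry.signer_name} ({entry.signer_id}) "
            f"at {entry.timestamp}: {json.dumps(entry.action, sort_keys=True)}")


if __name__ == "__main__":
    trail = AuditTrail(key=b"constructed-demo-key")
    trail.record("Jane Doe", "jdoe", "requested", {"user": "asmith", "system": "LIMS", "grant": "analyst"})
    trail.record("Bob Roe", "broe", "approved", {"user": "asmith", "system": "LIMS", "grant": "analyst"})
    for e in trail.entries:
        print(manifestation(e))
    print("intact:", trail.verify())
```

The verifier can only catch changes made after an entry was sealed; it does not stop someone who holds the HMAC key from rewriting the whole chain, so the key must live outside the reach of the administrators whose actions the trail records.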
4 Impact of 21 CFR 11 on Identity Management

The impact of 21 CFR 11 on identity management systems and processes can be summarized in the following requirements:

• User identification
  – Users must sign into closed systems, and closed systems must verify that the users are authorized to do so. Login IDs and passwords are one of the suitable authentication technologies.
  – Login IDs must be unique, and must unambiguously identify a user.
• User enrollment and administration
  – There must be strong, integrated business and technical processes to grant, authorize and revoke access to users of closed systems. These controls must include time-stamped audit logs.
  – The process of enrolling users in a closed system must be no less secure than the systems’ internal processes. Enrollment must be grounded in sound identification of users, and clear connection of pre-enrollment identity to system identity.
• Authentication
  – User authentication to closed systems, and to secured parts of open systems, must be reliable.
  – Sharing of login credentials is forbidden.
  – Password quality must be verified when new passwords are issued, and when users change their passwords. Users must periodically change their passwords.
  – Strong password quality controls must be applied both initially and over time.
• Incident response
  – Reasonable procedures must be in place to respond to suspected or reported ID compromises.
  – Intrusion detection, lockout and alarms must be in place.
• Vendor qualification
  – Software and hardware vendors must have suitable education and experience before they can provide closed systems.
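The authentication and incident response requirements above (quality checks on new and changed passwords, periodic change, and intrusion detection with lockout and alarms) fit in one small authenticator. The Python below is an added example for this page, not Hitachi ID's password policy engine or intrusion detection: thresholds such as 12 characters, 90 days and 5 failures are constructed values that a real deployment would take from its own policy, and the login IDs and passwords are constructed sample data.

```python
"""Login ID / password controls from 21 CFR 11.300 (b), (d) and (e).

Added example, not Hitachi ID's policy engine. A strength policy applied to
new and changed passwords, password history, password aging, and an intruder
lockout that raises an alarm after repeated failures. Thresholds and sample
credentials are constructed values.
"""
from __future__ import annotations

import hashlib
import hmac
import os
import re
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Callable

MIN_LENGTH = 12
MIN_CHAR_CLASSES = 3       # of: lower, upper, digit, other
HISTORY_DEPTH = 8          # recent passwords that may not be reused
MAX_AGE = timedelta(days=90)
LOCKOUT_THRESHOLD = 5      # consecutive failures before lockout and alarm
PBKDF2_ROUNDS = 100_000


def check_strength(password: str, login_id: str) -> list[str]:
    """Return the policy rules the password violates (empty list = accepted)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    classes = sum(bool(re.search(p, password)) for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]"))
    if classes < MIN_CHAR_CLASSES:
        problems.append(f"fewer than {MIN_CHAR_CLASSES} character classes")
    if login_id.lower() in password.lower():
        problems.append("contains the login ID")
    return problems


def _derive(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


@dataclass
class Account:
    login_id: str
    salt: bytes
    digest: bytes
    changed_at: datetime
    history: list[tuple[bytes, bytes]] = field(default_factory=list)  # (salt, digest) pairs
    failures: int = 0
    locked: bool = False


class Authenticator:
    def __init__(self, clock: Callable[[], datetime], alarm: Callable[[str], None]):
        self._clock = clock          # injectable so that aging can be tested
        self._alarm = alarm          # e-mail, SMS, ticket: anything that reaches a human
        self.accounts: dict[str, Account] = {}

    def set_password(self, login_id: str, new_password: str) -> list[str]:
        """Apply the strength policy and history check; return violations (empty = changed)."""
        problems = check_strength(new_password, login_id)
        acct = self.accounts.get(login_id)
        if acct is not None:
            previous = [(acct.salt, acct.digest)] + acct.history
            if any(hmac.compare_digest(_derive(new_password, s), d) for s, d in previous):
                problems.append("reuses one of the last passwords")
        if problems:
            return problems
        salt = os.urandom(16)
        digest = _derive(new_password, salt)
        if acct is None:
            self.accounts[login_id] = Account(login_id, salt, digest, self._clock())
        else:
            acct.history = ([(acct.salt, acct.digest)] + acct.history)[:HISTORY_DEPTH]
            acct.salt, acct.digest, acct.changed_at = salt, digest, self._clock()
            acct.failures = 0
        return []

    def authenticate(self, login_id: str, password: str) -> str:
        """Return 'ok', 'expired' (correct, but must change), 'bad_password' or 'locked'."""
        acct = self.accounts.get(login_id)
        if acct is None:
            return "bad_password"   # same reply as a wrong password: do not reveal valid IDs
        if acct.locked:
            return "locked"
        if not hmac.compare_digest(_derive(password, acct.salt), acct.digest):
            acct.failures += 1
            if acct.failures >= LOCKOUT_THRESHOLD:
                acct.locked = True
                self._alarm(f"intruder lockout: {LOCKOUT_THRESHOLD} failed logins for {login_id}")
                return "locked"
            return "bad_password"
        acct.failures = 0
        if self._clock() - acct.changed_at > MAX_AGE:
            return "expired"
        return "ok"
```

Unlocking is deliberately absent: releasing a lockout is the "reasonable procedure" for a suspected compromise that the incident response requirement asks for, and it belongs to a help desk or self-service flow with its own authentication, not to the login path.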
These requirements can be translated into a set of required technical features from a user provisioning system and a password management system:

• User identification
  – Requirement: Users must sign into closed systems, and closed systems must verify that the users are authorized to do so. Login IDs and passwords are one of the suitable authentication technologies.
    Feature: The IdM system must integrate with systems that have login IDs and authenticators, including passwords.
  – Requirement: Login IDs must be unique, and must unambiguously identify a user.
    Feature: The identity management system must be able to assign globally unique login IDs to new users.
• User enrollment and administration
  – Requirement: There must be strong, integrated business and technical processes to grant, authorize and revoke access to users of closed systems. These controls must include time-stamped audit logs.
    Feature: User administration must either be directly linked to an existing authoritative system, such as a human resources (HR) system, and automatically provision users, or a workflow system must accept requests from, and ensure that it receives appropriate authorizations from, business users.
  – Requirement: The process of enrolling users in a closed system must be no less secure than the systems’ internal processes. Enrollment must be grounded in sound identification of users, and clear connection of pre-enrollment identity to system identity.
    Feature: Activation of new users must be secure.
• Authentication
  – Requirement: User authentication to closed systems, and to secured parts of open systems, must be reliable.
    Feature: Strong passwords, tokens and biometrics may be used both by the IdM system and by managed systems.
  – Requirement: Sharing of login credentials is forbidden.
    Feature: Credentials must be managed easily enough to eliminate any desire by users to share them.
  – Requirement: Password quality must be verified when new passwords are issued, and when users change their passwords. Users must periodically change their passwords.
    Feature: New passwords must be subject to a strength policy, as must changed passwords. Password aging must be enforced.
  – Requirement: Strong password quality controls must be applied both initially and over time.
    Feature: New passwords must be subject to a strength policy, as must changed passwords. Password aging must be enforced.
• Incident response
  – Requirement: Reasonable procedures must be in place to respond to suspected or reported ID compromises.
    Feature: It must be easy to quickly identify every system account that belongs to a given user, and disable them all.
  – Requirement: Intrusion detection, lockout and alarms must be in place.
    Feature: Failed authentication attempts should trigger an intruder lockout and an alarm.
• Vendor qualification
  – Requirement: Software and hardware vendors must have suitable education and experience before they can provide closed systems.
    Feature: Vendors must be audited for business processes that support 21 CFR 11 compliance.
5 Hitachi ID Solutions Meeting 21 CFR 11 Requirements

5.1 The Hitachi ID Identity Management Suite

The Hitachi ID Identity Management Suite includes:

• Hitachi ID Password Manager: The Total Password Management Solution

  Password Manager is an integrated solution for managing user credentials across multiple systems and applications. Organizations depend on Password Manager to simplify the management of those credentials for users, to reduce IT support cost and to improve the security of login processes.

  Password Manager includes password synchronization, self-service password reset, enterprise single sign-on, PIN resets for tokens and smart cards, enrollment of security questions and biometrics, and emergency recovery of full disk encryption keys.

  Password Manager reduces the cost of password management using:
  – Password synchronization, which reduces the incidence of password problems for users.
  – Self-service password reset, which empowers users to resolve their own problems rather than calling the help desk.
  – Streamlined help desk password reset, to expedite resolution of password problem calls.

  Password Manager strengthens security by providing:
  – A powerful password policy engine.
  – Effective user authentication, especially prior to password resets.
  – Password synchronization, to help eliminate written-down passwords.
  – Delegated password reset privileges for help desk staff.
  – Accountability for all password changes.
  – Encryption of all transmitted passwords.

  To find out more about Password Manager, visit http://Hitachi-ID.com/Password-Manager.

• Hitachi ID Identity Manager: The User Provisioning and Access Management Solution

  Identity Manager is an integrated solution for managing identities and security entitlements across multiple systems and applications. Organizations depend on Identity Manager to ensure that users get security entitlements quickly, are always assigned entitlements appropriate to their needs and in compliance with policy, and are deactivated reliably and completely when they leave the organization.

  Identity Manager implements the following business processes to drive changes to users and entitlements on systems and applications:
  – Automation: grant or revoke access based on data feeds.
  – Synchronization: keep identity attributes consistent across applications.
  – Self-service: empower users to update their own profiles.
  – Delegated administration: allow business stake-holders to request changes directly.
  – Certification: invite managers and application owners to review and correct entitlements.
  – Workflow: invite business stake-holders to approve or reject requested changes.

  Identity Manager strengthens security by:
  – Quickly and reliably removing access to all systems and applications when users leave an organization.
  – Finding and helping to clean up orphan and dormant accounts.
  – Assigning standardized access rights, using roles and rules, to new and transitioned users.
  – Enforcing policy regarding segregation of duties and identifying users who are already in violation.
  – Ensuring that changes to user entitlements are always authorized before they are completed.
  – Asking business stake-holders to periodically review user entitlements and either certify or remove them, as appropriate.
  – Reducing the number and scope of administrator-level accounts needed to manage user access to systems and applications.
  – Providing readily accessible audit data regarding current and historical security entitlements, including who requested and approved every change.

  Identity Manager reduces the cost of managing users and security entitlements:
  – Auto-provisioning and auto-deactivation leverage data feeds from HR systems to eliminate routine, manual user setup and tear-down.
  – Self-service eliminates IT involvement in simple updates to user names, phone numbers and addresses.
  – Delegated administration moves the responsibility for requesting and approving common changes, such as for new application or folder access, to business users.
  – Identity synchronization means that corrections to user information can be made just once, on an authoritative system, and are then automatically copied to other applications.
  – Built-in reports make it easier to answer audit questions, such as “who had access to this system on this date?” or “who authorized this user to have this entitlement?”

5.2 Meeting 21 CFR 11 Requirements

As described in Section 4, 21 CFR 11 requires an extensive set of capabilities in systems used by pharmaceutical companies and related parties. The following list captures the technical identity management capabilities required to meet 21 CFR 11 requirements:
• Feature: The IdM system must integrate with systems that have login IDs and authenticators, including passwords.
  Products: Password Manager, Identity Manager
  Details: The Hitachi ID Identity Management Suite has built-in support for over 60 types of target systems, plus a set of flexible agents designed to accelerate integration with custom and vertical market applications.
• Feature: The identity management system must be able to assign globally unique login IDs to new users.
  Products: Identity Manager
  Details: A plugin system and an automatically updated identity cache ensure that all new login IDs are globally unique.
• Feature: Automated (de-)provisioning.
  Products: Identity Manager
  Details: Automated polling of user profile data from authoritative systems such as HR or corporate directories. Rules-based filtering and transformation of this data into automatic updates to target systems, and into open security change requests submitted to an authorization workflow.
• Feature: A security workflow.
  Products: Identity Manager
  Details: Self-service administration of users, accounts, attributes, group memberships and resource access privileges. Users sign in and submit change requests, which are automatically routed, authorized and applied to managed systems.
• Feature: Activation of new users must be secure.
  Products: Identity Manager, Password Manager
  Details: New users are typically activated using a secure (HTTPS-based, authenticated) workflow system. Only the requester, who is typically the new user’s manager, knows the initial password, and users are normally forced to change their password immediately after their first login. Registration of biometrics is actively managed and secured by Password Manager.
• Feature: Strong passwords, tokens and biometrics may be used both by the IdM system and by managed systems.
  Products: Password Manager, Identity Manager
  Details: Both products support user authentication using strong passwords, tokens, biometrics and PKI certificates. Password Manager also enforces password quality on managed systems.
• Feature: Credentials must be managed easily enough to eliminate any desire by users to share them.
  Products: Password Manager, Identity Manager
  Details: Password synchronization and self-service token management simplify password complexity, and reduce the need for written and shared passwords. A security workflow and automated provisioning make user administration simple, and so remove a barrier to making security requests for new users.
• Feature: New passwords must be subject to a strength policy, as must changed passwords. Password aging must be enforced.
  Products: Password Manager
  Details: A built-in password policy engine includes over 60 types of rules, plus a regular expression engine, a plugin system, enterprise-wide password aging and open-ended password history.
• Feature: It must be easy to quickly identify every system account that belongs to a given user, and disable them all.
  Products: Password Manager, Identity Manager
  Details: An auto-discovery process collects login ID, group membership and attribute data from managed systems nightly. A reconciliation process connects login IDs across systems to individual users, to support global management of passwords, access rights and reporting.
• Feature: Failed authentication attempts should trigger an intruder lockout and an alarm.
  Products: Password Manager, Identity Manager
  Details: Both products include a system-wide intrusion detection system, with lockouts and alarms via e-mail, help desk call tracking systems, SMS messages and more.
• Feature: Vendors must be audited for business processes that support 21 CFR 11 compliance.
  Products: Hitachi ID
  Details: Hitachi ID has been audited for 21 CFR 11 compliance by Pfizer, Abbott Labs, GE Medical and others.
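Three of the features listed above rest on the same data structure: an identity cache that keeps every login ID seen on any managed system so that new IDs are globally unique, a reconciliation step that connects discovered accounts to individual users, and a way to find and disable every account of one user in a single step. The Python below is an added example written for this page, not Hitachi ID's identity cache or discovery agents, and it goes slightly beyond the table by showing the matching order (employee number, then e-mail, then login ID) and the orphan accounts that match nobody. System names, people and accounts are constructed sample data.

```python
"""Identity cache: globally unique login IDs, reconciliation, global disable.

Added example, not Hitachi ID code. Discovered accounts are constructed
sample data; the matching order (employee number, e-mail, login ID) and the
first-initial-plus-surname ID scheme are this example's own choices.
"""
from __future__ import annotations

import re
import unicodedata
from dataclasses import dataclass, field


@dataclass
class Account:
    system: str            # managed system the account was discovered on
    login_id: str
    email: str = ""        # attributes collected by discovery, where the system has them
    employee_no: str = ""
    enabled: bool = True


@dataclass
class Person:
    employee_no: str       # authoritative key, e.g. from the HR feed
    first: str
    last: str
    email: str
    login_id: str = ""     # global login ID; assigned on registration if empty
    accounts: list[Account] = field(default_factory=list)


def _ascii_lower(text: str) -> str:
    """Fold accents so that 'Müller' yields 'muller' rather than a broken ID."""
    return unicodedata.normalize("NFKD", text).encode("ascii", "ignore").decode().lower()


class IdentityCache:
    def __init__(self) -> None:
        self.people: dict[str, Person] = {}
        self.taken: set[str] = set()       # every login ID seen anywhere, lower-cased
        self.discovered: list[Account] = []

    def load_discovered(self, accounts: list[Account]) -> None:
        """Ingest a discovery feed; remember its IDs so that new IDs can never collide."""
        self.discovered = list(accounts)
        self.taken.update(a.login_id.lower() for a in accounts)

    def register(self, person: Person) -> str:
        """Add a person; keep an existing login ID or assign a globally unique one."""
        if not person.login_id:
            person.login_id = self._unique_login_id(person)
        self.taken.add(person.login_id.lower())
        self.people[person.employee_no] = person
        return person.login_id

    def _unique_login_id(self, person: Person) -> str:
        base = re.sub(r"[^a-z]", "", _ascii_lower(person.first[:1] + person.last))[:8] or "user"
        candidate, n = base, 1
        while candidate in self.taken:    # append a counter until nothing collides
            n += 1
            candidate = f"{base}{n}"
        return candidate

    def reconcile(self) -> list[Account]:
        """Attach discovered accounts to people; return the orphans that matched nobody."""
        for person in self.people.values():
            person.accounts = []          # rebuild from the current discovery run
        by_email = {p.email.lower(): p for p in self.people.values() if p.email}
        by_login = {p.login_id.lower(): p for p in self.people.values()}
        orphans = []
        for acct in self.discovered:
            owner = (self.people.get(acct.employee_no)
                     or by_email.get(acct.email.lower())
                     or by_login.get(acct.login_id.lower()))
            if owner is None:
                orphans.append(acct)
            else:
                owner.accounts.append(acct)
        return orphans

    def disable_all(self, employee_no: str) -> list[str]:
        """Disable every account reconciled to one person; return 'system:login_id' labels."""
        person = self.people[employee_no]
        for acct in person.accounts:
            acct.enabled = False
        return [f"{a.system}:{a.login_id}" for a in person.accounts]
```

The orphan list returned by reconcile() is as important as the matches: an account on a managed system that belongs to nobody in the authoritative feed is exactly the dormant or orphan account that the Identity Manager description above says must be found and cleaned up, and it cannot be disabled by disable_all() because no person owns it.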
6 Summary

As described in this document, 21 CFR 11 introduces formal requirements for companies, such as pharmaceuticals, that must provide signed electronic documents to the FDA. The Hitachi ID Identity Management Suite includes robust, secure, scalable and deployable technology to implement identity management processes that meet these requirements.

www.Hitachi-ID.com
500, 1401 - 1 Street SE, Calgary AB Canada T2G 2J3
Tel: 1.403.233.0740 Fax: 1.403.233.0725 E-Mail: sales@Hitachi-ID.com
File: /pub/wp/idsynch/documents/21cfr11/mtech-21cfr11-1.tex Date: November 22, 2003