Easy Signature 21 CFR Part 11 Supplement

Version 1.0
Date: 2011-11-01

Introduction

Title 21 CFR Part 11 of the Code of Federal Regulations; Electronic Records; Electronic
Signatures sets out the requirements for the creation, modification, maintenance, archival,
retrieval, and transmittal of electronic records and also the use of electronic signatures
when complying with the Federal Food, Drug and Cosmetic Act or any other Food and
Drug Administration (FDA) regulation.

Easy Signature is free digital signature software that enables electronic signing of any
type of file.

This document presents the technical elements of Easy Signature for each of the summary
requirements set out in 21 CFR Part 11.

Notice: It is not possible for any vendor to offer a turnkey 'FDA 21 CFR Part 11
compliant system'. 'FDA 21 CFR Part 11' requires both procedural controls (i.e.
notification, training, SOPs, administration) and administrative controls to be put in
place. It is the responsibility of the user to implement the procedural and administrative
controls.

To discuss and get more information, please contact us at www.easysoft.nu.




Free digital signature software – Easy Signature
www.easysoft.nu

Subpart B – Electronic Records
11.10 Controls for Closed Systems

Section        Section Requirements            Easy Signature technical response
11.10 (a)      Validation of systems to        Easy Signature has been designed, developed
               ensure accuracy, reliability,   and tested to Easy Soft documented
               consistent intended             Product Development lifecycle.
               performance, and the ability    Easy Signature uses proven, cryptographically
               to discern invalid or altered   safe PKI technology to ensure digital hierarchical
               records.                        trust and validity of the record.
11.10(b)       The ability to generate         It is possible to print a signed record with Easy
               accurate and complete           Signature in a readable and electronic form. All the
               copies of records in both       cryptographic details, such as public keys and the
               human readable and              audit trace, are available and can be reviewed
               electronic form suitable for    electronically and in paper form.
               inspection, review, and
               copying by the FDA.
11.10(c)       Protection of records to        Easy Signature does not provide a specific medium
               enable the accurate and         or means to store records. Digital signatures are
               ready retrieval throughout      basically files that can be stored anywhere.
               the records retention period.
                                               It is the responsibility of the user to ensure
                                               protection of records (e.g. access rights in the
                                               network, periodic backup, etc.).

                                               Easy Signature does however provide AES
                                               encryption that can be used for additional
                                               protection by the end-user.

11.10(d)       Limiting system access to       Easy Signature protects the digital signature itself
               authorized individuals.         by a private password and a private digital
                                               signature file. However, Easy Signature is only a
                                               free digital signature tool and does not provide a
                                               specific medium or functionality to store records
                                               (see 11.10(c)).




11.10 Controls for Closed Systems continued

Section        Section Requirements           Easy Signature technical response
11.10 (e)      Use of secure, computer-       Easy Signature uses proven, cryptographically safe
               generated, time-stamped        PKI technology to ensure digital hierarchical trust
               audit trails to                and validity of the record. It is not possible to
               independently record the       obscure signed files. The full audit trail and digital
               date and time of operator      hierarchical trust are recorded in the signed digital
               entries and actions that       file and can be reviewed and copied.
               create, modify, or delete
               electronic records. Record     Notice that the current Easy Signature software
               changes shall not obscure      version does not provide the technical element
               previously recorded            of date and time stamp synchronization (with
               information.                   external servers) and relies on local computer time.
               Such audit trail
               documentation shall be         We recommend that you use free time
               retained for a period of at    synchronization software tools in combination
               least as long as that          with Easy Signature in your document signature
               required for the subject       procedures, and make sure that the time zone is
               electronic records and shall   also clearly documented in the signature.
               be available for agency
               review and copying.
11.10(f)       Use of operational system      Easy Signature has a simple workflow
               checks to enforce permitted    capability and can be implemented to
               sequencing of steps in         ensure that actions are performed in a sequence of
               a process, as appropriate.     steps in a process. The end user must, however,
                                              describe these processes in documentation and
                                              procedures.
11.10(g)       Use of authority checks to     Easy Signature security model ensures that users
               ensure that only authorized    with a private unique digital signature file (*.SIG)
               individuals can use the        issued by the "Signature Issuer Responsible" (SIR)
               system, electronically sign    can sign files. The digital hierarchical trust is fully
               a record, access the           maintained. Furthermore the private unique digital
               operation or computer          signature file (*.SIG) is protected by a password.
               system input or output         The end-user can easily introduce authority checks
               device, alter a                by defining the "Signature Issuer Responsible"
               record, or perform the         (SIR) and obtaining a certificate from Easy
               operation at hand.             Signature.

                                              Notice that Easy Signature is only a free digital
                                              signature tool and does not provide a specific
                                              medium or means to store records. Protecting
                                              files (e.g. on a shared network, etc.) from the
                                              public is the responsibility of the end-user.




11.10 Controls for Closed Systems continued…

Section        Section Requirements                   Easy Signature technical response
11.10(h)       Use of device (e.g. terminal) checks   Easy Signature is free electronic signature
               to determine, as appropriate, the      software only.
               validity of the source of data input   It does not provide means to determine
               or operational instruction.            validity of the source of data input or
                                                      operational instruction (e.g. correct
                                                      document title or project ID) other than
                                                      ensuring that the digital signature
                                                      procedure is correct and safe.
11.10(i)       Determination that persons who         End-user responsibility.
               develop, maintain, or use electronic
               record/electronic signature systems
               have the education, training, and
               experience to perform their
               assigned tasks.
11.10(j)       The establishment of, and              The user must develop policies and
               adherence to, written policies that    procedures governing accountability
               hold individuals accountable and       (using the Easy Signature PKI security
               responsible for actions                model). However, a full audit trail details
               initiated under their electronic       transactions in the system, where any
               signatures, in order to deter record   altered or invalid records would be
               and                                    evident through inconsistencies with the
               signature falsification.               digital signature hierarchical trace and
                                                      audit trail (on record storage, see
                                                      11.10(c)).
11.10(k)       Use of appropriate controls over       End-user responsibility.
(1)            systems documentation including:
               Adequate controls over the
               distribution of, access to, and use of
               documentation for system operation
               and maintenance.
11.10(k)       Use of appropriate controls over       End-user responsibility.
(2)            systems documentation including:
               Revision and change control
               procedures
               to maintain an audit trail that
               documents
               time-sequenced development and
               modification of systems
               documentation.





Subpart B – Electronic Records
11.30 Controls for Open Systems
Section        Section Requirements                     Easy Signature technical response
11.30          Controls for Open Systems                Does not apply. Easy Signature is a closed
                                                        system for intra security.


Subpart B – Electronic Records
11.50 Signature Manifestations
Section        Section Requirements                     Easy Signature technical response
11.50(a)       Signed electronic records shall          Easy Signature allows the user to define
(1-3)          contain information associated with      items (1) (including a scanned signature),
               the signing that clearly indicates all   (2) and (3) in a digital signature file. All
               the following:                           this information is digitally signed and
               (1) The printed name of the signer;      cannot be altered after a digital signature.
               (2) The date and time when the
               signature was executed; and (3)
               The meaning
               (such as review, approval,
               responsibility, or authorship)
               associated with the signature.
11.50(b)       The items identified in paragraphs       It is possible to print a digital signature
               (a)(1), (a)(2), and (a)(3) of this       that contains all the information in (a)(1-3)
               section shall be subject to the same     along with cryptographic public keys.
               controls as for electronic records
               and shall be included as part of any
               human readable form of the
               electronic record (such as
               electronic display or printout).

11.70 Signature/Record Linking
Section        Section Requirements                     Easy Signature technical response
11.70          Electronic signatures and                Easy Signature uses SHA512 hashing of the
               handwritten signatures executed to       electronic record. This hash, along with the
               electronic records shall be linked to    information in 11.50(a)(1-3), is digitally
               their respective electronic records      signed, and there are no ordinary means to
               to ensure that the signatures cannot     remove or copy signatures from/to records.
               be excised, copied, or otherwise
               transferred to falsify an electronic
               record by ordinary means.
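
The linking described in the 11.70 response, together with the time-zone recommendation under 11.10(e), as an added example that is not Easy Signature's code or file format: the SHA-512 of the record and the three 11.50(a) items are authenticated as one unit, so a signature block edited afterwards or moved to another record fails verification. HMAC-SHA512 with a constructed key stands in for the private-key signature so the example runs on the Python standard library alone; all function and field names are assumptions.

```python
import hashlib
import hmac
import json
from datetime import datetime, timezone

# Constructed demo key. HMAC-SHA512 is a stand-in for the signer's
# private-key signature; it is not the product's algorithm.
DEMO_KEY = b"constructed-demo-key-not-a-real-credential"


def _canonical(manifest: dict) -> bytes:
    # Deterministic serialisation so signer and verifier authenticate identical bytes.
    return json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode("utf-8")


def sign_record(record: bytes, name: str, meaning: str, when: datetime,
                key: bytes = DEMO_KEY) -> dict:
    # Refuse naive local times: the signed timestamp must state its UTC offset.
    if when.tzinfo is None:
        raise ValueError("signing time must carry an explicit UTC offset")
    manifest = {
        "record_sha512": hashlib.sha512(record).hexdigest(),  # links signature to record
        "signer_name": name,                                  # 11.50(a)(1)
        "signed_at": when.isoformat(),                        # 11.50(a)(2)
        "meaning": meaning,                                   # 11.50(a)(3)
    }
    tag = hmac.new(key, _canonical(manifest), hashlib.sha512).hexdigest()
    return {"manifest": manifest, "tag": tag}


def verify_record(record: bytes, sig: dict, key: bytes = DEMO_KEY) -> str:
    manifest = sig["manifest"]
    expected = hmac.new(key, _canonical(manifest), hashlib.sha512).hexdigest()
    # 1. Any edit to name, time, meaning or stored hash breaks the tag.
    if not hmac.compare_digest(expected, sig["tag"]):
        return "manifest altered"
    # 2. An intact manifest only vouches for the record whose hash it contains.
    actual = hashlib.sha512(record).hexdigest()
    if not hmac.compare_digest(actual, manifest["record_sha512"]):
        return "record mismatch"
    return "valid"


def demo() -> dict:
    # Constructed sample records and signer details.
    original = b"Batch record 42: assay result 99.1 %"
    other = b"Batch record 43: assay result 71.0 %"
    when = datetime(2011, 11, 1, 9, 30, tzinfo=timezone.utc)
    sig = sign_record(original, "Jane Doe", "approval", when)
    edited = {"manifest": dict(sig["manifest"], meaning="authorship"), "tag": sig["tag"]}
    return {
        "original": verify_record(original, sig),
        "edited record": verify_record(original + b" (amended)", sig),
        "signature moved to other record": verify_record(other, sig),
        "meaning edited after signing": verify_record(original, edited),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```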





Subpart C – Electronic Signatures
11.100 Electronic Signature Components and Control
Section        Section Requirements                Easy Signature technical response
11.100         (a) Each electronic signature shall Each private signature file (*.SIG) has a
               be unique to one individual and     unique public/private key and is fully
               shall not be reused by, or          traceable according to PKI practice. This
               reassigned to, anyone else.         key is private and protected by a personal
                                                   private password that cannot be altered or
                                                   reused or reassigned to anyone else.

Subpart C – Electronic Signatures
11.200 General Requirements
Section       Section Requirements                  Easy Signature technical response
11.200(a)     Electronic signatures that are not    Easy Signature uses a combination of a
(1)           based upon biometrics shall: (1)      private signature file (*.SIG) and an
              Employ at least two distinct          associated password.
              identification components such as
              an identification code and
              password.
11.200(a)     When an individual executes a         The private signature file (*.SIG) and a
(1)(i)        series of signings during a single,   password are required for each signing. By
              continuous period of controlled       design, the password and private signature
              system access, the first signing      file are re-authenticated for every signature
              shall be executed using all           event performed.
              electronic signature components;
              subsequent signings shall be
              executed using at least one
              electronic signature component that
              is only executable by, and designed
              to be used only by, the individual.
11.200(a)     When an individual executes one or    See 11.200(a)(1)(i).
(1)(ii)       more signings not performed during
              a single, continuous period of
              controlled system access, each
              signing shall be executed using all
              of the electronic signature
              components.
11.200(a)     Electronic signatures that are not    It is beyond the scope of Easy Signature to
(2)           based upon biometrics shall: Be       ensure that users do not provide
              used only by their genuine owners.    others with access to their private
                                                    signature file and password.




11.200 General Requirements continued…

Section        Section Requirements                   Easy Signature technical response
11.200(a)      Electronic signatures that are not     For the digital signature to be breached in
(3)            based upon biometrics shall: Be        this manner, it would require the
               administered and executed to           collaboration of the "Signature Issuer
               ensure that attempted use of an        Responsible" (SIR) and the end user.
               individual’s electronic signature by   Notice that the breach can be traced back
               anyone other than its genuine          to SIR and uniquely identified since every
               owner requires collaboration of two    private signature (*.SIG) file is digitally
               or more individuals.                   unique.
11.200(b)      Electronic signatures based upon       Not applicable. Easy Signature does not
               biometrics shall be designed to        use biometrics.
               ensure that they cannot be used by
               anyone other than their genuine
               owners.


Subpart C – Electronic Signatures
11.300 Controls for Identification Codes/Passwords
Section       Section Requirements                    Easy Signature technical response
11.300(a)     Persons who use electronic              Every private signature (*.SIG) file is
              signatures based upon use of            digitally unique and protected by a
              identification codes in combination     password.
              with passwords shall employ
              controls to ensure their security and
              integrity. Such controls shall
              include: (a) Maintaining the
              uniqueness of each combined
              identification code and password,
              such that no two individuals have
              the same combination of
              identification code and password.
11.300(b)     Ensuring that identification code       The private signature file (*.SIG) contains
              and password issuances are              a unique public and private cryptographic
              periodically checked, recalled, or      key that is valid for a fixed period of time
              revised (e.g., to cover such events     defined by the certificate issued to the
              as password aging).                     "Signature Issuer Responsible" (SIR). The
                                                      private signature file shall be kept safe by
                                                      end-user during this time and is also
                                                      password protected for additional safety.




11.300 Controls for Identification Codes/Passwords continued…
Section       Section Requirements                    Easy Signature technical response
11.300(c)     Following loss management               If the private signature (*.SIG) file is lost
              procedures to electronically de-        or stolen, a new unique private signature
              authorize lost, stolen, missing, or     (*.SIG) file can be generated. The end-user
              otherwise potentially compromised       can make a record of the event, and all
              tokens, cards, and other devices        signatures done with the previous private
              that bear or generate identification    signature (*.SIG) file can be traced in
              code or password information, and       time.
              to issue temporary or permanent
              replacements using suitable
              rigorous controls.
11.300(d)     Use of transaction safeguards to        See 11.300(c). Not applicable if related
              prevent unauthorized use of             to a device.
              passwords and/or identification
              codes, and to detect and report in an
              immediate and urgent manner any
              attempts at their unauthorized use
              to the system security unit, and, as
              appropriate, to organizational
              management.
11.300(e)     Initial and periodic testing of         See 11.300(c). Not applicable if related
              devices, such as tokens or cards,       to a device.
              that bear or generate identification
              code or password information to
              ensure that they function properly
              and have not been altered in an
              unauthorized manner.




Description: Easy signature is a free digital signature software that allows signing of any file type. It is customized for work-flow and internal company documentation. This document describes how Easy Signature responds to FDA 21 CFR Part 11.