					VAHS      CTMS SOP   11/6/2011      1 of 70




vaCTMS Related Appendices for CSP #566

Appendix: CTMS Management

Appendix: vaCTMS SOP

Appendix: CSP Security White Paper

Appendix: Cooperative Studies Program Data Security Policy







Appendix XX: CTMS Management
A. Training and Supervision of Study Personnel
C. Data Reporting
D. Timeline for Accomplishing Project Tasks
Appendix: Information Data Security Considerations for CSP
Appendix: SOP
Quick Look at Important Information
Introduction
Definitions
System Setup/Installation*
   Technical Specifications and Requirements for Study Clinical Trial Management System
   Software and Hardware History
     Desktop (User must specify)
     Server
     Hardware Specifications
   Training
   Start up procedures
   Technical Support
   Lost Passwords
Data Collection and Handling
   Subject Privacy and Confidentiality
   Source Documents
     Source Documents on Portal
     Non-Source Documents on Portal
   Attributability
   Change Control
     Protocols
   Audit Trails
   Date and Time Stamps
   Paper Print Out of Portal Information
     Printing list information
     Printing documents
System Maintenance
Data Backup, Recovery, and Contingency Plans
     System failure
     Study Replication
Security
   Logical Security
     Digital Signatures
     Password
     Desktop Security
     Server Security
     Security Software
   Physical Security
System Dependability
System Control
     Software Version Control
Training of Personnel
     Qualifications
     Training
     Documentation
Records Inspection
     Records inspection
Certification of Electronic Signatures
     Electronic Signature Certification
Detailed System Requirements
APPENDIX A. Sample Letters of Non-Repudiation Agreement
Appendix B HIPAA
Appendix: Cooperative Studies Program Data Security Policy


Appendix: CTMS Management


I. CTMS Management
After the study is approved, the Study Chairman and Boston CSPCC Informatics will
prepare an eCTMS Operations Manual which will be provided to the study sites as a
guide to the eCTMS operation and management of the study as well as a technical
reference manual. An eCTMS training session will occur at the study kick-off meeting
for all study participants in order to assure uniformity in Study Portal management and
data collection procedures, and to train the participants in technical procedures. If the
Executive Committee (see Section ___) determines that a procedure must be changed, the
participating sites will be informed by conference call and/or newsletter and an updated
section of the Operations Manual pertinent to the changed procedure will be provided to
all sites. The eCTMS will operate in compliance with Good Clinical Practices and 21
CFR 11 (see Section __).
The Study Coordinator at each study center will record and submit patient data through
an Electronic Data Capture (EDC) system employed by the Boston CSPCC. EDC is a
process by which clinical data is managed through web-based electronic data screens. The
system is similar to the paper-based approach in that there are case report forms (CRF),
data querying and data correction through a DCF process. The difference is that the tools
used are web-based.
The Boston CSPCC will collect and manage some of the study data using a web-based
clinical management software package called InfoPath. InfoPath is specifically designed
to manage the numerous and multifaceted functions involved in a clinical trial.
Accessing the system is as simple as accessing any web page on the internet. A web
address (or URL) will be provided that will allow trained site coordinators and
investigators to access the system with the use of their VA username and password for
data security. The system will allow sites to enter patient data using online CRFs;
receive, review and correct data queries using the online DCF process; track their
patients’ status throughout the study; and allow access to the clinical messaging system.
Prior to the launch of the study, sites will be initially provided with an EDC training
module that they can view prior to the study kick-off meeting. A formal training will be
provided to all site coordinators and investigators at the study kick-off. The training will
provide an overview of the system and will focus on the elements specific to this clinical
trial. Training will be mandatory to obtain an account to the system. At training, sites
will be provided with a software manual for basic use of the InfoPath software as well as
a manual of operations that will highlight study related features regarding the use of the
software. Each site coordinator and Investigator will receive a user account with a from
Boston CSPCC after formal training. Sites will also receive a web address (or URL)
designated to this study. Coordinators will log into the system with their assigned
username and password. Site users will only have access to the records for the study from
their site. Clinical data will be entered into web based Case Report Forms and directly
placed into the study database. Some queries will run right from the forms, thus
simplifying the data correction process and ultimately improving data quality. Additional
Data Clarifications not captured automatically will be sent by the coordinating center and
resolved within the electronic software package. Site coordinators can make corrections
to data directly through the EDC system. Tracking of DCF submission and resolution is
all managed within the software. Thus the process of data entry, clarification, and
resolution is made easier and more efficient allowing for clinical data management to
occur within a shorter time frame. Data queries and data corrections not automatically
generated through the EDC system will be manually generated by the data manager at the
Boston CSPCC. Any manually generated queries or corrections will be submitted to the
site coordinator through the EDC system using the same process as automatically
generated DCFs.
Serious Adverse events will be handled via the eCTMS …… All Serious Adverse events
must be reported to the Albq CSPCRPCC within 72 hours of notification (Section ___).
Workflow associated with VA CSP adverse event reporting requirements, including
follow up information for ongoing events will be conducted through the system.
Paper forms similar to the electronic case report forms will be provided as a guide for
field collection of data. Self-administered forms and questionnaires will be provided in a
scannable paper form to provide ease of completion for the patient. These forms are
generated using a software package called Teleform. Completed forms will then be
forwarded to the Boston CSPCC and will be scanned, verified and uploaded into the
Datalabs system. Data queries and corrections using Teleform can then be administered
through the EDC system.
Data collected through EDC will be maintained at VA’s
Regional Data Center in Philadelphia, PA with co-location redundant application and
backup at VA’s Regional Data Center in Brookline, NY. Periodically, data will be
checked for any additional inaccurate or out of range values by exporting the data and
running queries using the SAS statistical software package. Since most data corrections
will be generated in real time, it is expected that these additional checks will generate
minimal queries. However, any queries generated through this method will be entered
into the InfoPath system by the data manager and will follow the usual EDC DCF
process. The EDC system maintains an audit trail so all errors or data corrections are
maintained on the server. A cumulative record will be kept of errors and interim progress
reports regarding data quality will be sent to the Principal Investigators, the Study
Chairman, and to the Data Monitoring Board.
A follow-up schedule will be generated by the Coordinating Center and sent to the Study
Coordinators on a monthly basis to help schedule follow-up visits. To maintain a
consistent quality of measurement and coding among medical centers and to avoid
systematic errors, frequency distributions of all variables relevant to the study hypotheses
will be examined periodically. At regular intervals, and before any analysis is
undertaken, outliers and unusual values will be checked for accuracy.
MAVERIC is compliant with the Federal regulations regarding electronic web-based data
entry systems established by the Food and Drug Administration under 21 CFR part 11.
Part 11 applies to records that are in electronic format that are created, maintained,
modified, archived, retrieved, or transmitted in place of paper formats. Some of the key
controls and requirements include:

  - Validation of computerized systems to ensure accuracy, reliability, availability
    and authenticity of required records and signatures.
  - Computer-generated, time-stamped audit trails to ensure the trustworthiness and
    reliability of records.
  - Certification of electronic signatures to guarantee authenticity, validity and
    binding that electronic signatures are equivalent to traditional handwritten
    signatures.


Prior to the start of any study using the vaCTMS, extensive study specific validation will
be performed. This process will be documented and placed on file at the Boston CSPCC.


II. Study Organization and Administration
The Boston Cooperative Studies Program Coordinating Center will administer the
vaCTMS for the study.
       A.      Training and Supervision of Study Personnel
The purpose of training study personnel is to (1) orient all study personnel to the
rationale, objectives, study design, and procedures of the proposed research; (2) instruct
study coordinators in reliable administration of study measures and completion of forms
for compiling and transmitting data to the Boston CSPCC; and (3) teach study
coordinators how to use the electronic data capture system employed at the Boston
CSPCC.
The training will occur at a “kick off” meeting organized by the West Haven CSPCC and
led by the Principal Proponent and Executive Committee. The study coordinator and one
clinician from each participating site will attend the training meeting. Study coordinators
will receive extensive training from content experts in reliable administration of vaCTMS
study measures and completion of project data forms.





       C.      Data Reporting
Management of a multi-center clinical trial requires compilation and reporting of
descriptive statistics for internal use by the West Haven CSPCC and principal
proponents. These informal reports detail subject accrual, adherence to the study
protocol, and measures of quality assurance. Study data will be made accessible to West
Haven CSPCC statisticians and study personnel in an acceptable format for this purpose.
       D.      Timeline for Accomplishing Project Tasks
The proposed study is expected to require 33 months to complete. During this period, the
following tasks will be accomplished, as detailed below and charted in Appendix ___.
               1.       Start-Up Phase (Months 1-3)
The administrative infrastructure for the project will be developed during the start-up
phase. Specific objectives during this phase will include: (1) Development of study
specific vaCTMS portal; (2) preparation of training materials, vaCTMS operation
manuals, and assessment instruments; (3) obtaining vaCTMS related Boston local IRB
approvals for participation; and (4) training staff in the operations of the vaCTMS.







Appendix: Information Data Security Considerations for CSP


                    Information Data Security Considerations for CSP


                               Table 1 – Data/Information



  Data/Information          Security Exposure             Possible Mitigation Strategies

Study Data, identified   This data, on its own,        None required. Continued vigilance
only by patient          contains no patient           on internal controls.
number                   identifiable information
                         and presents a minimal
                         security risk.

AE/AME Data              This data contains no         Do not store AE/AME data on
                         patient identifiable          portable devices including laptops
                         information. If this          and blackberries. If electronically
                         information is used on its    transmitted, this should be done in a
                         own, it could be              secure manner.
                         manipulated by certain
                         groups, i.e. media, to
                         damage a study or
                         research in general.

Study Publications       On the whole, this            Secure devices that store
(prior to publication)   information is not a risk     unpublished research with
                         for security reasons, but     passwords and/or encryption.
                         study publications should
                         be considered
                         confidential until
                         published.

Site Auditing and        Audits and monitoring of      Do not record any patient
Monitoring Data          study data may result in      identifiable information in audit or
                         patient information being     monitoring reports.
                         accessed and reviewed.

Patient Demographic      Patient address               Do not store patient identifiable
Information              information is being used     information on portable devices.
                         in one trial to send study    Transmission of this data should be
                         medication directly to the    done in a secure manner. Never use
                         patient. Demographic          e-mail to transmit patient
                         data may be collected and     identifiable information.
                         stored at the Statistical
                         Centers.

Tissue Storage           The information related        The database of patient
                         to the storage of tissue       demographic data must be secured
                         samples does not require       IAW VA regulations and should
                         patient identifiable           never exist on a portable device. E-
                         information. A link,           mail must never be used to transmit
                         using a sample number,         any patient identifiable information.
                         would index into a
                         database of patient
                         demographic information.

Genomics

Employee Information     Every center has               This information should not be
                         personnel data of a            stored on a portable device and this
                         sensitive nature. This         information should not be
                         includes employees’            transmitted via e-mail.
                         names, SSNs, addresses,
                         critical dates.

Strength: CSP            All CSP trials are guided      Protocols provide specific
Research is conducted    by a protocol developed        guidelines on what data is to be
by protocol.             and reviewed by experts        collected, and how it is analyzed
                         in Clinical Trials.            and reported. Patient informed
                                                        consent process is followed and
                                                        local IRB reviews are performed for
                                                        all protocols.




                             Table 2 – Equipment/Hardware



       Equipment            Security Exposure              Possible Mitigation Strategies

Portable devices such   Any device that can be          All laptops should have power-on
as laptops,             removed from the work           user-id/password for access.
Blackberries, PDA’s     place can be lost, stolen or    Laptops should have the current
etc.                    otherwise compromised.          version and latest updates of virus
                                                        protection software, virus
                                                        recognition files and firewall
                                                        software configured by IT. A
                                                        periodic review by IT staff of
                                                        laptops should be performed to
                                                        determine the absence of malware,
                                                        current versions, etc. No security
                                                        software installed should be disabled
                                                        by the user. Blackberries and other
                                                        portable devices should be password
                                                        protected, at a minimum.

Removable storage       The ability exists to store     Never store any patient and/or
devices such as hard    large amounts of data on        employee identifiable information
drives, thumb drives,   these types of devices.         on removable storage devices. This
floppies, CD’s…..       These devices are easy to       does not include back-up storage
                        lose, misplace or have          tapes created for emergencies and
                        stolen.                         stored in a secure location. Integrate
                                                        security considerations into the
                                                        purchase process for removable
                                                        storage devices that include the
                                                        ability to password protect these
                                                        devices or additional security
                                                        controls as required.

Fax to Fax              Study data is faxed to          Dedicate a secure limited-access
                        Coordinating Centers as         area for the receipt of study related
                        part of daily operations.       faxes.




                           Table 3 – Processes and Operational



       Equipment            Security Exposure               Possible Mitigation Strategies

E-Mail                  E-mail can easily be used       Follow VA guidelines and
                        to transmit patient and/or      procedures in the use of e-mail.
                        employee personal               Never transmit patient and/or
                        information. E-mail is not      employee information via e-mail.
                        a secure method of
                        communication.

Training                The largest percentage of       VA mandated cyber and
                        security related problems       information security training should
                        are caused by employees.        be taken by all employees as
                                                        required. When any study collects
                                                        or utilizes any patient identifiable
                                                        information, additional study
                                                        specific training should be
                                                        performed to address the specific
                                                        data security issues related to that
                                                        study.

Electronic Data        Unsecured electronic data       CSP should develop a standard
Transmission           transmission can easily be      method of electronic data
                       compromised.                    transmission that is secure,
                                                       maintainable and easy to use.







Appendix: vaCTMS SOP




VAHCS Electronic Clinical Trial Management System
V.1.1 100804

Manual of Standard Operating Procedures


Study Title

[Study Name]



Study Sponsor

[ ]

Coordinating Center

MAVERIC (151MAV)
150 S. Huntington Ave
Boston, MA 02130
Telephone: 617.232.9500 x. 4201
Facsimile: 617.278.4422



Principal Investigators




Information Technology Officer

David Rose

Boston VAHCS (151MAV)

150 South Huntington Ave

Boston, MA 02130

617.232.9500    x.6143
david.rose@va.gov







Quick Look at Important Information



ALL INFORMATION GENERATED DURING THE COURSE OF THIS STUDY MUST BE DOCUMENTED ON THE
PORTAL WITHIN 24 HOURS OF RECEIPT.



DO NOT USE THE STUDY PORTAL UNLESS YOU HAVE ATTENDED, CERTIFIED AND DOCUMENTED SYSTEM
TRAINING.



ONLY DE-IDENTIFIED SUBJECT INFORMATION IS ALLOWED ON THE PORTAL.


THIS STUDY PORTAL DOES NOT SERVE AS AN EDC, QUERY RESOLUTION OR ADVERSE EVENT
REPORTING TOOL. ALL CLINICAL DATA, QUERY RESOLUTION AND ADVERSE EVENT REPORTING IS TO BE
COLLECTED ON THE DISTRIBUTED PAPER BASED CASE REPORT FORMS AND MANAGED AS PER THE
INVESTIGATOR'S BROCHURE.



IF YOU DO NOT HAVE YOUR REAL WRITTEN SIGNATURE ON FILE WITH THE FDA DO NOT USE THE
PORTAL. CONTACT THE STUDY COORDINATOR IMMEDIATELY FOR RESOLUTION.



DO NOT DELETE ANY RECORD THAT HAS BEEN SAVED AS COMPLETED. INSTEAD CREATE A NEW
RECORD AND STATE WHY THE CHANGE WAS MADE IN THE COMMENTS/ANNOTATIONS FIELD
ASSOCIATED WITH THE CHANGED RECORD. IF YOU HAVE INADVERTENTLY DELETED A RECORD,
CONTACT THE SYSTEM ADMINISTRATOR IMMEDIATELY.







Quick Look at Important Information
Introduction
Definitions
System Setup/Installation*
   Technical Specifications and Requirements for Study Clinical Trial Management System
   Software and Hardware History
     Desktop (User must specify)
     Server
     Hardware Specifications
   Training
   Start up procedures
   Technical Support
   Lost Passwords
Data Collection and Handling
   Subject Privacy and Confidentiality
   Source Documents
     Source Documents on Portal
     Non-Source Documents on Portal
   Attributability
   Change Control
     Protocols
   Audit Trails
   Date and Time Stamps
   Paper Print Out of Portal Information
     Printing list information
     Printing documents
System Maintenance
Data Backup, Recovery, and Contingency Plans
     System failure
     Study Replication
Security
   Logical Security
     Digital Signatures
     Password
     Desktop Security ....................................................................................................... 27
     Server Security .......................................................................................................... 28
     Security Software ...................................................................................................... 28
   Physical Security........................................................................................................... 29
System Dependability ....................................................................................................... 29
System Control.................................................................................................................. 29
     Software Version Control ......................................................................................... 29
Training of Personnel ........................................................................................................ 29
     Qualifications ............................................................................................................ 29
     Training ..................................................................................................................... 29
     Documentation .......................................................................................................... 30






Records Inspection ............................................................................................................ 30
     Records inspection .................................................................................................... 30
Certification of Electronic Signatures ............................................................................... 30
     Electronic Signature Certification............................................................................. 30
Detailed System Requirements ......................................................................................... 30
APPENDIX A.              Sample Letters of Non-Repudiation Agreement .......................... 37



[Study Name] Electronic Clinical Trial Management System
Standard Operating Procedures


Introduction

This document addresses issues pertaining to computerized systems used to
create, modify, maintain, archive, retrieve, or transmit clinical data intended for
submission to the Food and Drug Administration (FDA). These data form the
basis for the Agency's decisions regarding the safety and efficacy of new human
and animal drugs, biologics, medical devices, and certain food and color
additives. As such, these data have broad public health significance and must be
of the highest quality and integrity.




This SOP is established to document the following operational categories:

                    System Setup/Installation
                    Data Collection and Handling
                    System Maintenance
                    Data Backup, Recovery, and Contingency Plans
                    Security
                    Change Control
                    Alternative Recording Methods (in the case of system unavailability)


FDA established the Bioresearch Monitoring (BIMO) Program of inspections and
audits to monitor the conduct and reporting of clinical trials to ensure that data
from these trials meet the highest standards of quality and integrity and conform
to FDA's regulations. FDA's acceptance of data from clinical trials for decision-
making purposes is dependent upon its ability to verify the quality and integrity of
such data during its onsite inspections and audits. To be acceptable the data
should meet certain fundamental elements of quality whether collected or
recorded electronically or on paper. Data should be attributable, original,
accurate, contemporaneous, and legible. For example, attributable data can be
traced to individuals responsible for observing and recording the data. In an
automated system, attributability could be achieved by a computer system
designed to identify individuals responsible for any input.

This manual of Standard Operating Procedures addresses how these elements
of data quality are satisfied by the system being used to create, modify, maintain,
archive, retrieve, and transmit clinical data for the VAHCS [Study Name].
Persons using the data from computerized systems should have confidence that
the data are no less reliable than data in paper form.

This document reflects long-standing regulations covering clinical trial records. It
also addresses requirements of the Electronic Records/Electronic Signatures rule
(21 CFR part 11).

These Standard Operating Procedures are to be applied where source
documents are created (1) in hardcopy and later entered into a computerized
system, (2) by direct entry by a human into a computerized system, and (3)
automatically by a computerized system.

Definitions


Audit Trail
    means, for the purposes of this guidance, a secure, computer
    generated, time-stamped electronic record that allows
    reconstruction of the course of events relating to the creation,
    modification, and deletion of an electronic record.

Certified Copy
    means a copy of original information that has been verified, as
    indicated by dated signature, as an exact copy having all of
    the same attributes and information as the original.

Commit
    means a saving action, which creates or modifies, or an action
    which deletes, an electronic record or portion of an electronic
    record. An example is pressing the key of a keyboard that
    causes information to be saved to durable medium.

Computerized System
    means, for the purpose of this guidance, computer hardware,
    software, and associated documents (e.g., user manual) that
    create, modify, maintain, archive, retrieve, or transmit in digital
    form information related to the conduct of a clinical trial.

CTMS
    means Clinical Trial Management System.

Direct Entry
    means recording data where an electronic record is the
    original capture of the data. Examples are the keying by an
    individual of original observations into the system, or
    automatic recording by the system of the output of a balance
    that measures subject’s body weight.

Electronic Case Report Form (e-CRF)
    means an auditable electronic record designed to record
    information required by the clinical trial protocol to be reported
    to the sponsor on each trial subject.

Electronic Patient Diary
    means an electronic record into which a subject participating
    in a clinical trial directly enters observations or directly
    responds to an evaluation checklist.

Electronic Record
    means any combination of text, graphics, data, audio,
    pictorial, or any other information representation in digital form
    that is created, modified, maintained, archived, retrieved, or
    distributed by a computer system.

Electronic Signature
    means a computer data compilation of any symbol or series of
    symbols, executed, adopted, or authorized by an individual to
    be the legally binding equivalent of the individual's
    handwritten signature.

Software Validation
    means confirmation by examination and provision of objective
    evidence that software specifications conform to user needs
    and intended uses, and that the particular requirements
    implemented through the software can be consistently fulfilled.
    For the purposes of this document, design level validation is
    that portion of the software validation that takes place in parts
    of the software life cycle before the software is delivered to
    the end user.

Source Documents
    means original documents and records including, but not
    limited to, hospital records, clinical and office charts,
    laboratory notes, memoranda, subjects' diaries or evaluation
    checklists, pharmacy dispensing records, recorded data from
    automated instruments, copies or transcriptions certified after
    verification as being accurate and complete, microfiches,
    photographic negatives, microfilm or magnetic media, x-rays,
    subject files, and records kept at the pharmacy, at the
    laboratories, and at medico-technical departments involved in
    the clinical trial.

Transmit
    means, for the purposes of this guidance, to transfer data
    within or among clinical study sites, contract research
    organizations, data management centers, or sponsors. Other
    Agency guidance covers transmission from sponsors to the
    Agency.



System Setup/Installation*

Technical Specifications and Requirements for Study Clinical Trial
Management System








[Figure: CSP IT eCTMS Technical Specifications, 7/22/2004. IT Coordinating Center: Microsoft® servers
(Sharepoint Portal Services, Windows 2000, 2003 Advanced, IIS-6, SQL 2000). Study Sites: Microsoft®
Windows 2000 Professional, Office 2003, IE6.]




Coordinating Center Software Requirements

Sharepoint Portal Server V2, Microsoft Windows 2000 Server and Windows 2003 Advanced Server,
Internet Information Services, SQL Server 2000, any other server packages required to run the developed
software.



Coordinating Center Hardware Requirements

Dell and Micron servers featuring multiple Intel Xeon processors running at speeds up to 3.06 GHz, with
as much as 6 GB RAM, and RAID arrays providing hundreds of gigabytes of fault tolerant storage.



Study Site Software Requirements

Microsoft’s Windows 2000 Professional operating system, MS Office Pro 2003, and Microsoft Internet
Explorer 6.0 (Service Pack 1) as the default web browser.



Study Site Hardware Requirements

The target processing environment on the client side requires PCs with Intel processors running
from 450 GHz up to 3.0 GHz, with anywhere from 128 to 2056 MB of RAM, and a
printer-scanner-copier.




*see Detailed System Requirements




Software and Hardware History
The following is a list of software at the time of study startup. An updated list is to be maintained by the
informatics specialist and available for inspection on the Coordinating Center portal.




Desktop (User must specify)
NAME                              DATE OF SERVICE
Office Professional 2003
McAfee Antiviral
IE6
Other VA


Server
NAME                              DATE OF SERVICE
Sharepoint Server 2003            8/17/2004
Windows Server 2003 Standard      8/17/2004
SQL Server 2000 SP3               8/17/2004
McAfee PortalShield               8/17/2004
APC UPS Interface Software        8/17/2004


Hardware Specifications

XEON 2.8GB processor, 1 GB memory, two 36 GB drives mirrored, and three 142 GB drives in RAID 5.
Backup to tape, DVD drive, and rack mounted.




Training

All personnel accessing the system must first complete and document training supplied by Coordinating
Center staff.



DO NOT USE THE PORTAL UNLESS YOU HAVE ATTENDED, CERTIFIED AND DOCUMENTED SYSTEM
TRAINING



Start up procedures







1. Install Office 2003


VAHCS has ownership of 250,000 licenses for Office 2003. Contact your local hospital's IT department for
installation of your copy of Office 2003 Professional.



2. Download and install IE 6.0 or above


Set browser settings to the "Default" setting: on the menu bar select "Tools" > "Internet Options" > "Advanced"
and press the button "Restore Defaults" in the popup window.



3. Logon to your site and change your password


To help you remember your site's location, save your site as a "Favorite" or set it as your homepage
("Tools" > "Internet Options" > "General" tab > type [Site URL] into the home page field and press "OK").




Technical Support
Detailed help screens are available on the Study Portal. Technical support is available from the study
Informatics Specialists during regular business hours (EST):



VHABHSMAVERIC-IT@va.gov



Emergencies (portal site down or dysfunctional) call: (617) 513-2482




Lost Passwords

Contact the Study Informatics Specialist to retrieve a lost password.


VHABHSMAVERIC-IT@va.gov



Emergencies (portal site down or dysfunctional) call: (617) XXX.XXXX




Data Collection and Handling

Subject Privacy and Confidentiality
Any reference to a study subject must be de-identified according to current HIPAA guidelines.



ONLY DE-IDENTIFIED SUBJECT INFORMATION IS ALLOWED ON THE PORTAL.








Source Documents

Source documents should be retained to enable a reconstruction and evaluation of the trial. When original
observations are entered directly into a computerized system, the electronic record is the source
document. Clinical investigators should retain either the original or a certified copy of all source
documents sent to a sponsor or contract research organization, including query resolution
correspondence.



THIS STUDY PORTAL DOES NOT SERVE AS AN EDC, QUERY RESOLUTION OR ADVERSE EVENT
REPORTING TOOL. ALL CLINICAL DATA, QUERY RESOLUTION AND ADVERSE EVENT REPORTING ARE TO BE
COLLECTED ON THE DISTRIBUTED PAPER BASED CASE REPORT FORMS.




Source Documents on Portal
This study will use the portal as the source document for VAHCS retention of all official versions of the
following study related information:



Documents:



    1.   Protocol
    2.   Investigator Brochure
    3.   CTMS Standard Operating Procedures
    4.   Study Brochures and Patient Information


Certified, scanned copies of source documents:



    1.   Approved Informed Consent Templates
    2.   Laboratory certifications
    3.   Pharmacy agreements
    4.   Budget and financial agreements
    5.   Site and study monitoring reports
    6.   Investigator and participant Credentialing, CVs and Licenses


Lists:



    1.   Subject log
    2.   Key Events Log
    3.   Participant Directory
    4.   Telephone Log
    5.   Communications Log
    6.   Training Log



Non-Source Documents on Portal
The following documents are maintained on the portal but are not meant to serve as source
documents. Instead they serve as a web-based, downloadable repository of templates of these documents to
facilitate distribution to the field. These documents must be maintained in the same fashion as other
paper based documents, as described in the most recent version of the Investigators Brochure.








     1.   Case Report Forms
     2.   Queries
     3.   Adverse Events



Attributability

The data entry system is designed to ensure attributability. Therefore, each entry
to an electronic record, including any change, should be made under the
electronic signature of the individual making that entry. However, this does not
necessarily mean a separate electronic signature for each entry or change. For
example, a single electronic signature may cover multiple entries or changes.

Your login information serves as your electronic signature. Changes made to the Portal's document
libraries and lists are time stamped and attributed to the currently active login name. FDA requires that a
paper list of all participant signatures be approved by them before any electronic CTMS can be used for
study records. All personnel must have their real written signatures filed with the FDA before participating
in the Study Portal.



IF YOU DO NOT HAVE YOUR REAL WRITTEN SIGNATURE ON FILE WITH THE FDA DO NOT USE THE
PORTAL. CONTACT THE STUDY COORDINATOR IMMEDIATELY FOR RESOLUTION.




Change Control

Any change to a record required to be maintained should not obscure the original information. The record
should clearly indicate that a change was made and clearly provide a means to locate and read the prior
information. Changes to data that are stored on electronic media will always require an audit trail, in
accordance with 21 CFR 11.10(e). Documentation should include who made the changes, when, and why
they were made.



Audit information includes: user id, date and time, filename, and actions performed. Administrators can extract audit
information to a file to enable further analysis using tools such as Microsoft Excel.



Document and form libraries (Protocol, Documents I, Documents II, Correspondence)

        •  Contributors can view, add, edit and delete items.
        •  Content approval is required by the Study Coordinator for a changed or new document.
        •  Versions are maintained of all documents.
        •  An audit trail that cannot be edited or deleted by study personnel is maintained for all document
           and form libraries. The audit trail is a chronological list reporting all changes to the document
           library by event, user, time and date. The audit trail is available for viewing and print out by
           study authorities.


Lists (Event Log, Directory, Subject Log, Training Log, Telephone Log, IT Event Log)







Contributors can view and add items but cannot edit or delete them. Once a list item has been saved to
medium it will be retained for the lifecycle of the study. It can, however, be hidden from public view, but it
remains accessible to study authorities for review.




DO NOT DELETE ANY RECORD THAT HAS BEEN SAVED AS COMPLETED. INSTEAD CREATE A NEW
RECORD AND STATE WHY THE CHANGE WAS MADE IN THE COMMENTS/ANNOTATIONS FIELD
ASSOCIATED WITH THE CHANGED RECORD.



Several automated processes are built into the system and enforced by administrative access permissions
to allow automation of audit and change control.



Privileges and rights are distributed according to the user’s role in the study. A cumulative record
indicating, for any point in time, the names of authorized personnel, their titles, and a description of their
access privileges is to be maintained in the "Directory" panel of the local study portal.



Reader - View items

Contributor - View, Add List Items, Edit List Items

Web Designer - View, Add List Items, Edit List Items, Delete List Items, Manage List Permissions

IT Administrator - Change server time stamp, Add-delete users, Control of all system application functionality



Study and Site Coordinators and Study and Site Investigators are granted "Contributor" privileges.




Protocols
The protocol library cannot be edited, added to or deleted at the site level. To ensure commonality of the
active protocol across the study sites, new versions of the protocol are programmatically "Pushed" to all
sites from the Study Coordinating Center Portal for local IRB approval. The site investigators and
coordinators should view the Study Coordinating Center Portal daily for review of new announcements.
Alternatively, the "Alert" functionality of the Portal may be used to provide notification of new
announcements.




Audit Trails
Section 21 CFR 11.10(e) requires persons who use electronic record systems to maintain an audit trail as
one of the procedures to protect the authenticity, integrity, and, when appropriate, the confidentiality of
electronic records.



Persons must use secure, computer-generated, time-stamped audit trails to independently record the date
and time of operator entries and actions that create, modify, or delete electronic records. A record is
created when it is saved to durable media, as described under "commit" in Definitions.







Audit trails must be retained for a period at least as long as that required for the subject electronic records
(e.g., the study data and records to which they pertain) and must be available for agency review and
copying.



Personnel who create, modify, or delete electronic records should not be able to modify the audit trails.



Clinical investigators should retain either the original or a certified copy of audit trails.



FDA personnel should be able to read audit trails both at the study site and at any other location where
associated electronic study records are maintained.



Audit trails should be created incrementally, in chronological order, and in a manner that does not allow
new audit trail information to overwrite existing data in violation of §11.10(e).



V System and viewable on Portal


        •  Date and author attribution maintained with document versions.
        •  Explanation of change required to be input into system before edit is
           accepted. (Protocols may not be edited on sub sites.)


Three levels of Audit trails function to satisfy requirements of 21 CFR 11.



Level One. The Syntergics Audit feature records all changes to documents and lists and is uneditable by
the individual effecting the change. Only designated study IT personnel have the capability to effect a
change to this audit trail. The audit trail may be easily accessed for viewing and is capable of printing out
a list of all changes to the system. (describe A). This audit trail describes system level changes to documents
and lists (upload, edit, download, delete, etc.) but does not describe transactional information, for
example changes in the body of text. To capture this information, versions of documents are saved
automatically upon saving of the change to the media. These versions are unalterable and may not be
deleted by the individual effecting the change.



Level Two. An audit trail is maintained on portal system lists describing who, what, when and why changes
were made. Only an administrator may edit this audit trail.



Level Three. Redundant backup mirror of studies are preserved monthly.
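The rules stated under Change Control and Audit Trails above, applied to an extracted audit file, as an added example that is not part of the original SOP or of the vaCTMS software. The CSV column names, the timestamp format, the user ids and the sample rows are constructed assumptions, and only the Reader and Contributor roles are modelled.

```python
import csv
import io
from datetime import datetime

# Library and list names as given in the Change Control section.
DOC_LIBRARIES = {"Protocol", "Documents I", "Documents II", "Correspondence"}
LISTS = {"Event Log", "Directory", "Subject Log", "Training Log",
         "Telephone Log", "IT Event Log"}

# Constructed Directory extract (hypothetical users): user id -> role.
DIRECTORY = {"jdoe": "Contributor", "asmith": "Reader"}

# Constructed site-level audit export. Column names are assumptions; the SOP
# only says the export holds user id, date and time, filename and action.
SAMPLE_EXPORT = """\
user_id,timestamp,library,filename,action,reason
jdoe,2007-11-26 09:15,Subject Log,item-101,add,
jdoe,2007-11-26 09:40,Documents I,consent-template.doc,edit,Corrected site address
asmith,2007-11-26 10:02,Documents I,consent-template.doc,edit,Typo
jdoe,2007-11-26 10:30,Subject Log,item-101,delete,
jdoe,2007-11-26 10:05,Telephone Log,item-7,add,
jdoe,2007-11-26 11:00,Protocol,protocol-v2.doc,edit,Local wording
ghost,2007-11-26 11:20,Correspondence,letter.doc,add,
jdoe,2007-11-26 11:45,Documents II,lab-cert.pdf,edit,
"""


def allowed(role, library, action):
    """Site-level permission check for one audited action.

    Only Reader and Contributor are modelled; any other role is treated as
    view-only, so its changes are surfaced for manual review.
    """
    if action == "view":
        return True
    if role != "Contributor":
        return False                  # Reader: view items only
    if library == "Protocol":
        return False                  # protocol library is fixed at site level
    if library in LISTS:
        return action == "add"        # list items: add, never edit or delete
    return library in DOC_LIBRARIES   # add, edit and delete are permitted


def review(export_text, directory):
    """Return (row number, finding) pairs for an exported audit trail."""
    findings = []
    latest = None
    rows = csv.DictReader(io.StringIO(export_text))
    for row_no, row in enumerate(rows, start=1):
        # Stamps must carry year, month, day, hour and minute.
        try:
            stamp = datetime.strptime(row["timestamp"], "%Y-%m-%d %H:%M")
        except ValueError:
            findings.append((row_no, "bad-timestamp"))
            stamp = None
        # The trail is written incrementally, so stamps never go backwards.
        if stamp is not None:
            if latest is not None and stamp < latest:
                findings.append((row_no, "out-of-order"))
            else:
                latest = stamp
        # Every actor must appear in the Directory of authorized personnel.
        role = directory.get(row["user_id"])
        if role is None:
            findings.append((row_no, "unknown-user"))
        elif not allowed(role, row["library"], row["action"]):
            findings.append((row_no, "not-permitted"))
        # An explanation of change is required before an edit is accepted.
        if row["action"] == "edit" and not (row.get("reason") or "").strip():
            findings.append((row_no, "edit-without-reason"))
    return findings


if __name__ == "__main__":
    for row_no, finding in review(SAMPLE_EXPORT, DIRECTORY):
        print(f"row {row_no}: {finding}")
```
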








Date and Time Stamps

Controls are in place to ensure that the system's date and time are correct.
Study personnel must log into the system to effect a change on the local time
stamp.

The ability to change the date or time is limited to authorized study personnel, and
such personnel should be notified if a system date or time discrepancy is detected.
Such personnel are Study and Site Coordinators and Investigators and designated study
Informatics Officers. Changes to date or time should be documented on the Portal's list of
Key Events.

Dates and times are to be local to the activity being documented and should include the year, month, day,
hour, and minute. All dates associated with modifications of Portal libraries and lists are displayed in year,
month, day, hour, and minute. The Agency encourages establishments to synchronize systems to the
date and time provided by trusted third parties. We currently use the two government sites below to
synchronize our server clock online, and we use National Institute of Standards and Technology protocol
standards (please see www.ntp.org).



time-A.timefreq.bldrdoc.gov
time-nw.nist.gov


In addition, desktops running Windows 2000 or XP may set their desktop clock
to be synched directly with NIST or Microsoft Windows Network Server.

Access to the remote server clock is restricted to this study's designated
Informatics Officer.

Paper Print Out of Portal Information
Capability is built into the system to maintain paper copies of all information input into the portal’s
document libraries and lists. If users desire to periodically print hard copies of study information this
action is facilitated on the page entitled "Study Binder" accessible from the "Quick Launch" panel of the
portal site’s Home Page.




Printing list information
Be certain that all task panes are open by clicking the down arrow on the links bar of the pane and
selecting "restore." Press the "Print" button at the top of your screen to begin printing.







Printing documents
To print a single document, open the document and select print on the file menu. To print
multiple documents, navigate to the document library window by selecting the document library name on
the library pane’s title bar. Then select "explorer view" under "views" in the left panel of the screen. Then
highlight the documents to print and right click the mouse to select "print."



System Maintenance

Data Backup, Recovery, and Contingency Plans
Backup and recovery logs will be maintained by system administrators to facilitate an assessment of the
nature and scope of the data loss resulting from a system failure.



    1.   Backup and Recovery Plan Description
             a. Backup and recovery procedures should be clearly outlined in the SOPs and be sufficient
                 to protect against data loss. Records should be backed up regularly in a way that would
                 prevent a catastrophic loss and ensure the quality and integrity of the data. Backups
                 will be performed via Windows Backup once per week and images maintained at an
                 offsite facility.
             b. Backup and recovery logs will be maintained to facilitate an assessment of the nature
                 and scope of data loss resulting from a system failure.




System failure
If the CTMS appears unstable or is unusable, contact the system administrator immediately. Photocopies
of forms that duplicate the function of the lists on the study portal arrived with the original study packet
and are to be used as back up until the system is stabilized. Forms needed because a blank has not been
reserved for photocopy purposes will be available from the study coordinator. When the system returns
online and is stable, data from the paper forms must be transferred to the web site. Save all such paper
forms with other study materials as per the Investigators Brochure and training. Your "electronic
signature" on the list item will certify the electronic version as the "source." Record and describe the
event in the "Key Events" panel of the Portal.




Study Replication
After the close of the study the Portal will be saved to DVD, where it is available for replication in its entirety
and original format. Replication will require a system running Microsoft Sharepoint Server. Instructions
for performing this operation will be in a "Read Me" file available on the DVD. One copy of this DVD will
be given to each participating Principal Investigator to be maintained at the participating site.



Security

Logical Security
The system will remain dedicated to the purpose for which it is intended and validated.



Access to the data at the clinical site is restricted and monitored through the system's software with its
required log-on, security procedures, and audit trail. The data should not be altered, browsed, queried, or
reported via external software applications that do not enter through the protective system software.




DRAFT vaCTMS Protocol Inclusions11/26/2007         CSP #566        comments: Dave Rose david.rose@va.gov




A cumulative record showing, for any point in time, the names of authorized personnel,
their titles, and a description of their access privileges is to be maintained and
accessible on the local study portal within the “Directory” panel.

Digital Signatures
FDA requires that individuals have the authority to proceed with data entry. The system is designed such
that users need to enter electronic signatures, as combined identification codes/passwords, at the start
of a data entry session.


The data entry system should also be designed to ensure attributability.
Therefore, each entry to an electronic record, including any change, is to be made
under the electronic signature of the individual making that entry. However, this
does not necessarily mean a separate electronic signature for each entry or
change. For example, a single electronic signature may cover multiple entries or
changes.

The printed name of the individual who enters data is displayed by the data entry
screen throughout the data entry session. This is intended to preclude the
possibility of a different individual inadvertently entering data under someone
else’s name.

If the name displayed by the screen during a data entry session is not that of the
person entering the data, then that individual should log on under his or her own
name before continuing.

When someone leaves a workstation, the person should log off the system.
Failing this, an automatic log off will occur for long idle periods.

Password
All efforts must be made to maintain confidentiality of the user’s password.



The password is to be changed at regular intervals of every three months.


Desktop Security
To ensure that individuals have the authority to proceed with data entry, the data entry system is
designed so that individuals need to enter electronic signatures by combined identification
codes/passwords at the start of a data entry session.








When someone leaves a workstation, the person should log off the system.
Failing this, an automatic log off will occur for long idle periods. For short periods
of inactivity, an automatic screen saver will occur that prevents data entry until a
password is entered.

Individuals should only work under their own passwords or other access keys
and should not share these with others. Individuals should not log on to the
system in order to provide another person access to the system. If the current
user name displayed by the screen during a data entry session is not that of the
person entering the data, then that individual should log on under his or her own
name before continuing. The printed name of the individual who enters data will
be displayed by the data entry screen throughout the data entry session. This is
intended to preclude the possibility of a different individual inadvertently entering
data under someone else’s name.

The Protocol, Informed Consent, and source documents residing on the system are securely maintained on
backup medium.


Controls are in place both server side and by VA policy on the desktop to
prevent, detect, and mitigate effects of computer viruses on study data and
software.



Server Security
The Information Security Program in support of this system is based on the International Standards
Organization’s Code of Practice for Information Security Management (ISO 17799). Technical security
measures, such as Cisco PIX, provide firewall protection, intrusion detection, and web-publishing rules.
The MAVERIC software assurance team tests and deploys software updates in order to maintain the
highest level of security and software reliability. Software hot-fixes and service packs are tested and
deployed based on their priority and level of risk. Security-related hot-fixes are rapidly deployed into the
environment to address current threats. A comprehensive software validation activity ensures software
stability through regression testing prior to deployment.

Finally, Microsoft Gold Certified operations ensure that the proper change management and configuration
management procedures are always followed.




Security Software
McAfee antiviral (desktop)

McAfee Portal Shield (Server)







Physical Firewall




Physical Security

Facility Security:

Locked building with electronic intrusion system

Locked cage for second level server security

System Dependability
Because this software is purchased off-the-shelf, validation has been done by the company that wrote the
software (Microsoft, Redmond, WA), and this documentation is available through the Coordinating Center’s
quality assurance personnel. The Coordinating Center’s quality assurance personnel have performed
functional testing (e.g., by use of test data sets) and researched known software limitations, problems,
and defect corrections.




System Control

Software Version Control
With any change to a new version of software, the change must be updated in this SOP, announced and
distributed to all participating sites. All changes to versions of software will be recorded on the “IT Event
Log” maintained on the Study Coordinator’s Portal.




Training of Personnel


Qualifications
Each person who enters or processes data should have the education, training, and experience or any
combination thereof necessary to perform the assigned functions. Individuals responsible for monitoring
the trial should have education, training, and experience in the use of the computerized system necessary
to adequately monitor the trial.




Training
Training will be provided to individuals in the specific operations that they are to perform.



Training will be conducted by qualified individuals on a continuing basis, as needed, to ensure familiarity
with the computerized system and with any changes to the system during the course of the study.



Online videos of standard portal operations are available to all users of the study portal.







Documentation
Employee education, training, and experience will be documented on the “Training Log” list on the Study
Coordinator’s Portal.




Records Inspection

Records inspection
FDA may inspect all records that are intended to support submissions to the Agency, regardless of how
they were created or maintained. Therefore, systems should be able to generate accurate and complete
copies of records in both human readable and electronic form suitable for inspection, review, and copying
by the Agency. Persons should contact the Agency if there is any doubt about what file formats and media
the Agency can read and copy.



Study Informatics Specialists will provide hardware and software as necessary for FDA personnel to
inspect the electronic documents and audit trail at the site where an FDA inspection is taking place.




Certification of Electronic Signatures

Electronic Signature Certification
As required by 21 CFR 11.100(c), persons using electronic signatures to meet an FDA signature
requirement shall, prior to or at the time of such use, certify to the agency that the electronic signatures
in their system, used on or after August 20, 1997, are intended to be the legally binding equivalent of
traditional handwritten signatures.


As set forth in 21 CFR 11.100(c), the certification shall be submitted in paper
form signed with a traditional handwritten signature to the Office of Regional
Operations (HFC-100), 5600 Fishers Lane, Rockville, Maryland 20857. The
certification is to be submitted prior to or at the time electronic signatures are
used. However, a single certification may cover all electronic signatures used by
persons in a given organization. This certification is a legal document created by
persons to acknowledge that their electronic signatures have the same legal
significance as their traditional handwritten signatures. An acceptable certification
may take the following form:

"Pursuant to Section 11.100 of Title 21 of the Code of Federal Regulations, this is to certify that [name of
organization] intends that all electronic signatures executed by our employees, agents, or representatives,
located anywhere in the world, are the legally binding equivalent of traditional handwritten signatures."



Detailed System Requirements







Recommended Microsoft Configurations:



Windows Server 2003



Use Microsoft Installation and System requirements.



Windows SQL Server 2000



Use Microsoft Installation and System requirements.




SharePoint Portal Server v2




Before you install Microsoft SharePoint Portal Server "v2.0" 2, ensure that you have installed the
required hardware and software.



Server Requirements



Hardware Requirements



The following are recommended minimum hardware requirements for the server:



Intel Pentium III-compatible processor

256 megabytes (MB) of random access memory (RAM)

550 MB free hard disk space

Important: The disk must be formatted as NTFS file system.



Program and data file paths cannot be to removable or networked storage. Setup verifies this.



Software Requirements







The server must be running one of the following operating systems:



Note: For Microsoft SharePoint Portal Server "v2.0", only Windows Server 2003 Release
Candidate 2 is supported.



Windows Server 2003, Standard Edition, plus the latest service pack

Windows Server 2003, Enterprise Edition, plus the latest service pack

Windows Server 2003, Datacenter Edition, plus the latest service pack

Windows Server 2003, Web Edition, plus the latest service pack



In addition to the operating system, the following operating system components must be installed:



Application Server with the following components:

ASP.NET

Internet Information Services (IIS) with the following components:

Common Files

Internet Information Services Manager

SMTP Service

World Wide Web Service with the following components:

Active Server Pages

World Wide Web Service



All servers in a server farm must run the same version and language of the operating system, and
(where applicable) the same version and language of Microsoft SQL Server 2000, with the
following exception: the configuration database can run Windows 2000 Datacenter Server or
Windows Server 2003, Datacenter Edition, regardless of what other servers in the farm are
running. Setup does not verify this.



Software Coexistence Issues



The document library server component of Microsoft SharePoint Portal Server "v2.0" Beta 2
cannot run on servers on which the following are installed:







Microsoft Exchange Server (any version)

Microsoft Site Server (any version)

Microsoft Office Server Extensions

Microsoft Web Storage System (any version)

Microsoft SharePoint Portal Server 2001



Database Requirements



The configuration database can be installed on the following:



SQL Server 2000, plus the latest service pack

SQL Server 2000 Enterprise Edition, plus the latest service pack

SQL Server 2000 Desktop Engine (MSDE 2000)



The server on which the configuration database is installed must be running one of the following
operating systems:



Windows Server 2003, Standard Edition, plus the latest service pack

Windows Server 2003, Enterprise Edition, plus the latest service pack

Windows Server 2003, Datacenter Edition, plus the latest service pack

Windows Server 2003, Web Edition, plus the latest service pack

Windows 2000 Datacenter Server



Network Requirements



Multiple-server configurations are supported only on servers that are members of a Windows NT
4.0, Windows 2000, or Windows Server 2003 domain.



Client Requirements



Hardware Requirements







The following are recommended minimum hardware requirements for client computers:



Intel Pentium III-compatible 200 MHz processor

64 MB of RAM

50 MB hard disk space on Windows 98 and Windows NT 4.0, 30 MB disk space on
Windows 2000 and Windows XP

Note: The disk can be formatted as NTFS, FAT, or FAT32.



Software Requirements



Client computers must be running one of the following operating systems:



Windows 98

Windows NT 4, plus the latest service pack

Windows 2000 Professional, Server, or Advanced Server, plus the latest service pack

Windows XP Professional, plus the latest service pack

Note: Windows XP Home Edition is not supported.



Windows Server 2003, plus the latest service pack

Note: For Microsoft SharePoint Portal Server "v2.0" Beta 2, only Windows Server 2003 Release
Candidate 2 is supported.

Note: Computers that document library coordinators use must be running Windows 2000
Professional, Server, or Advanced Server, Windows XP Professional, or Windows Server 2003.

In addition to the operating system, client computers must have the following installed:



Outlook Express 5.01 or later



Browser Requirements



Client computers must also have one of the following Web browsers installed:







Microsoft Internet Explorer 5.01 with Service Pack 2 and Q324929. Microsoft Visual Basic
Scripting support is required. This is included in the default installation of Internet Explorer 5.

Internet Explorer 5.5 with Service Pack 2 and Q324929. Microsoft Visual Basic Scripting support
is required.

Internet Explorer 6.0. Microsoft Visual Basic Scripting support is required.

Netscape Navigator 6.02 or later.




Windows SharePoint Services



Server hardware



Intel Pentium III-compatible processor

512 megabytes (MB) of RAM

550 MB of available hard disk drive space



Server software



One of the following operating systems:

Windows Server 2003, Standard Edition

Windows Server 2003, Enterprise Edition

Windows Server 2003, Datacenter Edition

Windows Server 2003, Web Edition



A Web application server with the following components:

Microsoft ASP.NET

Internet Information Services (IIS) 6.0 with the following components:

Common files

Simple Mail Transfer Protocol (SMTP) service

World Wide Web service



Server databases







One of the following versions of Microsoft SQL Server:

SQL Server 2000, with the latest service pack

SQL Server 2000 Enterprise Edition, with the latest service pack

SQL Server 2000 Desktop Engine (MSDE 2000)

SQL Server 2000 Desktop Engine (Windows) (WMSDE)



Network



Multiple server configurations must be members of a Microsoft Windows NT 4.0, Windows
2000, or Windows Server 2003 domain.



Browser Client



One of the following browsers:

Microsoft Internet Explorer 5.01 with Service Pack 2

Internet Explorer 5.5 with Service Pack 2

Internet Explorer 6

Netscape Navigator 6.2 or later







APPENDIX A.          Sample Letters of Non-Repudiation Agreement
A letter of Non-Repudiation Agreement for digital signatures must be submitted to the FDA prior
to registering as a transaction partner for the FDA ESG. The letter must be submitted in paper
form (preferably on company letterhead) and signed with a traditional handwritten signature. The
letter must be sent to:


        Office of Regional Operations (HFC-100)
        5600 Fishers Lane
        Rockville, MD 20857.


A copy must be sent to:


        Michael Fauntleroy
        Office of the Director (HFM-25)
        Center for Biologics Evaluation and Research
        Food and Drug Administration
        11400 Rockville Pike, Room 4119
        Rockville, MD 20857.


The following two letters are provided as samples for a Letter of Non-Repudiation Agreement.
The information in square brackets [] will be provided by the submitter.




SAMPLE LETTER #1



[Company Letterhead]


[Today’s Date]


Office of Regional Operations (HFC-100)
5600 Fishers Lane
Rockville, MD 20857


Re: Electronic Signatures


Dear Sir or Madam:







Pursuant to Section 11.100 of Title 21 of the Code of Federal Regulations, this is to certify that
[Company Name], [Company Address], intends that electronic signatures executed by our
employees, [List of employee names] are the legally binding equivalent of traditional
hand-written signatures.



Sincerely yours,


[Hand-written signature]


[Name of Company Representative]
[Company Representative Title]



[Employee Name #1]: _________ [Hand-written signature of employee #1]


[Employee Name #2]: _________ [Hand-written signature of employee #2]


[Employee Name #3]: _________ [Hand-written signature of employee #3]


[etc]




SAMPLE LETTER #2



[Company Letterhead]


[Today’s Date]


Office of Regional Operations (HFC-100)
5600 Fishers Lane
Rockville, MD 20857


Re: Electronic Signature Certificate Statement


To Whom It May Concern:







Pursuant to Section 11.100 of Title 21 of the Code of Federal Regulations, this is to certify that
[Company Name], intends that all electronic signatures executed by our employees, agents, or
representatives, located anywhere in the world, are the legally binding equivalent of traditional
hand-written signatures.



Sincerely yours,


[Hand-written signature]


[Name of Company Representative]
[Company Representative Title]







Appendix: CSP Security White Paper


VA eCTMS Security White Paper


Recent loss of VA data calls for an assessment of risks and liability for all subject data.
This report assesses the vulnerability and security of MAVERIC’s Web-based clinical
trial management system (eCTMS) and provides this information to VA R&D CO for
approval to continue its use as is, or for a recommendation for change.


   I.      Associated hardware and software (Appendix A)
           Location:
           Boston VAHCS (MAV151)
           13th floor A wing
           150 S. Huntington Ave
           Boston, MA 02118


           Joseph Davis, Boston VA R&D IT Director




   II.     Security Risk


   1. The CTMS is not behind the VA firewall. Although VA IRM has approved
      SharePoint and InfoPath, our system requires other software that is not yet
      approved for deployment behind the VA firewall. Ironically, much of this
      software is necessary to bring the system into technical compliance with 21 CFR
      11 guidelines for security of digitally managed clinical trials data. Were the
      system behind VA’s firewall, it would not be available to hospitals enrolling
      subjects outside of VA.
   2. The system uses proprietary third-party software that is not open source. Although
      unlikely, such software carries the risk of harboring malicious code that could
      breach the confidentiality of data stored on the system.
   3. The system is on the web. This exposes it to web-based attack from outside.


   III.     Security Features to Mitigate the Risk






   1.   All information entered into the system regarding any subject enrolled into clinical
        trials has been de-identified according to HIPAA (Appendix B). Even if security
        were breached, any identifying reference to actual subjects is unavailable for copy.
   2.   The system is technically compliant with 21 CFR 11 regulations. Examples
        include password protection, automatic log outs, lock outs, alerts to
        multiple failed access attempts, etc.
   3.   The native security features of SharePoint and InfoPath are used extensively, with
        granular permissions restricting access to individual web sites, lists and document
        libraries.
   4.   The system is behind a Cisco PIX firewall, which mitigates some forms of
        security attack (see the diagram of security features; same configuration as the VA
        firewall, Appendix C).
   5.   The system does not intersect at any point with VA’s intranet and thus cannot
        serve as a surreptitious entry point to VA subject data maintained on VA’s WAN.
   6.   The system transmits data using the secure messaging of HTTPS as opposed to HTTP,
        which results in messages being encrypted to and from the system.
   7.   The system servers are configured according to VA standards of best practice,
        exactly as those servers VA maintains behind the VA firewall (Appendix D).
   8.   All servers are protected by up-to-date McAfee antiviral software.
   9.   Physical security of the servers is maintained on campus by VA security
        personnel, with servers residing behind alarmed and locked doors with access limited
        to designated IT personnel only, and in locked cages.







21 CFR 11



Section 11.10 describes controls for closed systems, systems to
which access is controlled by persons responsible for the content of
electronic records on that system. These controls include measures
designed to ensure the integrity of system operations and information
stored in the system. Such measures include: (1) Validation; (2) the
ability to generate accurate and complete copies of records; (3)
archival protection of records; (4) use of computer-generated, time-
stamped audit trails; (5) use of appropriate controls over systems
documentation; and (6) a determination that persons who develop,
maintain, or use electronic records and signature systems have the
education, training, and experience to perform their assigned tasks.
Section 11.10 also addresses the security of closed systems and
requires that: (1) System access be limited to authorized individuals;
(2) operational system checks be used to enforce permitted sequencing
of steps and events as appropriate; (3) authority checks be used to
ensure that only authorized individuals can use the system,
electronically sign a record, access the operation or computer system
input or output device, alter a record, or perform operations; (4)
device (e.g., terminal) checks be used to determine the validity of the
source of data input or operation instruction; and (5) written policies
be established and adhered to holding individuals accountable and
responsible for actions initiated under their electronic signatures, so
as to deter record and signature falsification.
Section 11.30 sets forth controls for open systems, including the
controls required for closed systems in Sec. 11.10 and additional
measures such as document encryption and use of appropriate digital
signature standards
to ensure record authenticity, integrity, and confidentiality.
Section 11.50 requires signature manifestations to contain
information associated with the signing of electronic records. This
information must include the printed name of the signer, the date and
time when the signature was executed, and the meaning (such as review,
approval, responsibility, and authorship) associated with the
signature. In addition, this information is subject to the same
controls as for electronic records and must be included in any human
readable forms of the electronic record (such as electronic display or
printout).
Under Sec. 11.70, electronic signatures and handwritten signatures
executed to electronic records must be linked to their respective
records so that signatures cannot be excised, copied, or otherwise
transferred to falsify an electronic record by ordinary means.
Under the general requirements for electronic signatures, at
Sec. 11.100, each electronic signature must be unique to one individual
and must not be reused by, or reassigned to, anyone else. Before an
organization establishes, assigns, certifies, or otherwise sanctions an
individual's electronic signature, the organization shall verify the
identity of the individual.
Section 11.200 provides that electronic signatures not based on
biometrics must employ at least two distinct identification components
such as an identification code and password. In addition, when an
individual executes a series of signings during a single period of
controlled system access, the first signing must be executed using all
electronic signature components and the subsequent signings must be
executed using at least one component designed to be used only by that
individual. When an individual executes one or more signings not
performed during a single period of controlled system access, each
signing must be executed using all of the electronic signature
components.
Electronic signatures not based on biometrics are also required to
be used only by their genuine owners and administered and executed to
ensure that attempted use of an individual's electronic signature by
anyone else requires the collaboration of two or more individuals. This
would make it more difficult for anyone to forge an electronic
signature. Electronic signatures based upon biometrics must be designed
to ensure that such signatures cannot be used by anyone other than the
genuine owners.
Under Sec. 11.300, electronic signatures based upon use of
identification codes in combination with passwords must employ controls
to ensure security and integrity. The controls must include the
following provisions: (1) The uniqueness of each combined
identification code and password must be maintained in such a way that
no two individuals have the same combination of identification code and
password; (2) persons using identification codes and/or passwords must
ensure that they are periodically recalled or revised; (3) loss
management procedures must be followed to deauthorize lost, stolen,
missing, or otherwise potentially compromised tokens, cards, and other
devices that bear or generate identification codes or password
information; (4) transaction safeguards must be used to prevent
unauthorized use of passwords and/or identification codes, and to
detect and report any attempt to misuse such codes; (5) devices that
bear or generate identification codes or password information, such as
tokens or cards, must be tested initially and periodically to ensure
that they function properly and have not been altered in an
unauthorized manner.







Appendix B HIPAA




As per 45 CFR 164.514, to meet the standard for de-identified data under the Privacy Rule,
a data set cannot include any of the following 18 elements:
    1. Names
    2. All geographical subdivisions smaller than a State, including street address, city,
        county, precinct, zip code, and their equivalent geocodes, except for the initial
        three digits of the zip code if according to the current publicly available data from
        the Bureau of the Census: a) the geographic unit formed by combining all zip
        codes with the same three initial digits contains more than 20,000 people; and
        b) the initial three digits of a zip code for all such geographic units containing
        20,000 or fewer people is changed to 000.
    3. All elements of dates (except year) for dates directly related to an individual,
        including birth date, admission date, discharge date, date of death; and all ages
        over 89 and all elements of dates (including year) indicative of such age, except
        that such ages and elements may be aggregated into a single category of age 90 or
        older.
    4. Telephone numbers
    5. Fax numbers
    6. Electronic mail addresses
    7. Social security numbers
    8. Medical record numbers
    9. Health plan beneficiary numbers
    10. Account numbers
    11. Certificate/license numbers
    12. Vehicle identifiers and serial numbers, including license plate numbers
    13. Device identifiers and serial numbers
    14. Web Universal Resource Locators (URLs)
    15. Internet Protocol (IP) address numbers
    16. Biometric identifiers, including finger and voice prints
    17. Full face photographic images and any comparable images
    18. Any other unique identifying number, characteristic, or code.
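
Items 2 and 3 of the list call for generalization rather than plain removal, and identifiers also leak into free-text fields. The sketch below is an added example, not part of this SOP or of the vaCTMS software; the field names, the sample record and the `SPARSE_ZIP3` set are constructed assumptions, and it covers only part of the 18 elements.

```python
"""Safe Harbor generalization of ZIP codes, dates and ages (45 CFR 164.514)."""
import re
from datetime import date

# Constructed placeholder: three-digit ZIP prefixes covering 20,000 or fewer
# people. A real deployment loads this set from current Census Bureau data.
SPARSE_ZIP3 = frozenset({"036", "059", "102"})

# Hypothetical field names for identifiers that are removed outright.
DIRECT_IDENTIFIER_FIELDS = frozenset({
    "name", "street", "city", "county", "phone", "fax", "email", "ssn",
    "mrn", "health_plan_id", "account_no", "license_no", "vehicle_id",
    "device_id", "url", "ip_address",
})
DATE_FIELDS = frozenset(
    {"birth_date", "admission_date", "discharge_date", "death_date"})

# Patterns for identifiers that tend to leak into free-text fields.
RESIDUAL_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
    "phone": re.compile(
        r"(?<!\d)(?:\(\d{3}\)\s?|\d{3}[-. ])\d{3}[-. ]\d{4}(?!\d)"),
    "ip": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "url": re.compile(r"\bhttps?://\S+"),
}


def generalize_zip(zip_code):
    """Return the 3-digit prefix, "000" if sparse, None if malformed."""
    digits = re.sub(r"\D", "", str(zip_code))
    if len(digits) not in (5, 9):
        return None  # not a ZIP or ZIP+4: drop it rather than guess
    prefix = digits[:3]
    return "000" if prefix in SPARSE_ZIP3 else prefix


def age_on(birth, as_of):
    """Whole years between birth and as_of."""
    had_birthday = (as_of.month, as_of.day) >= (birth.month, birth.day)
    return as_of.year - birth.year - (0 if had_birthday else 1)


def find_residual_identifiers(text):
    """Return the sorted kinds of identifier patterns found in free text."""
    return sorted(k for k, rx in RESIDUAL_PATTERNS.items() if rx.search(text))


def deidentify(record, as_of):
    """Return (clean, flagged): the generalized record, and the free-text
    fields withheld because they still match an identifier pattern."""
    clean, flagged, over_89 = {}, {}, False
    for key, value in record.items():
        if key in DIRECT_IDENTIFIER_FIELDS:
            continue  # removed outright
        if key == "zip":
            clean["zip3"] = generalize_zip(value)
        elif key == "age":
            over_89 = over_89 or value > 89
        elif key in DATE_FIELDS:
            parsed = date.fromisoformat(value)
            if key == "birth_date" and age_on(parsed, as_of) > 89:
                over_89 = True
            clean[key[:-len("_date")] + "_year"] = parsed.year  # year only
        elif isinstance(value, str) and find_residual_identifiers(value):
            flagged[key] = find_residual_identifiers(value)
        else:
            clean[key] = value
    if over_89:
        # Ages over 89 collapse into one category, and the birth year that
        # would reveal such an age is dropped as well.
        clean["age"] = "90+"
        clean.pop("birth_year", None)
    elif "age" in record:
        clean["age"] = record["age"]
    return clean, flagged


# Constructed sample record; none of these values come from the study.
SAMPLE_RECORD = {
    "name": "Jane Example",
    "zip": "02130-1234",
    "birth_date": "1915-03-14",
    "admission_date": "2007-11-02",
    "ssn": "000-00-0000",
    "study_arm": "B",
    "note": "Pt called from 617-555-0100, email jdoe@example.org",
}

if __name__ == "__main__":
    print(deidentify(SAMPLE_RECORD, date(2007, 11, 26)))
```

Fields returned in `flagged` are withheld from the clean record so that a person can review them before anything is entered on the portal.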








Appendix: Cooperative Studies Program Data Security Policy


      Cooperative Studies Program Data Security Policy
Table of Contents

General Information
Introduction
I.         Annual Compliance
II.        Mandatory Training
III.       Protected Health Information (PHI)
IV.        Highly Confidential Protected Health Information (HCPHI)
V.         De-Identified Information
VI.        Reporting Data Security Breaches
VII.       Passwords and Accounts
VIII.      Remote Access to the VA Network
IX.        Transmission of PHI
X.         Workstation, Laptop and Removable Storage Device Computer Security
XI.        Server Security
XII.       Physical and Environmental Security
XIII.      Standard Backups
XIV.       Local Security Data Plan

Austin Automation Center
I.         Austin Automation Center (AAC) Data
II.        Austin Automation Center Data Request Policies

References

Appendix A
Data Security Staff Roles and Contacts

Attachments
Attachment 1 – General Data Security Compliance Signature Page
Attachment 2 – Austin Data Security Compliance Signature Page
Attachment 3 – Authorization to Transport and Utilize Sensitive Information Outside Protected
        Environments



                         GENERAL INFORMATION

Introduction
The Cooperative Studies Program (CSP) is committed to the highest standards for data
security and privacy. The purpose of this document is to ensure that all data security
measures and practices are clear within the CSP. All CSP employees, including VA
employees, contractors, WOC staff, fellows, volunteers, and other persons who have
access to the CSP network and/or data, are required to review and sign this Data Security
Policy document. All CSP personnel are expected to properly use and handle research
data and be committed to human subjects protection and privacy.

CSP personnel must abide by all VA policies and additional standards presented in this
document. The latest information regarding the protection of VA research information
can be found at the following website:
http://www1.va.gov/resdev/resources/policies/cybersecurity.cfm. VA directives,
handbooks, and policies can be found at http://www1.va.gov/vhapublications/. CSP
standards set forth in this document must not be reduced or compromised in their intent.
CSP Centers may have additional policies or standards required by their local VA
Medical Center. Furthermore, other data access restrictions and security requirements
may be established by the Institutional Review Board (IRB) of record for the CSP Center.
CSP Center Directors are responsible for ensuring that all applicable policies and
standards are followed by their staff. Each CSP Center will have a local data security
plan that encompasses the policies and standards as outlined in this document.

I. Annual Compliance
All CSP personnel must annually review this document and sign a General Data Security
Compliance Signature Page (Attachment 1) prior to handling any research data within the
Center. The Signature Page must be returned to the CSPCC Data Security Administrator
or designee (See Appendix A – Data Security Staff Roles and Contacts) before access to
CSP networks is provided. For users of the Austin Automation Center’s datasets, the
Austin Data Security Compliance Signature Page (Attachment 2) must also be signed and
returned to the CSP Center Director. After initial signature, the annual deadline for
signing these documents is April 15th. User account access will be disabled if the proper
signature pages have not been obtained every year by this date.

II. Mandatory Training
All CSP personnel must annually complete these training courses: “Information
Security Awareness Training”, “VHA Privacy Policy”, “Protection of Human Research
Subjects & Good Clinical Practices”, and “Research Data Security and Privacy”. Options
for fulfilling training requirements can be found at:
http://www.research.va.gov/programs/pride/training/options.cfm


III. Protected Health Information (PHI)

All CSP personnel must preserve the integrity and the confidentiality of individually
identifiable health information as required by the Health Insurance Portability and
Accountability Act (HIPAA), Public Law 104-191. This data is considered “protected
health information” and shall be safeguarded in compliance with the requirements of the
security and privacy rules and standards established under HIPAA (VHA Handbook 1605.2
paragraph 2). All PHI must be stored on a secure server.

CSP requires that all patient-level or other identifiable person-level data be treated as PHI
unless the dataset does NOT contain any of the data elements that HIPAA considers
protected information, or the dataset has been determined to be statistically de-identified.

HIPAA considers the following identifiers of the individual and of the individual's
relatives, employers, or household members to be PHI:

       (1) names;
       (2) all geographic subdivisions smaller than a state, except for the initial three
       digits of the zip code if the geographic unit formed by combining all zip codes
       with the same three initial digits contains more than 20,000 people;
       (3) all elements of dates except year and all ages over 89;
       (4) telephone numbers;
       (5) fax numbers;
       (6) email addresses;
       (7) social security numbers;
       (8) medical record numbers;
       (9) health plan beneficiary numbers;
       (10) account numbers;
       (11) certificate or license numbers;
       (12) vehicle identifiers and license plate numbers;
       (13) device identifiers and serial numbers;
       (14) URLs;
       (15) IP addresses;
       (16) biometric identifiers;
       (17) full-face photographs and any comparable images;
       (18) any other unique, identifying characteristic or code, except as permitted for
       re-identification in the Privacy Rule.

HIPAA also indicates that data that are stripped of these 18 identifiers are regarded as de-
identified, unless the covered entity has actual knowledge that it would be possible to use
the remaining information alone or in combination with other information to identify the
subject. VA scrambled SSN (SCRSSN) must also be treated as PHI in accordance with
VHA Handbook 1605.1.
PHI belongs to the VA, and therefore is subject to VA policy. Use of PHI by an
individual requires proper authorization and a demonstration of a “need to know”
relevant to the performance of his/her job.


PHI shall not be used for any purpose that is not related to the activities carried out by the
research group per approved protocol. Unauthorized or inappropriate use of PHI or lack
of adherence to security policies and procedures will not be tolerated and may result in
fines and disciplinary action, which may include prison time.




IV. Highly Confidential Protected Health Information (HCPHI)
As an additional security measure, CSP considers direct patient identifiers such as

           (1) names
           (2) social security numbers
           (3) physical and electronic addresses
           (4) phone numbers (fax, cell, etc.)

to be HCPHI. Security for HCPHI must be maintained in accordance with the National
Institute of Standards and Technology (NIST) Special Publication 800-53 standards for
security controls. At a minimum, access control protection must be used to restrict access
to and safeguard HCPHI data on secure VA server(s). This includes both of the
following classes of files: 1) files containing HCPHI that are actively being used for
subject recruitment and/or data collection purposes; and 2) subject-level crosswalk files
containing HCPHI that have been separated from the analysis files for the study. To the
extent possible, HCPHI must be stored in a separate folder from other related data. It is
also highly recommended that encryption and password protection of folders/files
containing HCPHI be implemented at the local level, subject to the availability of VA
approved FIPS-140-2 compliant encryption software. Check with your local IRM
representative and Information Security Officer regarding approved encryption software
for this purpose.

Special care must be taken to protect crosswalks between study ID numbers and names or
actual SSNs, or between actual and scrambled SSNs. The actual and scrambled SSNs are
not to be kept in the same file; CSP requires that separate files be used, with the study ID
number in both files to enable linkages, when necessary.


V. De-Identified Information
To de-identify data under HIPAA, all of the 18 HIPAA data elements outlined in Section
III (Protected Health Information) above must be stripped by a statistician or other person
with appropriate knowledge of and experience with generally accepted statistical and
scientific principles and methods for rendering information not individually identifiable.
This person must also document the method and results of the analysis that justifies such
determination. Data is considered de-identified once such principles and methods have
been applied, and determination has been made that the risk is minimal that the
information could be used, alone or in combination with other reasonably available
information, by a recipient of the information to identify the person whose information is
being used.

A code or other means of record identification can be assigned to allow de-identified
information to be re-identified by the CSP Center provided that the code or other means
of record identification is not derived from or related to information about the individual
and is not otherwise capable of being translated so as to identify the individual. The CSP
Center must not use or disclose the code or other means of record identification for any
other purpose and will not disclose the mechanism for re-identification.
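
The file separation required by Sections IV and V, as an added Python example that is not part of the CSP policy or any VA system: it assigns a random study ID, writes the actual and scrambled SSNs to separate crosswalks, generalizes ZIP codes, dates and ages in the analysis file, and then scans that file for leaked identifiers. The field names, the sample records, the sparse ZIP list and the ID format are constructed assumptions.

```python
import secrets

# Assumption: 3-digit ZIP prefixes whose combined population is 20,000 or fewer.
# Constructed values; a real list must be built from current census data.
SPARSE_ZIP3 = {"036", "059"}

DIRECT_IDENTIFIERS = ("name", "ssn", "scrssn")

# Constructed sample records (no real persons; SSN area 000 is never issued).
SAMPLE = [
    {"name": "Subject One", "ssn": "000-00-0001", "scrssn": "900000001",
     "zip": "02139", "visit_date": "2007-03-14", "age": 67, "sbp": 128},
    {"name": "Subject Two", "ssn": "000-00-0002", "scrssn": "900000002",
     "zip": "03601", "visit_date": "2007-05-02", "age": 93, "sbp": 141},
    {"name": "Subject Three", "ssn": "000-00-0003", "scrssn": "900000003",
     "zip": "05901", "visit_date": "2006-11-30", "age": 89, "sbp": 119},
]


def new_study_id(used):
    """Random code that is not derived from any attribute of the subject."""
    while True:
        sid = "S" + secrets.token_hex(4)
        if sid not in used:
            used.add(sid)
            return sid


def generalize(record):
    """Reduce quasi-identifiers: ZIP to 3 digits, dates to year, ages over 89 pooled."""
    zip3 = record["zip"][:3]
    return {
        "zip3": "000" if zip3 in SPARSE_ZIP3 else zip3,
        "visit_year": record["visit_date"][:4],
        "age": "90+" if record["age"] > 89 else str(record["age"]),
        "sbp": record["sbp"],
    }


def split_dataset(records):
    """Return (analysis rows, identity crosswalk, scrambled-SSN crosswalk).

    The actual and scrambled SSNs never share a file; the study ID appears
    in all three outputs so they can be linked when necessary.
    """
    used = set()
    analysis, identity_xwalk, scrssn_xwalk = [], [], []
    for rec in records:
        sid = new_study_id(used)
        analysis.append({"study_id": sid, **generalize(rec)})
        identity_xwalk.append({"study_id": sid, "name": rec["name"], "ssn": rec["ssn"]})
        scrssn_xwalk.append({"study_id": sid, "scrssn": rec["scrssn"]})
    return analysis, identity_xwalk, scrssn_xwalk


def find_leaks(analysis, records):
    """List (study_id, field) pairs where an analysis row still carries a
    direct identifier field or an ungeneralized source value."""
    sensitive = set()
    for rec in records:
        for key in DIRECT_IDENTIFIERS + ("zip", "visit_date"):
            sensitive.add(str(rec[key]))
    leaks = []
    for row in analysis:
        for field, value in row.items():
            if field in DIRECT_IDENTIFIERS or str(value) in sensitive:
                leaks.append((row["study_id"], field))
    return leaks


if __name__ == "__main__":
    rows, identity, scrambled = split_dataset(SAMPLE)
    for row in rows:
        print(row)
    print("leaks:", find_leaks(rows, SAMPLE))
```

Both crosswalk outputs are HCPHI and belong in access-controlled folders separate from the analysis file; passing this mechanical check does not replace the documented determination Section V requires.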




VI. Reporting Data Security Breaches
CSP personnel are required to report any possible breaches in data or computer security
immediately to their supervisor, the Center Director and the CSPCC Data Security
Administrator. The Center Director will immediately report serious breaches (items 3 to
5 below) to the local Information Security Officer (ISO), Study Chairman, local IRB,
study sponsor (if applicable) and the Clinical Science R&D Service Director.
Data security breaches include, but are not limited to:
       (1) Distributing login IDs and passwords to unauthorized individuals
       (2) Neglecting to log off or lock systems when away from workstations
       (3) Inappropriate dissemination of sensitive or restricted data
       (4) Accessing, using, or changing data that are not necessary to perform the
       individual’s job functions or for which the individual has not received permission
       from the data owner
       (5) Theft or loss of PHI or equipment containing PHI.

VII. Passwords and Accounts
All CSP personnel must have their own user account for access to any CSP shared
computing systems. The user's login name and password must never be given to or
shared with any other individual for any reason. The requirements for strong passwords
are as follows:
        (1) Passwords must be at least 8 characters long. (The longer your password, the
        better)
        (2) Passwords must contain at least two letters and one non-letter.
        (3) Passwords must contain characters from at least three of the following four
        categories:
                 1. uppercase letters
                 2. lowercase letters
                 3. numbers
                 4. special characters
        (4) Passwords cannot be your username, your username reversed, or a cyclic shift of
        either of the above. (It’s unlikely such a password would pass the “four categories”
        test in any case.)
        (5) Passwords cannot contain any piece of the "real name" associated with your
        account (for example, user johnj whose name is "John Jones" cannot have
        john!123 or 45JOnes# as his password).
        (6) Passwords must be changed every 90 days.
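
The six rules above can be checked mechanically. The following Python checker is an added example, not part of the CSP policy or any VA tool; case-insensitive comparison for rules 4 and 5 and the three-character minimum for a name "piece" are assumptions, since the policy does not define them.

```python
from datetime import date, timedelta

MIN_LENGTH = 8
MAX_AGE = timedelta(days=90)
MIN_NAME_PIECE = 3  # assumption: ignore name pieces shorter than this (initials)


def _is_cyclic_shift(candidate, base):
    """True if candidate is a rotation of base (including base itself)."""
    return bool(base) and len(candidate) == len(base) and candidate in base + base


def check_password(password, username, real_name):
    """Return the list of violated rules; an empty list means rules 1-5 pass."""
    problems = []

    if len(password) < MIN_LENGTH:
        problems.append("rule 1: shorter than 8 characters")

    letters = sum(c.isalpha() for c in password)
    if letters < 2 or len(password) - letters < 1:
        problems.append("rule 2: needs at least two letters and one non-letter")

    categories = [
        any(c.isupper() for c in password),      # uppercase letters
        any(c.islower() for c in password),      # lowercase letters
        any(c.isdigit() for c in password),      # numbers
        any(not c.isalnum() for c in password),  # special characters
    ]
    if sum(categories) < 3:
        problems.append("rule 3: fewer than three of the four character categories")

    pw, user = password.lower(), username.lower()
    if _is_cyclic_shift(pw, user) or _is_cyclic_shift(pw, user[::-1]):
        problems.append("rule 4: username, reversed username, or a cyclic shift")

    for piece in real_name.lower().split():
        if len(piece) >= MIN_NAME_PIECE and piece in pw:
            problems.append("rule 5: contains a piece of the account's real name")
            break

    return problems


def is_expired(last_changed, today):
    """Rule 6: the password must have been changed within the last 90 days."""
    return today - last_changed > MAX_AGE


if __name__ == "__main__":
    # The two rejected passwords come from the policy's own example for user johnj.
    for candidate in ("john!123", "45JOnes#", "Tr1cky-Horse"):
        print(candidate, check_password(candidate, "johnj", "John Jones"))
```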

Upon termination of a research project and/or employment, the CSP staff member and
his/her supervisor have the responsibility of notifying the CSPCC Data Security
Administrator so that access to PHI can be disabled. CSP requires that the CSP staff
member’s supervisor ensures that this notification has occurred. Upon termination of
employment of any CSP staff member, responsibilities for the PHI this person was
working on will be transferred as directed by the individual’s supervisor or the Center
Director.


For any study which uses PHI, a project directory and a group of approved users will be
created for that project. The file protections for the project directory (and all sub-
directories) will be set to limit access to the study group. File-level creation, ownership,
permission, and security are the responsibility of each member of the research staff.
System-level permissions such as usernames, passwords, groups, project directories, and
all other system access rights will be managed by the CSPCC Data Security
Administrator or designee.




VIII. Remote Access to the VA Network
CSP personnel may need remote access to the VA network. CSP requires that access be
made only through One-VA VPN, which is provided by the VA. Access through One-VA
VPN carries the same responsibilities to protect sensitive or protected data as access on-site.
In order to meet VA security requirements, computers used to connect to the One-VA
VPN must meet security standards set by VA Directive 6504 and have approved anti-
virus and “personal firewall” software installed and updated prior to using remote
connectivity.

VA Directive 6504 requires vigilance to avoid inadvertent disclosure of PHI. CSP
personnel must always be aware of where they are, who is around them, and what risks
are present. CSP personnel must be aware that if VA work is performed on a computer in
a public area (e.g., hotel, airport), precautions must be taken to ensure that no sensitive
information on the screen is visible to unauthorized individuals. CSP personnel
must position themselves and the screen so that the information is not visible to the
public (e.g., privacy screen), or access should be restricted to times when visual privacy
can be controlled. CSP personnel must log out of or lock the computer when not in use.

CSP does not permit the use of wireless or handheld devices to process, store, or transmit
PHI. For information about potential risks, please see
http://vaww.vhaco.va.gov/valnet/Documents/Hotlines/Hotline_June_2003_VA_Wireless_and_Handheld_Device_Security_Guideline.doc


IX. Transmission of PHI
Business imperatives may require that PHI be transported at times between secure
servers. Within the VA firewall, files can be moved between secure servers using a FIPS
140-2 certified encrypted transmission protocol such as Secure Shell (SSH). When PHI
is transported outside the VA firewall, to a secure server that does not support SSH, or to
an individual, the data files must be encrypted and password protected using a FIPS 140-
2 certified program as required by VA Directive 6504.

Encryption is required if CSP personnel need to transfer or ship a sensitive document
stored on a CD or other media. If sensitive information is shipped, the password used to
decrypt the copy will not be e-mailed, but rather be provided in person or over the phone.
Any use of removable storage media must meet requirements established by VA
Directive 6601.

E-Mail: VA allows PHI to be sent via MS Outlook or Exchange if the message is
secured utilizing encryption and VA authorized PKI security protocol. For HCPHI, the
CSP does not encourage this practice. If a study protocol and/or operations manual
allows transmission of HCPHI by e-mail, the need must be clearly justified and be
approved by the Center Director and the Director, Clinical Science R&D Service.



Faxing PHI: PHI will be faxed only when information needs to be provided immediately
and no other options exist. Before faxing PHI, the following precautions should be taken:
1) the fax number must be verified as being correct by the sender; 2) the CSP staff
member must ensure that faxes containing PHI are not sent to public areas; 3) a
confidentiality statement must be included as a cover sheet in event of an error; and 4)
PHI will not be faxed unless the CSP staff member can establish with certainty that a
receiver is available to immediately receive the faxed information.

Physical Data: A trackable mail system (e.g., Federal Express) must be used for physical
data transfers (e.g., data forms, CDs, disks, etc.)

Data Transfer/Use Agreements need to be implemented when data is to be disclosed
outside the VA or for purposes not specified in the original study protocol. Refer to
VHA Handbook 1605.1 for additional information.


X. Workstation, Laptop and Removable Storage Device Computer Security
Only VA-owned equipment or equipment configured to meet VA security standards is
permitted to connect to the CSP network, including equipment using remote dial-in and
VPN connections, in accordance with VA Directive 6504. The following procedures will
be followed by all CSP personnel for all on-site workstations, laptop computers and
removable storage devices.

Each networked workstation/laptop will be configured with the local center’s most
current Microsoft Windows operating system to provide workstation/laptop and network
security. Older operating systems are not approved for use since they do not provide
sufficient security protections. Each workstation will have the most current anti-virus
software loaded and active. CSP Centers will have established procedures with local IT
personnel for ensuring that workstation and laptop operating system and software patches
for all research-owned computing systems are installed and tested as needed.

To maintain optimal security and data protections according to VA policy, CSP staff
must log off or activate password protection (lock workstation) at the desktop every time
they leave their workstations, or lock their office doors when they leave if no other
research staff member is present. Workstation locking will be accomplished manually or
through an automatic timer. Each workstation/laptop will have a password protected
screen saver with a time out setting in accordance with local policy. Any workstation
located in a publicly viewable area will have a screen saver time out setting of no more
than one minute. Users must completely log off all systems at the end of the workday.

If the laptop or workstation is used to run programs which access PHI that is stored on a
secure server, the PHI must never be moved to the workstation. The server drive must be
mapped to the workstation to allow the program to be run.




No sensitive data or PHI can be stored on any device other than a secure server, unless it
is encrypted, explicitly authorized and use-specific. This includes PCs, laptops, USB
flash drives, memory sticks, floppy disks, or other external storage devices. Centers will
have written procedures for having these devices reviewed by appropriate IT personnel.

Unless prior authorization is granted by the CSP Center Director, no VA sensitive
information (see VA Directive 6601) can physically be taken off the Center premises. In
those cases where VA sensitive information is required off-site, the data must be
encrypted and password protected using a FIPS 140-2 certified program. Devices storing
VA sensitive information must contain protective features approved by the local senior
Office of Information and Technology official. In addition, Attachment 3 (Authorization
to Transport and Utilize VA Sensitive Information Outside Protected Environments) must
be completed with permissions obtained as per VA Directive 6601 and supplement, USB
Flash Drive User Guide 2.0. Attachment 3 should not be used for long term requests, but
rather for a specific short-term purpose. If remote access to view CSP patient data is
required, it must be done through secured VA virtual private networks (VPN).


XI. Server Security
Server security is essential for the safety of PHI. The following procedures will be
followed by local IT personnel to ensure server operational performance and stability, the
physical protection of network equipment, and the safe and secure storage of PHI in
accordance with NIST 800-53.

CSP Centers will have written processes to have server operating systems evaluated and
software patches installed by appropriate local IT personnel.

All networked servers will be located in a locked server room with essential
environmental controls. Physical access to the server room will be restricted.

Each server will be connected to an uninterruptible power supply (UPS) in case an
electric power failure occurs within the facility. The UPS devices will allow the
computer servers to shut down in a systematic fashion and thereby avoid file corruption,
data loss or damage to the servers. All servers will be configured with redundancy.


XII. Physical and Environmental Security
Physical data with PHI must be stored in a secure location or properly disposed of per
VA policies, e.g., cross-cut shredding of paper documents.

VA Police should provide physical and access control protection to the local facility
buildings. CSP Centers will have written processes developed in conjunction with their
VA Medical Center to have VA Police review the physical security of the center
facilities.


VA equipment such as laptop computers or PCs that are used off-site must be protected
against loss and unauthorized use. The following procedures apply:
       -   An off-site equipment use agreement must be on file for all VA-owned equipment
           issued to staff for portable or home-based use.
       -   When not on-site, VA laptops or other portable devices are not to be left in view
           of windows or in unlocked homes, hotel rooms or other facilities when not in use.
       -   Laptops and other portable devices must be stored in closets, locked cabinets or
           out-of-view areas when not in use. The same protections will be used when at
           home or traveling.
       -   Laptops, other portable devices or media are to be locked in the trunk of the
           vehicle during transit. Devices are not to be left on a car seat or inside passenger
           compartments unless someone remains in the vehicle. The vehicle and trunk are
           to be locked whenever unattended.




In the event that VA equipment is lost or stolen, the following procedures apply:
       -   A police report must be filed immediately (within 24 hours). The loss or theft
           must also be reported to the CSP Center Director, CSPCC Data Security
           Administrator and employee’s supervisor.
       -   If human subject identifiable data (PHI) is stored on the device, notify the local
           ISO, Study Chairman, local IRB, sponsors (if applicable), and Clinical Science
           R&D Service Director.


XIII. Standard Backups
All CSP research data will be backed up according to the CSP Centers’ local data
security plan. A full server backup of all data and the operating system will be made at
least once a month for off-site storage.

Routine network backups will be retained for specified timeframes within local center
policies and maintained in the offsite storage facility for routine and disaster recovery
purposes. Once the backup media has exceeded the timeframe within the local policy,
backup media are recycled back into the backup routine. Onsite backup media will be
maintained in a fireproof locked safe. Only authorized local IT personnel and the CSP
Center Director will have access to the network backup tapes.


XIV. Local Data Security Plan
Each employee will follow their local CSP Center’s data security plan. This plan will, at
a minimum, address the following:

       -   Where will the data be stored?
       -   Will it be networked?
       -   Will it be protected by a firewall?
       -   How will physical access to the data storage system be restricted?
       -   Who will have access to the data storage system?
       -   How will the data be logically secured? Who will have authority to access the
           data?
       -   Will the data be physically (CDs, DVDs) or electronically (via e-mail or FTP)
           transferred? If so, how will it be protected?
       -   How will electronic media (CDs, DVDs) or printed output with individual
           level data be secured?
       -   What security measures will be taken to protect PHI on removable media?
       -   How will data be backed up?
       -   How will server operating systems be evaluated and software patches
           installed?
       -   What are the contingency plans for disaster recovery?
       -   How will the physical and electronic data be stored or destroyed at the end of
           a project?




                         AUSTIN AUTOMATION CENTER
I. Austin Automation Center (AAC) Data
Data received from the Austin Automation Center (AAC) is stored on a server located in
a secure room with controlled access. This server is connected to the VA network behind
the VA firewalls and requires a unique user ID and password combination for access.
AAC users will follow all policies as set forth in http://vaww.aac.va.gov/.

AAC datasets are NEVER to be copied, partially or in their entirety, to non-secure
locations. Access is limited to users who are authorized to access AAC data.
Extracts from AAC datasets also require the same high level of restricted access as the
original dataset. They will be stored in directories that are group protected, and only
users approved to access these extracts will be members of that group. When not in use
for a current research project, any printed AAC data that could be used to identify an
individual will be secured in locked cabinets or will be destroyed by shredding.

The AAC data will not include the actual SSN, although it may contain the VA’s
scrambled SSN. The crosswalk file linking the scrambled and true SSNs will remain at
the Austin Automation Center and copies of this file cannot be downloaded to the local
servers. When a research project requires the use of this crosswalk file, only records
pertaining to the study may be downloaded, and the resulting file must be protected as
HCPHI per the policies in this document. Files must not contain both the true and
scrambled SSNs unless absolutely necessary for a project. Use of a study number can
usually eliminate this need.

II. Austin Automation Center Data Request Policies
Only CSP personnel with research projects having current Institutional Review Board
(IRB) and local Research and Development Committee (R&D) approvals may request
Austin data access. Reviews preparatory to research are exempt from IRB approval that
is normally done when planning a CSP study.

Requests to establish new accounts, close accounts, or modify privileges in existing
accounts for the local copies of SAS datasets from the Austin Automation Center (AAC)
will be directed to the CSPCC Data Security Administrator.

The Automated Customer Registration System (ACRS) Time Sharing Request Form (VA
Form 9957) is required to be filled out for Austin data access. Only the access that is
appropriate for the job as described in the HIPAA Minimum Necessary Policy will be
granted (VHA Directive 6210). All requests must be approved by the Center Director.
For access to real social security numbers and/or names, a special form is also required
and must be signed by the Center Director and the Medical Center Director. These forms
are then sent to VA CSP Central Office.




The CSPCC Data Security Administrator will document, track, and process the
paperwork and work closely with the local Information Security Officer to expedite these
requests.

If Austin Automation Center accounts are not accessed at least once every 60 days, they
expire.




                                    REFERENCES
http://aspe.hhs.gov/admnsimp/pl104191.htm. Title II, Subtitle F of the Health Insurance
Portability and Accountability Act. Public Law 104 – 191.

http://privacyruleandresearch.nih.gov/clin_research.asp Clinical Research and the
HIPAA Privacy Rule, U.S. Department of Health and Human Services, National
Institutes of Health.

http://www1.va.gov/VHAPUBLICATIONS/ViewPublication.asp?pub_ID=54.
Automated Information Systems (AIS) Security, VHA Directive 6210, Department of
Veterans Affairs.

http://www.va.gov/pubs/directives/Information-Resources-Management-
(IRM)/6504dir06.htm Restrictions on Transmissions, Transportation, and Use of, and
Access to, VA Data Outside VA Facilities, VA Directive 6504, Department of Veterans
Affairs.

http://www1.va.gov/vhapublications/ViewPublication.asp?pub_ID=418. VHA Handbook 1200.5
Requirements for the Protection of Human Subjects in Research.



http://www1.va.gov/vhapublications/ViewPublication.asp?pub_ID=1423 VHA Handbook 1605.1 Privacy
and Release of Information.



http://www1.va.gov/vhapublications/ViewPublication.asp?pub_ID=412 VHA Handbook
1605.2 Minimum Necessary Standard for Protected Health Information

http://www.va.gov/resdev/fr/hipaa.cfm . The Veterans Health Administration is
committed to conducting research in compliance with all applicable laws and regulations.
To ensure this, the Office of Research and Development is publishing this guidance
document to assist the VHA research community in implementing the requirements of the
HIPAA Privacy Rule (“Privacy Rule”).

http://vaww.va.gov/proj/vapki/documents/VAPKI_Directive_6213.jpg . The VA public
key infrastructure (PKI) Directive 6213.

http://vaww.vhaco.va.gov/valnet/Documents/Hotlines/Hotline_June_2003_VA_Wireless
_and_Handheld_Device_Security_Guideline.doc . The VA Wireless and Handheld
Device Security Guideline.

http://www.va.gov/pubs/directives/General-Management/0730d.pdf Security and Law
Enforcement, VA Directive 0730, Department of Veterans Affairs.

http://www1.va.gov/resdev/resources/policies/cybersecurity.cfm. VA R&D Website
containing information on “Protecting VA Research Information.”

FIPS 199. http://csrc.nist.gov/publications/fips/fips199/FIPS-PUB-199-final.pdf
Standards for Security Categorization of Federal Information and Information Systems

FIPS 140-2: http://csrc.nist.gov/cryptval/140-2.htm Security Requirements for
Cryptographic Modules

FIPS 197: http://csrc.nist.gov/publications/fips/fips197/fips-197.pdf Advanced Encryption Standard
(AES)



http://www.fda.gov/ora/compliance_ref/part11/. Title 21—Food and Drugs; Chapter I—Food and Drug
Administration, Department of Health and Human Services; Part 11—Electronic Records; Electronic
Signatures



http://csrc.nist.gov/publications/nistpubs/index.html. National Institute of Standards and Technology
(NIST) 800-53 – Recommended Security Controls for Federal Information Systems can be found on this
webpage



http://csrc.nist.gov/policies/FISMA-final.pdf. Federal Information Security Management Act of 2002



http://www1.va.gov/vapubs/. Website to search for VA Publications/Directives



http://www1.va.gov/vapubs/viewPublication.asp?Pub_ID=341. VA Directive 6600 - Responsibility of
Employees and Others Supporting VA in Protecting Personally Identifiable Information (PII)



http://www1.va.gov/vapubs/viewPublication.asp?Pub_ID=342. VA Directive 6601 – Removable Storage
media and http://www.research.va.gov/resources/policies/docs/USBFD-User-Guidev2-0.doc. This USB
Flash Drive User Guide is a supplement to VA Directive 6601.








                                      APPENDIX A

              Data Security Staff Roles and Contacts


Local ISO
Contact:
Phone:
Role: Local Information Security Officer
Focus: Contact for information security questions related to the local health care system
and for approval of access to Austin datasets. Also the contact for reporting breaches of
information security systems within the VA environment.



Data Security Administrator
Contact:
Phone:
Role: Unix, Data Security, and Network Systems Administration
Focus: Contact for data security and access requests and for Austin access.








                                                                       ATTACHMENT 1

   GENERAL DATA SECURITY COMPLIANCE SIGNATURE PAGE



I have read, understood and will comply with the CSP Data Security Policy. I am
committed to upholding the highest standards for CSP data security and privacy. I also
agree to comply with all VA data security policies.



Signature___________________________________________
Date____________________

Printed
Name________________________________________________________________
Phone#________________________


Supervisor Name_____________________________________
Date____________________
Phone#_______________________



Center
Director_______________________________________Date____________________
Phone#_______________________








                                                                       ATTACHMENT 2



       AUSTIN DATA SECURITY COMPLIANCE SIGNATURE PAGE

I have read, understood and will comply with the Austin Data Security Policy.



Signature___________________________________________
Date____________________

Printed
Name________________________________________________________________
Phone#________________________


Data Security
Administrator_____________________________Date___________________
Phone#_______________________


Center Director______________________________________
Date___________________
Phone#_______________________








                    ATTACHMENT 3
        Department of
        Veterans Affairs
                                                                                Memorandum


Date:   <date signed>



From:   <Requestor’s Title>



Subj:   Authorization to Transport and Utilize VA Sensitive Information Outside Protected Environments



  To:   Field Information Security Officer



Thru:   <Requestor’s Service/Department Chief>




             1.     In order to accomplish my duties, I require the capability to store, transport and utilize VA sensitive information
                    outside protected environments, as defined by VA Directive 6504. VA information refers to all information,
                    either electronic or paper-based. My personal information follows:
                    <Requestor’s Full Name>

                    <Title>

                  <Home Address>

                    <City, State, Zip>

                    <Home Phone number>



             2.     Justification for the removal of VA sensitive information outside of protected environments (include where and
                    how information will be used, study # and name, and include method of storage media):




             3.     The sensitive information, as defined in VA Directive 6504, I intend to store, transport and utilize includes
                    (check all that apply):







                  Individually identifiable medical, benefits or personnel information

                  Information that can be withheld under the Freedom of Information Act

                  Financial information

                  Research information

                  Investigatory information

                  Commercial information

                  Quality assurance information

                  Law enforcement information

                  Information that is confidential or privileged in litigation

                  Information that could adversely affect the national interest or conduct of federal programs



   4.   The timeframe I will store, transport and utilize VA sensitive information outside protected environments is:


                  30 days

                  180 days

                  One Year



   5.   I acknowledge that the above statements are accurate and are in compliance with VA Directives 6601 and
        6504, Removable Storage Media and Restrictions on Transmission, Transportation and Use of, and Access to,
        VA information outside protected environments.


   6.   I acknowledge this document requires renewal upon expiration of the approval timeframe requested above.




   <requestor signature>







                                       Required Concurrence and Approval




       Approved / Disapproved




       ____________________________         _____________

       <first name last name>                        Date

       Director or Designee




       Concur / Do Not Concur




       ____________________________         _____________

       <first name last name>                        Date

       Information Security Officer




       Concur / Do Not Concur




       ____________________________         _____________

       <first name last name>                        Date







       Facility Chief Information Officer



