Relevant Sections

21 CFR 11 relates explicitly to identity management technology, including in the following parts:

Section 11.10 Controls for closed systems

Closed systems are required to employ procedures and controls designed to ensure the authenticity, integrity, and, when appropriate, the confidentiality of electronic records, and to ensure that the signer cannot readily repudiate the signed record as not genuine.

IAM Impact

These controls must include measures to properly grant, authorize and revoke access to users of closed systems. Strong authentication of those users is also essential to meet this requirement.

Specific requirements in this section include:

  • (d) Limiting system access to authorized individuals.

    IAM Impact

    Business processes to determine appropriate systems access must be tied to technology that controls that access.

  • (e) ... time-stamped audit trails ...

    IAM Impact

    Changes to system access -- e.g., creating new users, changing user privileges, or terminating access -- must be logged and time-stamped.

  • (g) ... authority checks to ensure that only authorized individuals can use the system ...

    IAM Impact

    Users must sign into closed systems, and the system must verify that the users are authorized to do so.

  • (i) ... persons who develop, maintain, or use electronic record/electronic signature systems have the education, training and experience ....

    IAM Impact

    Software and hardware vendors must have suitable education and experience before they can provide closed systems.

Section 11.50 Signature manifestations

Electronic signatures are required to contain, or relate to:

  • The printed name of the signer.
  • The date and time ....
  • The meaning ... [of] the signature.

IAM Impact

Electronic signatures must contain a unique login ID and a time/date of signature. The context of the signature -- such as requesting or authorizing access to a closed system -- must be clear.
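As an added example (not from the original page), here is a minimal access-change audit trail in Python that carries the 11.50 signature fields (printed name, unique login ID, date/time, meaning of the signature) and chains records with an HMAC, so that an altered, removed or reordered entry is detectable, which is the integrity and time-stamped audit trail point of 11.10. The key, account names and timestamps are constructed for the example.

```python
import hashlib
import hmac
import json

# Constructed key for the example; a production system would keep it in an HSM or KMS
# so that whoever can write records cannot also forge the chain.
AUDIT_KEY = b"constructed-example-key"
GENESIS = "0" * 64  # previous-MAC value for the first record in a trail


def _mac(body: dict) -> str:
    """HMAC-SHA256 over a canonical JSON encoding of the record body."""
    payload = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(AUDIT_KEY, payload, hashlib.sha256).hexdigest()


def make_record(prev_mac, signer_id, signer_name, meaning, target, timestamp):
    """Build one access-change record.

    signer_id / signer_name: unique login ID and printed name of the signer (11.50).
    meaning: what the signature asserts, e.g. "grant privilege" (11.50).
    target: the account or privilege affected; timestamp: ISO 8601 UTC (11.10(e)).
    """
    body = {
        "prev": prev_mac,
        "signer_id": signer_id,
        "signer_name": signer_name,
        "meaning": meaning,
        "target": target,
        "timestamp": timestamp,
    }
    return {**body, "mac": _mac(body)}


def verify_trail(records):
    """Return (True, count) if the trail is intact, else (False, index_of_first_bad_record)."""
    prev = GENESIS
    for i, rec in enumerate(records):
        body = {k: v for k, v in rec.items() if k != "mac"}
        # A missing or reordered record breaks the prev link; an edited field breaks the MAC.
        if body.get("prev") != prev or not hmac.compare_digest(_mac(body), rec.get("mac", "")):
            return False, i
        prev = rec["mac"]
    return True, len(records)


def example_trail():
    """Constructed sample: creation, privilege change, and termination of one account."""
    r1 = make_record(GENESIS, "jsmith", "Jane Smith", "create user", "user:bjones", "2024-03-01T09:00:00Z")
    r2 = make_record(r1["mac"], "jsmith", "Jane Smith", "grant privilege", "user:bjones/role:qa-approver", "2024-03-02T14:30:00Z")
    r3 = make_record(r2["mac"], "rlee", "Robert Lee", "terminate access", "user:bjones", "2024-06-15T17:45:00Z")
    return [r1, r2, r3]
```

Verifying the trail on a schedule, with a key the record writers cannot read, is what turns the log into evidence rather than just a list of events.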

Section 11.100 Electronic Signatures -- General requirements

Requirements for an electronic signature system include:

(b) Before an organization establishes, assigns, certifies, or otherwise sanctions an individual's electronic signature, or any element of such electronic signature, the organization shall verify the identity of the individual.

IAM Impact

This means that the process of enrolling users in a closed system must be no less secure than the system's internal processes. Enrollment must be grounded in sound identification of users, and a clear connection of pre-enrollment identity to system identity.

Section 11.200 Electronic signature components and controls

Requirements for electronic signatures that are not biometric include that they:

  • (a) (1) Employ at least two distinct identification components such as an identification code and password.

    IAM Impact

    This confirms that a login ID / password pair is a suitable user identification technology.

  • (a) (2) Be used only by their genuine owners.

    IAM Impact

    Shared login IDs and passwords are forbidden.

  • (a) (3) Be administered and executed to ensure that attempted use of an individual's electronic signature by anyone other than its genuine owner requires collaboration of two or more individuals.

    IAM Impact

    Any sharing of login credentials is forbidden.

Section 11.300 Controls for identification codes/passwords

Specific requirements for system login IDs and passwords include:

  • (a) ... uniqueness ... of ID/password pairs.

    IAM Impact

    Login IDs must be uniquely assigned to users.

  • (b) IDs and passwords are ... periodically checked, recalled, or revised ... -- meaning password aging and periodic review of the suitability of existing login IDs.

    IAM Impact

    Password quality must be verified when new passwords are issued, and when users change their passwords. Users must periodically change their passwords.

  • (c) ... electronically deauthorize lost, stolen, missing, or otherwise potentially compromised tokens, cards, and other devices ... .

    IAM Impact

    Reasonable procedures must be in place to respond to suspected or reported ID compromises.

  • (d) ... transaction safeguards ... detect and report ... attempts at their unauthorized use ....

    IAM Impact

    Intrusion detection, lockout and alarms must be in place.

  • (e) ... Initial and periodic testing ... password information ....

    IAM Impact

    Strong password quality controls must be applied both initially and over time.

Impact of 21 CFR 11 on Identity Management

The impact of 21 CFR 11 on identity management systems and processes can be summarized in the following requirements:

  • User identification

    • Users must sign into closed systems, and closed systems must verify that the users are authorized to do so. Login IDs and passwords are one of the suitable authentication technologies.

    • Login IDs must be unique, and must unambiguously identify a user.

  • User enrollment and administration

    • There must be strong, integrated business and technical processes to grant, authorize and revoke access to users of closed systems. These controls must include time-stamped audit logs.

    • The process of enrolling users in a closed system must be no less secure than the system's internal processes. Enrollment must be grounded in sound identification of users, and a clear connection of pre-enrollment identity to system identity.

  • Authentication

    • User authentication to closed systems, and to secured parts of open systems, must be reliable.

    • Sharing of login credentials is forbidden.

    • Password quality must be verified when new passwords are issued, and when users change their passwords. Users must periodically change their passwords.

    • Strong password quality controls must be applied both initially and over time.

  • Incident response

    • Reasonable procedures must be in place to respond to suspected or reported ID compromises.

    • Intrusion detection, lockout and alarms must be in place.

  • Vendor qualification

    • Software and hardware vendors must have suitable education and experience before they can provide closed systems.
