PDF

swipe to navigate

These requirements can be translated into a set of required technical features from a user provisioning system and a password management system:

Requirement IAM Feature
User identification  
Users must sign into closed systems, and closed systems must verify that the users are authorized to do so. Login IDs and passwords are one of the suitable authentication technologies.

The IdM system must integrate with systems that have login IDs and authenticators, including passwords.

Login IDs must be unique, and must unambiguously identify a user.

The identity management system must be able to assign globally unique login IDs to new users.

User enrollment and administration  
There must be strong, integrated business and technical processes to grant, authorize and revoke access to users of closed systems. These controls must include time-stamped audit logs.

User administration must be either directly linked to an existing authoritative system, such as a human resources (HR) system, and automatically provision users. Alternately, a workflow system must accept requests from, and ensure that it receives appropriate authorizations from, business users.

The process of enrolling users in a closed system must be no less secure than the systems' internal processes. Enrollment must be grounded in sound identification of users, and clear connection of pre-enrollment identity to system identity.

Activation of new users must be secure.

Authentication  
User authentication to closed systems, and to secured parts of open systems, must be reliable.

Strong passwords, tokens and biometrics may be used both by the IdM system and by managed systems.

Sharing of login credentials is forbidden.

Credentials must be managed easily enough to eliminate any desire by users to share them.

Password quality must be verified when new passwords are issued, and when users change their passwords. Users must periodically change their passwords.

New passwords must be subject to a strength policy, as must changed passwords. Password aging must be enforced.

Strong password quality controls must be applied both initially and over time.

New passwords must be subject to a strength policy, as must changed passwords. Password aging must be enforced.

Incident response  
Reasonable procedures must be in place to respond to suspected or reported ID compromises.

It must be easy to quickly identify every system account that belongs to a given user, and disable them all.

Intrusion detection, lockout and alarms must be in place.

Failed authentication attempts should trigger an intruder lockout and an alarm.

Vendor qualification  
Software and hardware vendors must have suitable education and experience before they can provide closed systems.

Vendors must be audited for business processes that support 21 CFR 11 compliance.

PDF

Comment via LinkedIn