Educause Security Discussion mailing list archives

Re: E-Signatures


From: Sarah Stevens <sarah () STEVENS-TECHNOLOGIES COM>
Date: Thu, 10 Jan 2008 22:06:36 -0800

As a company, we do a lot of 21 CFR Part 11 compliance.  21 CFR Part 11 requires organizations that submit electronic 
signatures to the FDA to meet certain requirements.  Pharmaceutical research entities (or any other entity) are subject 
to the regulation only when electronic signatures are submitted to the FDA.  Many labs and research institutions are 
now asking software vendors to ensure that appropriate controls are available within COTS software solutions to allow 
for 21 CFR Part 11 compliance.  What is very interesting about this regulation is that most of the requirements of the 
regulation are in regards to information security controls protecting the systems that store and transmit electronic 
signatures, rather than the "E-Signature" itself, thus research labs must ultimately protect their information system 
environments.  (Sound familiar with other high profile legislation?)
 
I won't get on my infamous soapbox about managing all regulations in respect to a properly instituted risk management 
plan, but that is how we approach compliance.  Many of our customers who must be 21 CFR Part 11 compliant have already 
been through FISMA, HIPAA, FERPA, SOX, or other such documentation exercises.  Thus, when we start to review how to 
handle compliance with yet another regulation, we take a risk-based approach.  We assess which information security 
controls are already in place on the systems storing the Electronic Signatures.  From this assessment, we recommend 
further controls, or refer to the previous regulation documentation to prove compliance.  Incidentally, NIST 800 series 
is a TERRIFIC place to start for 21 CFR Part 11 compliance.  We actually took the time to take each of the major 
components of 21 CFR Part 11 compliance and map it to the appropriate NIST 800-53 control to show compliance for 
organizations that already had C&A packages assembled for the systems processing E-Signatures.  This was a really neat 
exercise and an eye opener for some because labs have not been submitting information electronically in order to avoid 
this regulation.  Now, as more and more labs are becoming compliant with more high profile legislation, they are 
extending their compliance to systems housing electronic signatures for submittal to the FDA.
 
Anyway, very interesting topic and a lot of fun to look at!
 
Sarah Stevens
President
Stevens Technologies, Inc.

________________________________

From: Faith Mcgrath [mailto:faith.mcgrath () YALE EDU]
Sent: Thu 1/10/2008 2:09 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] E-Signatures



I am also interested in what people are using for electronic signatures
if they need to certify that they are in compliance with FDA Electronic
Records; Electronic Signatures regs -- 21 CFR Part 11
(http://www.fda.gov/ora/compliance_ref/part11/). I am just beginning to do
some background reading on the requirements, but we are beginning to see
this requirement related to pharmaceutical research protocols. Thanks. -fm

Harrold Ahole wrote:

Is anyone doing any work with e-signatures within their applications? 
I'm not talking about crypto-based digital signatures.  Rather, we
need something that is the equivalent of someone signing a piece of
paper to attest that the contents are correct.  Some applications
we've seen just have something like "type your name in this field to
sign this form".  A campus customer is looking for something more
comprehensive than that.  What are other people doing short of
implementing PKI or using login credentials as a signature?

Well, the first thing to decide is what you want to accomplish.  The US
Esign law allows "type your name" as a form of electronic signature
simply because it's very natural to show consent (willful action).
The first consideration is how do you authenticate the user at the time
they take this action?  Depending on the application, it could be very
little, such as if they are requesting the purchase of a transcript, in
which authentication may not be too high provided they also pay by
credit card.  If the user is logged into a campus application, you can
certainly use that as a credential for authentication.

The next consideration is to create a reliable electronic record, one
that can be shared with all parties involved.  This is typically done
with digital signatures, but of course other methods are likely
acceptable if they can be shown to reflect the agreed upon document and
are stored in a manner suitable to show non-modifiable archived storage
(such as when paper docs are scanned to microfilm, it's generally
assumed that the microfilm version is accurate as it's hard to tamper
with).

Harry



--
Faith McGrath, Associate Director
Yale University ITS - Information Security
faith.mcgrath () yale edu
voice: 203.737.4087 telefax: 203.737.2859
security () yale edu || security.yale.edu

Please be aware that email communication can be intercepted in
transmission or misdirected. Please consider communicating any sensitive
information by telephone, fax or mail. The information contained in this
message may be privileged and confidential. If you are NOT the intended
recipient, please notify the sender immediately and destroy this
message. If you wish to confirm the content of this message and/or the
identity of the sender please contact me at the phone number given above.
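Harry's reply above sets out two requirements for a "type your name to sign" scheme: authenticate the user at the moment they take the action, and keep a record that can later be shown to reflect exactly what was agreed and that has not been altered since. The following is an added example written for this archive page, not code from any of the posters or from any product they describe. It assumes a records server holding a secret key (SERVER_KEY, a constructed placeholder) and uses an HMAC over a hash-chained record as one tamper-evidence method standing in for the digital signatures Harry mentions; the signer identifiers, consent wording and documents are constructed sample data.

```python
"""
Tamper-evident record for a click-to-sign electronic signature.
Added example for this mailing-list page; not code from any poster.
"""
import hashlib
import hmac
import json

# Constructed placeholder. In deployment the key lives in a key store on the
# records server and never reaches the web tier; whoever does not hold it
# cannot forge or silently rewrite a sealed record.
SERVER_KEY = b"example-records-server-key-do-not-use"

GENESIS = "genesis"  # prev_mac value of the first record in a chain


def canonical(obj) -> bytes:
    """Deterministic JSON encoding so the same record always hashes the same way."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def make_signature_record(document: bytes, signer_id: str, auth_method: str,
                          typed_name: str, intent: str, prev_record_mac: str,
                          signed_at: float) -> dict:
    """
    Build one e-signature record binding together:
      - what was signed     (SHA-256 of the exact document bytes)
      - who signed          (authenticated identity and how it was authenticated)
      - the willful action  (the name the user typed and the consent wording shown)
      - when                (server-supplied timestamp, never client-supplied)
      - the previous record (hash chain, so deleted or reordered records are detectable)
    The whole body is then sealed with an HMAC under the server key.
    """
    body = {
        "doc_sha256": hashlib.sha256(document).hexdigest(),
        "signer_id": signer_id,
        "auth_method": auth_method,
        "typed_name": typed_name,
        "intent": intent,
        "signed_at": signed_at,
        "prev_mac": prev_record_mac,
    }
    mac = hmac.new(SERVER_KEY, canonical(body), hashlib.sha256).hexdigest()
    return {"body": body, "mac": mac}


def verify_record(record: dict, document: bytes, prev_record_mac: str) -> bool:
    """True only if the seal, the document hash and the chain link all check out."""
    body = record["body"]
    expected = hmac.new(SERVER_KEY, canonical(body), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, record["mac"]):
        return False  # record body was edited after sealing
    if body["doc_sha256"] != hashlib.sha256(document).hexdigest():
        return False  # archived document no longer matches what was signed
    return body["prev_mac"] == prev_record_mac  # chain intact


def verify_chain(records, documents) -> bool:
    """Walk an archive in order, checking each record against its predecessor."""
    prev = GENESIS
    for rec, doc in zip(records, documents):
        if not verify_record(rec, doc, prev):
            return False
        prev = rec["mac"]
    return True


def demo() -> dict:
    """Sign two constructed documents, then show which tampering the archive detects."""
    doc1 = b"Protocol 17 consent form, revision 3"
    doc2 = b"Protocol 17 amendment A"
    consent = "I attest that the contents of this form are correct."
    r1 = make_signature_record(doc1, "jdoe", "campus-sso", "Jane Doe",
                               consent, GENESIS, 1200000000.0)
    r2 = make_signature_record(doc2, "jdoe", "campus-sso", "Jane Doe",
                               consent, r1["mac"], 1200000100.0)
    # A record whose typed name was changed after sealing; the MAC no longer matches.
    edited_r2 = {"body": dict(r2["body"], typed_name="John Doe"), "mac": r2["mac"]}
    return {
        "intact": verify_chain([r1, r2], [doc1, doc2]),
        "doc_edited": verify_chain([r1, r2], [doc1 + b" (edited)", doc2]),
        "record_edited": verify_chain([r1, edited_r2], [doc1, doc2]),
        "record_dropped": verify_chain([r2], [doc2]),
    }


if __name__ == "__main__":
    print(demo())
```

The HMAC makes the record unforgeable only to parties who do not hold SERVER_KEY; if the archive must also be provable to an outside party such as a regulator, replace the HMAC with a public-key signature (the digital-signature route Harry describes) or anchor the chain head in an independently held log. The chain link is what turns "a record exists" into "no record was removed or reordered", which is the property microfilm provides for paper.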


