Re: E-Signatures

[Ozzie Paez <ozpaez () SPRYNET COM>]

Sara,
This is very interesting and timely, given the challenging and too often
frustrating environment out there.  One thing for all to remember is that
compliance does not equal security, something often lost on companies after
they spend a great deal of money on regulation driven security compliance.
Just consider that regulations generally change slowly and incrementally,
while new security threats can quickly manifest themselves, evolve and
change their threat profile based on organizational and technology changes.
I have been involved in more than one case where compliance was assumed to
take care of the underlying need, i.e. quality, security, privacy, etc.,
only to have a major threat event compromise an aspect of a regulated
process and ultimately bring the wrath of the regulators.  My experience has
been that those who manage most organizations have such different
backgrounds from us who deal with threats, that they are often at a
disadvantage trying to appreciate these nuances.  But then again, the people
component is always the most challenging link in the chain.

Warm regards,

Ozzie Paez
SSE/CISSP
SDS
303-332-5363

-----Original Message-----
From: Sarah Stevens [mailto:sarah () STEVENS-TECHNOLOGIES COM]
Sent: Thursday, January 10, 2008 11:07 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] E-Signatures


As a company, we do a lot of 21 CFR Part 11 compliance.  21 CFR Part 11
requires organizations that submit electronic signatures to the FDA to meet
certain requirements.  Pharmaceutical research entities (or any other
entity) are subject to the regulation only when electronic signatures are
submitted to the FDA.  Many labs and research institutions are now asking
software vendors to ensure that appropriate controls are available within
COTS software solutions to allow for 21 CFR Part 11 compliance.  What is
very interesting about this regulation is that most of the requirements of
the regulation are in regards to information security controls protecting
the systems that store and transmit electronic signatures, rather than the
"E-Signature" itself, thus research labs must ultimately protect their
information system environments.  (Sound familiar with other high profile
legislation?)

I won't get on my infamous soapbox about managing all regulations in respect
to a properly instituted risk management plan, but that is how we approach
compliance.  Many of our customers whom must be 21 CFR Part 11 compliant
have already been through FISMA, HIPAA, FERPA, SOX, or other such
documentation exercises.  Thus, when we start to review how to handle
compliance with yet another regulation, we take a risk-based approach.  We
assess which information security controls are already in place on the
systems storing the Electronic Signatures.  From this assessment, we
recommend further controls, or refer to the previous regulation
documentation to prove compliance.  Incidentally, NIST 800 series is a
TERRIFIC place to start for 21 CFR Part 11 compliance.  We actually took the
time to take each of the major components of 21 CFR Part 11 compliance and
map it to the appropriate NIST 800-53 control to show compliance for
organizations that already had C&A packages assembled for the systems
processing E-Signatures.  This was a really neat exercise and an eye opener
for some because labs have not been submitting information electronically in
order to avoid this regulation.  Now, as more and more labs are becoming
compliant with more high profile legislation, they are extending their
compliance to systems housing electronic signatures for submittal to the
FDA.

Anyway, very interesting topic and a lot of fun to look at!

Sarah Stevens
President
Stevens Technologies, Inc.

  _____

From: Faith Mcgrath [mailto:faith.mcgrath () YALE EDU]
Sent: Thu 1/10/2008 2:09 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] E-Signatures



I am also interested in what people are using for electronic signatures
if they need to certify that they are in compliance with FDA Electronic
Records; Electronic Signatures regs -- 21 CFR Part 11
( http://www.fda.gov/ora/compliance_ref/part11/
<http://www.fda.gov/ora/compliance_ref/part11/> ). I am just being to do
some background reading on the requirements, but we are beginning to see
this requirement related to pharmaceutical research protocols. Thanks. -fm

Harrold Ahole wrote:
> > Is anyone doing any work with e-signatures within their applications?
> > I'm not talking about crypto-based digital signatures.  Rather, we
> > need something that is the equivalent of someone signing a piece of
> > paper to attest that the contents are correct.  Some applications
> > we've seen just have something like "type your name in this field to
> > sign this form".  A campus customer is looking for something more
> > comprehensive than that.  What are other people doing short of
> > implementing PKI or using login credentials as a signature?
>
> Well, the first thing to decide is what you want to accomplish.  The US
> Esign law allows "type your name" as a form of electronic signature
> simply because it's very natural to show consent (willful action).
> The first consideration is how do you authenticate the user at the time
> they take this action?  Depending on the application, it could be very
> little, such as if they are requesting the purchase of a transcript, in
> which authentication may not be too high provided they also pay by
> credit card.  If the user is logged into a campus application, you can
> certainly use that as a credential for authentication.
>
> The next consideration is to create a reliable electronic record, one
> that can be shared with all parties involved.  This is typically done
> with digital signatures, but of course other methods are likely
> acceptable if they can be shown to reflect the agreed upon document and
> are stored in a manner suitable to show non-modifiable archived storage
> (such as when paper docs are scanned to microfilm, it's generally
> assumed that the microfilm version is accurate as it's hard to tamper
> with).
>
> Harry


--
Faith McGrath, Associate Director
Yale University ITS - Information Security
faith.mcgrath () yale edu
voice: 203.737.4087 telefax: 203.737.2859
security () yale edu || security.yale.edu

Please be aware that email communication can be intercepted in
transmission or misdirected. Please consider communicating any sensitive
information by telephone, fax or mail. The information contained in this
message may be privileged and confidential. If you are NOT the intended
recipient, please notify the sender immediately and destroy this
message. If you wish to confirm the content of this message and/or the
identity of the sender please contact me at the phone number given above.