Hitachi ID IDM Suite supports compliance with 21CFR11

Using The Hitachi ID Management Suite to Comply with 21 CFR 11

1 Introduction

This document gives a brief introduction to Title 21 of the Code of Federal Regulations, Volume 11 (21 CFR11 for short), and describes how it impacts information security in the pharmaceutical industry.

The Hitachi ID Identity Management Suite is then introduced, and its use to comply with the requirementsset forth in 21 CFR 11 is described.

Please note that this document does not constitute legal advice, or a legal interpretation of 21 CFR 11. Thisdocument represents the best understanding of Hitachi ID of the relevance of this legislation to informationsecurity, and to identity management in particular.

2 21 CFR 11

21 CFR 11 is a set of rules governing the use of electronic records and digital signatures in businessprocesses and in documents submitted to the FDA under requirements of the Federal Food, Drug andCosmetic Act and of the Public Health Service Act.

Title 21 of the Code of Federal Regulations governs food and drugs. Parts 1 thru 99 are regulated by theFood and Drug Administration (FDA). Part 11 is titled “ELECTRONIC RECORDS; ELECTRONIC SIGNA-TURES.”

21 CFR 11 sets out appropriate methods to manage electronic records and digital signatures, primarilyby pharmaceutical companies and their suppliers, in such a manner as to make them equivalent to paperrecords and handwritten signatures.

The 21 CFR 11 includes the following parts:

• Subpart A: General Provisions:

– The scope, or applicability, of 21 CFR 11.

– Implementation, indicating when and how electronic records may be submitted to the FDA.

– Definitions of relevant terminology.

• Subpart B: Electronic Records:

– Controls for closed systems, not intended for public access.

– Controls for open systems, accessible by the public.

– Signature manifestations and signature/record linking, defining signed documents.

• Subpart C: Electronic Signatures:

© 2014 Hitachi ID Systems, Inc.. All rights reserved. 1

http://Hitachi.com/


– General requirements, indicating how electronic signatures should be managed.

– Signature components and controls, defining what constitutes a reasonable signature.

– Controls for identification codes/passwords, defining security measures over authentication tech-nology.

The 21 CFR 11 came into effect on August 20, 1997.



3 Relevant Sections

21 CFR 11 relates explicitly to identity management technology, including in the following parts:

3.1 Section 11.10 Controls for closed systems

Closed systems are required to employ procedures and controls designed to ensure the authenticity, in-tegrity, and, when appropriate, the confidentiality of electronic records, and to ensure that the signer cannotreadily repudiate the signed record as not genuine.

Identity Management Impact:

These controls must include measures to properly grant, authorize and revoke access to users of closedsystems. Strong authentication of those users is also essential to meet this requirement.

Specific requirements in this section include:

• (d) Limiting system access to authorized individuals.


Business processes to determine appropriate systems access must be tied to technology that controlsthat access.

• (e) . . . time-stamped audit trails . . .


Changes to access to systems – e.g., creating new users, changing user privileges, or terminatingaccess, must be logged and time-stamped.

• (g) . . . authority checks to ensure that only authorized individuals can use the system . . .


Users must sign into closed systems, and the system must verify that the users are authorized to doso.

• (i) . . . persons who develop, maintain, or use electronic record/electronic signature systems have theeducation, training and experience . . ..


Software and hardware vendors must have suitable education and experience before they can provideclosed systems.



3.2 Section 11.50 Signature manifestations

Electronic signatures are required to contain, or relate to:

• The printed name of the signer.

• The date and time . . ..

• The meaning . . . [of] the signature.


Electronic signatures must contain a unique login ID and a time/date of signature. The context of thesignature – such as requesting or authorizing access to a closed system – must be clear.

3.3 Section 11.100 Electronic Signatures – General requirements

Requirements for an electronic signature system includes:

(b) Before an organization establishes, assigns, certifies, or otherwise sanctions an individual‘s electronicsignature, or any element of such electronic signature, the organization shall verify the identity of the indi-vidual.


This means that the process of enrolling users in a closed system must be no less secure than the systems’internal processes. Enrollment must be grounded in sound identification of users, and clear connection ofpre-enrollment identity to system identity.

3.4 Section 11.200 Electronic signature components and controls

Requirements for electronic signatures that are not biometric include that they:

• (a) (1) Employ at least two distinct identification components such as an identification code and pass-word.


This confirms that a login ID / password pair is a suitable user identification technology.

• (a) (2) Be used only by their genuine owners.


Shared login IDs and passwords are forbidden.



• (a) (3) Be administered and executed to ensure that attempted use of an individual‘s electronic signa-ture by anyone other than its genuine owner requires collaboration of two or more individuals.


Any sharing of login credentials is forbidden.

3.5 Section 11.300 Controls for identification codes/passwords

Specific requirements for system login IDs and passwords include:

• (a) . . . uniqueness . . . of ID/password pairs.


Login IDs must be uniquely assigned to users.

• (b) IDs and passwords are . . . periodically checked, recalled, or revised . . . – meaning passwordaging and periodic review of the suitability of existing login IDs.


Password quality must be verified when new passwords are issued, and when users change theirpasswords. Users must periodically change their passwords.

• (c) . . . electronically deauthorize lost, stolen, missing, or otherwise potentially compromised tokens,cards, and other devices . . . .


Reasonable procedures must be in place to respond to suspected or reported ID compromises.

• (d) . . . transaction safeguards . . . detect and report . . . attempts at their unauthorized use . . ..


Intrusion detection, lockout and alarms must be in place.

• (e) . . . Initial and periodic testing . . . password information . . ..


Strong password quality controls must be applied both initially and over time.



4 Impact of 21 CFR 11 on Identity Management

The impact of 21 CFR 11 on identity management systems and processes can be summarized in thefollowing requirements:

• User identification

– Users must sign into closed systems, and closed systems must verify that the users are autho-rized to do so. Login IDs and passwords are one of the suitable authentication technologies.

– Login IDs must be unique, and must unambiguously identify a user.

• User enrollment and administration

– There must be strong, integrated business and technical processes to grant, authorize and re-voke access to users of closed systems. These controls must include time-stamped audit logs.

– The process of enrolling users in a closed system must be no less secure than the systems’internal processes. Enrollment must be grounded in sound identification of users, and clearconnection of pre-enrollment identity to system identity.

• Authentication

– User authentication to closed systems, and to secured parts of open systems, must be reliable.

– Sharing of login credentials is forbidden.

– Password quality must be verified when new passwords are issued, and when users change theirpasswords. Users must periodically change their passwords.

– Strong password quality controls must be applied both initially and over time.

• Incident response

– Reasonable procedures must be in place to respond to suspected or reported ID compromises.

– Intrusion detection, lockout and alarms must be in place.

• Vendor qualification

– Software and hardware vendors must have suitable education and experience before they canprovide closed systems.


Using The Management Suite to Comply with 21 CFR 11

These requirements can be translated into a set of required technical features from a user provisioningsystem and a password management system:

Requirement Identity Management System Feature

User identification

Users must sign into closed systems, and closedsystems must verify that the users are authorizedto do so. Login IDs and passwords are one of thesuitable authentication technologies.

The IdM system must integrate with systems thathave login IDs and authenticators, includingpasswords.

Login IDs must be unique, and mustunambiguously identify a user.

The identity management system must be able toassign globally unique login IDs to new users.

User enrollment and administration

There must be strong, integrated business andtechnical processes to grant, authorize and revokeaccess to users of closed systems. Thesecontrols must include time-stamped audit logs.

User administration must be either directly linkedto an existing authoritative system, such as ahuman resources (HR) system, andautomatically provision users.

Alternately, a workflow system must acceptrequests from, and ensure that it receivesappropriate authorizations from, business users.

The process of enrolling users in a closed systemmust be no less secure than the systems’ internalprocesses. Enrollment must be grounded insound identification of users, and clear connectionof pre-enrollment identity to system identity.

Activation of new users must be secure.

Authentication

User authentication to closed systems, and tosecured parts of open systems, must be reliable.

Strong passwords, tokens and biometrics may beused both by the IdM system and by managedsystems.

Sharing of login credentials is forbidden. Credentials must be managed easily enough toeliminate any desire by users to share them.

Password quality must be verified when newpasswords are issued, and when users changetheir passwords. Users must periodically changetheir passwords.

New passwords must be subject to a strengthpolicy, as must changed passwords. Passwordaging must be enforced.

Strong password quality controls must be appliedboth initially and over time.

New passwords must be subject to a strengthpolicy, as must changed passwords. Passwordaging must be enforced.

Incident response

Reasonable procedures must be in place torespond to suspected or reported IDcompromises.

It must be easy to quickly identify every systemaccount that belongs to a given user, and disablethem all.



Requirement Identity Management System Feature

Intrusion detection, lockout and alarms must be inplace.

Failed authentication attempts should trigger anintruder lockout and an alarm.

Vendor qualification

Software and hardware vendors must havesuitable education and experience before they canprovide closed systems.

Vendors must be audited for business processesthat support 21 CFR 11 compliance.



5 Hitachi ID Solutions Meeting 21 CFR 11 Requirements

5.1 The Hitachi ID Identity Management Suite

The Hitachi ID Identity Management Suite includes:

• Hitachi ID Password Manager: The Total Password Management Solution

Password Manager is an integrated solution for managing user credentials, across multiple systemsand applications. Organizations depend on Password Manager to simplify the management of thosecredentials for users, to reduce IT support cost and to improve the security of login processes.

Password Manager includes password synchronization, self-service password reset, enterprise singlesign-on, PIN resets for tokens and smart cards, enrollment of security questions and biometrics andemergency recovery of full disk encryption keys.

Password Manager reduces the cost of password management using:

– Password synchronization, which reduces the incidence of password problems for users

– Self-service password reset, which empowers users to resolve their own problems rather thancalling the help desk

– Streamlined help desk password reset, to expedite resolution of password problem calls

Password Manager strengthens security by providing:

– A powerful password policy engine.

– Effective user authentication, especially prior to password resets.

– Password synchronization, to help eliminate written-down passwords.

– Delegated password reset privileges for help desk staff.

– Accountability for all password changes.

– Encryption of all transmitted passwords.

To find out more about Password Manager, visit http://Hitachi-ID.com/Password-Manager.

• Hitachi ID Identity Manager: The User Provisioning and Access Management Solution

Identity Manager is an integrated solution for managing identities and security entitlements acrossmultiple systems and applications. Organizations depend on Identity Manager to ensure that usersget security entitlements quickly, are always assigned entitlements appropriate to their needs and incompliance with policy and are deactivated reliably and completely when they leave the organization.

Identity Manager implements the following business processes to drive changes to users and entitle-ments on systems and applications:

– Automation: grant or revoke access based on data feeds.– Synchronization: keep identity attributes consistent across applications.– Self-service: empower users to update their own profiles.


http://Hitachi-ID.com/Password-Manager


– Delegated administration: allow business stake-holders to request changes directly.– Certification: invite managers and application owners to review and correct entitlements.– Workflow: invite business stake-holders to approve or reject requested changes.

Identity Manager strengthens security by:

– Quickly and reliably removing access to all systems and applications when users leave an orga-nization.

– Finding and helping to clean up orphan and dormant accounts.

– Assigning standardized access rights, using roles and rules, to new and transitioned users.

– Enforcing policy regarding segregation of duties and identifying users who are already in viola-tion.

– Ensuring that changes to user entitlements are always authorized before they are completed.

– Asking business stake-holders to periodically review user entitlements and either certify or re-move them, as appropriate.

– Reducing the number and scope of administrator-level accounts needed to manage user accessto systems and applications.

– Providing readily accessible audit data regarding current and historical security entitlements,including who requested and approved every change.

Identity Manager reduces the cost of managing users and security entitlements:

– Auto-provisioning and auto-deactivation leverage data feeds from HR systems to eliminate rou-tine, manual user setup and tear-down.

– Self-service eliminates IT involvement in simple updates to user names, phone numbers andaddresses.

– Delegated administration moves the responsibility for requesting and approving common changes,such as for new application or folder access, to business users.

– Identity synchronization means that corrections to user information can be made just once, onan authoritative system and are then automatically copied to other applications.

– Built-in reports make it easier to answer audit questions, such as “who had access to this systemon this date?” or “who authorized this user to have this entitlement?”

5.2 Meeting 21 CFR 11 Requirements

As described in Section 4 on Page 6, 21 CFR 11 requires an extensive set of capabilities in systems usedby pharmaceutical companies and related parties.

The following list captures the technical identity management capabilities required to meet 21 CFR 11requirements:



Required IdM Feature SupportingHitachi IDproducts

Details

The IdM system must integrate withsystems that have login IDs andauthenticators, including passwords.

PasswordManager,IdentityManager

The Hitachi ID Identity ManagementSuite has built-in support for over 60types of target systems, plus a set offlexible agents designed to accelerateintegration with custom and verticalmarket applications.

The identity management system mustbe able to assign globally uniquelogin IDs to new users.

IdentityManager

A plugin system and an automaticallyupdated identity cache ensure that allnew login IDs are globally unique.

Automated (de-)provisioning IdentityManager

Automated polling of user profile datafrom authoritative systems such as HRor corporate directories. Rules-basedfiltering and transformation of this datainto automatic updates to targetsystems, and into open security changerequests submitted to an authorizationworkflow.

A security workflow IdentityManager

Self-service administration of users,accounts, attributes, group membershipsand resource access privileges. Userssign in and submit change requests,which are automatically routed,authorized and applied to managedsystems.

Activation of new users must be secure. IdentityManager,PasswordManager

New users are typically activated using asecure (HTTPS-based, authenticated)workflow system. Only the requester,who is typically the new user’s manager,knows the initial password, and usersare normally forced to change theirpassword immediately after their firstlogin.

Registration of biometrics is activelymanaged and secured by PasswordManager.

Strong passwords, tokens andbiometrics may be used both by the IdMsystem and by managed systems.


Both products support userauthentication using strong passwords,tokens, biometrics and PKI certificates.Password Manager also enforcespassword quality on managed systems.



Required IdM Feature SupportingHitachi IDproducts

Details

Credentials must be managed easilyenough to eliminate any desire by usersto share them.


Password synchronization andself-service token management simplifypassword complexity, and reduce theneed for written and shared passwords.

A security workflow and automatedprovisioning make user administrationsimple, so eliminate a barrier to makingsecurity requests for new users.

New passwords must be subject to astrength policy, as must changedpasswords. Password aging must beenforced.

PasswordManager

A built-in password policy engineincludes over 60 types of rules, plus aregular expression engine, a pluginsystem, enterprise-wide password agingand open-ended password history.

It must be easy to quickly identify everysystem account that belongs to a givenuser, and disable them all.


An auto-discovery process to collectlogin ID, group membership and attributedata from managed systems, nightly. Areconciliation process to connect loginIDs across systems to individual users,to support global management ofpasswords, access rights and reporting.

Failed authentication attempts shouldtrigger an intruder lockout and an alarm.


Both products include a system-wideintrusion detection system, with lockoutsand alarms via e-mail, help desk calltracking systems, SMS messages andmore.

Vendors must be audited for businessprocesses that support 21 CFR 11compliance.

Hitachi ID Hitachi ID has been audited for 21 CFR11 compliance by Pfizer, Abbott Labs,GE Medical and others.



6 Summary

As described in this document, 21 CFR 11 introduces formal requirements for companies, such as pharma-ceuticals, that must provide signed electronic documents to the FDA.

The Hitachi ID identity management suite includes robust, secure, scalable and deployable technology toimplement identity management processes that meet these requirements.

www.Hitachi-ID.com

500, 1401 - 1 Street SE, Calgary AB Canada T2G 2J3 Tel: 1.403.233.0740 Fax: 1.403.233.0725 E-Mail: [email protected]

File: /pub/wp/idsynch/documents/21cfr11/mtech-21cfr11-1.texDate: November 22, 2003

http://Hitachi-ID.com/

Hitachi ID IDM Suite supports compliance with 21CFR11

Technology

hitachi id systems

identity management

users of closed systems

hitachi id management

use of electronic records

identity management

appropriate systems

open systems