The pharmaceutical industry's desire to use Internet technologies to speed new products' time to market has led the Food and Drug Administration (FDA) to establish Regulation 21 CFR Part 11. This FDA regulation establishes technical and procedural guidelines for electronic record keeping and electronic signatures, providing the criteria under which the agency accepts electronic records and signatures as the equivalent of paper records and handwritten signatures. It covers design and engineering, clinical trials, and manufacturing of new products.
Those affected by Regulation 21 CFR Part 11 are FDA-regulated companies, including the pharmaceutical, device, biological, and food industries. Even facilities located outside the United States may be subject to the regulation (e.g., foreign hospitals involved in clinical trials, or an offshore drug manufacturing plant). Companies not in compliance with the regulation are subject to one or more of the following: a warning letter, delay in the clinical trial/approval process, or shutdown of a manufacturing facility.
FDA Regulation 21 CFR Part 11 covers both closed and open computer systems. Closed systems are defined as in-house standalone or LAN-based systems without Internet or WAN/extranet access. Open systems are essentially Internet-connected systems, and the requirements for these systems are stricter. The baseline Regulation 21 CFR Part 11 requirements for closed systems are as follows:
System validation
Generate electronic copies of records
Protect records to ensure accuracy
Authentication and access control to systems/data
Secure, time-stamped audit trails
Role- or task-based authorization
Open systems have additional requirements besides the above baseline ones:
Encryption
Digital signature standards:
Name of signer, date/time, meaning of signature (e.g., record creation, review, approval)
Biometrics may be used for digital signatures
Digital signatures must be technologically linked to their electronic record
Session controls: continuous sessions require password only, while non-continuous sessions require user ID as well; workstation logoff after inactivity
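The two requirements that most often trip up home-grown implementations are "secure, time-stamped audit trails" and "signatures technologically linked to their record". The following Python is an added illustration, not code from Symark or from the regulation text: it links a signature manifestation (signer, date/time, meaning) to a record by its content digest, and keeps a hash-chained audit trail so that editing or reordering an earlier entry is detectable. The signer secrets, record content and timestamps are constructed sample values; the keyed HMAC stands in for whatever signature mechanism a deployment actually uses and is only a stand-in for showing the linkage, not a recommendation of a particular algorithm.

```python
import hashlib
import hmac
import json
from datetime import datetime, timezone
from typing import Optional

# Constructed per-signer secrets for the example. A real deployment binds the
# credential to the individual (private key, HSM-backed secret, or similar).
SIGNER_SECRETS = {
    "alice.chen": b"constructed-secret-for-alice",
    "bob.ramos": b"constructed-secret-for-bob",
}

ALLOWED_MEANINGS = {"record creation", "review", "approval"}

GENESIS = "0" * 64  # prev_hash of the first audit entry


def record_digest(record: dict) -> str:
    """Canonical SHA-256 digest of the electronic record content."""
    canonical = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(canonical).hexdigest()


def sign_record(record: dict, signer: str, meaning: str,
                signed_at: Optional[str] = None) -> dict:
    """Produce a signature manifestation that is linked to the record.

    The manifestation carries the three elements the page lists (signer,
    date/time, meaning) plus the record digest; the keyed tag covers all
    four, so changing any of them or the record itself breaks verification.
    """
    if meaning not in ALLOWED_MEANINGS:
        raise ValueError(f"unsupported signature meaning: {meaning}")
    manifestation = {
        "signer": signer,
        "signed_at": signed_at or datetime.now(timezone.utc).isoformat(),
        "meaning": meaning,
        "record_digest": record_digest(record),
    }
    payload = json.dumps(manifestation, sort_keys=True).encode()
    tag = hmac.new(SIGNER_SECRETS[signer], payload, hashlib.sha256).hexdigest()
    return {**manifestation, "tag": tag}


def verify_signature(record: dict, signature: dict) -> bool:
    """True only if the record is unchanged and the manifestation is intact."""
    signer = signature.get("signer")
    if signer not in SIGNER_SECRETS:
        return False
    try:
        manifestation = {k: signature[k]
                         for k in ("signer", "signed_at", "meaning", "record_digest")}
    except KeyError:
        return False
    # Link check: the stored digest must match the record as presented now.
    if manifestation["record_digest"] != record_digest(record):
        return False
    payload = json.dumps(manifestation, sort_keys=True).encode()
    expected = hmac.new(SIGNER_SECRETS[signer], payload, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, signature.get("tag", ""))


def append_audit(trail: list, actor: str, action: str, at: str) -> dict:
    """Append a time-stamped entry chained to the previous entry's hash."""
    prev = trail[-1]["entry_hash"] if trail else GENESIS
    entry = {"seq": len(trail), "at": at, "actor": actor,
             "action": action, "prev_hash": prev}
    body = json.dumps(entry, sort_keys=True).encode()
    entry["entry_hash"] = hashlib.sha256(body).hexdigest()
    trail.append(entry)
    return entry


def audit_intact(trail: list) -> bool:
    """Recompute the chain; any edited, reordered or removed interior entry fails."""
    prev = GENESIS
    for i, entry in enumerate(trail):
        body = {k: v for k, v in entry.items() if k != "entry_hash"}
        if body.get("seq") != i or body.get("prev_hash") != prev:
            return False
        digest = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
        if digest != entry.get("entry_hash"):
            return False
        prev = entry["entry_hash"]
    return True


if __name__ == "__main__":
    batch = {"batch": "LOT-0001", "assay": "98.7%", "result": "pass"}  # constructed
    sig = sign_record(batch, "alice.chen", "approval", "2024-01-15T10:00:00+00:00")
    trail = []
    append_audit(trail, "alice.chen", "approval of LOT-0001", sig["signed_at"])
    print("signature valid:", verify_signature(batch, sig))
    print("audit trail intact:", audit_intact(trail))
```

One caveat a reviewer would raise: the chain alone does not detect truncation of the most recent entries, because nothing after them references their hash. Deployments anchor the latest entry hash somewhere the host cannot silently rewrite (a write-once log target, a periodic externally stored checkpoint, or a signed daily summary).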
UNIX systems, even when combined with subsystems such as NIS or NIS+, offer only the most rudimentary security controls, not enough to meet FDA requirements. The minimal controls UNIX/Linux systems offer put data at risk by providing neither sufficient access control over UNIX/Linux systems and commands nor detailed audit logs to track user activities.
Implementation of consistent security policies across UNIX/Linux systems is costly and cumbersome to manage.
Symark PowerPassword, User Management Edition (UME) and PowerBroker offer UNIX/Linux-based solutions that address the risks of UNIX/Linux systems to help meet FDA requirements for open or closed systems. PowerPassword-UME ensures FDA compliance for UNIX/Linux-based electronic records by providing password, login, and password history/reuse policies, along with detailed auditing to secure the UNIX/Linux hosts that store records, and by enforcing a high level of password strength for organizations that use passwords as digital signatures. PowerBroker allows only authorized individuals to view, copy or modify records, provides a detailed audit trail of user activities, and can help enforce digital signature policies for UNIX/Linux networks.
PowerPassword-UME's and PowerBroker's strength is their ability to centrally manage UNIX/Linux authentication and authorization for an entire network, whether a few machines or a few thousand, while supporting and extending security for existing environments such as local UNIX/Linux system files, NIS, NIS+ and LDAP. They support 13 UNIX/Linux vendors and more than 30 platforms.
In most networks, numerous users and administrators, developers and testers, all with differing levels of need and responsibility, access the critical applications and data hosted by the system. On some large networks, it is common for as many as 20 administrators to have responsibilities in various areas of a single machine. The manual security administration required by UNIX/Linux systems can be labor-intensive and can cause security breaches. PowerPassword-UME and PowerBroker make it easy to automate appropriate access restriction through authentication (identification and admittance of trusted users through login and password management) and authorization (granting of privileges to perform specific tasks and administrative routines).
PowerPassword-UME secures UNIX/Linux networks by ensuring strong user authorization. Its comprehensive password management capability provides granular login access controls for each user ID:
Day, date, time
To specific hosts/servers
From specified locations (IP addresses, host names)
Using specified methods (ssh, xdm, cde, rsh, rlogin, telnet, rexec)
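To make the four control dimensions concrete, here is an added Python policy evaluator that is not Symark's code and does not reflect how PowerPassword-UME stores or evaluates its rules. It models a per-user rule with a weekday/time window, permitted target hosts, permitted source networks, and permitted login methods, and returns a decision with a reason suitable for an audit log. The rule contents, host names and addresses are constructed sample values; malformed source addresses and users with no rule are denied rather than passed through.

```python
from dataclasses import dataclass
from datetime import datetime
from ipaddress import ip_address, ip_network
from typing import List, Set, Tuple

# The login methods the page lists as controllable.
KNOWN_METHODS = {"ssh", "xdm", "cde", "rsh", "rlogin", "telnet", "rexec"}


@dataclass(frozen=True)
class LoginRule:
    user: str
    days: frozenset          # weekday numbers, Monday=0 ... Sunday=6
    start: str               # "HH:MM", inclusive, local wall-clock
    end: str                 # "HH:MM", inclusive
    hosts: frozenset         # target hosts the user may log in to
    sources: Tuple[str, ...] # allowed source networks in CIDR notation
    methods: frozenset       # subset of KNOWN_METHODS

    def __post_init__(self):
        unknown = self.methods - KNOWN_METHODS
        if unknown:
            raise ValueError(f"unknown login methods in rule: {sorted(unknown)}")


def within_window(rule: LoginRule, when: datetime) -> bool:
    """Day-of-week plus inclusive HH:MM range check (no overnight windows)."""
    if when.weekday() not in rule.days:
        return False
    hhmm = when.strftime("%H:%M")
    return rule.start <= hhmm <= rule.end


def source_permitted(rule: LoginRule, source_ip: str) -> bool:
    """True if the source address parses and lies inside an allowed network."""
    try:
        addr = ip_address(source_ip)
    except ValueError:
        return False  # garbage in the source field is a deny, never a pass
    return any(addr in ip_network(net) for net in rule.sources)


def evaluate_login(rules: List[LoginRule], user: str, host: str,
                   source_ip: str, method: str, when: datetime) -> Tuple[bool, str]:
    """Return (allowed, reason). Default is deny; a rule must grant every dimension."""
    candidates = [r for r in rules if r.user == user]
    if not candidates:
        return False, f"no login rule for user {user}"
    reasons = []
    for rule in candidates:
        if host not in rule.hosts:
            reasons.append(f"host {host} not permitted")
        elif not source_permitted(rule, source_ip):
            reasons.append(f"source {source_ip} not permitted")
        elif method not in rule.methods:
            reasons.append(f"method {method} not permitted")
        elif not within_window(rule, when):
            reasons.append("outside permitted day/time window")
        else:
            return True, "allowed"
    # Report the first rule's reason; all candidates failed.
    return False, reasons[0]


# Constructed sample policy: a lab analyst may reach the LIMS host over ssh
# from the lab subnet, weekdays during working hours only.
SAMPLE_RULES = [
    LoginRule(
        user="alice.chen",
        days=frozenset({0, 1, 2, 3, 4}),
        start="08:00",
        end="18:00",
        hosts=frozenset({"lims01"}),
        sources=("10.20.0.0/16",),
        methods=frozenset({"ssh"}),
    ),
]


if __name__ == "__main__":
    monday_morning = datetime(2024, 1, 15, 9, 30)  # constructed timestamp
    for attempt in [("lims01", "10.20.4.7", "ssh"),
                    ("lims01", "10.20.4.7", "telnet"),
                    ("erp01", "10.20.4.7", "ssh")]:
        allowed, why = evaluate_login(SAMPLE_RULES, "alice.chen", *attempt, monday_morning)
        print(attempt, "->", "ALLOW" if allowed else "DENY", f"({why})")
```

The design choice worth noting is default deny: every dimension must be granted by the same rule, and any failure to parse the input is treated as a deny. The `reason` string is what you would write to the time-stamped audit trail, so a reviewer can later see not just that a login was refused but which control refused it.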
Once users have logged in, PowerBroker further minimizes security risks on UNIX/Linux networks by helping administrators selectively delegate administrative privileges.