§ 11.10 Controls for closed systems | |
(a) Validation of systems to ensure accuracy, reliability, consistent intended performance, and the ability to discern invalid or altered records. | Nsflow, encompassing both on-premise and cloud deployments across testing and production environments, adheres to 21 CFR Part 11, subsection 11.10(a) through rigorous validation protocols. The system is built around a secure SQL database, accessed only by authenticated users within a closed system architecture, ensuring data integrity and confidentiality. Validation efforts are comprehensive and continuous, spanning:
Initial and Periodic Validation: Prior to deployment and at regular intervals, we conduct thorough validations of the system to ensure it meets all requirements for accuracy, reliability, and consistent performance. This includes validating the system’s capability to identify invalid or altered records, safeguarding against data tampering or loss. Documented Validation Activities: All validation processes, from initial deployment through ongoing maintenance in both testing and production environments, are meticulously documented. This documentation includes testing protocols, and results, providing a transparent audit trail of our compliance efforts. Change Control and Configuration Management: Our robust change control and configuration management processes ensure that any modifications to the system are rigorously evaluated, tested, and documented, maintaining the system’s validated state. Audit Trails: The system utilizes secure, computer-generated, time-stamped audit trails to independently record all actions that create, modify, or delete electronic records. This critical feature supports our capability to discern any invalid or altered records, further bolstering our compliance with 21 CFR Part 11, subsection 11.10(a). Through these practices, we maintain a validated system that ensures the integrity, reliability, and security of electronic records, in full compliance with regulatory standards. |
(b) The ability to generate accurate and complete copies of records in both human readable and electronic form suitable for inspection, review, and copying by the agency. Persons should contact the agency if there are any questions regarding the ability of the agency to perform such review and copying of the electronic records. | Nsflow fully complies with the requirements of 21 CFR Part 11, subsection 11.10(b), through its record-keeping and reporting functionalities. Specifically, our system captures every user action within the platform, each action meticulously logged with the user’s username, user ID, and a precise timestamp. This comprehensive logging ensures that we maintain accurate and complete records of all activities conducted within the system.
Leveraging these detailed logs, our system is equipped with the capability to generate reports that are both comprehensive and customizable. Reports are produced on demand and can be made in various formats to accommodate different needs, ensuring they are suitable for inspection, review, and copying by regulatory agencies. Our reporting feature allows for the creation of outputs in human-readable formats, such as PDFs or printed documents, as well as in electronic forms, including CSV files or other structured data formats, facilitating easy manual and automated review. |
(c) Protection of records to enable their accurate and ready retrieval throughout the records retention period. | Nsflow adheres to the requirements of 21 CFR Part 11, subsection 11.10(c), focusing on the protection of records to enable their accurate and ready retrieval throughout the records retention period. This compliance is achieved through a combination of stringent security measures, robust data management practices, and regular system audits, as detailed below:
Data Integrity and Confidentiality: We implement comprehensive security practices to ensure the integrity and confidentiality of records stored within our system. This includes rigorous access controls that limit record access to authorized personnel only, ensuring that data is protected against unauthorized use or disclosure. Regular Backups and Data Recovery: A key component of our compliance strategy is the implementation of regular, scheduled backups of our SQL database. These backups are crucial for data durability, allowing for the rapid restoration of records in case of data loss or corruption. Backup procedures are tested regularly to ensure their effectiveness in data recovery scenarios. Data Retention and Accessibility: Nsflow system is designed to not only secure records but also to maintain their accessibility for the duration of the required retention period. We ensure that documentation available on demand can be accurately and easily retrieved for review, inspection or copying by authorized parties, including regulatory agencies. Continuous Monitoring and Improvement: Our commitment to compliance is ongoing. We continuously monitor our system’s performance and security controls to identify and address potential vulnerabilities. Regular reviews and updates to our practices ensure our system remains in alignment with current regulatory requirements and best practices in data protection. |
(d) Limiting system access to authorized individuals | Nsflow ensures compliance with 21 CFR Part 11, subsection 11.10(d), through stringent access control measures designed to limit system access to authorized individuals. Our comprehensive approach includes the following key components:
User Authentication: Each user is required to authenticate using a unique username and password combination. Our system offers the capability to enforce strong password rules, which can be configured to require a mix of characters, numbers, and symbols,as well as the possibility of periodic password changes, to enhance security. Administrative Device Confirmation: To further secure system access, our policy mandates that an administrator must confirm any new device attempting to connect to the system before it can be used for access. This process ensures that only devices verified by an administrator are permitted to access the system, adding an additional layer of security and control over who can access sensitive information and systems. Access Rights and Roles: We implement role-based access control (RBAC) within our system, which allows for specification of access rights based on individual roles within the organization. This ensures that users are granted access only to the information and functions necessary for their specific job responsibilities, minimizing the risk of unauthorized access to sensitive data. Regular Access Reviews: Our security policies include regular reviews of user access rights and device authorizations. These reviews help to ensure that access permissions remain appropriate over time and that any unnecessary access rights are promptly revoked, especially in cases of role changes or employment termination.Customer data reviews are the responsibility of the customer. |
(e) Use of secure, computer-generated, time-stamped audit trails to independently record the date and time of operator entries and actions that create, modify, or delete electronic records. Record changes shall not obscure previously recorded information. Such audit trail documentation shall be retained for a period at least as long as that required for the subject electronic records and shall be available for agency review and copying. | Nsflow system is designed to comply fully with the 21 CFR Part 11, subsection 11.10(e) requirements, through the implementation of secure, computer-generated, time-stamped audit trails. These audit trails meticulously record all operator entries and actions related to the creation, modification, or deletion of electronic records, ensuring accountability and transparency in data management. The key features of our audit trail system include:
Time-Stamped Records: Each action on the system is automatically recorded with a precise timestamp, including the date and time the action occurred. This provides a clear and chronological record of all interactions with the system. Independence and Security: The audit trails are generated and stored in a manner that maintains their independence from the records they audit. They are protected against unauthorized access, tampering, or deletion, ensuring their integrity and reliability. Non-Obfuscation of Changes: Our system is engineered to ensure that any modifications to electronic records do not obscure previously recorded information. Instead, each change is logged as a new entry in the audit trail, preserving the original record’s integrity while providing a transparent history of modifications. Comprehensive Record-Keeping: The audit trails capture detailed information about each action, including the identity of the operator making the entry, the type of action performed (creation, modification, deletion), and the specific details of the change. This ensures a comprehensive and understandable record of all activities for review. Retention and Accessibility: Audit trail records are retained for a period at least as long as that required for the subject electronic records, in compliance with regulatory requirements. They are stored securely and are readily accessible for agency review and copying upon request, facilitating regulatory inspections and audits. |
(f) Use of operational system checks to enforce permitted sequencing of steps and events, as appropriate. | Nsflow is engineered to ensure compliance with 21 CFR Part 11, subsection 11.10(f), through the integration of advanced operational system checks. These checks are designed to enforce the correct sequencing of steps and events, thereby maintaining the integrity and reliability of processes within our system. The key components of our approach include:
Workflow Management: Our system employs sophisticated workflow management capabilities that guide users through the required sequence of steps for specific operations. This ensures that tasks are completed in the correct order, preventing procedural errors that could compromise data integrity or system functionality. Conditional Logic: We utilize conditional logic within our system to enforce the execution of events in the appropriate sequence. This means that certain actions can only be performed if prerequisite conditions are met, effectively controlling the flow of operations and ensuring compliance with established protocols. Role-Based Access Controls (RBAC): By implementing role-based access controls, we ensure that only authorized users can initiate, approve, or execute certain steps within a process. This not only supports the enforcement of sequencing but also enhances security by restricting operations to qualified individuals. System Alerts and Notifications: Nsflow system is configured to provide real-time alerts and notifications to users if an attempt is made to perform an action out of sequence. These prompts guide users back to the correct procedural path, thereby preventing accidental deviations from established workflows. |
(g) Use of authority checks to ensure that only authorized individuals can use the system, electronically sign a record, access the operation or computer system input or output device, alter a record, or perform the operation at hand. | Nsflow incorporates comprehensive authority checks as a fundamental component of our security framework, aligning with the requirements of 21 CFR Part 11, subsection 11.10(g). These checks are designed to verify and enforce the authorization of users for specific actions within the system, including electronic signatures, record alterations, and access to operational functionalities. Key aspects of our approach include:
Context-Sensitive Authorization: Authority checks in our system are context-sensitive, meaning that the system dynamically evaluates a user’s permissions based on the specific action they are attempting to perform. This ensures that permissions are appropriately enforced in real-time, depending on the operation or data access level required. Access Rights and Roles: We implement role-based access control (RBAC) within our system, which allows for specification of access rights based on individual roles within the organization. This ensures that users are granted access only to the information and functions necessary for their specific job responsibilities, minimizing the risk of unauthorized access to sensitive data. Secure Electronic Signature Validation: For actions that require an electronic signature, our system performs an additional layer of authority checks to validate the identity of the signer and ensure they are authorized to sign the specific record in question. This process safeguards against unauthorized record modifications and ensures compliance with electronic signature requirements. Audit Trail Integration: The authority checks are seamlessly integrated with our audit trail system, ensuring that every access attempt and operation performed is logged with details about the user’s authorization status at the time of the action. This creates a traceable record of authority validations, enhancing oversight and accountability. Regular Access Reviews and Updates: To ensure the integrity of authority checks within the Nsflow application, we encourage our tenants to regularly review and update user access rights and permissions. This proactive approach allows for adjustments in authority levels following changes in user roles, responsibilities, or employment status, ensuring that access privileges remain both current and appropriate. While this responsibility falls within the tenants’ purview, we are committed to providing support and guidance to facilitate these essential security measures. |
(h) Use of device (e.g., terminal) checks to determine, as appropriate, the validity of the source of data input or operational instruction. | Our web-based system complies with the spirit of 21 CFR Part 11, subsection 11.10(h), through robust measures designed to ensure the security and integrity of data inputs and operational instructions, even in the absence of physical terminals. Given our system’s architecture, which enables remote access via web browsers on various devices, our approach focuses on verifying the security and validity of these remote access points. Key components of our compliance strategy include:
Secure User Authentication: We implement stringent authentication mechanisms for all users accessing the system remotely. This includes mandatory username/password credentials, with the option to enforce complex password policies, ensuring that only authorized users can access the system. Encrypted Data Transmission: All data transmitted between the user’s device and our backend system is encrypted using strong encryption protocols such as TLS (Transport Layer Security). This ensures that data inputs and operational instructions are securely communicated, safeguarding against interception or manipulation. Access Control and Monitoring: Our system uses access control measures to restrict and monitor user activities based on their roles and permissions. This ensures that users can only perform actions that are within their authorized scope, whether accessing data or executing operational commands. Secure Tunneling for Administrator Access: System administrators access the system through secure tunneling mechanisms, such as VPNs (Virtual Private Networks) or SSH (Secure Shell) tunnels. These technologies provide a secure and encrypted channel over which administrators can perform system checks, data reviews, and maintenance tasks, ensuring that their interactions with the system are protected against interception or unauthorized access. Encryption Protocols: The tunneling protocols employed use strong encryption to safeguard data transmission between the administrator’s device and the system. This ensures that any data accessed or commands issued by the administrator remain confidential and tamper-proof during transmission. |
(i) Determination that persons who develop, maintain, or use electronic record/electronic signature systems have the education, training, and experience to perform their assigned tasks. | Nsflow adheres to the requirements of 21 CFR Part 11, subsection 11.10(i), by implementing comprehensive measures to ensure that all personnel involved in the development, maintenance, and operation of our electronic record and electronic signature systems possess the necessary education, training, and experience to perform their assigned tasks effectively. Our commitment to this standard is demonstrated through several key initiatives:
Rigorous Hiring Standards: We employ strict hiring criteria to ensure that all new personnel involved with our system—whether in development, maintenance, or user roles—have the relevant educational background and professional experience suited to their responsibilities. Ongoing Training Programs: Recognizing that technology and regulatory standards evolve, we provide ongoing training programs for all relevant staff. These programs cover a wide range of topics, including but not limited to system security, regulatory compliance, data integrity principles, and updates to the 21 CFR Part 11 regulations. This ensures that our team remains knowledgeable and up-to-date with the latest industry standards and best practices. Role-Specific Education: To cater to the diverse functions within our team, we offer role-specific training that is tailored to the unique requirements of each position. For developers, this might include secure coding practices and system architecture design principles. For maintenance personnel, the focus would be on system diagnostics and troubleshooting methodologies. Users of the system receive training on its proper use, including how to securely sign and manage electronic records. Performance Evaluation and Continuous Improvement: We regularly evaluate the performance of our personnel in relation to their understanding and execution of their duties related to our electronic record and electronic signature systems. Feedback from these evaluations is used to identify areas for further training and development, ensuring continuous improvement in competencies and compliance adherence.Comprehensive User Training: We provide all users with comprehensive training covering the proper use of our electronic record and electronic signature systems. This training is tailored to include the creation, modification, review, and electronic signing of records, emphasizing the importance of adhering to established protocols to maintain data integrity and compliance with regulatory standards. Role-Based Access Controls (RBAC): Our system enforces strict role-based access controls, ensuring that users are granted access only to the parts of the system necessary for their role and training level. This approach prevents unauthorized access and operations on electronic records, further securing the integrity of our data. |
(j) The establishment of, and adherence to, written policies that hold individuals accountable and responsible for actions initiated under their electronic signatures, in order to deter record and signature falsification. | Not applicable, possible use of software for electrical signatures in documentation depends on individual customer policy. |
(k) Use of appropriate controls over systems documentation including:
(1) Adequate controls over the distribution of, access to, and use of documentation for system operation and maintenance. (2) Revision and change control procedures to maintain an audit trail that documents time-sequenced development and modification of systems documentation. |
Nsflow leverages Git, a robust version control system, to ensure full compliance with 21 CFR Part 11, subsection 11.10(k), focusing on the controls over systems documentation. This includes managing the distribution of, access to, and use of documentation for system operation and maintenance, as well as maintaining a comprehensive audit trail for documentation revisions and changes. Our compliance strategy is detailed below:
(1) Adequate Controls Over Documentation Git-Based Version Control: By utilizing Git, we ensure that all system documentation, including operational manuals, maintenance guides, and development records, is meticulously versioned. This allows for precise tracking of changes, including who made the change, what was changed, and when the change was made. Restricted Access: Access to the Git repositories holding system documentation is tightly controlled. Only authorized personnel are granted access based on their roles and responsibilities related to system operation, maintenance, or security. This ensures that sensitive documentation is shielded from unauthorized access. Secure Distribution Mechanisms: Distribution of documentation is managed through Git, which offers secure mechanisms for sharing updates. Authorized users can pull documentation directly from the repository, ensuring they always have access to the latest, authoritative versions. (2) Revision and Change Control Procedures Audit Trail for Document Changes: Git inherently maintains an immutable audit trail for all document changes. This includes detailed commit messages that require contributors to describe the nature of each change, providing a time-sequenced development and modification history of systems documentation. Review and Approval Processes: Changes to documentation undergo a rigorous review and approval process before being merged into the master branch of the repository. This ensures that all modifications are vetted for accuracy, relevance, and compliance with regulatory requirements. Access and Modification Logs: Git’s logging capabilities extend to recording access and modification attempts, providing an additional layer of security and traceability. This enables us to monitor how documentation is used and ensure compliance with established policies. |
§ 11.30 Controls for open systems | |
By classifying our system as a closed system we affirm our commitment to compliance with 21 CFR Part 11 while acknowledging that the specific controls for open systems outlined in Section 11.30 do not apply to our operational environment. Our focus remains on ensuring compliance with all relevant aspects of 21 CFR Part 11 that pertain to closed systems, thereby safeguarding the integrity, security, and confidentiality of our electronic records. | |
§ 11.50 Signature manifestations | |
(a) Signed electronic records shall contain information associated with the signing that clearly indicates all of the following:
(1) The printed name of the signer; (2) The date and time when the signature was executed; and (3) The meaning (such as review, approval, responsibility, or authorship) associated with the signature. |
In accordance with 21 CFR Part 11, § 11.50, our system ensures that all electronic records requiring a signature include comprehensive signature manifestations. These manifestations are designed to clearly indicate:
The Printed Username of the Signer: Every electronic signature is accompanied by the printed username of the signer, automatically captured by our system at the time of signing. This ensures clear identification and accountability of the individual endorsing the electronic record. The Date and Time When the Signature was Executed: Our system appends a precise timestamp reflecting the date and time of signature execution. This timestamp is generated based on the system’s internal clock, providing an immutable record of when the signature action occurred. The Meaning Associated with the Signature: Instead of requiring users to manually select the meaning or intent of their signature, our system automatically assigns a predefined action context to each signature based on the specific task being performed. This ensures that the purpose of each signature is clearly defined and documented without the need for manual input, accurately reflecting the action taken by the user. |
(b) The items identified in paragraphs (a)(1), (a)(2), and (a)(3) of this section shall be subject to the same controls as for electronic records and shall be included as part of any human readable form of the electronic record (such as electronic display or printout). | Nsflow is engineered to adhere to the stipulations of 21 CFR Part 11, section 11.50(b), ensuring that the integrity and accessibility of signature manifestations are maintained across all forms of electronic records, both in electronic displays and in printed outputs. This is achieved through the following measures:
Integrated Signature Information: The printed username of the signer, the precise date and time the signature was executed, and the automatically determined action context associated with each signature are intrinsically linked to the electronic record. This information is managed with the same level of security and control as the electronic records themselves, ensuring consistent integrity and traceability. Human-Readable Displays and Printouts: When an electronic record is displayed on screen or printed, all associated signature information (signer’s username, timestamp, and action context) is automatically included. This ensures that any human-readable form of the electronic record provides a comprehensive view of both the content and the associated signing actions, in compliance with regulatory requirements. Controls for Integrity and Security: The signature manifestations and the electronic records are protected by robust system controls designed to prevent unauthorized access, alteration, or deletion. These controls apply uniformly to the electronic records and the associated signature information, guaranteeing that the integrity of the human-readable forms is preserved. Documentation and Auditability: Our system maintains detailed documentation and audit trails that capture the process by which electronic records and their associated signature information are generated, displayed, and printed on demand. This facilitates audit and inspection activities, ensuring that the requirements of 21 CFR Part 11, section 11.50(b) are met and that compliance can be readily demonstrated. |
§ 11.70 Signature/record linking | |
In alignment with the intent of 21 CFR Part 11, Section 11.70, our system ensures the integrity and non-repudiation of actions taken on electronic records through a robust mechanism that authenticates and logs every change based on authorized user credentials. While our system does not use traditional electronic or handwritten signatures, it achieves the regulation’s objective of linking actions to records in a secure manner that prevents falsification. This is accomplished through the following:
Authenticated Actions: Each action taken on an electronic record is authenticated using the user’s username and password. This ensures that only authorized users can make changes to records, maintaining the security and integrity of the record-keeping process. Automatic Logging of Actions: Upon any change to an electronic record, our system automatically logs detailed information about the action, including the username of the individual who made the change, their user ID, and the precise timestamp of when the change occurred. This automated logging process serves as a digital signature equivalent, securely linking each action to the user who performed it and the specific time it was performed. Immutable Audit Trails: The logs generated by our system are immutable and serve as a comprehensive audit trail of all activities associated with electronic records. This ensures that actions cannot be excised, copied, or otherwise transferred in a manner that would falsify the original record. The audit trail provides a transparent and tamper-evident record that fulfills the intent of signature/record linking as required by 21 CFR Part 11, Section 11.70. System Controls and Security Measures: Additional system controls and security measures are in place to prevent unauthorized access and ensure that the linkage between users and their actions on records cannot be compromised. These measures include rigorous access controls, regular security assessments, and encryption of sensitive data to protect against external and internal threats. |
|
§ 11.100 General requirements | |
(a) Each electronic signature shall be unique to one individual and shall not be reused by, or reassigned to, anyone else. | Nsflow, designed as a customer-based platform, supports full compliance with the requirements of 21 CFR Part 11, Section 11.100(a), by providing the necessary infrastructure and capabilities. This section mandates that each electronic signature must be unique to one individual and shall not be reused by, or reassigned to, anyone else. While our platform facilitates compliance through robust features and controls, the implementation of specific practices to prevent account sharing and ensure the uniqueness of electronic signatures ultimately resides with our customers. Our approach includes:
Unique User Identification within Customers: Our platform assigns a unique identifier to each user within a customer’s domain, supporting the creation and management of electronic signatures that are unique to each individual. This system design inherently discourages account sharing by tying actions and records securely to individual user identifiers. Customer-Level Policy Enforcement: We provide tools and functionalities that enable our customers to enforce their own policies against the reuse or reassignment of electronic signatures. This includes the ability to manage user accounts, monitor user activity, and enforce password policies and authentication measures. Education and Guidelines for Customers: To support our customers in upholding the integrity of electronic signatures, we offer comprehensive guidelines and best practices on implementing and maintaining unique user access. This includes recommendations for regular audits, user training programs, and strategies to prevent account sharing. Security and Authentication Features: While our platform provides advanced security features, including strong authentication mechanisms, it is the responsibility of each customer to configure these features according to their needs. This ensures that only authorized individuals can use their unique electronic signatures. |
(b) Before an organization establishes, assigns, certifies, or otherwise sanctions an individual’s electronic signature, or any element of such electronic signature, the organization shall verify the identity of the individual. | Nsflow platform empowers each customer organization to manage their electronic signature processes within the bounds of 21 CFR Part 11, Section 11.100(b). This section requires the verification of an individual’s identity before establishing, assigning, certifying, or sanctioning their electronic signature. To ensure compliance across our system, we provide a robust framework and tools that enable and support our customers in fulfilling these regulatory obligations:
Customer Responsibility: It is the responsibility of each customer organization to verify the identity of individuals before assigning them an electronic signature. Guidance and Best Practices: To assist customers ents in implementing effective identity verification processes, we provide comprehensive guidance and best practices documentation. This includes recommendations on secure verification methods, data protection considerations, and compliance with relevant laws and regulations. Audit and Compliance Support: Our platform includes auditing features that allow customers to maintain records of identity verification activities. This documentation is crucial for demonstrating compliance with 21 CFR Part 11 requirements and can be instrumental during audits or regulatory reviews. Security and Privacy: While enabling customers to verify individual identities, our system ensures the protection of personal information through stringent security measures. Data encryption, access controls, and privacy policies are in place to safeguard sensitive information throughout the verification process. |
(c) Persons using electronic signatures shall, prior to or at the time of such use, certify to the agency that the electronic signatures in their system, used on or after August 20, 1997, are intended to be the legally binding equivalent of traditional handwritten signatures.
(1) The certification shall be signed with a traditional handwritten signature and submitted in electronic or paper form. Information on where to submit the certification can be found on FDA’s web page on Letters of Non-Repudiation Agreement. (2) Persons using electronic signatures shall, upon agency request, provide additional certification or testimony that a specific electronic signature is the legally binding equivalent of the signer’s handwritten signature. |
Certification Procedure: Customers utilizing electronic signatures within our system are responsible for certifying to the regulatory agency, prior to or at the time of use, that these electronic signatures are intended to serve as the legally binding equivalent of traditional handwritten signatures. We provide guidance and resources to assist customers in preparing and submitting the required certification.
Assistance with Agency Requests: Upon request from the regulatory agency, customers are prepared to provide additional certification or testimony affirming the specific electronic signature’s status as the legally binding equivalent of the signer’s handwritten signature. Our system supports customers in gathering and presenting the necessary documentation and testimony in a timely and efficient manner. Documentation and Record-Keeping: We encourage customers to maintain detailed records of all certifications and related correspondence, including copies of submitted certifications and any additional certifications or testimonies provided to the agency. This documentation serves as tangible evidence of compliance and facilitates prompt response to agency requests. |
§ 11.200 Electronic signature components and controls. | |
(a) Electronic signatures that are not based upon biometrics shall:
(1) Employ at least two distinct identification components such as an identification code and password. (i) When an individual executes a series of signings during a single, continuous period of controlled system access, the first signing shall be executed using all electronic signature components; subsequent signings shall be executed using at least one electronic signature component that is only executable by, and designed to be used only by, the individual. (ii) When an individual executes one or more signings not performed during a single, continuous period of controlled system access, each signing shall be executed using all of the electronic signature components. (2) Be used only by their genuine owners; and (3) Be administered and executed to ensure that attempted use of an individual’s electronic signature by anyone other than its genuine owner requires collaboration of two or more individuals. |
In alignment with 21 CFR Part 11, Section 11.100(a), our system implements robust measures to govern the use of electronic signatures not based upon biometrics. These measures are designed to provide security, integrity, and accountability in electronic transactions. Here’s how we address each requirement:
Employment of Two Distinct Identification Components: Username and Password: Our system requires users to employ at least two distinct identification components, such as a username and password, to authenticate their electronic signatures. Continuous System Access: During a single, continuous period of controlled system access, the first signing must utilize all electronic signature components. Subsequent signings within the same session can be executed using at least one electronic signature component unique to the individual in the form of acquired signing token. Non-Continuous System Access: For signings not performed during a single, continuous period of controlled system access, each signing must utilize all electronic signature components. Use by Genuine Owners Only: Electronic signatures are strictly used by their genuine owners. The system implements stringent user authentication mechanisms to ensure that only authorized individuals can access and utilize their electronic signature credentials. Administration to Prevent Unauthorized Use: Collaborative Authorization: Attempted use of an individual’s electronic signature by anyone other than its genuine owner is discouraged. Any attempt to share signatures should be controlled by a customer who manages user accounts and the employees who have access to them. System Administration: The administration of electronic signatures is conducted with meticulous attention to detail, ensuring that proper controls and safeguards are in place to prevent misuse or unauthorized access. Customers utilizing electronic signatures within our system are responsible for adhering to these requirements and implementing additional organizational policies and controls as necessary to further enhance security and compliance. |
(b) Electronic signatures based upon biometrics shall be designed to ensure that they cannot be used by anyone other than their genuine owners. | Not applicable, any use of devices using biometric data is the responsibility of the customer. |
§ 11.300 Controls for identification codes/passwords | |
(a) Maintaining the uniqueness of each combined identification code and password, such that no two individuals have the same combination of identification code and password. | In accordance with 21 CFR Part 11, Section 11.300(a), our system implements rigorous measures to maintain the uniqueness of each combined username and password, ensuring that no two individuals share the same combination. This critical requirement is fundamental to safeguarding the integrity and security of electronic signatures within our system. Here’s how we address this mandate:
Unique Combination Generation: Upon user registration, our system requires a unique username and strong password. We provide tools for generating strong and secure credentials. Continuous Monitoring and Maintenance: We employ robust monitoring mechanisms to continuously assess the uniqueness of combined username and password pairs within our system. Any instances of duplication or potential conflicts are prevented or promptly detected and resolved through automated processes or manual intervention as necessary. |
(b) Ensuring that identification code and password issuances are periodically checked, recalled, or revised (e.g., to cover such events as password aging). | In accordance with 21 CFR Part 11, Section 11.300(b), our system implements procedures to ensure that usernames and passwords are periodically checked, recalled, or revised. This proactive approach is essential to maintaining the integrity and security of user access within our system. Here’s how we address this requirement:
Admin Controls: System administrators have the capability to force password updates for users, ensuring compliance with password aging policies and addressing security concerns promptly. Admins can initiate password resets or enforce password changes based on organizational policies and security requirements. Administrators can change the password without the user’s knowledge. Customer Responsibility: While admins have the authority to enforce password updates, customers are responsible for ensuring the periodic changes and revisions of passwords within their respective domains. Customers are encouraged to establish and enforce password management policies tailored to their specific needs, including password aging, complexity requirements, and update frequencies. Customer Support and Guidance: Our system provides cusomers with support and guidance to assist them in implementing effective password management practices. This includes resources on password policy creation, user education, and best practices for password security. |
(c) Following loss management procedures to electronically deauthorize lost, stolen, missing, or otherwise potentially compromised tokens, cards, and other devices that bear or generate identification code or password information, and to issue temporary or permanent replacements using suitable, rigorous controls. | In alignment with 21 CFR Part 11, Section 11.300(c), our system has established robust loss management procedures to electronically deauthorize lost, stolen, missing, or otherwise compromised tokens, cards, and other devices that bear or generate identification code or password information. Additionally, we ensure the issuance of temporary or permanent replacements using suitable, rigorous controls to maintain the integrity and security of user access within our system. Here’s how we address this requirement:
Immediate Deauthorization: Upon notification of a lost, stolen, or compromised token, card, or device bearing or generating identification code or password information, our system initiates immediate electronic deauthorization procedures. Access privileges associated with the affected device or user are revoked promptly to prevent unauthorized access. Temporary Access Restrictions: In cases where a device is temporarily lost or misplaced, our system enforces access restrictions to mitigate potential security threats. Temporary access privileges associated with the device are suspended until its status can be verified and confirmed by authorized personnel. Rigorous Replacement Controls: In the process of managing temporary or permanent replacements for lost, stolen, or compromised devices, we underscore the importance of customers implementing their own rigorous verification controls. The responsibility of verifying the identity and authorization of individuals requesting device replacements falls to the customers. We recommend the adoption of thorough procedures, potentially including approval workflows, to validate replacement requests and ensure security within their segments of the Nsflow application. |
(d) Use of transaction safeguards to prevent unauthorized use of passwords and/or identification codes, and to detect and report in an immediate and urgent manner any attempts at their unauthorized use to the system security unit, and, as appropriate, to organizational management. | In adherence to 21 CFR Part 11, Section 11.300(d), our system implements transaction safeguards to prevent unauthorized use of passwords and/or identification codes, prioritizing timely detection and reporting of any unauthorized attempts to the system security unit and organizational management. Here’s how we address this requirement:
Authentication Controls: Our system enforces stringent authentication controls to verify the validity of passwords and/or identification codes during each transaction. This includes password hashing, strong password policies, and secure transmission protocols to protect user credentials. System blocks users after a specified amount of unsuccessful authorization attempts. Access Controls: Access to system functionalities and sensitive data is restricted based on predefined user roles and permissions. Users are granted access only to the resources necessary for their designated roles, minimizing the risk of unauthorized use of passwords and/or identification codes. Periodic Review: In collaboration with our customers, we conduct periodic reviews of user access privileges and transaction logs to identify any irregularities or suspicious activities. These joint reviews are essential for ensuring that passwords and/or identification codes are used appropriately and that any unauthorized attempts are promptly addressed. This cooperative approach enhances the security measures within their segments of the Nsflow application. Manual Monitoring and Reporting: While we do not have real-time monitoring capabilities or automatic alerts, our system relies on manual monitoring by system administrators to detect and investigate potential security incidents. Administrators are trained to recognize signs of unauthorized use of passwords and/or identification codes and prevent such activities. They are responsible for reporting such incidents to the system security unit and organizational management. Escalation Procedures: In the event of confirmed unauthorized use, our system follows predefined escalation procedures to notify appropriate stakeholders, including the system security unit and organizational management. This ensures that security incidents are promptly escalated and addressed at the appropriate levels of authority. |
(e) Initial and periodic testing of devices, such as tokens or cards, that bear or generate identification code or password information to ensure that they function properly and have not been altered in an unauthorized manner. | Periodic Testing: In addition to initial testing, our system performs periodic testing of devices at regular intervals as part of routine maintenance procedures. These periodic tests verify the ongoing functionality and integrity of the devices, helping to detect any potential issues or deviations from expected performance.
Testing Methodology: Our testing methodology encompasses various techniques and procedures tailored to the specific characteristics and functionalities of the devices being evaluated. This may include functional testing, performance testing, security testing, and verification of device integrity through cryptographic methods. Detection of Unauthorized Alterations: During testing, our system employs measures to detect any unauthorized alterations or tampering with the devices. This includes validation of device firmware, checksum verification, and comparison against known secure configurations to identify any discrepancies indicative of unauthorized modifications. |