Using The Hitachi ID Management Suite to Comply with 21 CFR 11
1 Introduction
This document gives a brief introduction to Title 21 of the Code of Federal Regulations, Volume 11 (21 CFR
11 for short), and describes how it impacts information security in the pharmaceutical industry.
The Hitachi ID Identity Management Suite is then introduced, and its use to comply with the requirements
set forth in 21 CFR 11 is described.
Please note that this document does not constitute legal advice, or a legal interpretation of 21 CFR 11. This
document represents the best understanding of Hitachi ID of the relevance of this legislation to information
security, and to identity management in particular.
2 21 CFR 11
21 CFR 11 is a set of rules governing the use of electronic records and digital signatures in business
processes and in documents submitted to the FDA under requirements of the Federal Food, Drug and
Cosmetic Act and of the Public Health Service Act.
Title 21 of the Code of Federal Regulations governs food and drugs. Parts 1 through 99 are regulated by the
Food and Drug Administration (FDA). Part 11 is titled “ELECTRONIC RECORDS; ELECTRONIC SIGNATURES.”
21 CFR 11 sets out appropriate methods to manage electronic records and digital signatures, primarily
by pharmaceutical companies and their suppliers, in such a manner as to make them equivalent to paper
records and handwritten signatures.
21 CFR 11 includes the following subparts:
• Subpart A: General Provisions:
– The scope, or applicability, of 21 CFR 11.
– Implementation, indicating when and how electronic records may be submitted to the FDA.
– Definitions of relevant terminology.
• Subpart B: Electronic Records:
– Controls for closed systems, not intended for public access.
– Controls for open systems, accessible by the public.
– Signature manifestations and signature/record linking, defining signed documents.
• Subpart C: Electronic Signatures:
© 2014 Hitachi ID Systems, Inc. All rights reserved.
– General requirements, indicating how electronic signatures should be managed.
– Signature components and controls, defining what constitutes a reasonable signature.
– Controls for identification codes/passwords, defining security measures over authentication technology.
21 CFR 11 came into effect on August 20, 1997.
3 Relevant Sections
The following sections of 21 CFR 11 relate directly to identity management technology:
3.1 Section 11.10 Controls for closed systems
Closed systems are required to employ procedures and controls designed to ensure the authenticity, integrity,
and, when appropriate, the confidentiality of electronic records, and to ensure that the signer cannot
readily repudiate the signed record as not genuine.
Identity Management Impact:
These controls must include measures to properly grant, authorize and revoke access to users of closed
systems. Strong authentication of those users is also essential to meet this requirement.
Specific requirements in this section include:
• (d) Limiting system access to authorized individuals.
Identity Management Impact:
Business processes to determine appropriate systems access must be tied to technology that controls
that access.
• (e) . . . time-stamped audit trails . . .
Identity Management Impact:
Changes to system access (e.g., creating new users, changing user privileges, or terminating access)
must be logged and time-stamped.
• (g) . . . authority checks to ensure that only authorized individuals can use the system . . .
Identity Management Impact:
Users must sign into closed systems, and the system must verify that the users are authorized to do
so.
• (i) . . . persons who develop, maintain, or use electronic record/electronic signature systems have the
education, training and experience . . .
Identity Management Impact:
Software and hardware vendors must have suitable education and experience before they can provide
closed systems.
3.2 Section 11.50 Signature manifestations
Electronic signatures are required to contain, or relate to:
• The printed name of the signer.
• The date and time . . .
• The meaning . . . [of] the signature.
Identity Management Impact:
Electronic signatures must contain a unique login ID and a time/date of signature. The context of the
signature – such as requesting or authorizing access to a closed system – must be clear.
3.3 Section 11.100 Electronic Signatures – General requirements
Requirements for an electronic signature system include:
(b) Before an organization establishes, assigns, certifies, or otherwise sanctions an individual's electronic
signature, or any element of such electronic signature, the organization shall verify the identity of the
individual.
Identity Management Impact:
This means that the process of enrolling users in a closed system must be no less secure than the systems’
internal processes. Enrollment must be grounded in sound identification of users, and clear connection of
pre-enrollment identity to system identity.
3.4 Section 11.200 Electronic signature components and controls
Requirements for electronic signatures that are not biometric include that they:
• (a) (1) Employ at least two distinct identification components such as an identification code and password.
Identity Management Impact:
This confirms that a login ID / password pair is a suitable user identification technology.
• (a) (2) Be used only by their genuine owners.
Identity Management Impact:
Shared login IDs and passwords are forbidden.
• (a) (3) Be administered and executed to ensure that attempted use of an individual's electronic signature
by anyone other than its genuine owner requires collaboration of two or more individuals.
Identity Management Impact:
Any sharing of login credentials is forbidden.
3.5 Section 11.300 Controls for identification codes/passwords
Specific requirements for system login IDs and passwords include:
• (a) . . . uniqueness . . . of ID/password pairs.
Identity Management Impact:
Login IDs must be uniquely assigned to users.
• (b) IDs and passwords are . . . periodically checked, recalled, or revised . . . – meaning password
aging and periodic review of the suitability of existing login IDs.
Identity Management Impact:
Password quality must be verified when new passwords are issued, and when users change their
passwords. Users must periodically change their passwords.
• (c) . . . electronically deauthorize lost, stolen, missing, or otherwise potentially compromised tokens,
cards, and other devices . . .
Identity Management Impact:
Reasonable procedures must be in place to respond to suspected or reported ID compromises.
• (d) . . . transaction safeguards . . . detect and report . . . attempts at their unauthorized use . . .
Identity Management Impact:
Intrusion detection, lockout and alarms must be in place.
• (e) . . . Initial and periodic testing . . . password information . . .
Identity Management Impact:
Strong password quality controls must be applied both initially and over time.
4 Impact of 21 CFR 11 on Identity Management
The impact of 21 CFR 11 on identity management systems and processes can be summarized in the
following requirements:
• User identification
– Users must sign into closed systems, and closed systems must verify that the users are authorized
to do so. Login IDs and passwords are one of the suitable authentication technologies.
– Login IDs must be unique, and must unambiguously identify a user.
• User enrollment and administration
– There must be strong, integrated business and technical processes to grant, authorize and revoke
access to users of closed systems. These controls must include time-stamped audit logs.
– The process of enrolling users in a closed system must be no less secure than the systems’
internal processes. Enrollment must be grounded in sound identification of users, and clear
connection of pre-enrollment identity to system identity.
• Authentication
– User authentication to closed systems, and to secured parts of open systems, must be reliable.
– Sharing of login credentials is forbidden.
– Password quality must be verified when new passwords are issued, and when users change their
passwords. Users must periodically change their passwords.
– Strong password quality controls must be applied both initially and over time.
• Incident response
– Reasonable procedures must be in place to respond to suspected or reported ID compromises.
– Intrusion detection, lockout and alarms must be in place.
• Vendor qualification
– Software and hardware vendors must have suitable education and experience before they can
provide closed systems.
These requirements can be translated into a set of required technical features from a user provisioning
system and a password management system:
User identification
• Requirement: Users must sign into closed systems, and closed systems must verify that the users are
authorized to do so. Login IDs and passwords are one of the suitable authentication technologies.
Feature: The IdM system must integrate with systems that have login IDs and authenticators, including
passwords.
• Requirement: Login IDs must be unique, and must unambiguously identify a user.
Feature: The identity management system must be able to assign globally unique login IDs to new users.

User enrollment and administration
• Requirement: There must be strong, integrated business and technical processes to grant, authorize and
revoke access to users of closed systems. These controls must include time-stamped audit logs.
Feature: User administration must either be linked directly to an existing authoritative system, such as a
human resources (HR) system, and provision users automatically, or a workflow system must accept
requests from business users and ensure that it receives appropriate authorizations from them.
• Requirement: The process of enrolling users in a closed system must be no less secure than the systems'
internal processes. Enrollment must be grounded in sound identification of users, and clear connection
of pre-enrollment identity to system identity.
Feature: Activation of new users must be secure.

Authentication
• Requirement: User authentication to closed systems, and to secured parts of open systems, must be
reliable.
Feature: Strong passwords, tokens and biometrics may be used both by the IdM system and by managed
systems.
• Requirement: Sharing of login credentials is forbidden.
Feature: Credentials must be managed easily enough to eliminate any desire by users to share them.
• Requirement: Password quality must be verified when new passwords are issued, and when users change
their passwords. Users must periodically change their passwords.
Feature: New passwords must be subject to a strength policy, as must changed passwords. Password
aging must be enforced.
• Requirement: Strong password quality controls must be applied both initially and over time.
Feature: New passwords must be subject to a strength policy, as must changed passwords. Password
aging must be enforced.

Incident response
• Requirement: Reasonable procedures must be in place to respond to suspected or reported ID
compromises.
Feature: It must be easy to quickly identify every system account that belongs to a given user, and
disable them all.
• Requirement: Intrusion detection, lockout and alarms must be in place.
Feature: Failed authentication attempts should trigger an intruder lockout and an alarm.

Vendor qualification
• Requirement: Software and hardware vendors must have suitable education and experience before they
can provide closed systems.
Feature: Vendors must be audited for business processes that support 21 CFR 11 compliance.
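As an added illustration (not part of the original paper, and not Hitachi ID's code), the following Python models a closed system that enforces the controls listed above: unique login IDs, a time-stamped audit trail of grant and revoke events, an authority check at sign-in, password aging, intruder lockout with an alarm, and a signature manifestation carrying printed name, time and meaning. The three-attempt lockout threshold and 90-day aging interval are assumed values chosen for the example, not figures taken from the regulation.

```python
"""Constructed example: a minimal closed-system identity store enforcing the
21 CFR 11 controls summarized above. Lockout threshold and password age are
assumed values, not figures from the regulation."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
import hashlib
import hmac
import os

MAX_FAILED_ATTEMPTS = 3                 # assumed lockout threshold, 11.300(d)
PASSWORD_MAX_AGE = timedelta(days=90)   # assumed aging interval, 11.300(b)


@dataclass
class Account:
    login_id: str
    printed_name: str       # 11.50: the printed name of the signer
    salt: bytes
    pw_hash: bytes
    pw_set_at: datetime
    authorized: bool = True
    failed: int = 0
    locked: bool = False


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class ClosedSystem:
    def __init__(self, clock=lambda: datetime.now(timezone.utc)):
        self.clock = clock          # injectable so aging can be tested deterministically
        self.accounts = {}
        self.audit = []             # 11.10(e): time-stamped, append-only audit trail
        self.alarms = []            # 11.300(d): alarms raised on suspected misuse

    def _log(self, event, **fields):
        self.audit.append({"ts": self.clock().isoformat(), "event": event, **fields})

    def enroll(self, login_id, printed_name, password, requester):
        # 11.300(a): a login ID belongs to exactly one individual; a duplicate is an
        # error, never a silent overwrite of the existing owner
        if login_id in self.accounts:
            raise ValueError(f"login ID {login_id!r} is already assigned")
        salt = os.urandom(16)
        self.accounts[login_id] = Account(login_id, printed_name, salt,
                                          _hash_password(password, salt), self.clock())
        self._log("grant", login_id=login_id, by=requester)

    def revoke(self, login_id, requester):
        self.accounts[login_id].authorized = False
        self._log("revoke", login_id=login_id, by=requester)

    def sign_in(self, login_id, password) -> bool:
        acct = self.accounts.get(login_id)
        # 11.10(g): authority check before any use; locked or revoked IDs are denied
        if acct is None or acct.locked or not acct.authorized:
            self._log("signin_denied", login_id=login_id)
            return False
        if not hmac.compare_digest(acct.pw_hash, _hash_password(password, acct.salt)):
            acct.failed += 1
            self._log("signin_failed", login_id=login_id, attempt=acct.failed)
            if acct.failed >= MAX_FAILED_ATTEMPTS:
                acct.locked = True
                self.alarms.append(f"lockout: {login_id}")
                self._log("lockout", login_id=login_id)
            return False
        if self.clock() - acct.pw_set_at > PASSWORD_MAX_AGE:
            self._log("password_expired", login_id=login_id)   # 11.300(b): aging
            return False
        acct.failed = 0
        self._log("signin_ok", login_id=login_id)
        return True

    def sign(self, login_id, password, meaning) -> dict:
        # 11.200(a)(1): both components (ID and password) re-verified at signing time;
        # 11.50: the manifestation carries printed name, date/time and meaning
        if not self.sign_in(login_id, password):
            raise PermissionError("electronic signature rejected")
        manifestation = {"printed_name": self.accounts[login_id].printed_name,
                         "login_id": login_id, "ts": self.clock().isoformat(),
                         "meaning": meaning}
        self._log("esign", **manifestation)
        return manifestation


def demo() -> ClosedSystem:
    """Walk through grant, signing, lockout, aging and revoke with a fake clock."""
    now = [datetime(2024, 1, 1, tzinfo=timezone.utc)]      # constructed timestamps
    cs = ClosedSystem(clock=lambda: now[0])
    cs.enroll("jdoe", "Jane Doe", "correct horse", requester="mgr01")
    cs.sign("jdoe", "correct horse", meaning="Approved batch record 42")
    for _ in range(MAX_FAILED_ATTEMPTS):                 # wrong password three times
        cs.sign_in("jdoe", "wrong")
    cs.sign_in("jdoe", "correct horse")                  # denied: account is locked
    cs.enroll("asmith", "Al Smith", "pw-initial", requester="mgr01")
    now[0] += timedelta(days=91)                         # beyond the assumed max age
    cs.sign_in("asmith", "pw-initial")                   # denied: password expired
    cs.revoke("asmith", requester="hr-feed")
    return cs
```

Every entry in `demo().audit` carries the event, the login ID involved and, for grant/revoke, who requested it, which is the record an auditor would ask for under 11.10(e).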
5 Hitachi ID Solutions Meeting 21 CFR 11 Requirements
5.1 The Hitachi ID Identity Management Suite
The Hitachi ID Identity Management Suite includes:
• Hitachi ID Password Manager: The Total Password Management Solution
Password Manager is an integrated solution for managing user credentials, across multiple systems
and applications. Organizations depend on Password Manager to simplify the management of those
credentials for users, to reduce IT support cost and to improve the security of login processes.
Password Manager includes password synchronization, self-service password reset, enterprise single
sign-on, PIN resets for tokens and smart cards, enrollment of security questions and biometrics and
emergency recovery of full disk encryption keys.
Password Manager reduces the cost of password management using:
– Password synchronization, which reduces the incidence of password problems for users
– Self-service password reset, which empowers users to resolve their own problems rather than
calling the help desk
– Streamlined help desk password reset, to expedite resolution of password problem calls
Password Manager strengthens security by providing:
– A powerful password policy engine.
– Effective user authentication, especially prior to password resets.
– Password synchronization, to help eliminate written-down passwords.
– Delegated password reset privileges for help desk staff.
– Accountability for all password changes.
– Encryption of all transmitted passwords.
To find out more about Password Manager, visit http://Hitachi-ID.com/Password-Manager.
• Hitachi ID Identity Manager: The User Provisioning and Access Management Solution
Identity Manager is an integrated solution for managing identities and security entitlements across
multiple systems and applications. Organizations depend on Identity Manager to ensure that users
get security entitlements quickly, are always assigned entitlements appropriate to their needs and in
compliance with policy and are deactivated reliably and completely when they leave the organization.
Identity Manager implements the following business processes to drive changes to users and entitlements
on systems and applications:
– Automation: grant or revoke access based on data feeds.
– Synchronization: keep identity attributes consistent across applications.
– Self-service: empower users to update their own profiles.
– Delegated administration: allow business stake-holders to request changes directly.
– Certification: invite managers and application owners to review and correct entitlements.
– Workflow: invite business stake-holders to approve or reject requested changes.
Identity Manager strengthens security by:
– Quickly and reliably removing access to all systems and applications when users leave an organization.
– Finding and helping to clean up orphan and dormant accounts.
– Assigning standardized access rights, using roles and rules, to new and transitioned users.
– Enforcing policy regarding segregation of duties and identifying users who are already in violation.
– Ensuring that changes to user entitlements are always authorized before they are completed.
– Asking business stake-holders to periodically review user entitlements and either certify or remove
them, as appropriate.
– Reducing the number and scope of administrator-level accounts needed to manage user access
to systems and applications.
– Providing readily accessible audit data regarding current and historical security entitlements,
including who requested and approved every change.
Identity Manager reduces the cost of managing users and security entitlements:
– Auto-provisioning and auto-deactivation leverage data feeds from HR systems to eliminate routine,
manual user setup and tear-down.
– Self-service eliminates IT involvement in simple updates to user names, phone numbers and
addresses.
– Delegated administration moves the responsibility for requesting and approving common changes,
such as for new application or folder access, to business users.
– Identity synchronization means that corrections to user information can be made just once, on
an authoritative system and are then automatically copied to other applications.
– Built-in reports make it easier to answer audit questions, such as “who had access to this system
on this date?” or “who authorized this user to have this entitlement?”
5.2 Meeting 21 CFR 11 Requirements
As described in Section 4 on Page 6, 21 CFR 11 requires an extensive set of capabilities in systems used
by pharmaceutical companies and related parties.
The following list captures the technical identity management capabilities required to meet 21 CFR 11
requirements:
• Required IdM feature: The IdM system must integrate with systems that have login IDs and
authenticators, including passwords.
Supporting Hitachi ID products: Password Manager, Identity Manager
Details: The Hitachi ID Identity Management Suite has built-in support for over 60 types of target
systems, plus a set of flexible agents designed to accelerate integration with custom and vertical
market applications.
• Required IdM feature: The identity management system must be able to assign globally unique login
IDs to new users.
Supporting Hitachi ID products: Identity Manager
Details: A plugin system and an automatically updated identity cache ensure that all new login IDs are
globally unique.
• Required IdM feature: Automated (de-)provisioning.
Supporting Hitachi ID products: Identity Manager
Details: Automated polling of user profile data from authoritative systems such as HR or corporate
directories. Rules-based filtering and transformation of this data into automatic updates to target
systems, and into open security change requests submitted to an authorization workflow.
• Required IdM feature: A security workflow.
Supporting Hitachi ID products: Identity Manager
Details: Self-service administration of users, accounts, attributes, group memberships and resource
access privileges. Users sign in and submit change requests, which are automatically routed, authorized
and applied to managed systems.
• Required IdM feature: Activation of new users must be secure.
Supporting Hitachi ID products: Identity Manager, Password Manager
Details: New users are typically activated using a secure (HTTPS-based, authenticated) workflow
system. Only the requester, who is typically the new user's manager, knows the initial password, and
users are normally forced to change their password immediately after their first login. Registration of
biometrics is actively managed and secured by Password Manager.
• Required IdM feature: Strong passwords, tokens and biometrics may be used both by the IdM system
and by managed systems.
Supporting Hitachi ID products: Password Manager, Identity Manager
Details: Both products support user authentication using strong passwords, tokens, biometrics and PKI
certificates. Password Manager also enforces password quality on managed systems.
• Required IdM feature: Credentials must be managed easily enough to eliminate any desire by users to
share them.
Supporting Hitachi ID products: Password Manager, Identity Manager
Details: Password synchronization and self-service token management simplify password complexity,
and reduce the need for written and shared passwords. A security workflow and automated provisioning
make user administration simple, removing a barrier to making security requests for new users.
• Required IdM feature: New passwords must be subject to a strength policy, as must changed passwords.
Password aging must be enforced.
Supporting Hitachi ID products: Password Manager
Details: A built-in password policy engine includes over 60 types of rules, plus a regular expression
engine, a plugin system, enterprise-wide password aging and open-ended password history.
• Required IdM feature: It must be easy to quickly identify every system account that belongs to a given
user, and disable them all.
Supporting Hitachi ID products: Password Manager, Identity Manager
Details: An auto-discovery process collects login ID, group membership and attribute data from managed
systems nightly. A reconciliation process connects login IDs across systems to individual users, to
support global management of passwords, access rights and reporting.
• Required IdM feature: Failed authentication attempts should trigger an intruder lockout and an alarm.
Supporting Hitachi ID products: Password Manager, Identity Manager
Details: Both products include a system-wide intrusion detection system, with lockouts and alarms via
e-mail, help desk call tracking systems, SMS messages and more.
• Required IdM feature: Vendors must be audited for business processes that support 21 CFR 11
compliance.
Supporting Hitachi ID products: Hitachi ID
Details: Hitachi ID has been audited for 21 CFR 11 compliance by Pfizer, Abbott Labs, GE Medical and
others.
6 Summary
As described in this document, 21 CFR 11 introduces formal requirements for companies, such as
pharmaceuticals, that must provide signed electronic documents to the FDA.
The Hitachi ID identity management suite includes robust, secure, scalable and deployable technology to
implement identity management processes that meet these requirements.
www.Hitachi-ID.com
500, 1401 - 1 Street SE, Calgary AB Canada T2G 2J3 Tel: 1.403.233.0740 Fax: 1.403.233.0725 E-Mail: sales@Hitachi-ID.com
File: /pub/wp/idsynch/documents/21cfr11/mtech-21cfr11-1.tex
Date: November 22, 2003

WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brand
 
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxUse of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
 
DSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningDSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine Tuning
 

Hitachi ID IDM Suite supports compliance with 21CFR11

  • 1. Using The Hitachi ID Management Suite to Comply with 21 CFR 11 1 Introduction This document gives a brief introduction to Title 21 of the Code of Federal Regulations, Volume 11 (21 CFR 11 for short), and describes how it impacts information security in the pharmaceutical industry. The Hitachi ID Identity Management Suite is then introduced, and its use to comply with the requirements set forth in 21 CFR 11 is described. Please note that this document does not constitute legal advice, or a legal interpretation of 21 CFR 11. This document represents the best understanding of Hitachi ID of the relevance of this legislation to information security, and to identity management in particular. 2 21 CFR 11 21 CFR 11 is a set of rules governing the use of electronic records and digital signatures in business processes and in documents submitted to the FDA under requirements of the Federal Food, Drug and Cosmetic Act and of the Public Health Service Act. Title 21 of the Code of Federal Regulations governs food and drugs. Parts 1 thru 99 are regulated by the Food and Drug Administration (FDA). Part 11 is titled “ELECTRONIC RECORDS; ELECTRONIC SIGNA- TURES.” 21 CFR 11 sets out appropriate methods to manage electronic records and digital signatures, primarily by pharmaceutical companies and their suppliers, in such a manner as to make them equivalent to paper records and handwritten signatures. The 21 CFR 11 includes the following parts: • Subpart A: General Provisions: – The scope, or applicability, of 21 CFR 11. – Implementation, indicating when and how electronic records may be submitted to the FDA. – Definitions of relevant terminology. • Subpart B: Electronic Records: – Controls for closed systems, not intended for public access. – Controls for open systems, accessible by the public. – Signature manifestations and signature/record linking, defining signed documents. • Subpart C: Electronic Signatures: © 2014 Hitachi ID Systems, Inc.. All rights reserved. 1
– General requirements, indicating how electronic signatures should be managed.
– Signature components and controls, defining what constitutes a reasonable signature.
– Controls for identification codes/passwords, defining security measures over authentication technology.

The 21 CFR 11 came into effect on August 20, 1997.
3 Relevant Sections

21 CFR 11 relates explicitly to identity management technology, including in the following parts:

3.1 Section 11.10 Controls for closed systems

Closed systems are required to employ procedures and controls designed to ensure the authenticity, integrity, and, when appropriate, the confidentiality of electronic records, and to ensure that the signer cannot readily repudiate the signed record as not genuine.

Identity Management Impact: These controls must include measures to properly grant, authorize and revoke access to users of closed systems. Strong authentication of those users is also essential to meet this requirement.

Specific requirements in this section include:

• (d) Limiting system access to authorized individuals.
  Identity Management Impact: Business processes to determine appropriate systems access must be tied to technology that controls that access.
• (e) ... time-stamped audit trails ...
  Identity Management Impact: Changes to access to systems – e.g., creating new users, changing user privileges, or terminating access – must be logged and time-stamped.
• (g) ... authority checks to ensure that only authorized individuals can use the system ...
  Identity Management Impact: Users must sign into closed systems, and the system must verify that the users are authorized to do so.
• (i) ... persons who develop, maintain, or use electronic record/electronic signature systems have the education, training and experience ...
  Identity Management Impact: Software and hardware vendors must have suitable education and experience before they can provide closed systems.
3.2 Section 11.50 Signature manifestations

Electronic signatures are required to contain, or relate to:

• The printed name of the signer.
• The date and time ...
• The meaning ... [of] the signature.

Identity Management Impact: Electronic signatures must contain a unique login ID and a time/date of signature. The context of the signature – such as requesting or authorizing access to a closed system – must be clear.

3.3 Section 11.100 Electronic Signatures – General requirements

Requirements for an electronic signature system include:

(b) Before an organization establishes, assigns, certifies, or otherwise sanctions an individual's electronic signature, or any element of such electronic signature, the organization shall verify the identity of the individual.

Identity Management Impact: This means that the process of enrolling users in a closed system must be no less secure than the systems' internal processes. Enrollment must be grounded in sound identification of users, and clear connection of pre-enrollment identity to system identity.

3.4 Section 11.200 Electronic signature components and controls

Requirements for electronic signatures that are not biometric include that they:

• (a) (1) Employ at least two distinct identification components such as an identification code and password.
  Identity Management Impact: This confirms that a login ID / password pair is a suitable user identification technology.
• (a) (2) Be used only by their genuine owners.
  Identity Management Impact: Shared login IDs and passwords are forbidden.
• (a) (3) Be administered and executed to ensure that attempted use of an individual's electronic signature by anyone other than its genuine owner requires collaboration of two or more individuals.
  Identity Management Impact: Any sharing of login credentials is forbidden.

3.5 Section 11.300 Controls for identification codes/passwords

Specific requirements for system login IDs and passwords include:

• (a) ... uniqueness ... of ID/password pairs.
  Identity Management Impact: Login IDs must be uniquely assigned to users.
• (b) IDs and passwords are ... periodically checked, recalled, or revised ... – meaning password aging and periodic review of the suitability of existing login IDs.
  Identity Management Impact: Password quality must be verified when new passwords are issued, and when users change their passwords. Users must periodically change their passwords.
• (c) ... electronically deauthorize lost, stolen, missing, or otherwise potentially compromised tokens, cards, and other devices ...
  Identity Management Impact: Reasonable procedures must be in place to respond to suspected or reported ID compromises.
• (d) ... transaction safeguards ... detect and report ... attempts at their unauthorized use ...
  Identity Management Impact: Intrusion detection, lockout and alarms must be in place.
• (e) ... Initial and periodic testing ... password information ...
  Identity Management Impact: Strong password quality controls must be applied both initially and over time.
4 Impact of 21 CFR 11 on Identity Management

The impact of 21 CFR 11 on identity management systems and processes can be summarized in the following requirements:

• User identification
  – Users must sign into closed systems, and closed systems must verify that the users are authorized to do so. Login IDs and passwords are one of the suitable authentication technologies.
  – Login IDs must be unique, and must unambiguously identify a user.
• User enrollment and administration
  – There must be strong, integrated business and technical processes to grant, authorize and revoke access to users of closed systems. These controls must include time-stamped audit logs.
  – The process of enrolling users in a closed system must be no less secure than the systems' internal processes. Enrollment must be grounded in sound identification of users, and clear connection of pre-enrollment identity to system identity.
• Authentication
  – User authentication to closed systems, and to secured parts of open systems, must be reliable.
  – Sharing of login credentials is forbidden.
  – Password quality must be verified when new passwords are issued, and when users change their passwords. Users must periodically change their passwords.
  – Strong password quality controls must be applied both initially and over time.
• Incident response
  – Reasonable procedures must be in place to respond to suspected or reported ID compromises.
  – Intrusion detection, lockout and alarms must be in place.
• Vendor qualification
  – Software and hardware vendors must have suitable education and experience before they can provide closed systems.
These requirements can be translated into a set of required technical features from a user provisioning system and a password management system:

User identification

  Requirement: Users must sign into closed systems, and closed systems must verify that the users are authorized to do so. Login IDs and passwords are one of the suitable authentication technologies.
  IdM system feature: The IdM system must integrate with systems that have login IDs and authenticators, including passwords.

  Requirement: Login IDs must be unique, and must unambiguously identify a user.
  IdM system feature: The identity management system must be able to assign globally unique login IDs to new users.

User enrollment and administration

  Requirement: There must be strong, integrated business and technical processes to grant, authorize and revoke access to users of closed systems. These controls must include time-stamped audit logs.
  IdM system feature: User administration must either be directly linked to an existing authoritative system, such as a human resources (HR) system, and automatically provision users, or a workflow system must accept requests from, and ensure that it receives appropriate authorizations from, business users.

  Requirement: The process of enrolling users in a closed system must be no less secure than the systems' internal processes. Enrollment must be grounded in sound identification of users, and clear connection of pre-enrollment identity to system identity.
  IdM system feature: Activation of new users must be secure.

Authentication

  Requirement: User authentication to closed systems, and to secured parts of open systems, must be reliable.
  IdM system feature: Strong passwords, tokens and biometrics may be used both by the IdM system and by managed systems.

  Requirement: Sharing of login credentials is forbidden.
  IdM system feature: Credentials must be managed easily enough to eliminate any desire by users to share them.

  Requirement: Password quality must be verified when new passwords are issued, and when users change their passwords. Users must periodically change their passwords.
  IdM system feature: New passwords must be subject to a strength policy, as must changed passwords. Password aging must be enforced.

  Requirement: Strong password quality controls must be applied both initially and over time.
  IdM system feature: New passwords must be subject to a strength policy, as must changed passwords. Password aging must be enforced.

Incident response

  Requirement: Reasonable procedures must be in place to respond to suspected or reported ID compromises.
  IdM system feature: It must be easy to quickly identify every system account that belongs to a given user, and disable them all.

  Requirement: Intrusion detection, lockout and alarms must be in place.
  IdM system feature: Failed authentication attempts should trigger an intruder lockout and an alarm.

Vendor qualification

  Requirement: Software and hardware vendors must have suitable education and experience before they can provide closed systems.
  IdM system feature: Vendors must be audited for business processes that support 21 CFR 11 compliance.
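The feature list above, as an added worked example that is not part of this Hitachi ID document and is not code from any Hitachi ID product: a small Python identity store that implements the controls the list asks for in one place, so the reader can see how they fit together. It assigns globally unique login IDs, applies a strength and history policy to new and changed passwords, enforces password aging, records a time-stamped audit entry for every enrollment, grant, password change, lockout and disable, locks an account and raises an alarm after repeated failed logins, and can find and disable every account a user holds on every managed system. The class and function names, the thresholds (three failed logins, 90-day aging, five-entry history) and the sample systems are assumptions chosen for illustration.

```python
"""Toy identity store showing the controls 21 CFR 11 calls for: unique login
IDs, password strength/history/aging, a time-stamped audit trail, intruder
lockout with an alarm, and disabling every account a user holds.
Added example, not Hitachi ID code; names, thresholds and systems are assumed."""
import hashlib
import os
import re
from datetime import datetime, timedelta, timezone

MAX_FAILED_LOGINS = 3                  # assumed lockout threshold, 11.300(d)
PASSWORD_MAX_AGE = timedelta(days=90)  # assumed aging interval, 11.300(b)
PASSWORD_HISTORY = 5                   # assumed number of old hashes kept
T0 = datetime(2024, 1, 1, tzinfo=timezone.utc)  # constructed reference time


def _digest(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def password_violations(password, history):
    """Policy violations for a proposed password; an empty list means OK."""
    problems = []
    if len(password) < 12:
        problems.append("shorter than 12 characters")
    if not re.search(r"(?=.*[A-Z])(?=.*[a-z])(?=.*\d)", password):
        problems.append("needs upper-case, lower-case and a digit")
    if any(_digest(password, salt) == d for salt, d in history):
        problems.append("reused from password history")
    return problems


class IdentityStore:
    def __init__(self, alarm):
        self.alarm = alarm   # callback invoked with a message on lockout
        self.audit = []      # (UTC timestamp, actor, action, subject) per change
        self.users = {}      # login_id -> state dict
        self.accounts = {}   # (system, login_id) -> enabled flag

    def _log(self, actor, action, subject):
        self.audit.append((datetime.now(timezone.utc), actor, action, subject))

    def enroll(self, actor, first, last, initial_password, now):
        base = (first[0] + last).lower()   # globally unique login ID: first
        login, n = base, 1                 # initial + surname, numbered on clash
        while login in self.users:
            n += 1
            login = f"{base}{n}"
        self.users[login] = {"history": [], "changed": now, "failed": 0,
                             "locked": False, "must_change": True}
        bad = self.set_password(login, initial_password, now, initial=True)
        if bad:                            # refuse enrollment with a weak password
            del self.users[login]
            raise ValueError(bad)
        self._log(actor, "enroll", login)
        return login

    def set_password(self, login, new_password, now, initial=False):
        u = self.users[login]
        bad = password_violations(new_password, u["history"])
        if bad:
            return bad
        salt = os.urandom(16)
        u["history"] = (u["history"] + [(salt, _digest(new_password, salt))])[-PASSWORD_HISTORY:]
        u["changed"], u["must_change"] = now, initial   # initial passwords must be changed
        self._log(login, "password_change", login)
        return []

    def grant(self, actor, login, system):
        self.accounts[(system, login)] = True
        self._log(actor, "grant", f"{system}/{login}")

    def authenticate(self, login, password, now):
        """Return 'ok', 'must_change', 'expired', 'locked' or 'denied'."""
        u = self.users.get(login)
        if u is None or u["locked"]:
            return "denied" if u is None else "locked"
        salt, digest = u["history"][-1]
        if _digest(password, salt) != digest:
            u["failed"] += 1
            if u["failed"] >= MAX_FAILED_LOGINS:
                u["locked"] = True
                self.alarm(f"intruder lockout on {login}")
                self._log("system", "lockout", login)
            return "locked" if u["locked"] else "denied"
        u["failed"] = 0
        if u["must_change"]:
            return "must_change"
        return "expired" if now - u["changed"] > PASSWORD_MAX_AGE else "ok"

    def disable_user(self, actor, login):
        # find every enabled account of the user on every system and disable it
        systems = sorted(s for (s, l), on in self.accounts.items() if l == login and on)
        for s in systems:
            self.accounts[(s, login)] = False
            self._log(actor, "disable", f"{s}/{login}")
        self.users[login]["locked"] = True
        return systems
```

The `audit` list stands in for the time-stamped audit trail Section 11.10(e) asks for; a production deployment would write it to append-only storage and feed the `alarm` callback into the help desk or SIEM rather than a Python list. The `now` argument is passed explicitly so password aging can be exercised without waiting 90 days.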
5 Hitachi ID Solutions Meeting 21 CFR 11 Requirements

5.1 The Hitachi ID Identity Management Suite

The Hitachi ID Identity Management Suite includes:

• Hitachi ID Password Manager: The Total Password Management Solution

  Password Manager is an integrated solution for managing user credentials, across multiple systems and applications. Organizations depend on Password Manager to simplify the management of those credentials for users, to reduce IT support cost and to improve the security of login processes.

  Password Manager includes password synchronization, self-service password reset, enterprise single sign-on, PIN resets for tokens and smart cards, enrollment of security questions and biometrics and emergency recovery of full disk encryption keys.

  Password Manager reduces the cost of password management using:
  – Password synchronization, which reduces the incidence of password problems for users.
  – Self-service password reset, which empowers users to resolve their own problems rather than calling the help desk.
  – Streamlined help desk password reset, to expedite resolution of password problem calls.

  Password Manager strengthens security by providing:
  – A powerful password policy engine.
  – Effective user authentication, especially prior to password resets.
  – Password synchronization, to help eliminate written-down passwords.
  – Delegated password reset privileges for help desk staff.
  – Accountability for all password changes.
  – Encryption of all transmitted passwords.

  To find out more about Password Manager, visit http://Hitachi-ID.com/Password-Manager.

• Hitachi ID Identity Manager: The User Provisioning and Access Management Solution

  Identity Manager is an integrated solution for managing identities and security entitlements across multiple systems and applications. Organizations depend on Identity Manager to ensure that users get security entitlements quickly, are always assigned entitlements appropriate to their needs and in compliance with policy and are deactivated reliably and completely when they leave the organization.

  Identity Manager implements the following business processes to drive changes to users and entitlements on systems and applications:
  – Automation: grant or revoke access based on data feeds.
  – Synchronization: keep identity attributes consistent across applications.
  – Self-service: empower users to update their own profiles.
  – Delegated administration: allow business stake-holders to request changes directly.
  – Certification: invite managers and application owners to review and correct entitlements.
  – Workflow: invite business stake-holders to approve or reject requested changes.

  Identity Manager strengthens security by:
  – Quickly and reliably removing access to all systems and applications when users leave an organization.
  – Finding and helping to clean up orphan and dormant accounts.
  – Assigning standardized access rights, using roles and rules, to new and transitioned users.
  – Enforcing policy regarding segregation of duties and identifying users who are already in violation.
  – Ensuring that changes to user entitlements are always authorized before they are completed.
  – Asking business stake-holders to periodically review user entitlements and either certify or remove them, as appropriate.
  – Reducing the number and scope of administrator-level accounts needed to manage user access to systems and applications.
  – Providing readily accessible audit data regarding current and historical security entitlements, including who requested and approved every change.

  Identity Manager reduces the cost of managing users and security entitlements:
  – Auto-provisioning and auto-deactivation leverage data feeds from HR systems to eliminate routine, manual user setup and tear-down.
  – Self-service eliminates IT involvement in simple updates to user names, phone numbers and addresses.
  – Delegated administration moves the responsibility for requesting and approving common changes, such as for new application or folder access, to business users.
  – Identity synchronization means that corrections to user information can be made just once, on an authoritative system and are then automatically copied to other applications.
  – Built-in reports make it easier to answer audit questions, such as “who had access to this system on this date?” or “who authorized this user to have this entitlement?”

5.2 Meeting 21 CFR 11 Requirements

As described in Section 4 on Page 6, 21 CFR 11 requires an extensive set of capabilities in systems used by pharmaceutical companies and related parties. The following list captures the technical identity management capabilities required to meet 21 CFR 11 requirements:
Required IdM feature: The IdM system must integrate with systems that have login IDs and authenticators, including passwords.
  Supporting Hitachi ID products: Password Manager, Identity Manager
  Details: The Hitachi ID Identity Management Suite has built-in support for over 60 types of target systems, plus a set of flexible agents designed to accelerate integration with custom and vertical market applications.

Required IdM feature: The identity management system must be able to assign globally unique login IDs to new users.
  Supporting Hitachi ID products: Identity Manager
  Details: A plugin system and an automatically updated identity cache ensure that all new login IDs are globally unique.

Required IdM feature: Automated (de-)provisioning
  Supporting Hitachi ID products: Identity Manager
  Details: Automated polling of user profile data from authoritative systems such as HR or corporate directories. Rules-based filtering and transformation of this data into automatic updates to target systems, and into open security change requests submitted to an authorization workflow.

Required IdM feature: A security workflow
  Supporting Hitachi ID products: Identity Manager
  Details: Self-service administration of users, accounts, attributes, group memberships and resource access privileges. Users sign in and submit change requests, which are automatically routed, authorized and applied to managed systems.

Required IdM feature: Activation of new users must be secure.
  Supporting Hitachi ID products: Identity Manager, Password Manager
  Details: New users are typically activated using a secure (HTTPS-based, authenticated) workflow system. Only the requester, who is typically the new user's manager, knows the initial password, and users are normally forced to change their password immediately after their first login. Registration of biometrics is actively managed and secured by Password Manager.

Required IdM feature: Strong passwords, tokens and biometrics may be used both by the IdM system and by managed systems.
  Supporting Hitachi ID products: Password Manager, Identity Manager
  Details: Both products support user authentication using strong passwords, tokens, biometrics and PKI certificates. Password Manager also enforces password quality on managed systems.

Required IdM feature: Credentials must be managed easily enough to eliminate any desire by users to share them.
  Supporting Hitachi ID products: Password Manager, Identity Manager
  Details: Password synchronization and self-service token management simplify password complexity, and reduce the need for written and shared passwords. A security workflow and automated provisioning make user administration simple, and so eliminate a barrier to making security requests for new users.

Required IdM feature: New passwords must be subject to a strength policy, as must changed passwords. Password aging must be enforced.
  Supporting Hitachi ID products: Password Manager
  Details: A built-in password policy engine includes over 60 types of rules, plus a regular expression engine, a plugin system, enterprise-wide password aging and open-ended password history.

Required IdM feature: It must be easy to quickly identify every system account that belongs to a given user, and disable them all.
  Supporting Hitachi ID products: Password Manager, Identity Manager
  Details: An auto-discovery process collects login ID, group membership and attribute data from managed systems nightly. A reconciliation process connects login IDs across systems to individual users, to support global management of passwords, access rights and reporting.

Required IdM feature: Failed authentication attempts should trigger an intruder lockout and an alarm.
  Supporting Hitachi ID products: Password Manager, Identity Manager
  Details: Both products include a system-wide intrusion detection system, with lockouts and alarms via e-mail, help desk call tracking systems, SMS messages and more.

Required IdM feature: Vendors must be audited for business processes that support 21 CFR 11 compliance.
  Supporting Hitachi ID products: Hitachi ID
  Details: Hitachi ID has been audited for 21 CFR 11 compliance by Pfizer, Abbott Labs, GE Medical and others.
6 Summary

As described in this document, 21 CFR 11 introduces formal requirements for companies, such as pharmaceuticals, that must provide signed electronic documents to the FDA.

The Hitachi ID identity management suite includes robust, secure, scalable and deployable technology to implement identity management processes that meet these requirements.

www.Hitachi-ID.com
500, 1401 - 1 Street SE, Calgary AB Canada T2G 2J3
Tel: 1.403.233.0740 Fax: 1.403.233.0725 E-Mail: sales@Hitachi-ID.com
File: /pub/wp/idsynch/documents/21cfr11/mtech-21cfr11-1.tex Date: November 22, 2003