| 21 CFR 11 Section | 21 CFR 11 Text | eInfotree Compliance | eInfotree Implementation |
| --- | --- | --- | --- |
| 11.200(a)(2) | Be used only by their genuine owners; and | Not Applicable | Each Userid and password combination is created for the sole use of the genuine owner. Corporate policy would govern the use and protection of this combination by each user. |
| 11.200(a)(3) | Be administered and executed to ensure that attempted use of an individual's electronic signature by anyone other than its genuine owner requires collaboration of two or more individuals. | | Collaboration of two or more individuals would be required to falsify an electronic signature. |
| 11.200(b) | Electronic signatures based upon biometrics shall be designed to ensure that they cannot be used by anyone other than their genuine owners. | Not Applicable | eInfotree does not use biometrics, but can accommodate their use. |
| 11.300 - Controls for identification codes/passwords. | | | |
| 11.300 | Persons who use electronic signatures based upon use of identification codes in combination with passwords shall employ controls to ensure their security and integrity. Such controls shall include: | | Refer to Sections 11.300(a) to 11.300(e) below. |
| 11.300(a) | Maintaining the uniqueness of each combined identification code and password, such that no two individuals have the same combination of identification code and password. | | Uniqueness of each userid and password combination is enforced. |
| 11.300(b) | Ensuring that identification code and password issuances are periodically checked, recalled, or revised (e.g., to cover such events as password aging) | | User templates define a password aging period that can be applied to users. Passwords expire at the end of this password aging period and must be revised. |
| 11.300(c) | Following loss management procedures to electronically deauthorize lost, stolen, missing, or otherwise potentially compromised tokens, cards, and other devices that bear or generate identification code or password information, and to issue temporary or permanent replacements using suitable, rigorous controls. | | The eInfotree administrator has authority to disable user accounts and to reset passwords. Users are required to modify their passwords immediately on login following a password reset. |
| 11.300(d) | Use of transaction safeguards to prevent unauthorized use of passwords and/or identification codes, and to detect and report in an immediate and urgent manner any attempts at their unauthorized use to the system security unit, and, as appropriate, to organizational management. | | User templates define the number of invalid login attempts for notification. Configured system administrators/users are notified once these criteria are met. System knowledge of a person's unavailability can be used to disable user accounts for specific time-periods. |
| 11.300(e) | Initial and periodic testing of devices, such as tokens or cards, that bear or generate identification code or password information to ensure that they function properly and have not been altered in an unauthorized manner. | Not Applicable | Procedural Control. |