Regulatory Open Forum

  • 1.  21 Part 11

    Posted 17-Nov-2019 21:16
    Dear RAPS Community,

    Could any of you please explain to me the intent of the subsections of Part 11 below:

    Sec. 11.200 Electronic signature components and controls.

    (a)(3) Be administered and executed to ensure that the attempted use of an individual's electronic signature by anyone other than its genuine owner requires the collaboration of two or more individuals.

    Sec. 11.300 Controls for identification codes/passwords.

    (b) Ensuring that identification code and password issuances are periodically checked, recalled, or revised (e.g., to cover such events as password aging). (Whether or not we MUST rotate/cycle passwords.)

    (e) Initial and periodic testing of devices, such as tokens or cards, that bear or generate identification code or password information to ensure that they function properly and have not been altered in an unauthorized manner.

    Please accept my thanks in advance for your time and efforts.

    Bhupinder Singh

    ------------------------------
    Bhupinder Singh
    QA/RA Manager (RAC)
    San Jose CA
    United States
    ------------------------------


  • 2.  RE: 21 Part 11

    Posted 18-Nov-2019 03:03
    Hello,

    Below are extracts from the Federal Register. Hope it will help.

    § 11.300(b) addresses periodic issuance changes to ensure against their having been unknowingly compromised. This provision would be met by ensuring that people change their passwords periodically.

    For password aging: The agency cautions, however, that the example should not be taken to mean that password expiration would be the only rationale for revising, recalling, and checking issuances. If, for example, identification codes and passwords have been copied or compromised, they should be changed.

     

    § 11.300(e): FDA wishes to clarify the reason for this proposed requirement, and to emphasize that proper device functioning includes, in addition to system access, the correctness of the identifying information and security performance attributes. Testing for system access alone could fail to discern significant unauthorized device alterations. If, for example, a device has been modified to change the identifying information, system access may still be allowed, which would enable someone to assume the identity of another person. In addition, devices may have been changed to grant individuals additional system privileges and action authorizations beyond those granted by the organization. Of lesser significance would be simple wear and tear on such devices, which result in reduced performance. For instance, a bar code may not be read with the same consistent accuracy as intended if the code becomes marred, stained, or otherwise disfigured. Access may be granted, but only after many more scannings than desired. The agency expects that device testing would detect such defects. Because validation of electronic signature systems would not cover unauthorized device modifications, or subsequent wear and tear, validation would not obviate the need for periodic testing.

    ------------------------------
    Juliette Schenin-King
    GxP Lead Auditor
    Rosny-Sous-Bois
    France
    ------------------------------



  • 3.  RE: 21 Part 11

    Posted 18-Nov-2019 10:39
    Thanks, Juliette,

    I appreciate your time and efforts.

    Bhupinder

    ------------------------------
    Bhupinder Singh
    QA/RA Manager (RAC)
    San Jose CA
    United States
    ------------------------------