
CFR Part 11 vs ISO 27001


Mapping: CFR Part 11 requirement / ISO 27001 clause / ISO objective

Controls for closed and open systems

1. CFR Part 11: Validation of systems to ensure accuracy, reliability, consistent intended performance, and the ability to discern invalid or altered records.
   ISO clause: A.12 Operations security (12.4.1)
   ISO objective: To record events and generate evidence.

2. CFR Part 11: The ability to generate accurate and complete copies of records in both human readable and electronic form suitable for inspection, review, and copying by the agency. Persons should contact the agency if there are any questions regarding the ability of the agency to perform such review and copying of the electronic records.
   ISO clause: A.17 Information security aspects of business continuity management
   ISO objective: The organization shall determine its requirements for information security and the continuity of information security management in adverse situations.

3. CFR Part 11: Protection of records to enable their accurate and ready retrieval throughout the records retention period.
   ISO clause: A.8 Asset management (8.3), A.18 Compliance (18.1.3)
   ISO objective: To prevent unauthorized disclosure, modification, removal or destruction of information stored on media. Records shall be protected from loss, destruction, falsification, unauthorized access and unauthorized release, in accordance with legislatory, regulatory, contractual and business requirements.

4. CFR Part 11: Limiting system access to authorized individuals.
   ISO clause: A.9 Access control
   ISO objective: To ensure authorized user access and to prevent unauthorized access to systems and services.

5. CFR Part 11: Use of secure, computer-generated, time-stamped audit trails to independently record the date and time of operator entries and actions that create, modify, or delete electronic records. Record changes shall not obscure previously recorded information. Such audit trail documentation shall be retained for a period at least as long as that required for the subject electronic records and shall be available for agency review and copying.
   ISO clause: A.12 Operations security (12.4.1, 12.4.2, 12.4.3)
   ISO objective: To record events and generate evidence.

6. CFR Part 11: Use of operational system checks to enforce permitted sequencing of steps and events, as appropriate.
   ISO clause: A.12 Operations security (12.7.1)
   ISO objective: Audit requirements and activities involving verification of operational systems shall be carefully planned and agreed to minimize disruptions to business processes.

7. CFR Part 11: Use of authority checks to ensure that only authorized individuals can use the system, electronically sign a record, access the operation or computer system input or output device, alter a record, or perform the operation at hand.
   ISO clause: A.9 Access control, Audit, A.12 Operations security (12.4.1)
   ISO objective: To ensure authorized user access and to prevent unauthorized access to systems and services. To record events and generate evidence.

8. CFR Part 11: Use of device (e.g., terminal) checks to determine, as appropriate, the validity of the source of data input or operational instruction.
   ISO clause: A.14 System acquisition, development and maintenance
   ISO objective: Information involved in application service transactions shall be protected to prevent incomplete transmission, mis-routing, unauthorized message alteration, unauthorized disclosure, unauthorized message duplication or replay.

9. CFR Part 11: Determination that persons who develop, maintain, or use electronic record/electronic signature systems have the education, training, and experience to perform their assigned tasks.
   ISO clause: A.7 Human resources security (7.2) - competence of employee
   ISO objective: To ensure that employees and contractors are aware of and fulfill their information security responsibilities.

10. CFR Part 11: The establishment of, and adherence to, written policies that hold individuals accountable and responsible for actions initiated under their electronic signatures, in order to deter record and signature falsification.
    ISO clause: A.7 Human resources security (7.2.3), A.9 Access control (9.3.1)
    ISO objective: To ensure that employees and contractors are aware of and fulfill their information security responsibilities. To make users accountable for safeguarding their authentication information.

11. CFR Part 11: Adequate controls over the distribution of, access to, and use of documentation for system operation and maintenance.
    ISO clause: A.9 Access control (9.1.2, 9.4.1)
    ISO objective: To limit access to information and information processing facilities.

12. CFR Part 11: Revision and change control procedures to maintain an audit trail that documents time-sequenced development and modification of systems documentation.
    ISO clause: A.12 Operations security (12.4.1)
    ISO objective: To record events and generate evidence.

13. CFR Part 11: Electronic signatures based upon biometrics shall be designed to ensure that they cannot be used by anyone other than their genuine owners.
    ISO clause: A.10 Cryptography (10.1.1), A.9 Access control (9.1.1)
    ISO objective: To ensure proper and effective use of cryptography to protect the confidentiality, authenticity and/or integrity of information. To limit access to information and information processing facilities.

Controls for identification codes/passwords

14. CFR Part 11: Maintaining the uniqueness of each combined identification code and password, such that no two individuals have the same combination of identification code and password.
    ISO clause: A.9 Access control (9.4.3)
    ISO objective: Password management systems shall be interactive and shall ensure quality passwords.

15. CFR Part 11: Ensuring that identification code and password issuances are periodically checked, recalled, or revised (e.g., to cover such events as password aging).
    ISO clause: A.9 Access control (9.4.3)
    ISO objective: Password management systems shall be interactive and shall ensure quality passwords.

16. CFR Part 11: Following loss management procedures to electronically deauthorize lost, stolen, missing, or otherwise potentially compromised tokens, cards, and other devices that bear or generate identification code or password information, and to issue temporary or permanent replacements using suitable, rigorous controls.
    ISO clause: A.9 Access control (9.4.3)
    ISO objective: Password management systems shall be interactive and shall ensure quality passwords.

17. CFR Part 11: Use of transaction safeguards to prevent unauthorized use of passwords and/or identification codes, and to detect and report in an immediate and urgent manner any attempts at their unauthorized use to the system security unit, and, as appropriate, to organizational management.
    ISO clause: A.14 System acquisition, development and maintenance (14.1.3), A.12 Operations security (12.4.3)
    ISO objective: Information involved in application service transactions shall be protected to prevent incomplete transmission, mis-routing, unauthorized message alteration, unauthorized disclosure, unauthorized message duplication or replay. System administrator and system operator activities shall be logged and the logs protected and regularly reviewed.

18. CFR Part 11: Initial and periodic testing of devices, such as tokens or cards, that bear or generate identification code or password information to ensure that they function properly and have not been altered in an unauthorized manner.
    ISO clause: A.12 Operations security (12.4.1)
    ISO objective: To record events and generate evidence.

Ref: https://www.ecfr.gov/current/title-21/chapter-I/subchapter-A/part-11
