On 10/14/06, Lan Barnes <[EMAIL PROTECTED]> wrote:

On Fri, Oct 13, 2006 at 05:23:05PM -0700, Jason Kraus wrote:
> Hello all,
>
> Recently this year the FDA published a new 21 CFR 11 guideline. For those
> that don't know, this standard primarily deals with security regarding
> electronic documents and signatures. One of the recent
> additions/clarifications is that an electronic signature cannot be falsified
> by a single person. Most software that claims to be 21 CFR 11 compliant does
> not do this. After all, much of this software has a root account that has
> full access to the system and does not implement any safeguards against root
> forging signatures. I was contemplating how it would be done and I was
> thinking perhaps using PGP signatures.
>
> I have two questions: what do you guys think? And does Compiere have the
> feature to somehow PGP sign (or something equivalent) actions done by a
> user? The reason why I am interested in Compiere is that I know that it is
> being used in an FDA regulated environment and it seems to be the only open
> source ERP software in that environment.
>

We do what we call "Part 11" signatures at my work in SAP and other
tools. I was unaware of the requirement that no single person could
change it, and I'd like to read it in the original (not doubting you,
just want to know what they really want).

In practice we do userid/passwd under M$, so it's probably changeable by
anyone savvy and on your network :-(

--
Lan Barnes
Linux Guy, SCM Specialist
Tcl/Tk Enthusiast

Anyone who doesn't believe in miracles isn't a realist.
                         - Billy Wilder


--
[email protected]
http://www.kernel-panic.org/cgi-bin/mailman/listinfo/kplug-list


Sure thing:

http://www.access.gpo.gov/nara/cfr/waisidx_06/21cfr11_06.html - Check out
11.200. The actual wording is

"Be administered and executed to ensure that attempted use of an
individual's electronic signature by anyone other than its genuine owner
requires collaboration of two or more individuals."


Perhaps I interpreted this wrong? It seems somewhat illogical as others have
pointed out, there are other kinks in the system that could be exploited by
one person. I believe the purpose of this requirement is such that the
administrator can't simply forge signatures/documents using the powers given
to them.

Note that the change just happened this year (April 1, 2006). I got this
link from an FDA page (
http://www.accessdata.fda.gov/scripts/cdrh/cfdocs/cfCFR/CFRSearch.cfm?CFRPart=11)
where it says: 'The most recent Title 21 CFR information can be found at:
http://www.access.gpo.gov' <http://www.access.gpo.gov/cgi-bin/cfrassemble.cgi?title=200621>.
