Understanding FDA CFR IT Requirements

How to bring your network and data into compliance with Title 21 Code of Federal Regulations (CFR) Part 11

Background

Title 21 Code of Federal Regulations (CFR) Part 11 regulates the United States’ Food and Drug Administration’s electronic records and signatures by outlining the criteria in which they are considered to be trustworthy and reliable. In effect since August 1997 and often referred to as Part 11, this regulation applies to electronic records that are created, modified, maintained, archived, retrieved, or transmitted.

Those subject to Part 11 include manufacturers of food and color additives, animal food additives, human and animal drugs, medical devices for human use, biological products, electronic products and any other FDA-regulated industries. They are required to implement access controls, including audits, system validations, audit trails, electronic signatures, and documentation involved in processing electronic records.

How Varonis Applies to Part 11

Varonis provides a comprehensive system for meeting the information protection controls as they apply to unstructured and semi-structured electronic records, that is, the contents of file servers. In particular, Varonis solutions ensure that access and use of sensitive and important personal electronic records residing on these servers are automatically ratcheted down to need-to-know, and that use of sensitive electronic records is continuously monitored so that organizations have an accurate audit of electronic data use and user access behavior at all times.

Varonis has created a fully integrated suite of products which furnish a complete framework for managing, securing and reporting on all aspects of unstructured and semi structured electronic data use. They are: DatAdvantage, DataPrivilege, DatAlert, IDU Classification Framework, DatAnywhere, and DatAnswers

Key IT Requirements

The following is a table containing sections of Part 11. Where applicable is an explanation describing how Varonis solutions can help maintain that electronic records are trustworthy and reliable.

Requirement Description Varonis Product/Feature
Subpart B – Electronic RecordsSec. 11.10 Controls for closed systemsPersons who use closed systems to create, modify, maintain, or transmit electronic records shall employ procedures and controls designed to ensure the authenticity, integrity, and, when appropriate, the confidentiality of electronic records, and to ensure that the signer cannot readily repudiate the signed record as not genuine. Such procedures and controls shall include the following: (a) Validation of systems to ensure accuracy, reliability, consistent intended performance, and the ability to discern invalid or altered records. Data MaintenanceDatAdvantage audits and stores any file system activity – in a searchable format – for information stored on file servers and Network Attached Storage (NAS) devices, providing assurance that basic preventive controls (permissions) are in place and correctly configured, and detective controls through auditing and analysis of data use. DatAdvantage provides a detailed record of files server contents and how they are used including: files containing sensitive data, folders, access privileges to sensitive files and folders (i.e. a user’s or groups NTFS permissions), data use by username of group name (i.e. create, open, delete, rename), and allows to detect likely business owners of data.
(c) Protection of records to enable their accurate and ready retrieval throughout the records retention period. Sensitive and Confidential DataThe Data Classification Framework incorporates content classification information produced by looking within files to find key words, phrases and patterns (i.e., regular expressions) that are of interest to the organization. The IDU Classification Framework also identifies the highest concentrations of sensitive data that are most at risk and provides a clear methodology to safely remediate that risk without manual effort.
(d) Limiting system access to authorized individuals. Access ControlsUse DatAdvantage to run reports to identify, prioritize, and remediate excessive access to sensitive, high-risk data.DataPrivilege helps define the policies and processes that govern who can access, and who can grant access to unstructured data, but it also enforces the workflow and the desired action to be taken (i.e. allow, deny, allow for a certain time period). This has a two-fold effect on the consistent and broad communication of the access policy: it unites all of the parties responsible including data owners, auditors, data users AND IT around the same set of information and it allows organizations to continually monitor the access framework in order to make changes and optimize both for Dodd Frank and for continuous enforcement of warranted access.With DatAdvantage and DataPrivilege, compliance officers and auditors can receive regular reports of data use and access activity of privileged and protected information to ensure compliant use and safekeeping.
(e) Use of secure, computer-generated, time-stamped audit trails to independently record the date and time of operator entries and actions that create, modify, or delete electronic records. Record changes shall not obscure previously recorded information. Such audit trail documentation shall be retained for a period at least as long as that required for the subject electronic records and shall be available for agency review and copying. DatAdvantage helps organizations examine and audit the use of privileged access accounts to detect and prevent abuse. With a continual audit record of all file, email, SharePoint, and Active Directory activity, DatAdvantage provides visibility into administrative users’ actions. The log can be viewed interactively or via email reports.DatAdvantage can also identify when users have administrative rights they do not use or need and provides a way to safely remove excess privileges without impacting the business. Through DataPrivilege, membership in administrative groups can be tightly controlled, audited and reviewed.DatAlert can be configured to send real-time alerts on a number of actions including the granting of administrative rights to a user or group. This allows the organization to detect, in real-time, when privileged access has been granted erroneously and act before abuse occurs.
(f) Use of operational system checks to enforce permitted sequencing of steps and events, as appropriate.(g) Use of authority checks to ensure that only authorized individuals can use the system, electronically sign a record, access the operation or computer system input or output device, alter a record, or perform the operation at hand.(h) Use of device (e.g., terminal) checks to determine, as appropriate, the validity of the source of data input or operational instruction.(i) Determination that persons who develop, maintain, or use electronic record/electronic signature systems have the education, training, and experience to perform their assigned tasks.(j) The establishment of, and adherence to, written policies that hold individuals accountable and responsible for actions initiated under their electronic signatures, in order to deter record and signature falsification.(k) Use of appropriate controls over systems documentation including:(1) Adequate controls over the distribution of, access to, and use of documentation for system operation and maintenance.(2) Revision and change control procedures to maintain an audit trail that documents time-sequenced development and modification of systems documentation. Varonis ensures the success of audits and examinations and can demonstrate effectiveness of security, operational integrity in a number of ways: Varonis recommends the revocation of permissions to data for those users who do not have a business need to the data – this ensures that user access to data is always warranted and driven by least privilege Varonis generates reports showing the history of permission revocations and the percentages by which overly permissive access was reduced Varonis DataPrivilege provides a mechanism via a web-based portal which allows to monitor and administer (allow/deny) all access requests to unstructured data. Requestors, data owners, technical controllers, financial controllers are all united in communication and action through this system. With regard to requests to access unstructured data on file shares, all actions taken and rationale for them are recorded. Further, a workflow is enforced (i.e. requests to financial folders go straight to the business owner).Via these capabilities, entities can demonstrate a historical and sustained enforcement of least privilege access and its effects.
Sec. 11.30 Controls for open systems. Persons who use open systems to create, modify, maintain, or transmit electronic records shall employ procedures and controls designed to ensure the authenticity, integrity, and, as appropriate, the confidentiality of electronic records from the point of their creation to the point of their receipt. Such procedures and controls shall include those identified in 11.10, as appropriate, and additional measures such as document encryption and use of appropriate digital signature standards to ensure, as necessary under the circumstances, record authenticity, integrity, and confidentiality. ConfidentialityPart of the Data Center’s general duties is to ensure that sensitive data remains confidential and unpublished. Appointed to uphold this responsibility is the Information Security Director.The Varonis IDU Classification Framework helps identify sensitive content within the unstructured data of the Data Center, determine who has access to it, who is using it, and who should be responsible (data owners) – all of which are also reportable.Authenticity & IntegrityVaronis ensures the success of audits and examinations and can demonstrate effectiveness of security, operational integrity in a number of ways: Varonis recommends the revocation of permissions to data for those users who do not have a business need to the data – this ensures that user access to data is always warranted and driven by least privilege Varonis generates reports showing the history of permission revocations and the percentages by which overly permissive access was reduced Varonis DataPrivilege provides a mechanism via a web-based application by which to monitor, administer (allow/deny) all access requests to unstructured data. Requestors, data owners, technical controllers, financial controllers are all united in communication and action through this system. With regard to requests to access unstructured data on file shares, all actions taken and rationale for them are recorded. Further, a workflow is enforced (i.e. requests to financial folders go straight to the business owner). Via these capabilities, entities can demonstrate a historical and sustained enforcement of least privilege access and its effects.

Request a demo

Interested in finding out how Varonis can help with your compliance initiatives?

Request a demo

Or contact sales at 877-292-8767