
Section 2: How to Configure System Security in Windows for GxP Compliance

Introduction – System Security


If you are operating in a 21 CFR Part 11 compliant laboratory, setting up Windows security becomes a major component of setting up your system. Below are some key takeaways we think will help ensure that you, the administrator, set up your Windows security correctly.

For additional 21 CFR Part 11 implementation guidance, see the Version Control Compliance Guide. Version Control was built to meet FDA guidelines for GMP/GLP labs, from image acquisition to analysis.

Who is this for

  • Quality, Research & Development Manager

Windows System Security

 

Before reading the document, please note that the key takeaways we provide represent our advice on how, with regard to the regulation, you can implement your Windows security to help compliance with 21 CFR Part 11. We do not represent any government agency and nothing in this guide should be taken as fact. The regulations we provide are true to the publishing date.

 

Regulation

Subpart B – Electronic Records

Sec. 11.10 Controls for closed systems.

(c) Protection of records to enable their accurate and ready retrieval throughout the records retention period.

Key Takeaway

  • Define record retention period.

Regulation

Subpart B – Electronic Records

Sec. 11.10 Controls for closed systems.

(e) Use of secure, computer-generated, time-stamped audit trails to independently record the date and time of operator entries and actions that create, modify, or delete electronic records. Recorded changes shall not obscure previously recorded information. Such audit trail documentation shall be retained for a period at least as long as that required for the subject electronic records and shall be available for agency review and copying.

Key Takeaway

  • Use Microsoft Windows clock synchronization among all computers in the application.
  • Change the policy setting to determine which users can adjust the time on the device's internal clock and time zone.

Regulation

Subpart B – Electronic Records

Sec. 11.10 Controls for closed systems.

(k) Use of appropriate controls over systems documentation including:
(1) Adequate controls over the distribution of, access to, and use of documentation for system operation and maintenance.
(2) Revision and change control procedures to maintain an audit trail that documents time-sequenced development and modification of systems documentation.

Key Takeaway

  • Maintain history of all the security changes.

Regulation

Subpart B – Electronic Records

Sec. 11.70 Record and Signature Linking

Electronic signatures and handwritten signatures executed to electronic records shall be linked to their respective electronic records to ensure that the signatures cannot be excised, copied, or otherwise transferred to falsify an electronic record by ordinary means.

Key Takeaway

  • Configure system to prevent any deletion or unauthorized copying of files.

Regulation

Subpart B – Electronic Records

Sec. 11.200 Electronic Signature Components and Controls

(ii) When an individual executes one or more signings not performed during a single, continuous period of controlled system access, each signing shall be executed using all of the electronic signature components.

Key Takeaways

  • Use Microsoft Windows password-protected screen saver for inactivity.

Regulation

Subpart B – Electronic Records

Sec. 11.300 Controls for identification codes/passwords.

(d) Use of transaction safeguards to prevent unauthorized use of passwords and/or identification codes, and to detect and report in an immediate and urgent manner any attempts at their unauthorized use to the system security unit, and, as appropriate, to organisational management.

Key Takeaway

Key Takeaways

User Rights

  • Use Microsoft Windows clock synchronization among all computers in the application.
  • Change the policy setting to determine which users can adjust the time on the device's internal clock and time zone.

System Security

  • Prevent the last logged-on user name from being displayed in the Log On to Windows dialog box.
  • Enable automatic lockout after a permitted number of unsuccessful login attempts.
  • Disable group logon.
  • Configure system to prevent any deletion or unauthorized copying of files.
  • Use Microsoft Windows password-protected screen saver for inactivity.
  • Maintain history of all the security changes.
  • Disable automatic login.
  • Enable automatic log-out after a set amount of time of inactivity.
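
A read-only PowerShell check of several settings from the User Rights and System Security lists, added here as an example (it is not TotalLab's own code). The two thresholds and the set of groups treated as too broad for the "Change the system time" right are assumptions; the screen-saver value is read from the policy hive of the user running the script.

```powershell
# Added example: reports settings only, changes nothing. Run in an elevated session.
$MaxLockoutAttempts = 5     # assumption: take the real limit from your SOP
$MaxIdleSeconds     = 900   # assumption: 15 minutes

function Get-RegValue([string]$Path, [string]$Name) {
    # Returns $null when the key or value does not exist
    (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
}
function Test-Setting($Check, $Value, [bool]$Pass) {
    [pscustomobject]@{ Check = $Check; Value = $Value; Pass = $Pass }
}

# Export local security policy (lockout, user rights) to a temporary INF file
$inf = Join-Path $env:TEMP 'secpol-check.inf'
secedit /export /cfg $inf /areas SECURITYPOLICY USER_RIGHTS /quiet | Out-Null
$sec = Get-Content $inf -ErrorAction SilentlyContinue
Remove-Item $inf -ErrorAction SilentlyContinue

function Get-SecValue([string]$Key) {
    # INF lines look like "LockoutBadCount = 5"
    $line = $sec | Where-Object { $_ -match "^\s*$Key\s*=" } | Select-Object -First 1
    if ($line) { ($line -split '=', 2)[1].Trim() }
}

$polSys   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$ssPolicy = 'HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop'

$lastUser  = Get-RegValue $polSys 'DontDisplayLastUserName'
$autoLogon = Get-RegValue $winlogon 'AutoAdminLogon'         # '1' = automatic login
$idle      = Get-RegValue $polSys 'InactivityTimeoutSecs'    # machine inactivity limit
$ssSecure  = Get-RegValue $ssPolicy 'ScreenSaverIsSecure'    # '1' = password on resume
$lockout   = [int](Get-SecValue 'LockoutBadCount')           # 0 = never lock out
$timeSvc   = (Get-Service -Name W32Time).Status
# Holders of "Change the system time"; flag Everyone, Authenticated Users, Users
$holders   = @((Get-SecValue 'SeSystemtimePrivilege') -split ',' | ForEach-Object { $_.Trim('* ') })
$tooBroad  = $holders | Where-Object { $_ -in 'S-1-1-0', 'S-1-5-11', 'S-1-5-32-545' }

@(
    Test-Setting 'Last user name hidden at logon' $lastUser ($lastUser -eq 1)
    Test-Setting 'Automatic login disabled' $autoLogon ($autoLogon -ne '1')
    Test-Setting 'Account lockout threshold' $lockout ($lockout -ge 1 -and $lockout -le $MaxLockoutAttempts)
    Test-Setting 'Session locks after inactivity' $idle ($idle -gt 0 -and $idle -le $MaxIdleSeconds)
    Test-Setting 'Password-protected screen saver' $ssSecure ($ssSecure -eq '1')
    Test-Setting 'Windows Time service running' $timeSvc ($timeSvc -eq 'Running')
    Test-Setting 'Change system time restricted' ($holders -join ', ') (-not $tooBroad)
) | Format-Table -AutoSize
```

An empty Value column means the setting is not configured on that machine, which the script reports as a failed check except for automatic login, where an absent value means it is off.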

SOPs

  • Define record retention period.
  • Backup, recovery, archive and restore.
  • SOP to cover operation of capture equipment.
  • SOP for the periodic review of system access logs against list of users.

What’s next?

Setting up your system and permissions for 21 CFR Part 11 compliance can be an easy process, and our guidelines above can be used as a starting point for your compliance needs. If you would like a demonstration of Version Control to help your compliance with 21 CFR Part 11, get in touch.