How to Configure System Security in Windows for GxP Compliance

Section 2


Introduction – Electronic Signature Requirements

If you are operating a 21 CFR Part 11 compliant laboratory, Windows security becomes a major component of setting up your system. Below are some key takeaways that we think will help ensure that you, the administrator, set up your Windows security correctly.

For additional 21 CFR Part 11 implementation guidance, see the Version Control Compliance Guide. Version Control was built to meet FDA guidelines for GMP/GLP labs, from image acquisition to analysis.

Who is this for

  • Quality, Research & Development Manager

Windows System Security

Before reading this document, please note that the key takeaways we provide represent our advice on how you can implement your Windows security to help with compliance with the 21 CFR Part 11 regulations. We do not represent any government agency, and nothing in this guide should be taken as fact. The regulations we quote are accurate as of the publishing date.

Regulation (Subpart B – Electronic Records) and Key Takeaway

Regulation: Sec. 11.10 Controls for closed systems.

(c) Protection of records to enable their accurate and ready retrieval throughout the records retention period.

Key takeaway: Define record retention period.

Regulation: 11.10 Controls for closed systems.

(e) Use of secure, computer-generated, time-stamped audit trails to independently record the date and time of operator entries and actions that create, modify, or delete electronic records. Recorded changes shall not obscure previously recorded information. Such audit trail documentation shall be retained for a period at least as long as that required for the subject electronic records and shall be available for agency review and copying.

Key takeaways:

  • Use Microsoft Windows clock synchronization among all computers in the application.
  • Change the policy setting to determine which users can adjust the time on the device's internal clock and time zone.

Regulation: Sec. 11.10 Controls for closed systems.

(k) Use of appropriate controls over systems documentation including: (1) Adequate controls over the distribution of, access to, and use of documentation for system operation and maintenance. (2) Revision and change control procedures to maintain an audit trail that documents time-sequenced development and modification of systems documentation.

Key takeaway: Maintain history of all the security changes.

Regulation: Sec. 11.70 Record and Signature Linking

Electronic signatures and handwritten signatures executed to electronic records shall be linked to their respective electronic records to ensure that the signatures cannot be excised, copied, or otherwise transferred to falsify an electronic record by ordinary means.

Key takeaway: Configure system to prevent any deletion or unauthorized copying of files.

Regulation: 11.200 Electronic Signature Components and Controls

(ii) When an individual executes one or more signings not performed during a single, continuous period of controlled system access, each signing shall be executed using all of the electronic signature components.

Key takeaway: Use Microsoft Windows password-protected screen saver for inactivity.

Regulation: Sec. 11.300 Controls for identification codes/passwords.

(d) Use of transaction safeguards to prevent unauthorized use of passwords and/or identification codes, and to detect and report in an immediate and urgent manner any attempts at their unauthorized use to the system security unit, and, as appropriate, to organisational management.

Key takeaways:

  • Enable automatic lockout after a permitted number of unsuccessful login attempts.
  • Prevent the last logged-on user name from being displayed in the Log On to Windows dialog box.
  • Disable automatic login.
  • Disable password auto-save.

Key Takeaways

User Rights

  • Use Microsoft Windows clock synchronization among all computers in the application.
  • Change the policy setting to determine which users can adjust the time on the device's internal clock and time zone.

System Security

  • Prevent the last logged-on user name from being displayed in the Log On to Windows dialog box.
  • Enable automatic lockout after a permitted number of unsuccessful login attempts.
  • Disable group logon.
  • Configure system to prevent any deletion or unauthorized copying of files.
  • Use Microsoft Windows password-protected screen saver for inactivity.
  • Maintain history of all the security changes.
  • Disable automatic login.
  • Enable automatic log-out after a set amount of time of inactivity.
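
The following PowerShell audit is an added example, not part of the original guide or of Version Control. It reads the local settings behind the User Rights and System Security takeaways and reports pass or fail for each. It must run from an elevated prompt, and the thresholds and the allow-list of accounts permitted to change the system time are assumed values that you should replace with the ones in your own SOP.

```powershell
# Added example: read-only audit of the local settings listed above (run elevated).
# $MaxAttempts, $MaxIdleSecs and $AllowedTimeSids are assumed values; set them from your SOP.
$MaxAttempts = 5; $MaxIdleSecs = 900
$AllowedTimeSids = '*S-1-5-19', '*S-1-5-32-544'   # LOCAL SERVICE, Administrators

# Export account policy and user rights to a temporary INF file and parse "key = value" lines.
$inf = Join-Path $env:TEMP 'secpol-audit.inf'
secedit /export /cfg $inf /areas SECURITYPOLICY USER_RIGHTS /quiet
$policy = @{}
foreach ($line in Get-Content $inf) {
    if ($line -match '^\s*([^=\[]+?)\s*=\s*(.*)$') { $policy[$Matches[1]] = $Matches[2].Trim() }
}
Remove-Item $inf -Force

function Get-RegValue([string]$Path, [string]$Name) {
    (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
}
function New-Check($Name, $Value, [bool]$Pass) {
    [pscustomobject]@{ Check = $Name; Value = $Value; Pass = $Pass }
}
$sys  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$logn = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$scr  = 'HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop'  # GPO value, current user

$lockout   = [int]$policy['LockoutBadCount']                    # 0 = lockout disabled
$idle      = [int](Get-RegValue $sys 'InactivityTimeoutSecs')   # 0 = no machine inactivity limit
$hideUser  = Get-RegValue $sys 'dontdisplaylastusername'
$autoLogon = Get-RegValue $logn 'AutoAdminLogon'
$storedPw  = $null -ne (Get-RegValue $logn 'DefaultPassword')   # plaintext auto-logon password
$secureSs  = Get-RegValue $scr 'ScreenSaverIsSecure'
$timeSids  = @($policy['SeSystemtimePrivilege'] -split ',' | Where-Object { $_ })
$extraSids = @($timeSids | Where-Object { $_ -notin $AllowedTimeSids })
$w32Up     = (Get-Service W32Time).Status -eq 'Running'
$source    = if ($w32Up) { (w32tm /query /source | Out-String).Trim() } else { 'W32Time not running' }
$synced    = $w32Up -and $source -notmatch 'Local CMOS Clock|Free-running System Clock'

$results = @(
    New-Check 'Lockout after failed logons'    $lockout   ($lockout -gt 0 -and $lockout -le $MaxAttempts)
    New-Check 'Last user name hidden'          $hideUser  ($hideUser -eq 1)
    New-Check 'Automatic logon disabled'       $autoLogon ($autoLogon -ne '1' -and -not $storedPw)
    New-Check 'Screen saver requires password' $secureSs  ($secureSs -eq '1')
    New-Check 'Machine inactivity limit set'   $idle      ($idle -gt 0 -and $idle -le $MaxIdleSecs)
    New-Check 'Change system time restricted'  ($timeSids -join ',') ($extraSids.Count -eq 0)
    New-Check 'Clock synchronized'             $source    $synced
)
$results | Format-Table -AutoSize
```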

SOPs

  • Define record retention period.
  • Backup, recovery, archive and restore.
  • SOP to cover operation of capture equipment.
  • SOP for the periodic review of system access logs against list of users.

What's next?

Setting up your system and permissions for 21 CFR Part 11 compliance can be an easy process, and our guidelines above can be used as a starting point for your compliance needs. If you would like a demonstration of Version Control to help your compliance with 21 CFR Part 11, get in touch.
