How to Configure System Security in Windows for GxP Compliance

If you are operating a laboratory that must comply with 21 CFR Part 11, then configuring Windows security becomes a major component of setting up your system. Below are some key takeaways we think will help ensure that you, the administrator, set up your Windows security correctly.

For additional 21 CFR Part 11 implementation guidance, see our 21 CFR Part 11 Compliance Guide, and explore our GxP Module software, which was built to meet FDA guidelines for GMP/GLP labs from image acquisition to analysis.

Please note, before reading the following, that the key takeaways we provide represent our advice regarding the regulations and how you can implement your electronic signatures to help achieve compliance with 21 CFR Part 11. We do not represent any government agency, and nothing in this guide should be taken as fact. The regulation text we quote is accurate as of the publishing date.

Subpart B – Electronic Records
Sec. 11.10 Controls for closed systems

Regulation
(c) Protection of records to enable their accurate and ready retrieval throughout the records retention period.

Key Takeaways
• Define the record retention period.

Regulation
(e) Use of secure, computer-generated, time-stamped audit trails to independently record the date and time of operator entries and actions that create, modify, or delete electronic records. Recorded changes shall not obscure previously recorded information. Such audit trail documentation shall be retained for a period at least as long as that required for the subject electronic records and shall be available for agency review and copying.

Key Takeaways
• Use Microsoft Windows clock synchronization among all computers in the application so that audit-trail timestamps agree across systems.
• Change the policy settings that determine which users can adjust the time and time zone of the device's internal clock.

Regulation
(k) Use of appropriate controls over systems documentation including:
(1) Adequate controls over the distribution of, access to, and use of documentation for system operation and maintenance.
(2) Revision and change control procedures to maintain an audit trail that documents time-sequenced development and modification of systems documentation.

Key Takeaways
• Maintain a history of all security changes.


Subpart B – Electronic Records
Sec. 11.70 Record and Signature Linking

Regulation
Electronic signatures and handwritten signatures executed to electronic records shall be linked to their respective electronic records to ensure that the signatures cannot be excised, copied, or otherwise transferred to falsify an electronic record by ordinary means.

Key Takeaways
• Configure the system to prevent any deletion or unauthorized copying of files.


Subpart B – Electronic Records
Sec. 11.200 Electronic Signature Components and Controls

Regulation
(ii) When an individual executes one or more signings not performed during a single, continuous period of controlled system access, each signing shall be executed using all of the electronic signature components.

Key Takeaways
• Use the Microsoft Windows password-protected screen saver to lock the session after a period of inactivity.


Subpart B – Electronic Records
Sec. 11.300 Controls for identification codes/passwords

Regulation
(d) Use of transaction safeguards to prevent unauthorized use of passwords and/or identification codes, and to detect and report in an immediate and urgent manner any attempts at their unauthorized use to the system security unit, and, as appropriate, to organisational management.

Key Takeaways
• Enable automatic account lockout after a permitted number of unsuccessful logon attempts.
• Prevent the Last Logged-On User Name from being displayed in the Log On to Windows dialog box.
• Disable automatic login.
• Disable password auto.
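The takeaways for Sec. 11.10(e), 11.200 and 11.300 above all map to concrete Windows settings that an administrator can verify. The read-only audit script below is an added example, not part of the original guide or its software; the thresholds (a 15-minute lock, 5 failed attempts) are assumptions to be replaced with the values in your own SOP, and the `net accounts` parsing assumes English system output.

```powershell
# Added example: read-only audit of the Windows settings behind the Key Takeaways.
# Run in an elevated PowerShell session. Thresholds below are assumptions; set them per your SOP.
$MaxInactivitySeconds = 900   # assumed: lock after 15 minutes idle
$MaxFailedLogons      = 5     # assumed: lock out after 5 failed attempts

function Get-RegValue($Path, $Name) {
    # Returns $null when the key or value is absent instead of throwing.
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name } catch { $null }
}

$findings = @()

# Sec. 11.200: the session must lock after inactivity (policy key overrides the user key).
$ssPolicy = 'HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop'
$ssUser   = 'HKCU:\Control Panel\Desktop'
$timeout  = (Get-RegValue $ssPolicy 'ScreenSaveTimeOut'), (Get-RegValue $ssUser 'ScreenSaveTimeOut') |
            Where-Object { $_ } | Select-Object -First 1
$secure   = (Get-RegValue $ssPolicy 'ScreenSaverIsSecure'), (Get-RegValue $ssUser 'ScreenSaverIsSecure') |
            Where-Object { $_ } | Select-Object -First 1
if (-not $secure -or [int]$secure -ne 1) { $findings += 'Screen saver does not require a password on resume' }
if (-not $timeout -or [int]$timeout -gt $MaxInactivitySeconds) {
    $findings += "Screen saver timeout is '$timeout' s (limit $MaxInactivitySeconds)"
}

# Sec. 11.300(d): account lockout, hidden last user name, no automatic logon.
$lockoutLine = net accounts | Select-String 'Lockout threshold'
$threshold   = ("$lockoutLine" -split ':')[-1].Trim()
if (-not $threshold -or $threshold -eq 'Never' -or [int]$threshold -gt $MaxFailedLogons) {
    $findings += "Account lockout threshold is '$threshold' (limit $MaxFailedLogons)"
}

$sysPolicy = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
if ((Get-RegValue $sysPolicy 'DontDisplayLastUserName') -ne 1) { $findings += 'Last logged-on user name is displayed at logon' }

$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
if ((Get-RegValue $winlogon 'AutoAdminLogon') -eq '1') { $findings += 'AutoAdminLogon is enabled' }
if (Get-RegValue $winlogon 'DefaultPassword')           { $findings += 'A clear-text DefaultPassword is stored for automatic logon' }

# Sec. 11.10(e): time synchronisation must be running so audit-trail timestamps agree.
$w32 = Get-Service -Name W32Time -ErrorAction SilentlyContinue
if (-not $w32 -or $w32.Status -ne 'Running') { $findings += 'Windows Time service (W32Time) is not running' }

if ($findings) { $findings | ForEach-Object { Write-Output "FAIL: $_" } }
else           { Write-Output 'PASS: all checked settings meet the assumed thresholds' }
```

Each FAIL line names the setting to correct through Group Policy or Local Security Policy; keep the script output with your change history to support the Sec. 11.10(k) takeaway.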