| Section | Requirement | eFront |
| 11.10 (b) | The system shall generate accurate and complete copies of records in human readable and electronic form suitable for inspection, review and copying | Advanced reports, generated dynamically, include records of user progress and performance. Reports can be downloaded as a CSV. |
| 11.10 (d) | The system shall limit system access to authorized individuals. | Access rights and permissions are controlled by user types. Users must log on in order to gain access to the portal and the features/options available to their specific user type. Additional security steps have been incorporated, tailored for 21 CFR Part 11, e.g. enforce strong password, force password change upon initial login, hide reset password link. Passwords are stored hashed rather than encrypted, so recovering them is impossible. |
| 11.10 (e) | The system shall employ secure, computer-generated date/time stamped audit trails to independently record operator entries and actions that create, modify, or delete electronic records, without obscuring previously recorded information. | Actions performed on eFront are recorded and included in the timeline of each user, containing a timestamp. Timelines can be exported and saved to CSV. |
| 11.10 (f) | The system shall enforce required steps and events sequencing, as appropriate (e.g., key steps cannot be bypassed or similarly compromised). | eFront enforces specific steps when applying certain operations, and each operation triggers a standard set of events that are logged and can be later reviewed. |
| 11.10 (g) | The system shall ensure that only authorized individuals can use the system, electronically sign a record, access the operations or computer system input or output device, alter a record, or perform the operation at hand. | Custom user types to authorize permissions and control access rights. Branches, sub-branches, can also control what users can view depending on the branch they are in. Actions performed by users are recorded on the timeline including changes made to records and performing various tasks. |
| 11.10 (h) (1) | The system shall determine, as appropriate, the validity of the source of data input or operational instruction. | Can restrict IP access and file type extensions, to control the validity of data sources. Can include an SSL certificate to ensure all communication is performed over https, thereby eliminating the ability of unauthorized data modification during transmission. CSRF filters are built-in to defend against this type of attack. |
| 11.50 (a) (1), (2), (3) | The system shall ensure all signed electronic records contain the printed name of the signer, date/time signature was executed, and the meaning associated with the signature (e.g. approval, responsibility, authorship). | The timeline on eFront records the actions performed, the name of the associated user and their formatted name. |
| 11.50 (b) | The system shall ensure the three signature elements (described in the previous requirement) of a signed electronic record are a part of any human readable form of the electronic record (e.g. electronic display or printout). | The three signature items are included in all audit trail reports. |
| 11.70 (a) | The system shall ensure electronic signatures are linked to their respective electronic records and that these electronic signatures cannot be excised, copied, or otherwise transferred to falsify an electronic record by ordinary means. | Electronic signatures are linked and protected by user name and password protection. The electronic records can not be manipulated, copied, transferred or falsified. |
| 11.100 (a) | The system shall ensure that each electronic signature is unique to one individual and shall not be reused by, or reassigned to, anyone else. | Unique usernames are enforced by eFront. |
| 11.200 (a) (1) | The system shall employ at least two distinct identification components such as an identification code and a password. | The system uses a username/password combination for authentication. Passwords can be hardened to prevent brute-force attacks through configurable password complexity rules.
Additionally, Multi-Factor Authentication (MFA) can be enabled to require a second authentication factor during login. This additional verification layer further strengthens user identity validation and helps ensure compliance with electronic signature security requirements. |
| 11.200 (a) (1) (i) | The system requires the use of all electronic signature components for the first signing during a single continuous period of controlled system access. | All sessions begin with user authentication using their login credentials. When Multi-Factor Authentication is enabled, users must also verify their identity using the configured second factor during login.
The validity of the authenticated session is then verified on each request. |
| 11.200 (a) (1) (i) | The system shall allow all subsequent signing during the same continuous period of controlled system access to use at least one electronic signature component. | The system will continue to use the originating user id of each request after the first to maintain the security of the session. In addition, CSRF filters ensure that access is not a result of an unauthorized access attempt, via the user's active session. |
| 11.200 (a) (1) (i) | The system shall ensure users are timed out during periods of specified inactivity. | The system allows administrators to configure session timeout intervals. Users are automatically logged out after the defined inactivity period, ensuring that unattended sessions cannot be misused. |
| 11.200 (a) (1) (ii) | The system shall require the use of all electronic signature components for the signings not executed during a single continuous period of controlled system access. | Users must be re-authenticated for each new session using their authentication credentials. When Multi-Factor Authentication is enabled, the second authentication factor must also be verified during login. |
| 11.200 (a) (3) | The system shall require all attempted uses of an individual’s electronic signature by anyone other than its genuine owner to require a collaboration of two or more individuals. | Electronic signatures are unique to each user account and cannot be shared. System policies and authentication controls help prevent unauthorized use of credentials.
Access privileges are managed through role-based permissions, and administrative oversight is required for privileged account management. |
| 11.300 (a) | The system shall require that each combination of identification code and password is unique, such that no two individuals have the same combination of identification code and password. | On eFront, the identification code (username) can not be duplicated, so the combination of identification code and password will always be unique. |
| 11.300 (b) | The system shall require that passwords be periodically revised. | eFront allows administrators to configure a password lifetime interval, after which users are required to change their password. Additionally, the system supports password history enforcement, preventing users from reusing previously used passwords for a configurable number of password changes. This helps ensure that newly selected passwords differ from previously used credentials and strengthens overall password security. |
| 11.300 (d) | The system shall employ transaction safeguards preventing the unauthorized use of password and/or identification codes. | eFront includes multiple safeguards to prevent unauthorized access, including:
These mechanisms significantly reduce the risk of credential misuse. |
| 11.300 (d) | The system shall detect and report unauthorized use of password and/or identification codes to specified units. | When an account is suspended after multiple failed attempts, the event is logged to timeline. |
eFront - How may we help you?
Was this article helpful?
Recently viewed articles