| 11.10 (b) |
The system shall generate accurate and complete copies of records in human readable and electronic form suitable for inspection, review and copying |
Advanced reports, generated dynamically, include records of user progress and performance. Reports can be downloaded as an EXCEL. |
| 11.10 (d) |
The system shall limit system access to authorized individuals. |
Access rights and permissions are controlled by user types. Users must log on in order to gain access to the portal and the features/options available to their specific user type. Additional security steps have been incorporated, tailored for 21 CFR Part 11, e.g. enforce strong password, force password change upon initial login, hide reset password link. Passwords are stored hashed rather than encrypted, so recovering them is impossible. |
| 11.10 (e) |
The system shall employ secure, computer-generated date/time stamped audit trails to independently record operator entries and actions that create, modify, or delete electronic records, without obscuring previously recorded information. |
Actions performed on eFront are recorded and included in the timeline of each user, containing a timestamp. Timelines can be exported and saved to EXCEL. |
| 11.10 (f) |
The system shall enforce required steps and events sequencing, as appropriate (e.g., key steps cannot be bypassed or similarly compromised). |
eFront enforces specific steps when applying certain operations, and each operation triggers a standard set of events that are logged and can be later reviewed. |
| 11.10 (g) |
The system shall ensure that only authorized individuals can use the system, electronically sign a record, access the operations or computer system input or output device, alter a record, or perform the operation at hand. |
Custom user types to authorize permissions and control access rights. Branches, sub-portals, can also control what users can view depending on the branch they are in. Actions performed by users are recorded on the timeline including changes made to records and performing various tasks. |
| 11.10 (h) (1) |
The system shall determine, as appropriate, the validity of the source of data input or operational instruction. |
Can restrict IP access and file type extensions, to control the validity of data sources. Can include an SSL certificate to ensure all communication is performed over https, thereby eliminating the ability of unauthorized data modification during transmission. CSRF filters are built-in to defend against this type of attack. |
| 11.50 (a) (1), (2), (3) |
The system shall ensure all signed electronic records contain the printed name of the signer, date/time signature was executed, and the meaning associated with the signature (e.g. approval, responsibility, authorship). |
The timeline on eFront records the actions performed, the name of the associated user and their username. |
| 11.50 (b) |
The system shall ensure the three signature elements (described in the previous requirement) of a signed electronic record are a part of any human readable form of the electronic record (e.g. electronic display or printout). |
The three signature items are included in all audit trail reports. |
| 11.70 (a) |
The system shall ensure electronic signatures are linked to their respective electronic records and that these electronic signatures cannot be excised, copied, or otherwise transferred to falsify an electronic record by ordinary means. |
Electronic signatures are linked and protected by user name and password protection. The electronic records can not be manipulated, copied, transferred or falsified. |
| 11.100 (a) |
The system shall ensure that each electronic signature is unique to one individual and shall not be reused by, or reassigned to, anyone else. |
Unique usernames are enforced by eFront. |
| 11.200 (a) (1) |
The system shall employ at least two distinct identification components such as an identification code and a password. |
The system uses a login/pass combination for authorization. The password may be “hardened” so as to be impossible to be guessed by a brute-force attack. |
| 11.200 (a) (1) (i) |
The system requires the use of all electronic signature components for the first signing during a single continuous period of controlled system access. |
RAll sessions begin with a digital signing in the form of login/pass combination. The validity of the session is ensured on each request. |
| 11.200 (a) (1) (i) |
The system shall allow all subsequent signing during the same continuous period of controlled system access to use at least one electronic signature component. |
The system will continue to use the originating user id of each request after the first to maintain the security of the session. In addition, CSRF filters ensure that access is not a result of an unauthorized access attempt, via the user's active session. |
| 11.200 (a) (1) (i) |
The system shall ensure users are timed out during periods of specified inactivity. |
Time out can be set and enforced at any required interval. |
| 11.200 (a) (1) (ii) |
The system shall require the use of all electronic signature components for the signings not executed during a single continuous period of controlled system access. |
Users must be re-authenticated in each non-continuous period of system access using their electronic signature components. |
| 11.200 (a) (3) |
The system shall require all attempted uses of an individual’s electronic signature by anyone other than its genuine owner to require a collaboration of two or more individuals. |
No sharing of electronic signatures is permitted, except for the global administrator. |
| 11.300 (a) |
The system shall require that each combination of identification code and password is unique, such that no two individuals have the same combination of identification code and password. |
On eFront, the identification code (username) can not be duplicated, so the combination of identification code and password will always be unique. |
| 11.300 (b) |
The system shall require that passwords be periodically revised. |
eFront allows to specify a lifetime interval for passwords, after which the user must pick another password. |
| 11.300 (d) |
The system shall employ transaction safeguards preventing the unauthorized use of password and/or identification codes. |
eFront includes advanced safeguards to prevent unauthorized users, such as restricted IPs. It also enforces best practices on password handling like advanced complexity and immediate change upon first login. It will also temporarily suspend an account after multiple failed sign-in attempts. |
| 11.300 (d) |
The system shall detect and report unauthorized use of password and/or identification codes to specified units. |
When an account is suspended after multiple failed attempts, administrators are alerted. |
