FDA Regulations for Pharma Companies
Companies in the pharmaceutical business that operate in the US market have regulatory standards they must comply with. The ones that concern electronic records and signatures are set out in Title 21 of the Code of Federal Regulations, Part 11 (21 CFR Part 11). This is particularly relevant to Indian companies that have acquired US pharma companies or are present in generics or bulk drug formulations, and it extends even to biotech companies and other companies that undertake contract manufacturing for US pharmaceutical companies.
FDA 21 CFR Part 11 became effective in August 1997 and affects companies in all FDA-regulated industries, including, but not limited to, bio-pharmaceuticals (human and veterinary), personal care products, medical devices, and food and beverage. The regulation specifies the FDA's requirements for accepting electronic records in lieu of paper records, and electronic signatures in lieu of handwritten signatures. So far, FDA auditing efforts have mostly focused on manufacturing, clinical trials and drug development.
FDA 21 CFR Part 11 key requirements:
FDA 21 CFR Part 11 outlines procedures and controls for ensuring the authenticity, integrity, non-repudiation and, where appropriate, confidentiality of electronic records and signatures. The controls differentiate between "closed systems" and "open systems". The distinction is about who controls access, not about network topology: in a closed system, access is controlled by the persons who are responsible for the content of the records, while in an open system it is not. A typical closed system is an information system contained within an organization's own local area network or intranet; a system that exchanges records over the Internet with parties outside the organization's control is an open system.
The controls for open systems essentially state that "Persons who use open systems to create, modify, maintain, or transmit electronic records shall employ procedures and controls designed to ensure the authenticity, integrity, and confidentiality of electronic records from the point of their creation to the point of receipt, and as appropriate, additional measures such as encryption and digital signature standards". In practice this means that a record leaving the organization's controlled environment must be protected so that the recipient can verify who created it and that it was not altered in transit.
Key IT Security Requirements of FDA 21 CFR Part 11
1. Manage access rights in distributed and networked environments.
2. Confirm only authorized users have access to sensitive information and systems.
3. Prevent unauthorized access to computer system resources.
4. Prevent unauthorized access to information held in application systems.
5. If digital signatures are used within the organization, the controls require that the signature system be effectively managed, secured and kept up to date.
6. Put procedures, processes and systems in place to ensure system integrity.
7. Enforce data integrity and privacy while in transit.
Best Practices Approach
The following is a "best practices" approach to securing the "inner" network from internal threats, which is one part of achieving regulatory compliance. These steps, coupled with an adequate external perimeter defense, establish and maintain a secure "trusted" internal network environment.
1. Define which security relationships are needed, that is, which systems and user groups must communicate with which others, and over what services.
2. Segregate the network into security zones to facilitate easier management.
3. Enforce the established security relationships within and across the security zones.
4. Perform regular network audits to verify that the security relationships are actually enforced.
5. Update security relationships as business needs or compliance issues dictate.
6. Provide an audit trail and reporting to satisfy regulatory compliance audits.
For more information, visit the FDA’s CFR database section’s Part 11, which deals with electronic records and electronic signatures.
http://www.fda.gov/ora/compliance_ref/part11/
Hope this information is useful,
oRiOn
