Adobe Sign and 21 CFR Part 11

Transcription

1 Adobe Sign and 21 CFR Part 11 Today, organizations of all sizes are transforming manual paper-based processes into end-to-end digital experiences speeding signature processes by 500% with legal, trusted electronic signatures. Adobe Sign enables life science organizations to digitize signing processes from document creation, collaboration, and execution to archiving and management while securely handling large volumes of e-signature processes including: Table of contents 1: Overview of 21 CFR Part 11 2: Controls for closed systems 6: Controls for open systems 6: Requirements for executing electronic signatures 10: Work with the digital document leader Managing user identities with role-based authentication Certifying document integrity Verifying e-signatures Maintaining audit trails Integrating with critical business apps and enterprise systems Adobe Sign meets or can be configured to meet compliance requirements for many industry and regulatory standards, including United States (U.S.) Federal Regulation Title 21, Chapter 1, Part 11 commonly referred to as 21 CFR Part 11. Backed by hundreds of security features, processes, and controls, Adobe Sign is compliant with rigorous security standards, including SOC 2 Type 2 (Security & Availability), ISO 27001:2013, PCI DSS, and SAFE-BioPharma. This paper presents a detailed explanation of how Adobe Sign complies with 21 CFR Part 11. For additional technical detail on applicable information system controls in place, the latest Adobe Document Cloud SOC 2 Type 2 attestation report is available upon request from your Adobe account representative. Overview of 21 CFR Part CFR Part 11 defines the requirements for electronic document and signature submissions to the U.S. Food and Drug Administration (FDA). This law specifically details FDA regulations for electronic records, electronic signatures, and handwritten signatures executed to electronic records to be trustworthy, reliable, and generally equivalent to paper records and handwritten signatures executed on paper. 21 CFR Part 11 mandates that life science organizations using electronic signatures meet three distinct categories of compliance requirements: 1. Security for closed systems 2. Security for open systems 3. Requirements for executing an electronic signature Under 21 CFR Part 11, a system is defined as either closed or open. A closed system is an environment in which system access is controlled by the individuals who are responsible for the content of the electronic records that are in the system. Conversely, an open system is an environment in which system access is not controlled by individuals who are responsible for the content of electronic records that are in the system. Adobe Sign is generally considered to be an open system; however, customers can also create a closed system for their organization where the customer administrators manage system access and individual users are responsible for the contents of the electronic records.

2 To better understand the compliance requirements of 21 CFR Part 11, the following sections provide detailed summaries of each regulatory clause and how Adobe Sign can be configured to comply with each element. Controls for closed systems Section Persons who use closed systems to create, modify, maintain, or transmit electronic records shall employ procedures and controls designed to ensure the authenticity, integrity, and, when appropriate, the confidentiality of electronic records, and to ensure that the signer cannot readily repudiate the signed record as not genuine. Such procedures and controls shall include the following: Subsection 11.10(a) Validation of systems to ensure accuracy, reliability, consistent intended performance, and the ability to discern valid or altered records. Adobe Sign implements strict system-level controls combined with document-level controls to ensure that documents have not been tampered with or altered without authorization during and after signing events. All documents are digitally sealed with an Adobe Certificate to provide proof of authenticity for the document when viewed through any PDF viewer. For additional technical detail, please see the Identity and Access Management (IAM), Backup Management (BM), and Systems Monitoring (SM) control activities section in the latest Document Cloud SOC 2 Type 2 attestation report. Subsection 11.10(b) The ability to generate accurate and complete copies of records in both human readable and electronic form suitable for inspection, review, and copying by the FDA. Adobe Sign provides the ability for authorized users to retrieve digitally signed copies of documents for review, and also provides a system-generated digital audit history of signing events as well as a certificate of completion. The complete version history of the signing process is captured and maintained securely within encrypted storage in the service to allow complete playback of the signature transaction from initiation to completion. All documents are made available in PDF format and can be viewed with a PDF viewer. Subsection 11.10(c) Protection of records to enable their accurate and ready retrieval throughout the records retention period. All Adobe Sign documents are encrypted and stored securely on servers in state-of-the-art data centers managed by trusted cloud service providers. A complete audit history is maintained, including dates, times, and who accessed documents. Documents can be downloaded by authorized users at any time during the retention period through a web browser. For additional technical detail, please see control activity DM in the latest Document Cloud SOC 2 Type 2 attestation report and ISO 27001:2013 annex controls A and A

3 Subsection 11.10(d) Limiting access to authorized individuals. Access to the Adobe Sign service is limited to users authorized by the customer system administrator. This ensures that only individuals authorized by the system administration are able to send out and view contents of electronic records. For signers, Adobe Sign supports separate identity verification and data-access authorization scenarios. Identity verification Adobe Sign supports several different forms of identity verification. An organization s account can be set up by the system administrator to mandate the use of any one of the following types of signer identity verification. The signer is prompted to verify their identity with the specified identity-verification method before they can access the document. There are five ways to verify the signer s identity: Digital certificate Adobe Sign may be used in conjunction with any of the leading providers of PKI digital certificates. Such certificates provide the highest possible security in ensuring signer identity as well as compliance with 21 CFR Part 11. Signing password This verification option requires that the signer enter a unique password before being allowed to sign an agreement. The password is set in advance by the person sending the document, and must be communicated to the signer(s) via a different communication system (e.g., mobile phone) before they can access the document. Knowledge-based authentication (KBA) This is a higher level of authentication in which the signer is asked a number of personal questions based on records kept in conjunction with their social security number, e.g., What is your mother s maiden name? The signer must answer all questions correctly or cannot sign the agreement. This option is currently only available for signers in the United States. Adobe Sign partners with LexisNexis to provide this capability. Web identity authentication This authentication method requires the signer to verify their identity by signing in to their account through one of the following services: Facebook, Google, LinkedIn, Twitter, Yahoo, or Microsoft Live. The public profile of the signer is captured as part of the audit history of the document. Signing in to Adobe Sign This verification option requires signers to log in to Adobe Sign with their username and password before being able to view or sign an agreement. Data access authorization Access to electronic records provided through Adobe Sign can also be restricted by placing a password on all signed documents. This option protects all PDF versions of the document. Any copy of the document is encrypted and is unable to be viewed until the password is supplied. Passwords must be communicated via a different communication system (e.g., mobile phone) to all relevant parties before they can open the document. These passwords are embedded into the PDF and are separate from the passwords used to log into Adobe Sign. Adobe Sign cannot recover document passwords. For additional technical detail, please see the Identity and Access Management (IAM) control activities section in the latest Document Cloud SOC 2 Type 2 attestation report. Subsection 11.10(e) Use of secure, computer-generated, time-stamped audit trails to independently record the date and time of operator entries and actions that create, modify, or delete electronic records. Any actions that result in the creation, modification, or deletion of an electronic record are audited and logged in the system. The audit information captures the date-time stamp of the action, the user ID of the person performing the action, the IP address from where the action was performed, and the geolocation (if available). The audit information is maintained in the secure system by Adobe Sign throughout the lifecycle of the documents. For additional technical detail, please see the Systems Monitoring (SM) control activities section in the latest Document Cloud SOC 2 Type 2 attestation report. 3

4 Subsection 11.10(e) Record changes shall not obscure previously recorded information. All actions pertinent to electronic records are logged in the system and maintained by the system. At every step of the process where an electronic record can be potentially modified, the system maintains a snapshot of the state of the record before and after the action. This allows complete recreation of the history of the electronic record. Subsection 11.10(e) Such audit trail documentation shall be retained for a period at least as long as that required for the subject electronic records and shall be available for FDA review and copying. Adobe Sign retains the complete audit history of the document for all transactions within the system. The audit records are maintained throughout the lifecycle of the electronic records. If records are archived, a digital audit history for each record is also available. Audit history is viewable electronically through the web browser and also available as a PDF document. The audit history is also digitally stamped with the Adobe Certificate to ensure that the history is tamper-proof. The record retention period is indefinite unless otherwise specified by the customer. For additional technical detail, please see the Systems Monitoring (SM) control activities section in the latest Document Cloud SOC 2 Type 2 attestation report. Subsection 11.10(f) Use of operational system checks to enforce permitted sequencing of steps and events, as appropriate. The Adobe Sign service allows organizations to define business processes, including sequencing of steps and events, as appropriate for their electronic records. These steps can be enforced throughout the organization to ensure consistency and compliance. Subsection 11.10(g) Use of authority checks to ensure that only authorized individuals can use the system, electronically sign a record, access the operation or computer system input or output device, alter a record, or perform the operation at hand. The Adobe Sign service can be accessed only by individuals authorized by the account administrator for an organization. In addition, the system can be restricted to limit signing authority for electronic records to select individuals within an organization. The identity of the signer can also be verified using one of the mechanisms supported by the service (see Subsection 11.10(d) ). An individual signer receives a secure URL link through when required to sign an agreement, and in addition to the URL link, the signer also needs to verify identity with the identity verification method required for the transaction. For additional technical detail, please see the Identity and Access Management (IAM) control activities section in the latest Document Cloud SOC 2 Type 2 attestation report. 4

5 Subsection 11.10(h) Use of device (e.g., terminal) checks to determine, as appropriate, the validity of the source of data input or operational instruction. No external devices can be connected directly to the Adobe Sign service. All user access to the service is through a secure web browser session. For additional control, system administrators can also define the sources of data input for electronic records. For additional technical detail, please see control activities NO and IAM in the latest Document Cloud SOC 2 Type 2 attestation report. Subsection 11.10(i) Determination that persons who develop, maintain, or use electronic record/electronic signature systems have the education, training, and experience to perform their assigned tasks. Customers are responsible for defining the Standard Operating Procedure (SOP) for their organization and training their employees according to these defined procedures. Adobe Sign provides standard administrative and user training that can be adapted for specific organizational needs. For additional technical detail, please see control activities TA and TA in the latest Document Cloud SOC 2 Type 2 attestation report. Subsection 11.10(j) Written policies shall be established that hold individuals accountable and responsible for actions initiated under their electronic signatures, in order to deter record and signature falsification. Customers are responsible for defining and documenting the SOP for their organization pertaining to electronic records and signatures. Adobe Sign client success and support representatives can assist the account administrators in configuring their accounts per their defined policies to ensure that individuals actions are limited per customer needs. It is the customer s responsibility to ensure that individual employees are properly trained. Subsection 11.10(k)(1) Use of appropriate controls shall be established over systems documentation, including adequate controls over the distribution of, access to, and use of documentation for system operation and maintenance. Customers are responsible for defining and maintaining access to their SOP documentation. For service-level changes that Adobe Sign performs, such as system maintenance, upgrades, and enhancements, Adobe Sign employs strict change-control practices to ensure that existing customer configurations are maintained. For additional technical detail, please see the Change Management (CHM) control activities section in the latest Document Cloud SOC 2 Type 2 attestation report. 5

6 Subsection 11.10(k)(2) Use of appropriate controls shall be established over systems documentation, including revision and change-control procedures to maintain a digital audit history that documents time-sequenced development and modification of systems documentation. Customers are responsible for defining and maintaining access to their SOP documentation. For service-level changes that Adobe Sign performs, such as system maintenance, upgrades, and enhancements, Adobe Sign maintains strict change-control practices to ensure that existing customer configurations are maintained. All system modifications are tested and validated on multiple internal systems before they get rolled out to the production environment, with pass/fail criteria defined for each stage. For additional technical detail, please see the Change Management (CHM) control activities section in the latest Document Cloud SOC 2 Type 2 attestation report. Controls for open systems Section The company shall employ procedures and controls designed to ensure the authenticity, integrity, and confidentiality of electronic records from the point of their creation to the point of their receipt. Such procedures and controls shall include those identified in 11.10, as appropriate and additional measures such as document encryption. In addition to all the controls highlighted in Section 11.10, Adobe Sign encrypts all electronic records at rest. All documents retrieved from Adobe Sign are protected with a tamper-evident digital seal to ensure integrity of the document. For additional technical detail, please see control activity DM in the latest Document Cloud SOC 2 Type 2 attestation report and ISO 27001:2013 annex controls A and A Requirements for executing electronic signatures Subsection 11.50(a) Signed electronic records shall contain information associated with the signing that clearly indicates the printed name of the signer, the date and time when the signature was executed, and the meaning (such as review, approval, responsibility, or authorship) associated with the signature. Every document signed with Adobe Sign automatically includes the name of the signer, the date and time of the signature, and the action performed by the user. In addition, the signature manifestation within the document includes a link to a web-based record of the complete audit trail for the electronically signed record. The audit history maintains additional information about each signer. The audit history can also be attached and included with the signed electronic record. Subsection 11.50(b) The items identified in Subsection 11.50(a) shall be subject to the same controls as those for electronic records and shall be included as part of any human readable form of the electronic record (such as electronic display or printout). The complete audit record for an electronic transaction is available in electronic format as a PDF. The audit record is also digitally sealed with an Adobe Certificate to ensure its integrity. 6

7 Section Electronic signatures and handwritten signatures executed to electronic records shall be linked to their respective electronic records to ensure that the signatures cannot be excised, copied, or otherwise transferred to falsify an electronic record by ordinary means. Adobe Sign maintains transactional integrity of the electronic record and the signatures associated with the electronic record. The service maintains strict operational and access controls to prevent tampering with electronic records to ensure that signatures cannot be excised, copied, or transferred. Subsection (a) Each electronic signature shall be unique to one individual and not reused by, or reassigned to, anyone else. Each user is uniquely identified within the system with their address. A signature is associated with a single user within the system. Adobe Sign can require each user to generate their own signature using a mouse (or finger) gesture to guarantee uniqueness of the signature. Subsection (b) Before an organization establishes, assigns, certifies, or otherwise sanctions the individual s electronic signature, or any element of such electronic signature, the organization shall verify the identity of the individual. Adobe Sign offers a variety of methods for verifying the identity of the signer prior to electronically signing the agreement. The mechanism available is listed in Subsection 11.10(d). An account can be configured to ensure that the right level of identity verification is mandated based on the organization s defined SOP. Subsection (c) Persons using electronic signatures shall, prior to or at the time of such use, certify to the FDA that the electronic signatures in their system, used on or after August 20, 1997, are intended to be the legally binding equivalent of traditional handwritten signatures. Prior to completing the signing process, users are presented with the terms of use and consumer disclosures, which they are required to accept before completing and electronically signing a document. The system can be configured to require users to explicitly accept and acknowledge the terms of use and consumer disclosures. For additional technical detail, please see control activity DM in the latest Document Cloud SOC 2 Type 2 attestation report. Subsection (c)(2) Persons using electronic signatures must, upon FDA request, provide additional certification or testimony that a specific electronic signature is the legally binding equivalent of the signer s handwritten signature. Adobe Sign s electronic signatures are legally binding and compliant with electronic signature regulations. Customers need to independently perform additional validations with the FDA. Adobe Sign assists customers with any additional documentation pertaining to the service as needed. Subsection (a)(1) Electronic signatures that are not based upon biometrics shall employ at least two distinct identification components such as an identification code and password. As described in Subsection 11.10(d), Adobe Sign employs a variety of methods to support identity verification of the signer. For an electronic signature, each signer receives a unique URL that includes an identification code sent to the signer s address. In addition to the unique URL, the signer must uniquely identify their identity based on the required mechanism specified for the electronic signature. 7

8 Subsection (a)(1)(i) When an individual executes a series of signings during a single, continuous period of controlled system access, the first signing shall be executed using all electronic signature components. Subsequent signings shall be executed using at least one electronic signature component that is only executable by, and designed to be used only by, the individual. Account administrators for the Adobe Sign service can set up accounts for users within their organization that need to electronically sign records. Each user is required to set up a unique password for their account before being able to use the service to electronically sign contracts and other types of documents. When signing an agreement, each user receives a unique URL for each electronic signature transaction and is required to provide their unique Adobe Sign username and password before being able to sign an agreement. Subsection (a)(1)(ii) When an individual executes one or more signings not performed during a single, continuous period of controlled system access, each signing shall be executed using all of the electronic signature components. Each signing requires users to authenticate with their unique username and password prior to signing an agreement. Subsection (a)(2) Electronic signatures that are not based upon biometrics shall be used only by their genuine owners. Each person using the system is required to have a unique username and password. Each organization is responsible for making sure that users are prevented from sharing their credentials with others. Subsection (a)(3) Electronic signatures that are not based upon biometrics shall be administered and executed to ensure that attempted use of an individual s electronic signature by anyone other than its genuine owner requires collaboration of two or more individuals. Adobe Sign credentials are unique to each user, and organizational practices should prevent users from sharing their unique credentials. If business practices do require the credentials to be shared, such sharing requires collaboration between the two individuals. Establishing any security practices relevant to such sharing is the responsibility of the customer. Subsection (b) Electronic signatures based upon biometrics shall be designed to ensure that they cannot be used by anyone other than their genuine owners. Adobe Sign provides biometrics through touchpad signatures. It ensures all the same controls are in place for biometric signers as for standard electronic signatures. 8

9 Section Section addresses controls for identification codes/passwords. The introductory text states: Persons who use electronic signatures based upon use of identification codes in combination with passwords shall employ controls to ensure their security and integrity. Such controls shall include: Subsection (a) Maintaining the uniqueness of each combined identification code and password, such that no two individuals have the same combination of identification code and password. Each user is uniquely identified within Adobe Sign by their address and must set a unique password for their Adobe Sign account and log in using their credentials. When signing a document, each user receives a unique URL for that particular document. This unique URL per user per document, combined with the user s credentials, ensures that no two individuals have the same combination of identification code and password. Subsection (b) Ensuring that identification code and password issuances must be periodically checked, recalled, or revised (e.g., to cover such events as password aging). Account administrators can configure the account to require users to change their password at a set regular interval. The configuration also enables minimum password lengths, a password-aging policy, and configuration of the number of failed attempts before a user s account is locked. Subsection (c) Following loss-management procedures to electronically de-authorize lost, stolen, missing, or otherwise potentially compromised tokens, cards, and other devices that bear or generate identification code or password information. The system must issue temporary or permanent replacements using suitable, rigorous controls. It is the responsibility of the customer to develop and document loss-management policies and procedures. Customer-owned devices are outside the scope of the Adobe Sign service. Subsection (d) Use of transaction safeguards to prevent unauthorized use of passwords and/or identification codes, and to detect and report in an immediate and urgent manner any attempts at their unauthorized use to the system security unit, and, as appropriate, to organizational management. Adobe Sign accounts can be configured by the account administrators to lock out users in the case of multiple unsuccessful password-entry attempts. Subsection (e) Initial and periodic testing of devices such as tokens or cards that bear or generate identification code or password information to ensure that they function properly and have not been altered in an unauthorized manner. The Adobe Sign service does not provide devices that generate identification or password information. 9

10 Work with the digital document leader From the global leader in secure digital document solutions for more than 20 years, Adobe Sign is trusted and used by government agencies and Fortune 1000 companies worldwide. Backed by hundreds of security features, processes, and controls, Adobe Sign is certified compliant with rigorous security standards, including SOC 2 Type 2 (Security & Availability), ISO 27001:2013, PCI DSS, and SAFE-BioPharma. To learn more about how Adobe Sign can benefit your organization, contact your Adobe sales representative today at ADOBE. For more information Solution details: Adobe is pleased to provide information that can help businesses understand the legal framework of electronic signatures. However, Adobe cannot provide legal advice. Any information in this paper is not intended as legal advice and should not serve as a substitute for professional advice. You should consult an attorney regarding your specific legal questions. Adobe Systems Incorporated 345 Park Avenue San Jose, CA USA Adobe, the Adobe logo, and Acrobat are either registered trademarks or trademarks of Adobe Systems Incorporated in the United States and/or other countries. All other trademarks are the property of their respective owners Adobe Systems Incorporated. All rights reserved. Printed in the USA. 10/17