Although there is no certification for complying with CFR Title 21 Part 11, the following Microsoft enterprise cloud services have undergone independent, third-party audits, which may help customers in their compliance efforts. These services include:
Azure: Cloud Services, Storage, Traffic Manager, Virtual Machines, and Virtual Network
Azure DevOps
Intune
Dynamics 365 and Dynamics 365 U.S. Government
Office 365 and Office 365 U.S. Government
Audits, reports, and certificates
The audit reports for the SOC 1 Type 2, SOC 2 Type 2, ISO/IEC 27001, and ISO/IEC 27018 standards attest to the effectiveness of the controls Microsoft has implemented and may help customers in their compliance with FDA CFR Title 21 Part 11.
Frequently asked questions
To whom does the standard apply?
FDA CFR Title 21 Part 11 applies to organizations with products and services that deal in FDA-regulated aspects of the research, clinical study, maintenance, manufacturing, and distribution of life science products.
How do Microsoft enterprise cloud services demonstrate compliance with FDA CFR Title 21 Part 11?
Using the formal audits prepared by third parties for SOC 1 Type 2, SOC 2 Type 2, ISO/IEC 27001, and ISO/IEC 27018, Microsoft is able to show how relevant controls noted within these reports address the requirements.
Audited controls implemented by Microsoft help ensure the confidentiality, integrity, and availability of data, and correspond to the applicable regulatory requirements defined in Title 21 Part 11 that have been identified as the responsibility of Microsoft. The qualification guidelines for Azure and Office 365 detail how Microsoft audit controls correspond to those requirements.
How can I get copies of the auditor's reports?
The Service Trust Portal provides independently audited compliance reports. You can use the portal to request audit reports so that your auditors can compare the results for Microsoft's cloud services with your own legal and regulatory requirements.
Can I use Microsoft's compliance in the certification process for my organization?
Yes. The independent third-party compliance reports for the ISO/IEC 27001, ISO/IEC 27018, SOC 1, and SOC 2 standards attest to the effectiveness of Microsoft controls. Microsoft enterprise cloud customers may use the audited controls described in these reports as part of their own CFR Title 21 Part 11 analysis and qualification efforts. Customers who build and deploy applications subject to FDA regulation are responsible for ensuring that their applications meet FDA requirements.
What are Microsoft's responsibilities for maintaining compliance with this standard?
Microsoft ensures that its enterprise cloud services meet the terms defined within the governing Online Services Terms and applicable Service Level Agreements (SLAs). These terms define our responsibility for implementing and maintaining controls adequate to secure and monitor the system.
Use Microsoft Compliance Manager to assess your risk
Microsoft Compliance Manager is a feature in the Microsoft 365 compliance center that helps you understand your organization's compliance posture and take actions to help reduce risks. Compliance Manager offers a premium template for building an assessment for this regulation. Find the template on the assessment templates page in Compliance Manager. Learn how to build assessments in Compliance Manager.
Resources
Azure GxP Qualification Guidelines
Code of Federal Regulations Title 21
FDA guidance for industry Part 11: Electronic records and signatures
Qualification guidelines for Azure
Qualification guidelines for Office 365
Microsoft Common Controls Hub Compliance Framework
Microsoft Online Services Terms
Microsoft Cloud for Government
Compliance on the Microsoft Trust Center
The challenge
The Food and Drug Administration's (FDA) standards for Title 21 of the Code of Federal Regulations (CFR), also known as the FDA 21 CFR, provide a clear and concise set of regulations.
A specific focus of FDA 21 CFR is Part 11, which details regulations for the use of electronic records and electronic signatures. For many companies that rely on digital data to monitor their products, such as those in the pharmaceutical, food, and healthcare sectors, ensuring compliance with 21 CFR Part 11 is essential.
The most basic definition of 21 CFR Part 11 compliance is the submission of validation documents to the FDA. These materials contain a series of tests and reports to support the assessment that your systems and software are authentic, reliable, and valid.
DATA INTEGRITY
Issued by the FDA (Food & Drug Administration) in 1997, the 21 CFR Part 11 final rule is intended to permit the widest possible use of electronic technology. The rule is divided into two main sections:
Electronic Records
Electronic Signatures
These are a natural extension of the traditional use of paper records. Paper records provide data security and can carry handwritten signatures to indicate that certain data is correct and to log events that took place. Attempted corruption of either the data or the signatures is readily detectable.
In basic terms, the Electronic Records requirement is to provide secure data that gives the same high level of confidence as paper records. Electronic Signatures require that both operators and supervisors can identify themselves electronically in a way that is equivalent to a handwritten signature. The rule also permits the use of biometrics such as fingerprint or retinal scan devices.
Advances in electronic systems offer significant benefits for data storage and retrieval. The FDA developed the 21 CFR Part 11 rule to describe what it requires in order to be confident that electronic records and signatures are secure.
21 CFR Part 11 Made Easy!
From plant-wide data access security management to single, secure recorders – let us help you choose a solution that is right for you.
Solutions designed for ease of validation
Minimize validation time and testing by using standard, built-in features to meet the FDA's 21 CFR Part 11
Data recording at every level, local and plant wide
Never lose your data with cost-effective, multiple recording and secure back-up
Centralised security system provides maintenance of user accounts and passwords from one or multiple locations
Secure local data collection with automatic archiving across your network – truly designed to keep your data safe
Remediation solutions for legacy systems – "Wrap & Comply"
Electronic Records
Secure process values and audit trails (alarms, events, operator actions, log-in/log-out, operator notes, electronic signatures)
Protection of data through binary, compressed, and check-summed records
Accurate time stamps are ensured using automatic time synchronization to a known clock source
Provision for electronically copying data for archive
Export facility providing viewing of secure records in human-readable form
Electronic Signatures
All user actions can be configured to require signing, or to require signing and authorization
User-specific access according to authority level
Signature element controls unique user signature, password expiry, minimum password length, automatic log-off, and automatic disabling and notification on failed login attempts
Ensuring unique users by retiring and not deleting accounts
Central Security Manager with full audit trail