developing applications to manage complex … · this whitepaper aims at highlighting how bizapp...

D E V E L O P I N G A P P L I C A T I O N S T O M A N A G E C O M P L E X & R E G U L A T E D P R O C E S S E S By Venki Muthanna

CEO

Given the economy constraints; IT must continuously innovate to find newer & less expensive ways to enable business users. While businesses today are challenged with factors such as shorter time to market, maturity of newer business models, changing regulations, etc… IT faces tremendous pressure due to rapidly evolving technology landscape resulting in skills gap as well as lack of agility in existing legacy systems to cope with these technologies.

C O N T E N T S Introduction 2

Problem Statement 2

Business Scenario 3

Developing CTMS 6

Traditional Approach 7

AppPoint’s approach 8

Ensuring CFR compliancy with BizAPP 9

Summary 20

INTRODUCTION

Unlike productivity applications which are used to manage mundane processes, applications which are used to manage regulated processes not only have to cater to some of the most complex & stringent needs, but also need to adhere to a controlled and auditable product lifecycle.

Most of these applications involve management of mission critical data either in electronic form or paper based formats. This information is managed either using a manual paper based approach or in a digitized format using IT systems.

Enforcing, monitoring as well as auditing compliancy of a process to regulations would revolve around these manual processes and IT systems.

PROBLEM STATEMENT

Traditionally, developing these kinds of IT systems or applications have been expensive, time consuming and risky. Most of these are attributed to technology complexities, skills gap, costs associated with tools, skills acquisition cost, long development cycles and last but not the least the dynamics associated with regulatory rules.

With the maturity in technology and standards, innovative approaches have evolved which enable forward looking organizations to mitigate these challenges in a cost and time sensitive manner.

While the cost of non-compliancy outweighs the cost of ensuring compliancy by many folds, organizations need to continuously innovate on managing this cost.

AppPoint Software Solutions

This whitepaper aims at highlighting how BizAPP Studio – a comprehensive business application infrastructure from AppPoint technology, can be used to develop specialized business applications which are used to manage highly regulated processes such as the ones which need to comply with CFR 111, HIPPA2, SO3X, BASEL, etc…

BUSINESS SCENARIO

CLINICAL TRIALS & SUPPLY CHAIN MANAGEMENT (CTMS/RTSM)

Clinical trials management is one of the most crucial processes to be followed prior to the launch of a new drug. Clinical trials are carried out in multiple phases starting with a test in a laboratory environment followed by trials on animals and eventually in applicable cases extending it to be carried out on humans as test subjects.

The outcomes of these trials have severe impact on future adoption of these drugs. Such tests are usually conducted over a long period of time in phases spanning across multiple locations and at times spread across the globe.

Information captured during these trials are analyzed and scrutinized as per various regional and global regulations before the new drug is launched.

Primarily, these rules define how data pertaining to trials are managed in terms of storage, security as well as usage of the data ensuring traceability & accountability at all points.

Given the volume of information involved and its implication on the trial outcome, organizations have to adopt automation systems to manage them.

While there are numerous factors influencing compliancy and management of costs associated with development and adoption of such automation systems, this whitepaper focuses on –

1 CFR 11 - Regulating how electronic data is managed

2 HIPPA - Controlling information management in health insurance domain

3 SOX - Governing financial controls/reporting

For pharmaceutical companies working in an environment regulated by the US Food and Drug Administration (FDA), it is necessary that applications used to manage such trial data either in electronic form or paper based form has to comply with rules as defined in the Code of Federal Regulations, Title 21 Part 11 (CFR-11)


� Challenges associated with developing business solutions which are used to manage regulated processes, and AppPoint’s approach to address them using its business application infrastructure BizAPP Studio,

� Characteristics of CFR-11 compliant solutions and how solutions developed

using BizAPP addresses these.

SOLUTION OVERVIEW

Clinical trials and supply chain management solutions being referred to in this white paper spans across numerous functional areas seamlessly integrating people, process and information across all of them, ensuring compliancy to numerous regulations and standards.

TRIAL MODELING AND MANAGEMENT

Trial modeling involves transforming the study protocol into a digital metadata representation which would include data models, workflows, security/user-rights models, policies/rules, UI/Form designs, reports/analytics, etc.

These models are further compiled into executable software programs which would be used to manage the trial.

ELECTRONIC DATA CAPTURE (EDC)

EDC is one of the key modules which help streamline the entire trial process starting from study design all the way to collection, management and reporting of clinical trial data.

Clinical trials and supply

chain management

(PMS)

Trial Modeling &

Management

Electronic Data Capture

(EDC)

Medical coding

Management and Monitoring Dashboard

Analytics and

Reporting IWRS RTSM

• Supply chain Modeling

•Randomization

• JIT Distribution & Tracking

Integration

•Biometric • ADS / LDAP

Packaging Artwork

Management

Training and Certification


EDC module includes capabilities to design case report forms (CRF) or digital data entry forms as per the protocol specification and using these forms to capture subject specific trials data in electronic format. The CRFs have their own highly customizable workflows to manage reviews/approvals and revision of the information captured.

MEDICAL CODING

Given that the study would be conducted at numerous sites, it is inevitable that terms used across these could vary. Medical coding is the process in which data captured using CRFs or any other means are correlated to standardized medical terms for proper reporting and analysis. Standard dictionaries are used to perform the mapping; two most commonly used medical dictionaries MedDRA and WHO-DDE are being considered for the solution being implemented.

MANAGEMENT DASHBOARD & USER PORTAL

The portal acts as an interface between all users participating in the trials and the underlying computer system used to automate and manage the process. Given the criticality of the process being managed, roles and responsibility based collaborative portal not only needs to ensure high levels of security, but also needs to be accessible with almost 100% uptime and be scalable to accommodate dynamic usage patterns & distributed user community. The portal needs to facilitate high levels of collaboration and proactive response.

ANALYTICS AND REPORTING

While analyzing and reporting on data managed by any business application is crucial to respond to key events as well as for process optimization and improvement in terms of how it is managed, in case of solutions such as clinical trials they play a key role in ensuring and demonstrating conformance to regulations and accommodating stringent audit needs.

INTERACTIVE WEB RESPONSE SYSTEM (IWRS)

IWRS is an integral part of trial supply chain & logistics management capability which would ensure timely availability of trial drugs at sites where required. IWRS would not only minimize wastages by enabling just-in-time distribution of drugs, but would also act as a real-time input to plan further manufacturing of trial drugs.

RANDOMIZATION AND TRIALS SUPPLY CHAIN MANAGEMENT (RTSM) -

Randomization is a process where the drug under test is either compared to a pre-existing drug or to a placebo. Randomized trials are conducted on two groups of trial subjects, with subjects assigned to each group based on various criteria relevant to the drug under trial.

Trials supply chain management is a highly time & cost sensitive process requiring high levels of optimization, monitoring, auditing and control. Regulatory adherence is a crucial aspect of any trial supply distribution, requiring the creation and control of essential documents, return management, and activities to ensure a seamless as well as timely supply of clinical materials.


INTEGRATION

As is the case with any other enterprise solution, clinical trials management solution also needs to integrate and work with other systems and peripherals deployed within the enterprise. One of the key integration would be with directory services used to manage users, such as ADS and LDAP. Beyond these, in some organizations integration with other solutions such as ERP, CRM, etc... would improve overall process outcome significantly.

Further, integration with peripherals such as Biometric devices would further improve security and authentication.

ARTWORK MANAGEMENT

In general, packaging artworks in a pharmaceutical industry is regulated by regional governing bodies such as FDA. In case of clinical trials drugs, packaging serves a different purpose which has to do with ensuring compliancy to drug dosages and consumption by patients. Also, trial drug packaging needs to handle different scenarios such as those relating to blinded and unblinded studies.

TRAINING AND CERTIFICATION

Given the fact that each study is customized with varying configuration, it is necessary that every individual who is participating in managing the study has to be trained, and where required - educated as well as certified. An integrated training and certification solution offers an optimal way to share information specific to the trial as well as ensure that all individuals involved in managing the trial are qualified and well informed.

DEVELOPING CTMS

Developing any solution would follow a well defined and structured approach, starting with identification of a business need which is then translated into high level requirement specification. These requirements are later converted to software requirements which are then transformed into functional specifications. From the specifications, the design is finalized which is then coded using one of the standard programming languages and then tested. After this is completed the actual customer or user of the system can see it in operation for the first time leading almost always to revisions and retesting. Once in operation, significant maintenance and support efforts are often required to keep everything running well. For instance, if a change to the trial protocol is desired, the program must be revised and revalidated.

Define business

need

Design system

Develop and test

Deploy & maintain

Monitor and identify

change


Unlike normal business solutions, solutions such as CTMS which are governed by regulations have to cope with the dynamics associated with the rules both from the development process perspective as well as from the perspective of the solution itself. Developing solutions such as CTMS not only requires sound functional expertise, but also strong technical skills as well as in-depth understanding of governing regulations.

While there are various approaches to developing complex solutions such as CTMS, from a technology perspective organizations are leaning towards establishing a Business application infrastructure capable of addressing end-to-end needs. Such an application infrastructure comprises of various building blocks broadly classified into integration middleware and application middleware. Below is a high level block diagram of various components of these middleware –

TRADITIONAL APPROACH

Traditionally, organizations with a broad and longer term vision established their own application infrastructure standardizing on how their business needs were addressed. Given the lack of an integrated solution, this involved stitching together numerous tools and technologies. Just as an illustration, below is a set of tools, technologies and

Existing applications & peripheral devices with which solutions like CTMS have to integrate.

Security Model – user rights

responsibility & authority

Portal infrastructure - Collaborative portal for users of varying roles and responsibilities to work with the system.

Workflow/Process automation framework

Reporting framework

Data Repository

Policy framework and rules engine

Integration Middleware

Mon

itor

ing

Document Management

Existing authentication providers - ADS/LDAP

Developm

ent and change managem

ent tools and processes

Information/Data model


methodologies which together could make-up an application infrastructure.

x Integration middleware like Tibco, BizTalk, etc…

x Reporting tools such as crystal

reporting or SQL reporting,

x Rules engine like Microsoft BRMS or iLog,

x Workflow tools such as BizTalk,

WebSphere,

x Portal infrastructures like SharePoint or WebSphere, etc…

x Security and user rights

management infrastructure such as ADS/LDAP or custom ones.

x Development tools and enabling

technologies to tie all of the tools together and maintain them.

CHALLENGES WITH TRADITIONAL APPROACH

o Long development cycles with greater uncertainty, risks, as well as cost & schedule

overrun,

o Lack of agility to accommodate change which in today’s business scenarios is a must-have,

o Dependency on highly skilled resources with expertise across diverse technologies and standards,

o Investment on numerous tools as well as on integrating and maintaining the integration.

APPPOINT’S APPROACH

Given the economics associated with such development process and high levels of risks involved, organizations are embracing new and innovative approaches.

AppPoint’s flagship product is a next generation business application infrastructure - BizAPP Studio, which enables a unique approach to developing business application with high levels of technology abstraction, improving agility with which changes can be accommodated, while accelerating the development process reducing associated cost as well as risks.


Key capabilities of BizAPP Studio addressing the challenges associated with traditional approach are –

� A single unified infrastructure with built-in capabilities eliminating the need to invest on numerous point tools and more importantly on stitching them together and maintaining these integrations,

� Collaborative model driven

development environment with built-in governance framework to develop mission critical business applications with optimal control offering further benefits such as –

o Bridging the skills gap which

has traditionally existed between IT and business users,

o Eliminating technology barriers involved in developing such

highly scalable and mission critical business applications,

o Minimizing investment on highly skilled resources,

o Accelerating development & change

process, improving agility with which business need can be addressed,

o Built-in integration & composition middleware enabling seamless integration of the application being developed with existing LOB applications and processes,

o Accelerate adoption of latest technology, standards, and business models such as Cloud.

ENSURING CFR COMPLIANCY WITH BIZAPP

There are two kinds of systems being governed by CFR Part 11 regulations – Closed Systems – means an environment in which system access is controlled by persons who are responsible for the content of electronic records that are on the system. Open systems – means an environment in which system access is not controlled by persons who are responsible for the content of electronic records that are on the system. For this whitepaper, we would look at how BizAPP can be used to address the needs of a closed system from CFR perspective. CFR 11 states that, “persons who use closed systems to create, modify, maintain, or transmit electronic records shall employ procedures and controls designed to ensure the authenticity, integrity, and, when appropriate, the confidentiality of electronic records, and to ensure that the signer cannot readily repudiate the signed record as not genuine”.


Such procedures and controls are governed and monitored and shall include the following:

CONTROLS FOR CLOSED SYSTEMS

As per Sec 11.10 -

(A) VALIDATION OF SYSTEMS TO ENSURE ACCURACY, RELIABILITY, CONSISTENT INTENDED PERFORMANCE, AND THE ABILITY TO DISCERN INVALID OR ALTERED RECORDS.

Intrinsic to BizAPP is a unique approach to developing such complex and mission critical applications eliminating technology and skill barriers. BizAPP significantly improves accuracy, reliability and the consistency with which the solution would perform. For instance,

A model driven development approach with high level of proven and tested technology abstraction eliminates the errors which are traditionally introduced by inconsistent programming based on varying skills and competency;

An integrated roles and responsibility based controlled development environment that restricts all changes to the solution to be made only by authorized individuals;

Built-in activity based review and version control mechanism combined with simulation and change approval process ensures that any and all changes being made to the solution are monitored, controlled and validated before being delivered;

Auto-documentation capability facilitates auditable record keeping of all change/development activities;

Comprehensive project lifecycle management capabilities ensure optimal traceability between requirements, development activities, test cases/executions and deliverables/releases. This simplifies the process of ensuring adherence to computer system validation requirements which includes performing installation, operational and performance quality assurance all through the development process and against any change made.

(B) THE ABILITY TO GENERATE ACCURATE AND COMPLETE COPIES OF RECORDS IN BOTH HUMAN READABLE AND ELECTRONIC FORM SUITABLE FOR


INSPECTION, REVIEW, AND COPYING BY THE AGENCY. PERSONS SHOULD CONTACT THE AGENCY IF THERE ARE ANY QUESTIONS REGARDING THE ABILITY OF THE AGENCY TO PERFORM SUCH REVIEW AND COPYING OF THE ELECTRONIC RECORDS.

All information managed by the solution can be presented in user readable and structured format, either onscreen in the portal or as formatted documents.

Formatted reports can be generated in over a dozen different formats, such as Excel, PDF, JPG, HTML, RTF, etc... These reports are designed using a user friendly graphical interface with a point and click approach. Once designed, these reports can be published and made available to select users in a controlled manner.

(C) PROTECTION OF RECORDS TO ENABLE THEIR ACCURATE AND READY RETRIEVAL THROUGHOUT THE RECORDS RETENTION PERIOD.

All of the information managed by the solution developed using BizAPP are stored in an ODBC compliant relational database with its own security model. The only way the information is accessed is through the solution portal or using open APIs.

Any standard procedure followed by the organization to backup and restore such databases could be adopted.

From traceability perspective, all access to information managed by the solution either from the solution portal or through open APIs are monitored and audited for later reporting purpose. All such access is controlled based on who is accessing it, their roles and responsibilities, as well as various other factors such as where the information is accessed from, status of the application data, etc...

(D) LIMITING SYSTEM ACCESS TO AUTHORIZED INDIVIDUALS.

Access to application data is controlled through multi-tier security architecture which includes a pluggable authentication framework and user rights management infrastructure.

From authentication perspective - While BizAPP includes a built-in user authentication and user rights management capability; it can also integrate with enterprise user management


solutions already used by the organization such as Microsoft Active Directory Services, or any LDAP compliant solutions. In such scenarios, single sign-on capability further improves user identification and experience in terms of accessing the solution developed using BizAPP.

Built-in biometric authentication offers an additional security capability which can be enabled either to authenticate a user when logging into the system or when performing sensitive operation such as approval of a study design.

Re-authentication can be triggered either from the process or based on idle timeout value setup to ensure that current users performing an operation or accessing system data is the same user who had initially logged into the system. BizAPP’s security monitoring capability enables detection of unauthorized access to system information to ensure proactive response to such events.

From the perspective of user rights management, security is enforced in terms of who can see what information, when and from where as well as what the person can do with the data based on role, responsibility, and authority of the user. Beyond these, configurable dynamic rules could be used to control access to application data which is most often based on state of the application.

Further, built-in configurable capabilities such as non-decryptable passwords, password expiry policy enforcement, idle time management ensures prevention of unauthorized access to system.

(E) USE OF SECURE, COMPUTER-GENERATED, TIME-STAMPED AUDIT TRAILS TO INDEPENDENTLY RECORD THE DATE AND TIME OF OPERATOR ENTRIES AND ACTIONS THAT CREATE, MODIFY, OR DELETE ELECTRONIC RECORDS. RECORD CHANGES SHALL NOT OBSCURE PREVIOUSLY RECORDED INFORMATION. SUCH AUDIT TRAIL DOCUMENTATION SHALL BE RETAINED FOR A PERIOD AT LEAST AS LONG AS THAT REQUIRED FOR THE SUBJECT ELECTRONIC RECORDS AND SHALL BE AVAILABLE FOR AGENCY REVIEW AND COPYING.

There are two set of information which is relevant here, one related to the development of the solutions such as CTMS and the other is the information managed by these solutions such as subject data, visit details, etc... in case of CTMS.

While information pertaining to the development process is accessed only through BizAPP’s integrated model driven development environment, information managed using solutions such as CTMS is accessed through a role based portal interface which is integral to all solutions developed using BizAPP or through open APIs exposed by it.

Any access and updates are recorded in terms of who accessed what data, from where and what updates were made, and these recorded information is available for auditing and reporting.

Solutions developed using BizAPP would benefit from several patent pending capabilities one of which is relational versioning which offers a unique way to capture change history.


This would ensure that all changes are tracked and the change history is auditable using the portal interface or can be reported using the built-in reporting interface at any point in time.

(F) USE OF OPERATIONAL SYSTEM CHECKS TO ENFORCE PERMITTED SEQUENCING OF STEPS AND EVENTS, AS APPROPRIATE.

Solutions developed using BizAPP can leverage roles and responsibility based highly configurable workflow infrastructure to define and enforce sequential activities controlling who can do what operation and when, e.g. What a CRA can do as opposed to what a site administrator can do.

BizAPP supports two different kinds of workflow capability addressing varying complexities. One is a traditional state machine based workflow infrastructure and the other is a BPMN compliant process modeling and orchestration capability.

These workflow engines include rules infrastructure based on which automated decision managing, or proactive notification or escalation capabilities can be enabled.

(G) USE OF AUTHORITY CHECKS TO ENSURE THAT ONLY AUTHORIZED INDIVIDUALS CAN USE THE SYSTEM, ELECTRONICALLY SIGN A RECORD, ACCESS THE OPERATION OR COMPUTER SYSTEM INPUT OR OUTPUT DEVICE, ALTER A RECORD, OR PERFORM THE OPERATION AT HAND.

At the core of the security model enabled by BizAPP is a highly configurable roles, responsibility and authority based access control infrastructure which combined with industry leading authentication frameworks such as Microsoft Active Directory Service (ADS), LDAP, etc... offers a robust mechanism to secure access to the system and enable control over operations that users can perform.

Every user in the system is uniquely identified to play a specific role which comes with a well-defined set of responsibilities. For instance, in case of CTMS, typical roles would be CRA, site admin, Pharmacist, CRO, etc..

Further, built-in capabilities such as biometric interface are leveraged to enhance authentication mechanism and improve reliability on authority based control enforcement…

(H) USE OF DEVICE (E.G., TERMINAL) CHECKS TO DETERMINE, AS APPROPRIATE, THE VALIDITY OF THE SOURCE OF DATA INPUT OR OPERATIONAL INSTRUCTION.

Any information managed by solutions developed using BizAPP can only be accessed either using the solution portal or through APIs.


BizAPP has inherent capabilities which would enable administrators to enforce control over systems from where these interfaces can be accessed. Enforcement could be in-bound to a system or its location - for instance, it is possible to limit access to CTMS portal only from authorized systems running within a specific network of a given site where the trial is conducted.

Any access from unauthorized system would trigger necessary alert and initiate an access request approval process. Approval from authorized individuals would then enable the solution to be accessed from those systems.

Beyond controlling access, system captures sufficient access logs to determine who accessed what information from where and the kind of operation they did on it. These logs are auditable and reportable at all times.

(I) DETERMINATION THAT PERSONS WHO DEVELOP, MAINTAIN, OR USE ELECTRONIC RECORD/ELECTRONIC SIGNATURE SYSTEMS HAVE THE EDUCATION, TRAINING, AND EXPERIENCE TO PERFORM THEIR ASSIGNED TASKS.

From BizAPP platform perspective, AppPoint follows a structured approach to recruiting, training and managing the development process. As applicable to solutions being developed using BizAPP, this is addressed in two ways-

From the development process perspective - given the unique model driven approach to developing and changing such complex solutions with high levels of technology and standards abstraction, BizAPP significantly mitigates any skills and consistency related risks and challenges.

From the perspective of solution usage and administration - a built-in and highly customizable LMS system would ensure integrated skills development, training and certification process which when coupled with responsibility based access to various aspects of the solution would ensure optimal control over who can perform what operation within the system.

(J) THE ESTABLISHMENT OF, AND ADHERENCE TO, WRITTEN POLICIES THAT HOLD INDIVIDUALS ACCOUNTABLE AND RESPONSIBLE FOR ACTIONS INITIATED UNDER THEIR ELECTRONIC SIGNATURES, IN ORDER TO DETER RECORD AND SIGNATURE FALSIFICATION.

While the process of establishing and defining any policy is done external to the system being developed, their enforcement and monitoring is done through the system.

Written policies can be centrally managed and made available in the system as documents. Again an integrated training and certification process can be adopted to educate and certify individuals on these policies, limiting their access to the system based on this certification.


(K) USE OF APPROPRIATE CONTROLS OVER SYSTEMS DOCUMENTATION INCLUDING:

BizAPP includes a built-in document management module which any solution developed using it could benefit from. Some of the capabilities of this module are –

o Content search capability,

o Version control mechanism,

o Support for all standard formats,

o Customizable review/approval/publish workflows,

o Flexible storage spanning database, file system and cloud

o Controlled access based on roles, responsibilities and rules

(1) Adequate controls over the distribution of, access to, and use of documentation for system operation and maintenance.

All documents relevant to the solution are delivered to the users using an integrated document management system. Again, leveraging roles and responsibility based infrastructure, access to these documents can be controlled, and audited.

(2) Revision and change control procedures to maintain an audit trail that documents time-sequenced development and modification of systems documentation.

Documents pertaining to the development of BizAPP and CTMS solution itself are managed in an industry leading configuration management tool with high levels of security and controlled project and change management. Tools used enable optimal traceability of all related activities.

Documents relating to the CTMS or any such solution such as installation/deployment documents, administration/maintenance & user manuals, IQ, OQ and PQ related artifacts are all managed in a version controlled system and follows internal review/approval process as per AppPoint's quality assurance process. Latest copies of these documents are accessible at all times by customers and their auditors through AppPoint’s project management portal.

SIGNATURE MANIFESTATIONS

As per Sec 11.50 -


(A) SIGNED ELECTRONIC RECORDS SHALL CONTAIN INFORMATION ASSOCIATED WITH THE SIGNING THAT CLEARLY INDICATES ALL OF THE FOLLOWING: (1) THE PRINTED NAME OF THE SIGNER; (2) THE DATE AND TIME WHEN THE SIGNATURE WAS EXECUTED; AND (3) THE MEANING (SUCH AS REVIEW, APPROVAL, RESPONSIBILITY, OR AUTHORSHIP) ASSOCIATED WITH THE SIGNATURE.

All operations performed by users either to view, update or electronically singing any information managed by the system are audited in terms of who performed the operation, when, as well as the nature of operation performed. Optionally, system could be configured to capture additional information to reflect application state or capture comments from user performing the operation.

(B) THE ITEMS IDENTIFIED IN PARAGRAPHS (A)(1), (A)(2), AND (A)(3) OF THIS SECTION SHALL BE SUBJECT TO THE SAME CONTROLS AS FOR ELECTRONIC RECORDS AND SHALL BE INCLUDED AS PART OF ANY HUMAN READABLE FORM OF THE ELECTRONIC RECORD (SUCH AS ELECTRONIC DISPLAY OR PRINTOUT).

Audit information associated with any record is captured and managed as integral part of the record, thereby enabling same level of security and control over it as the record itself. Further, these audit information can be reported on using built-in reporting infrastructure.

SIGNATURE/RECORD LINKING

As per Sec 11.70 -

ELECTRONIC SIGNATURES AND HANDWRITTEN SIGNATURES EXECUTED TO ELECTRONIC RECORDS SHALL BE LINKED TO THEIR RESPECTIVE ELECTRONIC RECORDS TO ENSURE THAT THE SIGNATURES CANNOT BE EXCISED, COPIED, OR OTHERWISE TRANSFERRED TO FALSIFY AN ELECTRONIC RECORD BY ORDINARY MEANS

Audit information being integral to record being audited, system would ensure that the linkage between these can’t be broken or manipulated by ordinary means. Given that these information are being managed in secure and centralized database, the only window to them beyond the read only view offered by the solution is to directly access the database which is again managed using high levels of authority based access control.


GENERAL REQUIREMENTS

As per Sec 11.100 -

(A) EACH ELECTRONIC SIGNATURE SHALL BE UNIQUE TO ONE INDIVIDUAL AND SHALL NOT BE REUSED BY, OR REASSIGNED TO, ANYONE ELSE.

Built-in digital signing is backed by a robust identity management infrastructure which ensures unique identity among individuals accessing the system. Biometric signatures are proven to be unique and are enabled by devices which adhere to standards.

(B) BEFORE AN ORGANIZATION ESTABLISHES, ASSIGNS, CERTIFIES, OR OTHERWISE SANCTIONS AN INDIVIDUAL'S ELECTRONIC SIGNATURE, OR ANY ELEMENT OF SUCH ELECTRONIC SIGNATURE, THE ORGANIZATION SHALL VERIFY THE IDENTITY OF THE INDIVIDUAL.

Organizations adopting biometric or other peripheral digital signing devices would have to ensure that these devices are not being shared among users as well as have a controlled process to issues and audit their usage.

(C) PERSONS USING ELECTRONIC SIGNATURES SHALL, PRIOR TO OR AT THE TIME OF SUCH USE, CERTIFY TO THE AGENCY THAT THE ELECTRONIC SIGNATURES IN THEIR SYSTEM, USED ON OR AFTER AUGUST 20, 1997, ARE INTENDED TO BE THE LEGALLY BINDING EQUIVALENT OF TRADITIONAL HANDWRITTEN SIGNATURES.

When using integrated digital signing capability, organizations can rely on auditable identity management infrastructure to demonstrate compliancy, but where biometric devices are used, additional record keeping, auditing and control would be required to ensure authenticity of the signatures.

The certification shall be submitted in paper form and signed with a traditional handwritten signature, to the Office of Regional Operations (HFC–100), 5600 Fishers Lane, Rockville, MD 20857.

Nothing to do with the solution developed using BizAPP or BizAPP itself, mostly a manual process.

Persons using electronic signatures shall, upon agency request, provide additional certification or testimony that a specific electronic signature is the legally binding equivalent of the signer's handwritten signature.


Nothing to do with the solution developed using BizAPP or BizAPP itself, mostly a manual process.

ELECTRONIC SIGNATURE COMPONENTS AND CONTROLS

As per Sec 11.200 -

(A) ELECTRONIC SIGNATURES THAT ARE NOT BASED UPON BIOMETRICS SHALL:

Employ at least two distinct identification components such as an identification code and password.

Biometric signing is an option available to end users with any application developed using BizAPP Studio. But, BizAPP also includes a digital signing capability which is governed by its multitier authentication and authorization infrastructure. In such scenarios BizAPP Studio includes pluggable authentication frameworks which relies on highly secure, non-reversible password policies and standards with a controlled mechanism to reset them.

When an individual executes a series of signings during a single, continuous period of controlled system access, the first signing shall be executed using all electronic signature components; subsequent signings shall be executed using at least one electronic signature component that is only executable by, and designed to be used only by, the individual.

When an individual executes one or more signings not performed during a single, continuous period of controlled system access, each signing shall be executed using all of the electronic signature components.

While BizAPP would mandatorily perform authentication once every time a user tries to access the system, it also offers a configurable approach as to when and how often to perform re-authentication improving authenticity over user actions as well as enhancing control over system access.

Be used only by their genuine owners; and Be administered and executed to ensure that attempted use of an individual's electronic signature by anyone other than its genuine owner requires collaboration of two or more individuals.

Identity management leveraging biometrics authentication infrastructure would ensure that the identity can’t be tampered under normal circumstances.

While it would be practically impossible for anybody to use another person’s signature with a biometric authentication infrastructure, in cases where built-in authentication and signing capability is used solution can be modeled to enforce additional security criteria such as mandatory signature by 2 or more individuals, etc…


(B) ELECTRONIC SIGNATURES BASED UPON BIOMETRICS SHALL BE DESIGNED TO ENSURE THAT THEY CANNOT BE USED BY ANYONE OTHER THAN THEIR GENUINE OWNERS.

Biometric infrastructure being supported by BizAPP follows industry standards and is certified by international governing bodies.

CONTROLS FOR IDENTIFICATION CODES / PASSWORDS

As per Sec 11.300 -

Persons who use electronic signatures based upon use of identification codes in combination with passwords shall employ controls to ensure their security and integrity. Such controls shall include:

(A) MAINTAINING THE UNIQUENESS OF EACH COMBINED IDENTIFICATION CODE AND PASSWORD, SUCH THAT NO TWO INDIVIDUALS HAVE THE SAME COMBINATION OF IDENTIFICATION CODE AND PASSWORD.

BizAPP Studio includes an extendable authentication infrastructure which offers organizations with a choice to use some of the industry leading and standard authentication frameworks such as LDAP, ADS, etc… or leverage a built-in authentication capability. In all of these cases, uniqueness of user ID and password is ensured by respective systems.

(B) ENSURING THAT IDENTIFICATION CODE AND PASSWORD ISSUANCES ARE PERIODICALLY CHECKED, RECALLED, OR REVISED (E.G., TO COVER SUCH EVENTS AS PASSWORD AGING).

Leveraging built-in audit capability as well as highly configurable password policy framework, one can enforce strict control over usage, validity as well as aging of passwords improving security over the system.

(C) FOLLOWING LOSS MANAGEMENT PROCEDURES TO ELECTRONICALLY DEAUTHORIZE LOST, STOLEN, MISSING, OR OTHERWISE POTENTIALLY COMPROMISED TOKENS, CARDS, AND OTHER DEVICES THAT BEAR OR GENERATE IDENTIFICATION CODE OR PASSWORD INFORMATION, AND TO ISSUE TEMPORARY OR PERMANENT REPLACEMENTS USING SUITABLE, RIGOROUS CONTROLS.

While user or system level access can be deactivated in matters of device level control, BizAPP Studio or the solution does not in any way influence how those are managed.

(D) USE OF TRANSACTION SAFEGUARDS TO PREVENT UNAUTHORIZED USE OF PASSWORDS AND/OR IDENTIFICATION CODES, AND TO DETECT AND REPORT IN


AN IMMEDIATE AND URGENT MANNER ANY ATTEMPTS AT THEIR UNAUTHORIZED USE TO THE SYSTEM SECURITY UNIT, AND, AS APPROPRIATE, TO ORGANIZATIONAL MANAGEMENT.

BizAPP inherently handles unauthorized usage by recognizing a pattern either in failed attempts to log into the system or access from un-trusted systems/networks. During these scenarios, system would automatically lock the account for a configurable period of time with an option given to administrators to unlock the account.

(E) INITIAL AND PERIODIC TESTING OF DEVICES, SUCH AS TOKENS OR CARDS, THAT BEAR OR GENERATE IDENTIFICATION CODE OR PASSWORD INFORMATION TO ENSURE THAT THEY FUNCTION PROPERLY AND HAVE NOT BEEN ALTERED IN AN UNAUTHORIZED MANNER.

This is an activity which organizations need to carry out irrespective of the solution being considered here.

SUMMARY

AppPoint’s technology & its unique development approach enables organizations to standardize on how their business management needs are addressed, ranging from integrating disparate systems, extending or modernizing legacy systems to developing new and customized business applications.

Solutions developed using AppPoint’s technology are “cloud ready”, enabling delivery of highly scalable and elastic applications. In scenarios such as CTMS solution, these applications can also be distributed between OnPremise and private/public Cloud leveraging best of both worlds.

While the integrated capabilities of AppPoint’s technology eliminates the need to invest on numerous tools and skills, model driven approach enabled by it would reduce the time to develop the application and hence reduce cost and risks associated with such development activities.

© 2012 AppPoint Software Solutions. All rights reserved. BizAPP Studio and other AppPoint products and services as well as their respective logos are trademarks or registered trademarks of AppPoint Software Solutions. All other company names, products and services used herein are trademarks or registered trademarks of their respective owners. The information published herein is subject to change without notice. This publication is for informational purposes only, without representation or warranty of any kind, and AppPoint Software Solutions shall not be liable for errors or omissions with respect to this publication.