View Issue Details

Jump to NotesJump to History
IDProjectCategoryView StatusDate SubmittedLast Update
000095310000-006: Mappingspublic2010-01-28 21:292012-02-09 23:10
ReporterClaude Lafond Assigned ToRandy Armstrong  
PrioritynormalSeverityminorReproducibilityalways
Status closedResolutionfixed 
Product Version1.00 
Fixed in Version1.02 
Summary0000953: Inconsistent security requirement
Description

Part 6 Annex D Overview states:
D.1 Overview
This appendix describes an XML Schema which can be used to read and update the security settings for a UA application. All UA applications shall support ocnfiguration by importing/exporting documents that conform to the schema defined in this Annex.

In the first sentence the XML schema is a suggestion, in the second, it is mandatory. Which one is right?
Keep in mind that using a ASCII file for configuring important things like security is almost forbidden by the 21 CFR Part 11 regulation used in the pharmaceutical industry.
So, this annex SHALL be normative only.

TagsNo tags attached.
Commit Version
Fix Due Date

Activities

user2

2010-03-30 16:23

  ~0001617

Discussed in telecon. Agreed wording of second sentence should not include SHALL. If desired, a profile would make this requirement mandatory.

The current content of the XML file does not expose sensitive data (private keys or passwords) and the import would only be allowed by administrators, so we don't see any reason it would not be allowed by CRF 11.

Randy Armstrong

2011-02-28 06:21

administrator   ~0002291

This is an export/import format. Not a config file. A seperate utility could be used to convert to whatever format is required by regulation.

If this is not allowed then how do the regulators expect apps to be configured?

Claude Lafond

2011-03-01 16:03

reporter   ~0002294

21 CFR does not like "ASCII" files that can change the behaviors or the security of the system IF they can be easily modified by an unauthorized person.
As long as this format is used only for import / export, not as a configuration file, there is no problem. It will be the responsibility of the server vendor to:
1) Make sure that only an authorized person may perform import/export operation, which is the case.
2) This imported file is not used as configuration file or at very minimum it is not accessible to unauthorized person on the server.
3) For audit purpose, the server vendor provides a way to guarantee that the exported file content as not been tempered, electronic signing or something else, it will be ok.

Randy Armstrong

2011-03-07 09:41

administrator   ~0002326

The spec clearly gives applications the option of using an import/export utility for updates.

Randy Armstrong

2011-05-24 11:02

administrator   ~0002770

Made the schema optional. Should not be an issue.

Issue History

Date Modified Username Field Change
2010-01-28 21:29 Claude Lafond New Issue
2010-03-30 16:21 user2 Status new => assigned
2010-03-30 16:21 user2 Assigned To => Randy Armstrong
2010-03-30 16:23 user2 Note Added: 0001617
2011-02-28 06:21 Randy Armstrong Note Added: 0002291
2011-02-28 06:21 Randy Armstrong Status assigned => feedback
2011-03-01 16:03 Claude Lafond Note Added: 0002294
2011-03-01 18:05 Randy Armstrong Status feedback => assigned
2011-03-07 09:41 Randy Armstrong Status assigned => resolved
2011-03-07 09:41 Randy Armstrong Resolution open => fixed
2011-03-07 09:41 Randy Armstrong Note Added: 0002326
2011-05-24 11:02 Randy Armstrong Status resolved => closed
2011-05-24 11:02 Randy Armstrong Note Added: 0002770
2012-02-09 23:10 Jim Luth Fixed in Version => 1.02