The Infrastructure Audit Trail and Part 11
Pamela Campbell, Senior Consultant, Validation
DataCeutics, Inc.
campbelp@dataceutics.com
February 28, 2003
DataCeutics, Inc. 2003
Why am I Qualified to Make this Presentation? 5 years as a software developer. 15 years of system administration and data center management background (including 5 in a DOD secure environment). 10+ years of validation and compliance experience.
Sec. 11.10 (e) (e) Use of secure, computer-generated, timestamped audit trails to independently record the date and time of operator entries and actions that create, modify, or delete electronic records. Record changes shall not obscure previously recorded information. Such audit trail documentation shall be retained for a period at least as long as that required for the subject electronic records and shall be available for agency review and copying.
What Does This Mean? To protect the public health, we as an industry must be able to account for the accuracy of our data. We must know where it came from, who collected it, why they changed it, what was changed, why these events took place, and at what time each occurred.
Why Are Audit Trails Important? They show where data is from. They show what has happened to the data and who did it. They show that you are in control of your data.
Where Do Audit Trails Hide? In the application / database. In the operating system.
Audit Trails in the Application: Many application audit trails are incomplete even though they claim to be Part 11 compliant. They miss parts of predicate rules that require the initialing of changes and updates. Example: queries and query responses, data cleaning.
Audit Trails Stored on the Infrastructure: WNT / Windows 2000 Event Logs (all server machines); Novell Container Auditing and Console logs (conlog); UNIX (LINUX) log files stored in /var/log; OpenVMS accounting, security and operator logs; Web Service software.
WNT / Windows 2000 Examples: Via Visual Basic, programs can write to event logs. IIS writes security events to the security event log. Exchange writes security events to the security event log.
Sample Security Log Event
Sample Record as Text
1/26/2003 11:56:37 AM Security Success Audit Logon/Logoff 528 ASSET4027\campbellp ASSET4027
"Successful Logon:
  User Name: campbellp
  Domain: ASSET4027
  Logon ID: (0x0,0x1CF986)
  Logon Type: 2
  Logon Process: User32
  Authentication Package: Negotiate
  Workstation Name: ASSET4027 "
Security Log Sample Properties
How Can This Help You? If you have a COTS product that is not Part 11 compliant but is configurable, add code to write to logs. If creating your own application, use existing OS logs instead of adding complexity by adding new logs.
What Does Not Work: Coded audit trails: the FDA auditor will not be able to dump tables to translate the codes. Audit trails that cannot be printed or stored on removable media and read without the creating application. If using system logs, do not let logs be periodically overwritten; logs must be copied and archived to match data retention requirements.
Other Tips: Use log gathering tools to pull logs into a non-modifiable storage and archiving location. Use system and log monitoring tools to provide notification of attempts to circumvent logs and security.
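One way to follow the archiving tips above, as an added example that is not part of the original presentation: it parses Event Viewer text-export lines like the sample record and stores them as plain-text JSON lines linked by SHA-256 hashes, so a later edit, removal or reordering is detectable. The tab-delimited layout, the function names and the hash-chain scheme are assumptions made here, and the sample lines are constructed.

```python
import hashlib
import json

# Field order assumed for a tab-delimited Event Viewer text export.
FIELDS = ["date", "time", "source", "type", "category", "event_id",
          "user", "computer", "description"]
# Constructed sample lines, modelled on the "Sample Record as Text" slide.
SAMPLE_EXPORT = [
    "1/26/2003\t11:56:37 AM\tSecurity\tSuccess Audit\tLogon/Logoff\t528\t"
    "ASSET4027\\campbellp\tASSET4027\tSuccessful Logon: User Name: campbellp",
    "1/26/2003\t12:03:10 PM\tSecurity\tSuccess Audit\tLogon/Logoff\t538\t"
    "ASSET4027\\campbellp\tASSET4027\tUser Logoff: User Name: campbellp",
]
GENESIS = "0" * 64  # "prev" value used by the first archived entry

def parse_record(line):
    """Split one exported line into named fields; reject malformed lines."""
    parts = line.rstrip("\r\n").split("\t", len(FIELDS) - 1)
    if len(parts) != len(FIELDS):
        raise ValueError("expected %d fields, got %d" % (len(FIELDS), len(parts)))
    return dict(zip(FIELDS, parts))

def _digest(prev_hash, record):
    body = json.dumps(record, sort_keys=True)
    return hashlib.sha256((prev_hash + body).encode("utf-8")).hexdigest()

def append_entry(archive, record):
    """Append a record as a readable JSON line chained to the previous entry."""
    prev_hash = json.loads(archive[-1])["hash"] if archive else GENESIS
    entry = {"prev": prev_hash, "record": record, "hash": _digest(prev_hash, record)}
    archive.append(json.dumps(entry, sort_keys=True))

def first_bad_entry(archive):
    """Return the index of the first altered, removed or reordered entry, or -1."""
    prev_hash = GENESIS
    for i, line in enumerate(archive):
        entry = json.loads(line)
        expected = _digest(prev_hash, entry["record"])
        if entry["prev"] != prev_hash or entry["hash"] != expected:
            return i
        prev_hash = entry["hash"]
    return -1

def build_archive(lines):
    archive = []
    for line in lines:
        append_entry(archive, parse_record(line))
    return archive
```

A chain like this only shows tampering if the newest hash is also recorded somewhere the log's administrators cannot rewrite, such as write-once media or a printed report; otherwise the file can be truncated or regenerated unnoticed.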
Other Reasons Why the Audit Trail is Important: Security. Sec. 11.10(c) Protection of records to enable their accurate and ready retrieval throughout the records retention period. Sec. 11.10(d) Limiting system access to authorized individuals. Sec. 11.10(g) Use of authority checks to ensure that only authorized individuals can use the system, electronically sign a record, access the operation or computer system input or output device, alter a record, or perform the operation at hand.
Last, But Important Things! Make sure someone in the data center is monitoring your audit trails. Make sure your data center staff receives validation training! Also help your staff understand the end product that actually brings in the money that pays their salary. Give them a reason to take pride in the validation and compliance process.