MySign Electronic Signature



Similar documents
1. WHAT IS THE PURPOSE OF THIS ADVISORY CIRCULAR (AC)?

DRAFT Advisory Circular

Adobe PDF for electronic records

Digital Signatures on iqmis User Access Request Form

Cross-Media Electronic Reporting Regulation (CROMERR)

Electronic records and electronic signatures in the regulated environment of the pharmaceutical and medical device industries

Arkansas Department of Information Systems Arkansas Department of Finance and Administration

5 FAM 140 ACCEPTABILITY AND USE OF ELECTRONIC SIGNATURES

Tools to Aid in 21 CFR Part 11 Compliance with EZChrom Elite Chromatography Data System. White Paper. By Frank Tontala

InfoCenter Suite and the FDA s 21 CFR part 11 Electronic Records; Electronic Signatures

Self-Assessment of eresearch Compliance with 21 CFR Part 11, Electronic Record; Electronic Signatures

Technical Safeguards is the third area of safeguard defined by the HIPAA Security Rule. The technical safeguards are intended to create policies and

Signature Authentication

January 30, 2014 Mortgagee Letter

rsdm and 21 CFR Part 11

User Guide for CBER s Electronic Signature Process

POLICY ISSUES IN E-COMMERCE APPLICATIONS: ELECTRONIC RECORD AND SIGNATURE COMPLIANCE FDA 21 CFR 11 ALPHATRUST PRONTO ENTERPRISE PLATFORM

CoSign for 21CFR Part 11 Compliance

HIPAA Security. 4 Security Standards: Technical Safeguards. Security Topics

Assessment of Vaisala Veriteq vlog Validation System Compliance to 21 CFR Part 11 Requirements

The Impact of 21 CFR Part 11 on Product Development

Using Entrust certificates with Adobe PDF files and forms

ELECTRONIC SIGNATURE REQUIREMENTS FOR LENDERS

HKUST CA. Certification Practice Statement

Oracle WebCenter Content

InfinityQS SPC Quality System & FDA s 21 CFR Part 11 Requirements

DeltaV Capabilities for Electronic Records Management

Electronic Signature, Attestation, and Authorship

Profession Practice Advice for the Profession

Online Timesheets Guide for Contractors

Minnesota State Colleges and Universities System Guideline Chapter 5 Administration

How To Protect The Time System From Being Hacked

DeltaV Capabilities for Electronic Records Management

Compliance Matrix for 21 CFR Part 11: Electronic Records

FILEHOLD DOCUMENT MANAGEMENT SYSTEM 21 CFR PART 11 COMPLIANCE WHITE PAPER

Supplier IT Security Guide

Empower TM 2 Software

21 CFR Part 11 Compliance Using STATISTICA

SolidWorks Enterprise PDM and FDA 21CFR Part 11

A unique biometrics based identifier, such as a fingerprint, voice print, or a retinal scan; or

Virtual Code Authentication User s Guide. June 25, 2015

OBM (Out of Band Management) Overview

10 Tips for Selecting the Best Digital Signature Solution

Implementation of 21CFR11 Features in Micromeritics Software Software ID

Electronic Document and Record Compliance for the Life Sciences

21 CFR PART 11 ELECTRONIC RECORDS, ELECTRONIC SIGNATURES CFR Part 11 Compliance PLA 2.1

Is there a fee to use U-Deposit? No, U-Deposit is a free*, convenient service provided to UNITED SA Federal Credit Union members.

U.S. DEPARTMENT OF EDUCATION

Authentication of Hardcopy and Electronic Professional Documents

Design Professionals Guide to Creating and Processing Electronic Construction Documents

Revu validates and signs documents based on the Windows Certificate Store and the PKCS #12 standards. Revu also supports Adobe CDS signatures.

Department of Supply & Services (CIMS) RSA Web Express User Guide v1.2

A ChemoMetec A/S White Paper September 2013

The United States Office Of Personnel Management eopf Human Resources Specialist Training Manual for eopf Version 4.0.

Contents. Identity Assurance (Scott Rea Dartmouth College) IdM Workshop, Brisbane Australia, August 19, 2008

Implementing Title 21 CFR Part 11 (Electronic Records ; Electronic Signatures) in Manufacturing Presented by: Steve Malyszko, P.E.

itrust Medical Records System: Requirements for Technical Safeguards

Authentication of Documents/Use of Professional Stamps

Digital Certificate for Corporate Internet Banking - User Guide

Visa Business Debit Card Application

IBM Client Security Solutions. Client Security User's Guide

Implement best practices by using FileMaker Pro 7 as the backbone of your 21 CFR 11 compliant system.

Alfresco CoSign. A White Paper from Zaizi Limited. March 2013

Guidelines for the use of electronic signature

ELECTRONIC DELIVERY OF BANK STATEMENTS/NOTICES CONSENT AND AGREEMENT

Full Compliance Contents

ScreenMaster RVG200 Paperless recorder FDA-approved record keeping. Measurement made easy

State of Arkansas Policy Statement on the Use of Electronic Signatures by State Agencies June 2008

Ministry of Civil Aviation Egyptian Civil Aviation Authority. EAC No. 00_6. Issue 5, Rev. 0 Dated May, 2012 Page 1

MyKey is the digital signature software governed by Malaysia s Digital Signature Act 1997 & is accepted by the courts of law in Malaysia.

Aloaha Sign! (English Version)

Digital Signatures in a PDF

Procedure for How to Enroll for Digital Signature

APGO GUIDANCE ON DOCUMENT AUTHENTICATION. Table of Contents

esign Online Digital Signature Service

GENERAL AVIATION AIRPORT RULES AND REGULATIONS

Date: 9/30/15 AC No: Initiated by: AFS-300 Change: 0

PDMP User s Guide. Oregon Health Authority Prescription Drug Monitoring Program

Frequently Asked Questions (FAQs) SIPRNet Hardware Token

Entrust Managed Services PKI. Getting started with digital certificates and Entrust Managed Services PKI. Document issue: 1.0

Sponsor Site Questionnaire FAQs Regarding Maestro Care

PA-DSS Implementation Guide for. Sage MAS 90 and 200 ERP. Credit Card Processing

State of Arizona Policy Authority Office of the Secretary of State

White Paper: Financial Services Compliance

Meeting the FDA s Requirements for Electronic Records and Electronic Signatures (21 CFR Part 11)

DRAFT. Date: DRAFT Initiated by: AFS-300

REAL TIME, ALL IN ONE

Case CATalyst is digital-signature ready! Introduction What are digital signatures?... 3

The Virginia Electronic Notarization Assurance Standard

The Internet and 2 Acceptable use 2 Unacceptable use 2 Downloads 3 Copyrights 3 Monitoring 3. Computer Viruses 3

SUPPLIER SECURITY STANDARD

Software Manual Part IV: FDA 21 CFR part 11. Version 2.20

Merchant Payment Card Processing Guidelines

Select a topic below to be automatically directed to that section:

Transcription:

MySign Electronic Signature Advisory Circular Compliance Matrix FAA AC 120 78, Dated 10/29/02 1

AC 120 78 Section 5, 6 and 8 Gulfstream CMP MySign Digital Signature Compliance 5. What is an acceptable electronic signature? See Below a. General. Before recent changes to permit the use of electronic signatures, handwritten signatures were used on any required record, record entry, or document. The electronic signature s purpose is identical to that of a handwritten signature or any other form of signature currently accepted by the FAA. The handwritten signature is universally accepted because it has certain qualities and attributes (e.g., subparagraph c(4)(d) below concerning employee termination) that should be preserved in any electronic signature. Therefore, an electronic signature should possess those qualities and attributes that guarantee a handwritten signature s authenticity. Use of two factor authentication (username/password login plus digital signature PIN) guarantees digital signature authenticity along with required system authorization (access rights must be first granted by system administrator). Password and digital signature PIN are always under the sole control of the signatory. Corresponding data is stored in encrypted form at MyCMP secure data center. b. Forms of Electronic Signatures. See Below (1) An electronic signature may be in the following forms. A digital signature A digitized image of a paper signature A typed notation An electronic code Any other unique form of individual identification that can be used as a means of authenticating a record, record entry, or document. MyCMP s digital signature consists of an electronic transaction stamp associated with the item being signed off that is the result of a positive identification of the signatory via password and digital signature PIN authentication. The password, digital signature PIN, transaction stamp, and snapshot of data associated with the digital signature are all cross referenced to a specific, and unique, user ID. (2) Not all identifying information found in an electronic system may constitute a signature. For example, the entry of an individual s name in an electronic system may not constitute an electronic signature. Other guarantees equal to those of a handwritten signature should be provided. Digital signature PIN, along with a username/password, will be used to authenticate a user and associate the user with their MyCMP user ID. The PIN and password are under the sole control of the signatory. 2

c. Attributes of an Acceptable Electronic Signature. First and foremost, an electronic signature must be part of a well designed program. This program should, at a minimum, consider the following. The digital signature capability is fully integrated and relies on the MYCMP existing security and data integrity processes. (1) Uniqueness. An electronic signature should retain those qualities of a handwritten signature that guarantee its uniqueness. A signature should identify a specific individual and be difficult to duplicate. A unique signature provides evidence that an individual agrees with a statement. An electronic system cannot provide a unique identification with reasonable certainty unless the identification is difficult for an unauthorized individual to duplicate. An acceptable method of proving the uniqueness of a signature is by using an identification and authentication procedure that validates the identity of the signatory. For example, an individual using an electronic signature should be required to identify himself or herself, and the system that produces the electronic signature should then authenticate that identification. Acceptable means of identification and authentication include the use of separate and unrelated identification and authentication codes. These codes could be encoded onto badges, cards, cryptographic keys, or other objects. Systems using PINs or passwords also are an acceptable method of ensuring uniqueness. The digital signature PIN will be used as a separate and unrelated method of identifying and authenticating the user. In conjunction with the digital signature PIN requirement, the user must supply a username/password to initially access the system thus providing two factor authentication. In addition to authentication, the user must have the proper authorization within the system for the sign off action requested. Additionally, a system could use physical characteristics, such as a fingerprint, handprint, or voice pattern, as a method of identification and authorization. (2) Significance. An individual using an electronic signature should take deliberate and recognizable action to affix his or her signature. Acceptable, deliberate actions for Specific actions in the CMP System, such as the signing of a work card or return to service document, will require additional authentication in the form of a digital signature. When additional authentication is required the user will be prompted to 3

creating a digital electronic signature include, but are not limited to, the following: Badge swipes Signing an electronic document with a stylus Typing specific keystrokes Using a digital signature use their digital signature PIN (which must be preceded by a successful username/password login). This specific action will not be completed if the credentials are not provided. (3) Scope. The scope of information being affirmed with an electronic signature should be clear to the signatory and to subsequent readers of the record, record entry, or document. Handwritten documents place the signature close to the information to identify those items attested to by a signature. However, electronic documents may not position a signature in the same way. It is therefore important to clearly identify the specific sections of a record or document that are affirmed by a signature from those sections that are not. Acceptable methods of marking the affected areas include, but are not limited to, highlighting, contrast inversion, or the use of borders or flashing characters. Additionally, the system should notify the signatory that the signature has been affixed. The user should be asked to ensure that the identified material is, in fact, what is being signed for after affixing the signature. The user also should be able to retrieve a report listing all places where his or her digital electronic signature has been applied. The FAA is not concerned with the computer technology used to accomplish the above tasks. Instead, the FAA concern is with the accuracy of the record and that the signatory is fully aware of what he or she is signing. When applying a digital signature in the CMP system, the material being signed is clearly identified on the page to clearly identify the scope of the signature. After the signature has been applied through use of the digital signature PIN, a transaction stamp is applied and is visible in the user interface. This stamp is a hyperlink which allows the user to retrieve a detailed statement concerning the authenticity of the signature and the data associated with that signature. (4) Signature Security. The security of an individual s handwritten signature is maintained by ensuring that it is difficult for another individual to duplicate or alter it. An electronic signature should maintain an equivalent level The security of the digital signature is maintained via the integrity of the username/password and digital signature PIN. The password and PIN are under the sole control of the signatory and are never accessible to any other person and are 4

of security. An electronic system that produces signatures should restrict other individuals from affixing another individual s signature to a record, record entry, or document. Such a system enhances safety by preventing an unauthorized individual from certifying required documents, such as an airworthiness release. never displayed as plain text (i.e., the data is always encrypted). (a) A corresponding policy and management structure must support the computer hardware and software that delivers the information. This policy and management structure is in place. See Gulfstream MyCMP Architecture description document (available upon request) for hardware and software description, security and data integrity measures, and operating procedures. (d) The system should contain restrictions and procedures to prohibit the use of an individual s electronic signature when the individual leaves or terminates employment. This should be done immediately upon notification of the change in employment status. Two safeguards exist. When a user leaves, the user access will be disabled preventing the employee from access to any part of the system including digital signatures. The user access is disabled, but not removed, because the employee's digital signature may be electronically tied to past signature transactions. In addition, the user's digital signature PIN capability will be purged from the system. (e) Procedures should be established allowing the organization to correct documents that were electronically signed in error. The signature should be invalidated anytime a superseding entry is made on the same document. (The entry should be voided but remain in place. Reference to a new entry should be made and electronically signed and dated). Once items have been digitally signed, the record is locked and the item contents cannot be edited. This prevents alteration of a digitally signed record. Items which have been digitally signed off and locked can have the signature removed by the signatory only. Any item retracted in this manner will have the digital transaction stamp marked as removed (although the removed transaction stamp remains in the database) and the item will be open to editing. The edited item will then need to be re signed digitally. A complete transaction record is available for all digital signature activities including the removal of a signature and the re signing. (5) Non repudiation. An electronic signature should prevent a signatory from denying that he or she affixed a signature to a specific record, record entry, or document. The more difficult it is to duplicate a signature, the likelier the signature was created by the signatory. The Two factor authentication (username/password and digital signature PIN) is used for authentication. Gulfstream MyCMP acts as the trusted third party and holds the private encryption keys for both the password and the digital signature PIN. In addition, the digital signature stamp contains an encrypted record of the signed data that is separate from data record in the system (i.e., a separate snapshot of the data). 5

system s security features that make it difficult for others to duplicate signatures or alter signed documents usually ensure that a signature was indeed made by the signatory. Many off the shelf computer software packages, such as Adobe Acrobat, contain a self sign utility. Although such computer software can provide an electronic signature for individuals or a group of individuals participating in an electronic signature program, a self sign utility by itself cannot be used. However, it can become the basis of a digital signature program if the public and private keys are issued and controlled by a trusted third party. Signature authentication includes a comparison of the snapshot data contained in the digital signature stamp to database fields associated with signature. (6) Traceability. An electronic signature should provide positive traceability to the individual who signed a record, record entry, or any other document. The electronic signature will contain the unique MyCMP user ID that acts as a primary key identifying the user who signed the document. Key user information is also stored in the digital signature stamp data so that key information can be captured at the time of the signing (i.e., username, full name, cert number). d. Other Acceptable Forms of Signature/Identification. Although this AC specifically addresses electronic signatures, other types of signatures, such as a mechanic s stamp, may also be acceptable to the FAA. If identification other than a handwritten signature is used, access to that identification should be limited to the named individual only. For example, the individual should secure a mechanic s stamp when it is not in use. Similarly, a computer entry used as a signature should have restricted access that is limited by an authentication code that is changed periodically. Access to issued stamps or authentication codes should be limited to the user. Although a signature may take many forms, the FAA emphasizes that not all electronic entries may satisfy the criteria to qualify the entry as an acceptable signature. Digital signature PIN, along with a username/password, will be used to authenticate a user and associate the user with their MyCMP user ID. The PIN and password are under the sole control of the signatory. The PIN and password must be updated at least every 6 months. e. Compliance with Other Regulatory Requirements. Although the FAA now permits the use of electronic signatures to meet certain FAA operational and maintenance requirements, any computer hardware used to generate the When digital signatures are in use, the reports contain additional features to safeguard the authenticity of the documents. First, digital signature stamps are used in the document specifying the date the digital signature was applied and the user that 6

required documents and records must continue to meet current regulatory requirements. A proper signature affixed to an improperly created document still results in a document that does not meet regulatory requirements. Methods and procedures used to generate an electronic signature must therefore meet all regulatory requirements for a recordkeeping system to be used by owners, operators, or maintenance personnel. In addition, electronic signatures should only be used to satisfy the maintenance and operational requirements relating to this AC. Electronic signatures may not be considered acceptable in other areas covered by 14 CFR having more specific applicability (i.e., legal depositions and various other applications). Although the acceptance of electronic signatures will foster the use of electronic recordkeeping systems, the FAA continues to accept paper documents to satisfy current regulatory requirements. applied the signature. There is a watermark embedded behind the digital signature stamp to indicate the presence of an authenticated digital signature. All documents are in secure and protected PDF format and have an electronic reference to a secured snapshot of the digitally signed content stored at the Gulfstream MyCMP data center (archived daily, weekly, and monthly). 6. How does an operator or individual receive FAA approval to use an electronic signature? a. Announcing Intent to Use Electronic Signatures. Certificate holders and operators intending to use electronic signatures should consult with their local FSDO or CHDOs before implementing an electronic system. To obtain FAA approval, the certificate holder or operator must submit a letter to the appropriate FSDO or CHDO (see Appendix 1 for sample letter) describing the proposed system and include the proposed section or revision to the operator s manual. This compliance matrix can be used in conjunction with the operator s letter of intent to receive FAA approval. b. Description of Electronic System and Proposed Manual Changes. The electronic system description should explain how electronic signatures will be used in the operator s maintenance and operational activities. The proposed manual section or revision should clearly state who in the organization has authority and the overall responsibility for implementing, modifying, revising, and monitoring the electronic signature computer This compliance matrix together with the MySign Electronic Signature Specification is available to support the approval process. 7

software. In addition, the operator s manual must explain how electronically signed documents required aboard an aircraft will be transferred (in accordance with the appropriate regulations) prior to the aircraft s operation. Required documents include aircraft maintenance releases, dispatch releases, etc. c. FAA Approval Process. The appropriate FAA Principal Inspector will review the electronic signature proposal. If the proposed electronic hardware and computer software system meets the elements of this AC, the inspector will make the appropriate entry on the operator s operation specifications. For a part 91 operator, the FSDO will review the operator s proposed procedures. If the procedures are acceptable, the FSDO will provide the operator with a letter of acceptance (see Appendix 2 for sample letter). Gulfstream MyCMP is available to support the operator's electronic signature and recordkeeping proposal to the FAA. 8. How does an operator or individual receive FAA approval to use an electronic recordkeeping system? a. Announcing Intent to Use Electronic Recordkeeping. Certificate holders and operators intending to use electronic recordkeeping should consult with their local FSDO or CHDO before implementing an electronic system. To obtain FAA approval, the certificate holder or operator must submit a letter to the appropriate FSDO or CHDO (see Appendix 1 for sample letter) describing the proposed system and include the proposed section or revision to the operator s manual. This compliance matrix along with MySign Electronic Signature Specification can be used in conjunction with the operator s letter of intent. b. Description of Electronic System and Proposed Manual Changes. The electronic system description should explain how the electronic recordkeeping will be used in the operator s maintenance and operational activities. The proposed manual section or revision should clearly state who in the organization has authority and the overall responsibility for implementing, modifying, revising, and monitoring the electronic See the MySign Electronic Signature and operator s letter of intent. 8

recordkeeping computer software. c. FAA Approval Process. The appropriate FAA Principal Inspector will review the electronic recordkeeping proposal. If the proposed electronic hardware and computer software system meets the elements of this AC, the inspector will make the appropriate entry on the operator s operation specifications. For a part 91 operator, the regulations do not require FAA approval; however, if the part 91 operator wants to submit its electronic system to the local FSDO, the FSDO will review the operator s proposed procedures. If the procedures are acceptable, the FSDO will provide the operator with a letter of acceptance (see Appendix 2 for sample letter). Gulfstream MyCMP is available to support the operator's electronic signature and recordkeeping proposal to the FAA. 9

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information