SharePoint Configuration Guidance for 21 CFR Part 11 Compliance - PowerPoint PPT Presentation

Slides: 79
Provided by: sck12345

SharePoint Configuration Guidance for 21 CFR Part
11 Compliance
April 2012
Microsoft Corporation
Health and Life Sciences Industry Unit
Paragon Solutions
Health and Life Sciences Practice
Draft - SharePoint Configuration Guidance v0.9j
Table of Contents
Introduction
Acknowledgements
Architectural Approaches to Compliance
Use Cases for 21 CFR Part 11 Compliance
Electronic Signature Use Cases
Single Signature Use Case
Multiple Signature Use Case
Digital Signatures Use Cases
Single Signature Use Case
Multiple Signature Use Case
User Authentication Use Case
Architecture for 21 CFR Part 11 Compliance
Windows Server 2008 R2
Active Directory Domain Services
Active Directory Rights Management Server
Active Directory Certificate Services
What is XAdES?
Time stamping and XAdES-T signatures
Active Directory Federation Services
SQL Server 2008 R2
SharePoint Designer
SharePoint 2010 Architecture for Compliance
Database Security
Configuring the Electronic Signature Use Cases
Administrator Configuration for Single Signatures
Configure document library templates
Configure Document Library Version Histories
Configure Document Templates for Workflow and Signatures
Create workflows for electronic signatures
Create a Signature Page
Set Policies for the Document Library
Configure Document Templates for Workflow and Multiple Signatures
Create workflows for multiple electronic signatures
Create a Signature Page
Set Permissions for the Document Library
Set Policies for the Document Library
Digital Signatures Use Case
Administrator Configuration for Digital Signatures
Configure Document Library Templates
Configure Document Library Version Histories
Configure Document Templates for Workflow and Digital Signatures
Create workflows for digital signatures
Add or Change a Collect Signatures Workflow
Add or change a Collect Signatures workflow for a library or content type
Start a Collect Signatures workflow on a document or workbook
Create a Signature Page
Set Permissions for the Document Library
Set Policies for the Document Library
View the Version Histories for Digital Signatures
21 CFR Part 11 Requirements
Subpart B Electronic Records
11.10 Controls for Closed Systems
11.10 (a) Validation of Systems
11.10 (b) Record Review and Inspection
11.10 (c) Records protection and retrieval
11.10 (d) System Access
11.10 (e) Audit Trail
11.10 (f) Operational System Checks
11.10 (g) Protect records from unauthorized access
11.10 (h) Data Input Validation
11.10 (i) Training
11.10 (j) Electronic Signature Policy
11.10 (k) System control
11.30 Controls for Open Systems
11.50 Signature Manifestations
11.50 (a) Signature Manifestation
11.50 (b) Control of signature information
11.70 Signature/Record Linking
Subpart C Electronic Signatures
11.100 General Requirements
11.100 (a) Uniqueness
11.100 (b) Identity Verification
11.100 (c) Legal Certification
11.200 Electronic Signature Components and Controls
11.200 (a) Non-biometric Signatures
11.200 (b) Biometric Signatures
11.300 Controls for Identification Codes/Passwords
11.300 (a) Uniqueness of identity
11.300 (b) Password Policy
11.300 (c) Deactivation of Users
11.300 (d) Unauthorized use of passwords or identification codes
11.300 (e) Identification Code Device Testing
Systems Validation and Compliance
Introduction
Since the release of the Microsoft Office
SharePoint Server 2007, compliance has been a
major focus of the Microsoft Office System. That
focus continues with SharePoint 2010 and includes
additional functionality that further enhances
compliance capabilities.
In addition to the audit trails and document-level security that were introduced in SharePoint 2007, there are now enhanced capabilities for document and records compliance. These enhanced features include:
• Records center document libraries can be placed anywhere in a site collection
• In-place records management in any document library
• Centrally managed and distributed content types and taxonomies
• Centrally managed policies and workflow enforced on content types
• Workflow can promote a document from loose collaboration to a formally declared and managed record, including the capability for electronic signatures.
• Multi-stage records disposition
• Centralized audit trails and audit trail reporting that is easily configured with no additional coding necessary.
While these features can be applied to a broad range of regulations, including Sarbanes-Oxley and HIPAA, they also apply to 21 CFR Part 11. Thus the Microsoft Office SharePoint Server 2010, when combined with other Microsoft technologies, including Active Directory, Information Rights Management, and (optionally) the Microsoft PKI system, provides a system that may be configured to assist with 21 CFR Part 11 compliance.
In a departure from previous whitepapers on the topic, we approach this document in a slightly different way:
1. Describe the overall SharePoint architecture needed to support compliance
a. Including both conceptual and product-level architectures
2. Provide a set of use cases for compliance and then detail the configurations necessary to support those use cases.
3. Provide a mapping between 21 CFR Part 11 and the configurations detailed as part of the use cases that support each individual line of the regulation.
This approach will be more useful for those involved in the validation effort, as it provides the use cases and then the configurations necessary for validation.
Of course, software cannot be compliant by
itself, so SharePoint 2010 and other
Microsoft technologies must be used in
conjunction with a broader compliance
framework, including appropriate configurations,
policies, procedures and validation documentation
that are the responsibility of the implementing
party.
Disclaimer
The information contained in this document
represents the current view of Microsoft Corporation
on the issues discussed as of the date of
publication. Because Microsoft must respond to
changing market conditions, it should not be
interpreted to be a commitment on the part of
Microsoft, and Microsoft cannot guarantee the
accuracy of any information presented after the
date of publication.
This White Paper is for informational purposes
only. MICROSOFT MAKES NO
WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO
THE INFORMATION IN THIS DOCUMENT.
Complying with all applicable copyright laws is
the responsibility of the user. Without
limiting the rights under copyright, no part of
this document may be reproduced, stored in or
introduced into a retrieval system, or
transmitted in any form or by any
means (electronic, mechanical, photocopying,
recording, or otherwise), or for any
purpose, without the express written permission
of Microsoft Corporation.
Microsoft may have patents, patent applications,
trademarks, copyrights, or other
intellectual property rights covering subject
matter in this document. Except as
expressly provided in any written license
agreement from Microsoft, the furnishing of
this document does not give you any license to
these patents, trademarks, copyrights, or other
intellectual property.
© 2011 Microsoft Corporation. All rights reserved.
Microsoft, Microsoft Office 2010, Microsoft
SharePoint 2010, Microsoft Word, Microsoft Excel,
Microsoft PowerPoint, Microsoft Rights Management
Services, Active Directory, Windows Server 2008
R2, Windows 7, Windows Vista, Windows XP,
Microsoft Windows, Microsoft Certificate
Lifecycle Manager, Microsoft Visual Studio,
Microsoft Forefront are either registered
trademarks or trademarks of Microsoft Corporation
in the United States and/or other countries.
The names of actual companies and products
mentioned herein may be the trademarks of their
respective owners.
Acknowledgements
As with any effort of this size, there are a myriad of persons involved in its development. In this case, we acknowledge the efforts of Paragon Solutions (http://www.consultparagon.com) in the development of the demonstration system, SharePoint configurations, workflows, SharePoint Designer configurations and sample source code, all of which were absolutely essential for this project to be successful.
It is also necessary to acknowledge the Life
Sciences Industry Unit members who wrote and
reviewed the configuration text, the use cases,
regulation interpretation and guided the
development of the end product.
Finally, it is necessary to acknowledge the
efforts of the Microsoft Consulting Services on
the 2007 version of this whitepaper, portions of
which remain intact especially in the section
that maps each part of 21 CFR Part 11 to the
needed configuration step.
Architectural Approaches to Compliance
When considering regulatory compliance, whether
it be for eDiscovery, Part 11, DDMAC, SOX, or any
other regulation, the most important step in the
process is planning the architecture. While the
SharePoint system is eminently flexible, that
flexibility can also pose challenges down the
road if you take a wholly haphazard approach. A
good plan, consistently applied, will take you
far and avoid pitfalls.
When building the plan it is important, first and
foremost, to understand the overall
capabilities of the platform. In this case, it
is important to understand that SharePoint has a
plethora of capabilities in the Enterprise
Content Management (ECM) space.
[Figure: SharePoint ECM capabilities, in two groups. Foundational ECM: human-centric workflow, document management, records management, web content management, rich media management, document output management, e-mail archiving. Supplemental ECM ("Embrace and Extend Workloads with Partners"): transactional content management, physical records management, business process management, scanning and capture, archiving and library services, industry-specific solutions.]
Matching the Foundational ECM capabilities in SharePoint is the plethora of partners that embrace and extend the SharePoint platform. These include vendors that provide out-of-the-box Part 11 and GxP compliance, vendors that provide capabilities for scientists through electronic lab notebooks and LIMS systems, even vendors that provide manufacturing and plant floor monitoring capabilities - all on SharePoint. These are in addition to the workloads listed in the graphic above.
For the purposes of Part 11 compliance, we will be looking at the features that Microsoft categorizes as Records Management. For planning Records Management systems, the implementer will need to factor in a couple of key considerations:
• Policies and Workflow
• File Archival Plan - In-Place Records vs. Centrally Archived
• Managed Metadata and the Taxonomy Term Store
Managed Metadata and the Taxonomy Term Store provide more flexibility to the end user as well as the system administrator when it comes to metadata. Users are no longer simply consigned to setting the metadata through dialog boxes at upload time, but can actually set the metadata for a document during the authoring process. Similarly, content managers have the ability to manage the metadata, through hierarchical means, and propagate those terms throughout a site collection.
The decision whether to use in-place records or centrally archived records becomes crucial when configuring the system for Part 11 compliance. In this document, the workflows and configurations demonstrate both approaches, by using in-place records for most electronic and digital signature workflows, but then using a central archive record store once a document's lifecycle has run its course.
Policies and workflow are central to configuring SharePoint 2010 for compliance with any regulation. In this whitepaper we will discuss at length the use of workflow for electronic and digital signatures, as well as the use of policies to determine which documents need signatures.
Given those key considerations, the balance of this document will be split into two parts:
1. A discussion of configuring SharePoint 2010 for Part 11 compliance
a. Utilize a Use Case methodology so the document can be used to provide guidance for your own validation efforts
b. Provide the architecture to support the Use Cases
c. Detail the workflow and policies for electronic signatures
d. Detail the workflow and policies for digital signatures
e. The promotion of records to in-place and centrally managed records
2. Mapping 21 CFR Part 11 to the areas of the previous use case to demonstrate how SharePoint meets those regulations
Use Cases for 21 CFR Part 11 Compliance
In this section we will detail common use cases
that require 21 CFR Part 11 compliance and then
will step through the configuration of the system
for that use case.
There is another use case allowed for in Part 11, namely biometric-based signatures. While the combination of Windows 7, Active Directory and hardware manufacturers provides for this capability, which can be extended to SharePoint, it is so uncommon a method of authentication and signature that it won't be dealt with in this context.
Electronic Signature Use Cases
The following use cases will detail the
configurations and resulting process for
applying an electronic signature to a document
either in a single signature scenario or in
a multiple signature scenario.
Single Signature Use Case
To support the use case where the process requires a single electronic signature per document, the site administrator will:
• Configure document library templates for electronic signatures
  o Update the document library with new columns
  o Set the Content Approval Status
  o Set the Document Version History settings
  o Create and add document templates for embedded signatures (optional)
• Create workflows for Electronic Signatures
  o Utilize SharePoint Designer
  o Attach the workflow to the document library
• Set the policies for the document template
  o Create custom security for the content-type
  o Set permissions on the content-type so that regulated documents cannot have the version history changed or versioned documents modified
• Create a customized page that captures the username and password for the electronic signature
  o Twelve lines of source code (provided) are used to call the LDAP store to authenticate the signature before storing it with the record.
  o The source code for authentication is added to the SharePoint Designer page created for the signature workflow.
Note: This system details use of an optional embedding of the signature into the Word Document, providing a visible record in the document itself of the signature process.
The user will:
• Navigate from their project page to the document management library for that project
• View the documents currently in process and the workflow status of each document
• Author the document to make necessary changes
• Save the document to the library
• Submit the document for workflow approval
• Sign the document as part of the approval workflow
• View the audit trail (workflow history) of the document library
Multiple Signature Use Case
To support the use case where the process requires multiple electronic signatures per document, the site administrator will:
• Configure document library templates for electronic signatures
  o Update the document library with new columns
  o Set the Content Approval Status
  o Set the Document Version History settings, which turns on audit trails.
  o Create and add document templates for embedded signatures (optional)
• Create workflows for Electronic Signatures
  o Utilize SharePoint Designer
  o Attach the workflow to the document library
• Set the policies for the document template
  o Create custom security for the content-type
  o Set permissions on the content-type so that regulated documents cannot have the version history changed or versioned documents modified
• Create a customized page that captures the username and password for the electronic signature
  o Twelve lines of source code (provided) are used to call the LDAP store to authenticate the signature before storing it with the record.
  o The source code for authentication is added to the SharePoint Designer page created for the signature workflow.
Note: This system details use of an optional embedding of the signature into the Word Document, providing a visible record in the document itself of the signature process.
Each signing user will:
• Navigate from their project page to the document management library for that project
• View the documents currently in process and the workflow status of each document
• Author the document to make necessary changes
• Save the document to the library
• Submit the document for workflow approval
• Sign the document as part of the approval workflow
• View the audit trail (workflow history) of the document library
Digital Signatures Use Cases
The following use cases will detail the
configurations and resulting process for applying
a digital signature to a document either in a
single signature scenario or in a
multiple signature scenario.
Single Signature Use Case
To support the use case where the process requires a single digital signature per document, the site administrator will:
• Configure document library templates for digital signatures
  o Update the document library with appropriate columns for workflow
  o Set the Content Approval Status
  o Set the Document Version History settings
  o Create and add document templates for digital signatures
• Create workflows for Digital Signatures
  o Utilize SharePoint Designer (if designed)
  o Attach the workflow to the document library
• Set the policies for the document template
  o Create custom security for the content-type
  o Set permissions on the content-type so that regulated documents cannot have the version history changed
These configurations will enable the user to:
• Navigate from their project page to the document management library for that project
• View the documents currently in process and the workflow status of each document
• Author the document to make necessary changes
• Save the document to the library
• Submit the document for workflow approval
• Sign the document in Office 2010 client
• Save the document to the document library as part of the workflow
• View the audit trail (workflow history) of the document library
Multiple Signature Use Case
To support the use case where the process requires a single digital signature per document, the site administrator will:
• Configure document library templates for digital signatures
  o Update the document library with new columns
  o Set the Content Approval Status
  o Set the Document Version History settings
  o Create and add document templates for embedded signatures
• Create workflows for Digital Signatures
  o Utilize SharePoint Designer
  o Attach the workflow to the document library
• Set the policies for the document template
  o Create custom security for the content-type
  o Set permissions on the content-type so that regulated documents cannot have the version history changed
The user will:
• Navigate from their project page to the document management library for that project
• View the documents currently in process and the workflow status of each document
• Author the document to make necessary changes
• Save the document to the library
• Submit the document for workflow approval
• Sign the document in Office 2010 client
• Save the document to the library as part of the workflow
• View the audit trail (workflow history) of the document library
User Authentication Use Case
Security and access control are central concepts for compliance. With the new reality of cross-company collaboration, authentication control is even more important. However, this is also more straightforward: there are such clear instructions in other Microsoft documents on the use of Active Directory and Active Directory Federation Services with SharePoint that a discussion here is not necessary.
Architecture for 21 CFR Part 11 Compliance
Given the use cases detailed above, there are a few key architectural components that are required in order to provide 21 CFR Part 11 compliance. As we detail each of these architectural components we will see how Microsoft technologies, when used together, can provide compliance with many different regulations, but only as configured and implemented in the end-user's system and in the context of the implementer's requirements.
Windows Server 2008 R2
Windows Server is the basis for all the components needed for regulatory compliance. Some of the key compliance features of Windows Server 2008 R2:
• The ability to provide detailed IQ reports when used with a software distribution system such as Microsoft System Center Configuration Manager
• The ability to provide detailed OQ reports when used with the systems management provided through Microsoft System Center Operations Manager.
• The ability to provide Network Access Protection, which enforces health requirements by monitoring and assessing the health of client computers when they attempt to connect or communicate on a network. Client computers that are not in compliance with the health policy can be provided restricted network access until their configuration is updated and brought into compliance with policy.
• The concept of server roles allows server administrators to quickly and easily configure any Windows-based server to run a specific set of tasks and remove extraneous OS code from system overhead. Windows Server 2008 R2 further extends this model with support for more roles and a broadening of current role support. The Server Core installation option is important to mention here as it only includes necessary components for running applications such as SharePoint.
Active Directory Domain Services
Part of Windows Server 2008 R2 Core
Infrastructure is Active Directory Domain
Services. While SharePoint can utilize an LDAP
system, Active Directory provides the means to
manage the identities and relationships that make
up your organization's network in a way that is
easily integrated with the rest of your
Microsoft-based infrastructure. It gives
out-of-the-box functionality needed to centrally
configure and administer system, user, and
application settings.
Active Directory Rights Management Server
The next component in the identity and access management system is Active Directory Rights Management Services (AD RMS). With AD RMS you can augment an organization's security strategy by protecting information through persistent usage policies, which remain with the information, no matter where it is moved. You can use AD RMS to help prevent sensitive information such as clinical trial reports, site monitoring documentation or even e-mails from intentionally or accidentally getting into the wrong hands.
In SharePoint 2010 this is configured through the
Information Rights Management (IRM) screen which
can be applied at the document library or
document library template level.
It is important to note that users do not have to
have Office installed to read protected documents
and messages. SharePoint 2010 with Web
Applications understands rights management, so
any user with access to a browser and rights to
the document can view the document.
It is also important to note that users do not need to reside within your organization, as long as they are granted appropriate rights. Any user with a Hotmail account or a LiveID can be granted access to a document and is then able to view it through a SkyDrive account or through e-mail.
Active Directory Certificate Services
Active Directory Certificate Services provides customizable services for issuing and managing certificates used in software security systems employing public key technologies. Active Directory Certificate Services (AD CS) allows organizations to deploy a digital certificate infrastructure, creating a web of authentication between devices, users, and applications.
AD CS is a role in Windows Server, which provides an integrated public key infrastructure (PKI) that enables capabilities such as digital signatures, strong authentication, and secure communications.
These certificates, when used in conjunction with Office 2010, provide the ability to sign Microsoft Office documents in a way that is compliant with the XML-DSig and XAdES standards for digital signatures. Since XAdES forms the basis of other standards such as SAFE-BioPharma, this system can be integrated into a SAFE-compliant system in a fairly straightforward manner.
What is XAdES?
XAdES (XML Advanced Electronic Signatures) is a
set of tiered extensions to XML-DSig, the levels
of which build upon the previous to provide more
and more reliable digital signatures.
By implementing XAdES, Office complies with the
European Union Advanced Electronic Signature
Criteria in Directive 1999/93/EC as well as a new
Brazilian government directive which defines
XAdES as the accepted standard for digital
signing in Brazil.
Office 2010 can create different levels of XAdES
signatures on top of XML-DSig signatures
Time stamping and XAdES-T signatures
Time stamping digital signatures (XAdES-T signatures) is an important scenario we focused on in Office 2010. In order to create a time stamped signature, you'll need to:
• Set up a timestamp server that complies with RFC 3161.
• Configure signature policy to let the client systems know where to locate the timestamp server. You'll also need to add the timestamp server's root certificate to the root certificate store.
Once everything is configured, you can just create signatures like you normally would.
A timestamp from a trusted timestamp server extends the life of your signature, because even after the certificate expires, the timestamp proves that the certificate had not expired at the time of signing. As a result, time stamping protects against certificate expiration, and if the certificate was revoked after the signature was applied, the signature is still valid.
Active Directory Federation Services
While not a hard and fast requirement for Part 11 compliance, ADFS provides simplified access and single sign-on for on-premises and cloud-based applications in the enterprise, across organizations, and on the web. In the case of access to compliant SharePoint sites, it allows IT administrators and end users to grant access to known entities, even users outside their organizational boundaries.
ADFS and SharePoint together accomplish this by using SAML 2.0 standard claims-based authentication and security. Once the ADFS servers of two organizations are pointed at each other through a simple configuration, end users from both organizations are free to collaborate, participate in workflow and even execute electronic or digital signatures in both organizations' SharePoint sites.
SQL Server 2008 R2
Microsoft SQL Server 2008 R2 is a complete set of
enterprise ready technologies and tools that
provide the database and business intelligence
technologies for SharePoint and many of the other
Microsoft platforms.
As a database management platform, SQL Server 2008 R2 manages databases more efficiently and effectively. It provides your people with built-in tools for greater control and oversight. It manages at scale, automates tasks, and streamlines troubleshooting.
As the business intelligence platform, it is a comprehensive platform for business intelligence that includes enhanced reporting, deeper and more powerful analysis, rich data modeling, master data management capabilities, and full integration with Microsoft Office.
Microsoft SQL Server 2008 R2 also provides the database and business intelligence platform for SharePoint 2010. This "better together" capability means that not only does SQL Server store the objects and configurations of SharePoint, but it also provides on-demand and self-service business intelligence, list generation and PowerPivot capabilities.
SharePoint Designer
SharePoint Designer is the mechanism that IT Professionals and Power Users can use to create workflows, design custom pages and perform other tasks that are not available in the SharePoint interface itself.
SharePoint 2010 Architecture for Compliance
When you bring all the pieces and parts together,
you end up with a general architecture for
compliance that includes capabilities for
workflow, electronic and digital
signatures, document retention and archival and
audit trails or histories to prove that the
signatures and documents are valid.
[Figure: SharePoint 2010 architecture for compliance. Components shown: Windows Server 2008 R2; SQL Server 2008 R2; Active Directory; Rights Management Services; Certificate Services; SharePoint 2010 (Electronic Workflow, Document Mgmt, Policy Mgmt, Records Mgmt, Digital Signature Workflow); FAST Enterprise Search.]
While the overall architectural components are important, it is also key to identify proper organization, sizing of the server farm, navigation and other concepts. Those elements are largely outside the scope of this document.
For information on the concepts of sizing, navigation and geographical dispersion, please visit http://msdn.microsoft.com as well as http://www.microsoft.com/itshowcase for best practice information on SharePoint implementation on an enterprise scale.
Database Security
21 CFR 11.10(d) notes that access to IT
applications must be limited to authorized
individuals. In addition to internal safeguards
built into a computerized system,
external safeguards and policies should be put in
place to ensure that access to the computerized
system and to the data is restricted to
authorized personnel. Staff should be kept
thoroughly aware through training and procedures
of system security measures and the importance of
limiting access to authorized personnel.
Procedures and controls should be put in place to
prevent the altering, browsing, querying, or
reporting of data via external software
applications that do not enter through the
protective system software. IT guidelines,
standard operating procedures and controls
typically ensure that access to back-end servers
and applications is controlled.
There is a potential security issue where a
person with elevated permissions to the
WSS-Content-Database could alter records in the
database table and impact the Signed
Person, Date signed, and Purpose of Signing
tables. Per typical IT operating measures, people
with elevated permissions are
authorized and working under strict operating
procedures, so the likelihood of malicious changes
is low. However, if someone did alter the
underlying database tables, SharePoint would not
recognize these changes, and hence the signature
would become invalidated.
If this is viewed as a security issue not handled
well enough by internal IT operating
procedures, there are options. To fix this issue,
an encryption key can be generated and stored in
the document library. This key would be used to
determine if changes were made to the document
properties using a SQL update. A hash key can be
generated using the following columns from the
document library:
- Signer Name
- Purpose of Signing
- DateTime (of signing)
- Version of the Document
- Document Status
A timer service can run to check approved
documents to see if any changes were made in the
WSS-Content-Database. The encryption key is
examined, and any changes noted will invalidate
the document. If the document is found to be
invalid, a workflow will be invoked to send an
email to the signer and/or an administrator to
note that the document has been changed by an
unknown person and hence the document is invalid.
There are other options for achieving this level
of check and balance to ensure that a malicious
activity at the database level is discovered and
accounted for. However, for most organizations
internal IT operating procedures preclude
unauthorized access to servers and applications.
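The integrity check described above, sketched as an added example (not code from the whitepaper or from SharePoint): a keyed hash over the five listed columns is stored at signing time and recomputed the way the timer job would. HMAC-SHA256, the class and member names, the sample values and the key handling are assumptions; the key is assumed to live outside the content database, so that someone with SQL access cannot recompute a matching value.

```csharp
using System;
using System.Collections.Generic;
using System.Globalization;
using System.Security.Cryptography;
using System.Text;

// Hypothetical holder for the five columns the page lists.
public sealed class SignatureRecord
{
    public string SignerName;
    public string PurposeOfSigning;
    public DateTime SignedUtc;
    public string DocumentVersion;
    public string DocumentStatus;
    public string StoredTag;   // Base64 HMAC written at signing time
}

public static class SignatureIntegrity
{
    // Length-prefix every field so ("ab","c") and ("a","bc") can never
    // serialize to the same byte stream.
    static byte[] Canonicalize(SignatureRecord r)
    {
        string[] fields = {
            r.SignerName, r.PurposeOfSigning,
            r.SignedUtc.ToUniversalTime().ToString("o", CultureInfo.InvariantCulture),
            r.DocumentVersion, r.DocumentStatus
        };
        var buffer = new List<byte>();
        foreach (string f in fields)
        {
            byte[] utf8 = Encoding.UTF8.GetBytes(f ?? string.Empty);
            buffer.AddRange(BitConverter.GetBytes(utf8.Length));
            buffer.AddRange(utf8);
        }
        return buffer.ToArray();
    }

    static byte[] ComputeTagBytes(SignatureRecord r, byte[] key)
    {
        using (var hmac = new HMACSHA256(key))
            return hmac.ComputeHash(Canonicalize(r));
    }

    // Called once, when the signature columns are written.
    public static string ComputeTag(SignatureRecord r, byte[] key)
    {
        return Convert.ToBase64String(ComputeTagBytes(r, key));
    }

    // What the timer job would call for each approved document.
    public static bool IsIntact(SignatureRecord r, byte[] key)
    {
        byte[] expected = ComputeTagBytes(r, key);
        byte[] stored;
        try { stored = Convert.FromBase64String(r.StoredTag ?? string.Empty); }
        catch (FormatException) { return false; }
        if (stored.Length != expected.Length) return false;
        int diff = 0;                       // compare without an early exit
        for (int i = 0; i < expected.Length; i++) diff |= expected[i] ^ stored[i];
        return diff == 0;
    }
}

public static class Demo
{
    public static void Main()
    {
        // Constructed key and record, for illustration only.
        byte[] key = Encoding.UTF8.GetBytes("constructed-demo-key-not-for-production");
        var rec = new SignatureRecord {
            SignerName = "CONTOSO\\jsmith",
            PurposeOfSigning = "Approval",
            SignedUtc = new DateTime(2012, 4, 2, 14, 30, 0, DateTimeKind.Utc),
            DocumentVersion = "2.0",
            DocumentStatus = "Approved"
        };
        rec.StoredTag = SignatureIntegrity.ComputeTag(rec, key);
        Console.WriteLine("After signing:     intact = {0}", SignatureIntegrity.IsIntact(rec, key));

        // An out-of-band change to the Date Signed column, as a direct
        // SQL update would make, leaves the stored tag stale.
        rec.SignedUtc = rec.SignedUtc.AddDays(-30);
        Console.WriteLine("After column edit: intact = {0}", SignatureIntegrity.IsIntact(rec, key));
    }
}
```

A document whose check returns false is the one the workflow would flag to the signer and the administrator.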
Configuring the Electronic Signature Use Cases
Electronic signatures are a central component to
21 CFR Part 11 compliance. As
specified in the use cases, we'll detail two
mechanisms for electronic signatures:
single signature documents and documents that
require multiple signatures.
In both use cases the configuration chosen makes
a few key decisions:
- While not necessary, the electronically
signed documents will contain a
representation of the signature that includes
the name of the signing party, the date of the
signature and the reason for signing.
- Once signed, the document will be protected
through Rights Management, so that the signed
version cannot be tampered with, but it may also
be used to create another version.
- The electronic signature will remain in the
document as well as in the audit trail/version
history of that document.
- Workflow can take the final electronically
signed document and copy it to the records
center for final disposition and archival.
Administrator Configuration for Single Signatures
To support the use case where the process
requires a single electronic signature
per document, the site administrator will do the
following tasks:
Configure document library templates
The first task is to select the document library
to be enabled for electronic signatures.
Once in the target document library, click on the
Library Tab in the Ribbon Bar. This brings you
to the Document Library Settings page which
enables you to add the necessary columns for
electronic signatures.
Navigation Steps to Add Columns
To add columns in the document library, click
Library Tools > Library > Document
Library Settings and Create columns.
The following columns will be added:
- Username
- Purpose of Signature
- Document Status (needed for workflow processing)
- Date Signed
- Signers
Configure Document Library Version Histories
After adding the necessary columns, while still
in the Document Library Settings, click on
Versioning Settings.
This brings you to the Document Library > Document
Library Settings > Versioning Settings screen,
which enables you to control the versioning for
the document library.
Click Yes under Require content approval for
submitted documents.
Click Create major versions, or other settings
as needed by your company's policies and
procedures.
Once you click Submit for the Versioning
Settings screen, you will be returned
to the Document Library > Document Library Settings
screen.
This turns on the "audit trail" functionality,
which allows users to view the
audit trail of the system through simple reports.
In the Document Library those changes can be
reflected in the document view itself on a
document by document basis.
For Centralized Audit Reporting, an
administrator would need to turn on this
feature under Site Actions > Site Settings >
Site Collection Audit Settings.
Configure Document Templates for Workflow and
Signatures
In order to set the document templates needed for
electronic signatures, click on
Advanced Settings in the Document Library >
Document Library Settings screen.
In the Document Library > Document Library Settings
> Advanced Settings screen, click Edit Template
in the Document Template section under the
Template URL dialog.
This will launch the template editor in Microsoft
Word. Click on the Insert tab in the
Ribbon Bar. On the Insert tab, click on the
Quick Parts > Document Property dialog and
pull-down.
Drag and drop the fields DateSigned,
DocumentStatus, PurposeOfSignature, Username
and other fields added to the document library
to support electronic signatures.
This then results in a document that has a
signature line added in through metadata.
Note that this document, once signed, can be
protected via Rights Management Service so that
it cannot be modified, even if it is
e-mailed or copied elsewhere using a
thumb drive.
Once Rights Management has been set up for a
SharePoint site, setting rights on any given
document is as simple as having the document
inserted or created in a document library with
specific rights.
Those permissions - or rights - are then
inherited by all the documents in that library,
or items in a list. This means that with the
appropriate rights set on the document
library, as shown in this document, you have the
ability to lock down documents - with or without
a formal records declaration - and prevent those
documents from being changed by those without
permissions.
Create workflows for electronic signatures
In order to create the workflows necessary to
support electronic signatures, you will need to
open SharePoint Designer.
Once in SharePoint Designer, click on the File
tab, then the Open Site button. If the site is
displayed in the Recent Sites, then click to open
that site.
To create an electronic signature workflow, click
on the Workflows link under Navigation > Site
Objects.
Once the workflow tab is open, click on the
Workflows tab in the Ribbon Bar, then click on
the List Workflow button.
To configure the workflow for the electronic
signature document library, click on
the appropriate document library name in the
List Workflow pull-down.
In creating the workflow, the first step is to
add condition checks for Approval Status.
This will use the Content Approval Status Column
in the list library. This condition check will
determine if the document is Approved, Rejected,
or if the document is already signed.
You can then define the e-mail message that can
be sent to the users involved in the workflow.
This is configured through steps during the
SharePoint Designer workflow creation process (see
Define E-mail Message below).
To do this, simply go to Actions > Send an Email.
Note, again, that the document, when placed into
a library can inherit the permissions - and
Information Rights Management Policies through
RMS. Since RMS is not an inherently necessary
part of Part 11 compliance, please see the MSDN
documents on the topic.
Create a Signature Page
The one area of SharePoint that requires
customized code to comply with current guidance
on 21 CFR Part 11 is on the Signature Page.
Many other federal regulations utilize electronic
signatures. But 21 CFR Part 11 is the only one
with a concept of a signing password, where the
user re-authenticates in order to validate the
signing event. In most other federal
regulations, it is sufficient for the user to
be authenticated and then, during the signing
event, simply type in their full name as evidence
that they are signing the record.
Meeting the re-authentication requirement for the
signing event, in this case, simply requires 12 lines of
code. Creating the signing page with all the
buttons requires more code - but that can be done
through other methods besides code, including
SharePoint Designer. The primary step here is
attaching the authentication code to the
workflow.
The code itself is relatively straightforward.
Written in C#, the basic idea of the code is to
take the user's username and password and
authenticate against LDAP - this is done in the
ValidateActiveDirectoryLogin function below:
// Namespaces required at the top of the code-behind file.
using System;
using System.DirectoryServices;

/// <summary>
/// Method to validate user for a given credentials
/// </summary>
/// <param name="domain"></param>
/// <param name="username"></param>
/// <param name="password"></param>
/// <returns>Boolean returns true if success</returns>
protected Boolean ValidateActiveDirectoryLogin(string domain, string username, string password)
{
    Boolean success = false;
    // Bind to the domain with the credentials the signer just typed.
    // The bind itself is attempted when the first search runs.
    System.DirectoryServices.DirectoryEntry Entry =
        new System.DirectoryServices.DirectoryEntry("LDAP://" + domain, username, password);
    DirectorySearcher searcher = new DirectorySearcher(Entry);
    searcher.SearchScope = System.DirectoryServices.SearchScope.Subtree;
    try
    {
        // Look up the signer's own account; the username is placed
        // in the filter exactly as typed.
        searcher.Filter = "(SAMAccountName=" + username + ")";
        searcher.PropertiesToLoad.Add("cn");
        System.DirectoryServices.SearchResult results = searcher.FindOne();
        // userFullName = results.GetDirectoryEntry().Properties["CN"].Value.ToString();
        success = (results != null);
    }
    catch (Exception ex)
    {
        // A failed bind (for example a wrong password) surfaces here.
        success = false;
        lblMessage.Text = "Error: " + ex.Message;
    }
    return success;
}
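A hardened wrapper around that re-authentication step, as an added example (not the whitepaper's source code): it escapes the username before it is placed in an LDAP filter, requires the typed username to match the user already logged on to the site, and fails closed without echoing directory errors to the page. The class, method and parameter names, the CONTOSO sample values and the injected verifyCredentials delegate (standing in for the directory bind so the demo runs without Active Directory) are assumptions.

```csharp
using System;
using System.Text;

public static class SigningReauth
{
    // Escape a value for use inside an LDAP search filter (RFC 4515):
    // the characters \ * ( ) and NUL become \5c \2a \28 \29 \00.
    public static string EscapeLdapFilterValue(string value)
    {
        var sb = new StringBuilder();
        foreach (char c in value)
        {
            switch (c)
            {
                case '\\': sb.Append("\\5c"); break;
                case '*':  sb.Append("\\2a"); break;
                case '(':  sb.Append("\\28"); break;
                case ')':  sb.Append("\\29"); break;
                case '\0': sb.Append("\\00"); break;
                default:   sb.Append(c); break;
            }
        }
        return sb.ToString();
    }

    public static string BuildAccountFilter(string username)
    {
        return "(sAMAccountName=" + EscapeLdapFilterValue(username) + ")";
    }

    // Strip "DOMAIN\" or "@domain" so both logon forms compare equal.
    static string AccountPart(string logon)
    {
        int slash = logon.IndexOf('\\');
        if (slash >= 0) logon = logon.Substring(slash + 1);
        int at = logon.IndexOf('@');
        return at >= 0 ? logon.Substring(0, at) : logon;
    }

    // sessionUser: the identity already authenticated to the site.
    // verifyCredentials: the directory check, for example a wrapper around
    // ValidateActiveDirectoryLogin; injected so the demo runs offline.
    public static bool ReauthenticateForSigning(
        string sessionUser, string typedUser, string typedPassword,
        Func<string, string, bool> verifyCredentials)
    {
        // Reject blanks: an LDAP simple bind with an empty password is an
        // unauthenticated bind and must never count as a signature.
        if (string.IsNullOrEmpty(sessionUser) || string.IsNullOrEmpty(typedUser)
            || string.IsNullOrEmpty(typedPassword))
            return false;
        // The signer must be the logged-on user, not any valid account.
        if (!string.Equals(AccountPart(sessionUser), AccountPart(typedUser),
                           StringComparison.OrdinalIgnoreCase))
            return false;
        try { return verifyCredentials(typedUser, typedPassword); }
        catch (Exception) { return false; }   // fail closed; log details server-side
    }
}

public static class Demo
{
    public static void Main()
    {
        // Constructed stand-in for the directory: one account, one password.
        Func<string, string, bool> fakeDirectory =
            (u, p) => u == "jsmith" && p == "constructed-password";

        // Constructed usernames, the second containing filter metacharacters.
        Console.WriteLine(SigningReauth.BuildAccountFilter("jsmith"));
        Console.WriteLine(SigningReauth.BuildAccountFilter("j*smith(test)"));

        Console.WriteLine("same user, right password: {0}",
            SigningReauth.ReauthenticateForSigning(
                "CONTOSO\\jsmith", "jsmith", "constructed-password", fakeDirectory));
        Console.WriteLine("different user typed:      {0}",
            SigningReauth.ReauthenticateForSigning(
                "CONTOSO\\jsmith", "adoe", "constructed-password", fakeDirectory));
        Console.WriteLine("blank password:            {0}",
            SigningReauth.ReauthenticateForSigning(
                "CONTOSO\\jsmith", "jsmith", "", fakeDirectory));
    }
}
```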
Full source code for all the functions will be
provided as an appendix to this whitepaper. Using
the provided source code, the signature page
appears as follows.
Though not required, as the signature is stored
with the document in SharePoint, it is a nice
touch that helps users know that a signature has
been applied to a given document. Thus, in the
solution provided, code was added to append the
signature to the document itself. In addition,
the document is protected by rights management as
part of the workflow cycle, so that no changes
can be made to the document once signed.
It is important to note that this is still an
electronic signature and not a digital
signature. The configuration methods for digital
signatures are provided later in the document.
Set Permissions for the Document Library
SharePoint 2010 has the ability to set
permissions on the Document level,
Document Library level and site level.
To set permissions for a document library,
navigate to your document library > click
on Library > Library Permissions.
Set Policies for the Document Library
One of the more important aspects of configuring
SharePoint 2010 for 21 CFR Part 11 compliance is
configuring sitewide policies that dictate
permission levels and rules. This is done to
prevent users, particularly content administrators,
from changing permission levels that would
invalidate the compliance of any given document
library.
To configure site-wide auditing,
go to Site Actions > Site Settings > Site
Collection Audit Settings.
To add stage properties for a document library,
go to Document Library Settings > Information
Management Policy Settings.
Click the Change Resource link to change staging
properties for the document library.
Clicking the Add Retention stage hyperlink
shows the popup below, which is used to configure
sending the document to the Records Center.
Note that the Content Organizer can also be used
to send records into the records center that are
subject to Part 11 compliance based on their
content-type.
Once delivered to its final destination after
approval, the document is automatically declared
a record.
Navigate to Site Actions > Site Settings >
Record Declaration Settings to set this
globally throughout the site.
The last step in the process is creating the
Custom Permission Levels for Site Roles,
so Versioning, Content Approval Settings, and
Workflow can't be manipulated.
This is an important consideration for Part 11
compliance, as it assures - with
proper configuration - that the audit histories,
electronic signatures and other vital
information for compliance are not changed in any
fashion.
This configuration of SharePoint and workflow has
all records transferred to their
preferred locations via the records retention
policies based on the Signed Doc
attribute. When the Document becomes approved,
then the attribute is set as a record inside
the workflow.
To see more on the process of transferring
signed documents to the records center, please
see http://technet.microsoft.com/en-us/library/ee424395.aspx
Once in the target document library, click on the
Library Tab in the Ribbon Bar. This brings you
to the Document Library Settings page which
enables you to add the necessary columns for
electronic signatures.
The following columns will be added, which
include the single signature columns as well as
additional columns for multiple signatures:
- Username
- Purpose of Signature
- Document Status (needed for workflow processing)
- Date Signed
- Signers
- Additional fields as outlined below.
The steps for setting version history and version
control are the same as for creating single
electronic signatures.
Configure Document Templates for Workflow and
Multiple Signatures
In order to set the document templates needed for
multiple electronic signatures in a single
document, click on Advanced Settings in the
Document Library > Document Library Settings
screen.
In the Document Library > Document Library Settings
> Advanced Settings screen, click Edit Template
in the Document Template section under the
Template URL dialog.
This will launch the template editor in Microsoft
Word. Click on the Insert tab in the
Ribbon Bar. On the Insert tab, click on the
Quick Parts > Document Property dialog and
pull-down.
Drag and drop the fields DateSigned,
DocumentStatus, PurposeOfSignature, Username
and other fields added to the document library
to support electronic signatures.
This then results in a document that has a
signature line added in through metadata.
Note that this document, once signed, can be
protected via Rights Management Service so that
it cannot be modified, even if it is
e-mailed or copied elsewhere using a
thumb drive.
Create workflows for multiple electronic
signatures
In order to create the workflows necessary to
support electronic signatures, you will need to
open SharePoint Designer.
Once in SharePoint Designer, click on the File
tab, then the Open Site button. If the site is
displayed in the Recent Sites, then click to open
that site.
To create an electronic signature workflow, click
on the Workflows link under Navigation > Site
Objects.
Once the workflow tab is open, click on the
Workflows tab in the Ribbon Bar, then click on
the List Workflow button.
To configure the workflow for the electronic
signature document library, click on
the appropriate document library name in the
List Workflow pull-down.
In creating the workflow, the first step is to
add condition checks for Approval Status.
This will use the Content Approval Status Column
in the list library. This condition check will
determine if the document is Approved, Rejected,
or if the document is already signed.
You can then define the e-mail message that can
be sent to the users involved in the workflow.
Go to Actions > Send an Email and configure
properties appropriately.
Again, it is important to note that while not
necessary for Part 11 compliance, the use
of Rights Management Service in conjunction with
SharePoint will ensure that the rights become
part of the document itself, originally applied
as part of workflow or when a document is loaded
into the document library.
The instructions for updating SharePoint for
Information Rights Management can be found on
MSDN.
Create a Signature Page
The signature page for multiple signatures is the
same as for single signatures.
The final signed document with the signatures
appears as follows
Set Permissions for the Document Library
The methods for setting permissions for the
document library are the same as for
single signatures.
To set permissions for a document library,
navigate to the document library > click
on Library > Library Permissions.
Set Policies for the Document Library
The methods for setting policies for the document
library are the same for multiple signatures as
they are for single signatures.
Digital Signatures Use Case
The following scenarios detail configuring
SharePoint 2010 and Office 2010 to use
digital signatures based on X.509 Certificates.
Note that the provisioning and deployment
of those signatures are outside the scope of this
document.
Configuring Digital Signatures in SharePoint and
Office 2010 is far simpler than
configuring electronic signatures and provides a
higher level of security and assurance than
simple electronic signatures, even with the added
features detailed earlier in this document.
In fact, SharePoint 2010 comes with an out of the
box Approval Workflow called a
Collect Signatures workflow. This document
will utilize a variant of that workflow for the
Digital Signatures use case.
Administrator Configuration for Digital
Signatures
Similar steps are required for creating workflows
for Digital Signatures as they are for Electronic
Signatures.
Configure Document Library Templates
Creating the document library templates is
essential, as this provides the signature blocks
that will be used during the X.509 certificate
signature process.
As with the electronic signatures, you first
select the document library that will be used for
the Digital Signatures. When there, click on the
Library Tools > Library tab in the Ribbon Bar.
This brings you to the Document Library
Settings page which enables you to add the
necessary columns for digital signatures.
The following columns will be added:
- Document Status (needed for workflow processing)
- Date Signed
- Signers
Configure Document Library Version Histories
While digital signatures are more secure than
electronic signatures, it is still important
to create and set version histories for the audit
trail capabilities of the document library.
The steps for doing this are the same as for
configuring electronic signatures.
Configure Document Templates for Workflow and
Digital Signatures
Setting the document templates for digital
signatures is straightforward. In the
Document Library > Document Library Settings
screen, click on Advanced Settings.
In the Document Library > Document Library Settings
> Advanced Settings screen, click Edit Template
in the Document Template section under the
Template URL dialog.
This will launch the template editor in Microsoft
Word.
The first step in adding a digital signature to
the document is to go to the Office
2010 BackStage by clicking on the File tab in
the Ribbon Bar. Then under Protect Document
click on Add Digital Signature.
Once the Digital Signature is added, you'll want
to navigate to the section of the
document that will contain the signature. To
insert the Signature at that location, click on
the Insert tab in the Ribbon Bar. Click on the
Signature Line drop down.
This will enable you to insert a signature block
or multiple signature blocks. In addition, this
drop down provides for multiple signature
providers. This enables different certificates.
Once inserted, an unsigned signature block - or
multiple blocks - looks as such
The signature block can also be a stamped
signature, such as would be done for a SAFE
BioPharma logo.
In signing a document, the user is prompted for
a Comment, which is generally used as the Purpose
for Signing. It is also possible to create a
custom signature event, such as one for SAFE
BioPharma that is located at http://www.codeplex.com/safe
Once used by the signer, the signature block
appears as such
Note that digitally signing a document also makes
that document read-only. Saving the document and
making any changes invalidates and removes the
signature (but not the unsigned signature block)
from the document.
Also important to discuss is the role of Rights
Management, which can be applied to a document
before the signature process, further protecting
the document from change.
Create workflows for digital signatures
Creating workflows that utilize digital
signatures is actually more straightforward than
for electronic signatures. These workflows can
either be created in SharePoint itself,
or through SharePoint Designer.
In fact, as mentioned previously, SharePoint 2010
contains out of the box workflows for digital
signatures, in this case called Collect Signatures.
The MSDN Article used to configure this part of
the document can be found at
http://office.microsoft.com/en-us/sharepoint-server-help/use-a-collect-signatures-workflow-HA010154428.aspx
Along with more basic articles on approval
workflow:
http://office.microsoft.com/en-us/sharepoint-designer-help/understand-approval-workflows-in-sharepoint-2010-HA101857172.aspx?CTT=1
Add or Change a Collect Signatures Workflow
Before a Collect Signatures workflow can be used,
it must be added to a library or content type to
make it available for document or items in a
specific location.
The Collect Signatures workflow is intended
primarily for use in libraries and can be
started only on documents that open in Office
Word 2007 or Office Excel 2007. You
must have the Manage Lists permission to add a
workflow to a library or content type. In most
cases, site administrators or individuals who
manage specific lists or libraries perform this
task.
The availability of the workflow within a site
varies, depending on where it is added:
- If you add a workflow directly to a library,
it is available only for documents in
that library.
- If you add a workflow to a list content type
(an instance of a site content type that was
added to a specific library), it is available
only for items of that content type in the
specific library with which that content type is
associated.
- If you add a workflow to a site
content type, that workflow is available for
any items of that content type in every list and
library to which an instance of that
site content type was added. If you want a
workflow to be widely available across libraries
in a site collection for items of a specific
content type, the most efficient way to achieve
this result is by adding that workflow directly
to a site content type.
Add or change a Collect Signatures workflow for a
library or content type
If you want to add a Collect Signatures workflow
to a library or content type, or if you
want to change a Collect Signatures workflow that
is already associated with a library or content
type, you follow the same steps.
1. To go to the Add a Workflow page or the
Change a Workflow page for the library or
content type to which you want to add a workflow,
do one of the following:
  o For a library
    1. Open the library to which you want to add or
    change a workflow.
    On the Settings menu, click the settings for the type of
    library that you are opening.
    For example, in a document library, click
    Document Library Settings.
    2. Under Permissions and Management, click
    Workflow settings.
o For a list content type
1. Open the library that contains the instance