SharePoint Configuration Guidance for 21 CFR Part 11 Compliance - PowerPoint PPT Presentation

SharePoint Configuration Guidance for 21 CFR Part 11 Compliance
April 2012
Microsoft Corporation
Health and Life Sciences Industry Unit
Paragon Solutions
Health and Life Sciences Practice
Draft - SharePoint Configuration Guidance v0.9j

Table of Contents
Introduction
Acknowledgements
Architectural Approaches to Compliance
Use Cases for 21 CFR Part 11 Compliance
Electronic Signature Use Cases
Single Signature Use Case
Multiple Signature Use Case
Digital Signatures Use Cases
Single Signature Use Case
Multiple Signature Use Case
User Authentication Use Case
Architecture for 21 CFR Part 11 Compliance
Windows Server 2008 R2
Active Directory Domain Services
Active Directory Rights Management Server
Active Directory Certificate Services
What is XAdES?
Time stamping and XAdES-T signatures
Active Directory Federation Services
SQL Server 2008 R2
SharePoint Designer
SharePoint 2010 Architecture for Compliance
Database Security
Configuring the Electronic Signature Use Cases
Administrator Configuration for Single Signatures
Configure document library templates
Configure Document Library Version Histories
Configure Document Templates for Workflow and Signatures
Create workflows for electronic signatures
Create a Signature Page
Set Policies for the Document Library
Configure Document Templates for Workflow and Multiple Signatures
Create workflows for multiple electronic signatures
Create a Signature Page
Set Permissions for the Document Library
Set Policies for the Document Library
Digital Signatures Use Case
Administrator Configuration for Digital Signatures
Configure Document Library Templates
Configure Document Library Version Histories
Configure Document Templates for Workflow and Digital Signatures
Create workflows for digital signatures
Add or Change a Collect Signatures Workflow
Add or change a Collect Signatures workflow for a library or content type
Start a Collect Signatures workflow on a document or workbook
Create a Signature Page
Set Permissions for the Document Library
Set Policies for the Document Library
View the Version Histories for Digital Signatures
21 CFR Part 11 Requirements
Subpart B Electronic Records
11.10 Controls for Closed Systems
11.10 (a) Validation of Systems
11.10 (b) Record Review and Inspection
11.10 (c) Records protection and retrieval
11.10 (d) System Access
11.10 (e) Audit Trail
11.10 (f) Operational System Checks
11.10 (g) Protect records from unauthorized access
11.10 (h) Data Input Validation
11.10 (i) Training
11.10 (j) Electronic Signature Policy
11.10 (k) System control
11.30 Controls for Open Systems
11.50 Signature Manifestations
11.50 (a) Signature Manifestation
11.50 (b) Control of signature information
11.70 Signature/Record Linking
Subpart C Electronic Signatures
11.100 General Requirements
11.100 (a) Uniqueness
11.100 (b) Identity Verification
11.100 (c) Legal Certification
11.200 Electronic Signature Components and Controls
11.200 (a) Non-biometric Signatures
11.200 (b) Biometric Signatures
11.300 Controls for Identification Codes/Passwords
11.300 (a) Uniqueness of identity
11.300 (b) Password Policy
11.300 (c) Deactivation of Users
11.300 (d) Unauthorized use of passwords or identification codes
11.300 (e) Identification Code Device Testing
Systems Validation and Compliance

Introduction
Since the release of Microsoft Office SharePoint Server 2007, compliance has been a major focus of the Microsoft Office System. That focus continues with SharePoint 2010 and includes additional functionality that further enhances compliance capabilities.

In addition to the audit trails and document-level security that were introduced in SharePoint 2007, there are now enhanced capabilities for document and records compliance. These enhanced features include:
• Records center document libraries can be placed anywhere in a site collection
• In-place records management in any document library
• Centrally managed and distributed content types and taxonomies
• Centrally managed policies and workflow enforced on content types
• Workflow can promote a document from loose collaboration to a formally declared and managed record, including the capability for electronic signatures.
• Multi-stage records disposition
• Centralized audit trails and audit trail reporting that is easily configured with no additional coding necessary.

While these features can be applied to a broad range of regulations, including Sarbanes-Oxley and HIPAA, they also apply to 21 CFR Part 11. Thus Microsoft Office SharePoint Server 2010, when combined with other Microsoft technologies, including Active Directory, Information Rights Management, and (optionally) the Microsoft PKI system, provides a system that may be configured to assist with 21 CFR Part 11 compliance.

In a departure from previous whitepapers on the topic, we approach this document in a somewhat different way:
1. Describe the overall SharePoint architecture needed to support compliance
   a. Including both conceptual and product-level architectures
2. Provide a set of use cases for compliance and then detail the configurations necessary to support those use cases.
3. Provide a mapping between 21 CFR Part 11 and the configurations detailed as part of the use cases that support each individual line of the regulation.

This approach will be more useful for those involved in the validation effort, as it provides the use cases and then the configurations necessary for validation.

Of course, software cannot be compliant by itself, so SharePoint 2010 and other Microsoft technologies must be used in conjunction with a broader compliance framework, including appropriate configurations, policies, procedures and validation documentation that are the responsibility of the implementing party.

Disclaimer
The information contained in this document represents the current view of Microsoft Corporation on the issues discussed as of the date of publication. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information presented after the date of publication.

This White Paper is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS DOCUMENT.

Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation.

Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.

© 2011 Microsoft Corporation. All rights reserved.

Microsoft, Microsoft Office 2010, Microsoft SharePoint 2010, Microsoft Word, Microsoft Excel, Microsoft PowerPoint, Microsoft Rights Management Services, Active Directory, Windows Server 2008 R2, Windows 7, Windows Vista, Windows XP, Microsoft Windows, Microsoft Certificate Lifecycle Manager, Microsoft Visual Studio, Microsoft Forefront are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries.

The names of actual companies and products mentioned herein may be the trademarks of their respective owners.

Acknowledgements
As with any effort of this size, there are a myriad of persons involved in its development. In this case, we acknowledge the efforts of Paragon Solutions (http://www.consultparagon.com) in the development of the demonstration system, SharePoint configurations, workflows, SharePoint Designer configurations and sample source code, all of which were absolutely essential for this project to be successful.

It is also necessary to acknowledge the Life Sciences Industry Unit members who wrote and reviewed the configuration text, the use cases and the regulation interpretation, and guided the development of the end product.

Finally, it is necessary to acknowledge the efforts of the Microsoft Consulting Services on the 2007 version of this whitepaper, portions of which remain intact, especially in the section that maps each part of 21 CFR Part 11 to the needed configuration step.

Architectural Approaches to Compliance
When considering regulatory compliance, whether it be for eDiscovery, Part 11, DDMAC, SOX, or any other regulation, the most important step in the process is planning the architecture. While the SharePoint system is eminently flexible, that flexibility can also pose challenges down the road if you take a wholly haphazard approach. A good plan, consistently applied, will take you far and avoid pitfalls.

When building the plan it is important, first and foremost, to understand the overall capabilities of the platform. In this case, it is important to understand that SharePoint has a plethora of capabilities in the Enterprise Content Management (ECM) space.

[Figure: SharePoint ECM workloads. Foundational ECM: Human Centric Workflow, Document Management, Records Management, Web Content Management, Rich Media Management, Document Output, E-Mail Archiving. Supplemental ECM (Embrace and Extend Workloads with Partners): Transactional Content Management, Physical Records Management, Business Process Management, Scanning and Capture, Archiving and Library Services, Industry Specific Solutions.]

The Foundational ECM capabilities in SharePoint are equally matched by the plethora of partners that embrace and extend the SharePoint platform. These include vendors that provide out-of-the-box Part 11 and GxP compliance, vendors that provide capabilities for scientists through electronic lab notebooks and LIMS systems, even vendors that provide manufacturing and plant floor monitoring capabilities - all on SharePoint. These are in addition to the workloads listed in the graphic above.

For the purposes of Part 11 compliance, we will be looking at the features that Microsoft categorizes as Records Management. For planning Records Management systems, the implementer will need to factor in a couple of key considerations:
• Policies and Workflow
• File Archival Plan - In-Place Records vs. Centrally Archived
• Managed Metadata and the Taxonomy Term Store

Managed Metadata and the Taxonomy Term Store provide more flexibility to the end user as well as the system administrator when it comes to metadata. Users are no longer simply consigned to setting the metadata through dialog boxes at upload time, but can actually set the metadata for a document during the authoring process. Similarly, content managers have the ability to manage the metadata, through hierarchical means, and propagate those terms throughout a site collection.

The decision whether to use in-place records or centrally archived records becomes crucial when configuring the system for Part 11 compliance. In this document, the workflows and configurations demonstrate both approaches, by using in-place records for most electronic and digital signature workflows, but then using a central archive record store once a document's lifecycle has run its course.

Policies and workflow are central to configuring SharePoint 2010 for compliance with any regulation. In this whitepaper we will discuss at length the use of workflow for electronic and digital signatures, as well as the use of policies to determine which documents need signatures.

Given those key considerations, the balance of this document will be split into two parts:
1. A discussion of configuring SharePoint 2010 for Part 11 compliance
   a. Utilize a Use Case methodology so the document can be used to provide guidance for your own validation efforts
   b. Provide the architecture to support the Use Cases
   c. Detail the workflow and policies for electronic signatures
   d. Detail the workflow and policies for digital signatures
   e. The promotion of records to in-place and centrally managed records
2. Mapping 21 CFR Part 11 to the areas of the previous use case to demonstrate how SharePoint meets those regulations

Use Cases for 21 CFR Part 11 Compliance
In this section we will detail common use cases that require 21 CFR Part 11 compliance and then will step through the configuration of the system for that use case.

There is another use case allowed for in Part 11, namely biometric-based signatures. While the combination of Windows 7, Active Directory and hardware manufacturers provides for this capability, which can be extended to SharePoint, it is so uncommon a method of authentication and signature that it won't be dealt with in this context.

Electronic Signature Use Cases
The following use cases will detail the configurations and resulting process for applying an electronic signature to a document, either in a single signature scenario or in a multiple signature scenario.

Single Signature Use Case
To support the use case where the process requires a single electronic signature per document, the site administrator will:
• Configure document library templates for electronic signatures
   o Update the document library with new columns
   o Set the Content Approval Status
   o Set the Document Version History settings
   o Create and add document templates for embedded signatures (optional)
• Create workflows for Electronic Signatures
   o Utilize SharePoint Designer
   o Attach the workflow to the document library
• Set the policies for the document template
   o Create custom security for the content-type
   o Set permissions on the content-type so that regulated documents cannot have the version history changed or versioned documents modified
• Create a customized page that captures the username and password for the electronic signature
   o Twelve lines of source code (provided) are used to call the LDAP store to authenticate the signature before storing it with the record.
   o The source code for authentication is added to the SharePoint Designer page created for the signature workflow.

Note: This system details use of an optional embedding of the signature into the Word document, providing a visible record in the document itself of the signature process.

The user will:
• Navigate from their project page to the document management library for that project
• View the documents currently in process and the workflow status of each document
• Author the document to make necessary changes
• Save the document to the library
• Submit the document for workflow approval
• Sign the document as part of the approval workflow
• View the audit trail (workflow history) of the document library

Multiple Signature Use Case
To support the use case where the process requires multiple electronic signatures per document, the site administrator will:
• Configure document library templates for electronic signatures
   o Update the document library with new columns
   o Set the Content Approval Status
   o Set the Document Version History settings, which turns on audit trails.
   o Create and add document templates for embedded signatures (optional)
• Create workflows for Electronic Signatures
   o Utilize SharePoint Designer
   o Attach the workflow to the document library
• Set the policies for the document template
   o Create custom security for the content-type
   o Set permissions on the content-type so that regulated documents cannot have the version history changed or versioned documents modified
• Create a customized page that captures the username and password for the electronic signature
   o Twelve lines of source code (provided) are used to call the LDAP store to authenticate the signature before storing it with the record.
   o The source code for authentication is added to the SharePoint Designer page created for the signature workflow.

Note: This system details use of an optional embedding of the signature into the Word document, providing a visible record in the document itself of the signature process.

Each signing user will:
• Navigate from their project page to the document management library for that project
• View the documents currently in process and the workflow status of each document
• Author the document to make necessary changes
• Save the document to the library
• Submit the document for workflow approval
• Sign the document as part of the approval workflow
• View the audit trail (workflow history) of the document library

Digital Signatures Use Cases
The following use cases will detail the configurations and resulting process for applying a digital signature to a document, either in a single signature scenario or in a multiple signature scenario.

Single Signature Use Case
To support the use case where the process requires a single digital signature per document, the site administrator will:
• Configure document library templates for digital signatures
   o Update the document library with appropriate columns for workflow
   o Set the Content Approval Status
   o Set the Document Version History settings
   o Create and add document templates for digital signatures
• Create workflows for Digital Signatures
   o Utilize SharePoint Designer (if designed)
   o Attach the workflow to the document library
• Set the policies for the document template
   o Create custom security for the content-type
   o Set permissions on the content-type so that regulated documents cannot have the version history changed

These configurations will enable the user to:
• Navigate from their project page to the document management library for that project
• View the documents currently in process and the workflow status of each document
• Author the document to make necessary changes
• Save the document to the library
• Submit the document for workflow approval
• Sign the document in Office 2010 client
• Save the document to the document library as part of the workflow
• View the audit trail (workflow history) of the document library

Multiple Signature Use Case
To support the use case where the process requires a single digital signature per document, the site administrator will:
• Configure document library templates for digital signatures
   o Update the document library with new columns
   o Set the Content Approval Status
   o Set the Document Version History settings
   o Create and add document templates for embedded signatures
• Create workflows for Digital Signatures
   o Utilize SharePoint Designer
   o Attach the workflow to the document library
• Set the policies for the document template
   o Create custom security for the content-type
   o Set permissions on the content-type so that regulated documents cannot have the version history changed

The user will:
• Navigate from their project page to the document management library for that project
• View the documents currently in process and the workflow status of each document
• Author the document to make necessary changes
• Save the document to the library
• Submit the document for workflow approval
• Sign the document in Office 2010 client
• Save the document to the library as part of the workflow
• View the audit trail (workflow history) of the document library

User Authentication Use Case
Security and access control are central concepts for compliance. With the new reality of cross-company collaboration, authentication control is even more important.

However, this is also more straightforward: other Microsoft documents give clear instructions on the use of Active Directory and Active Directory Federation Services with SharePoint, so a discussion here is not necessary.

Architecture for 21 CFR Part 11 Compliance
Given the use cases detailed above, there are a few key architectural components that are required in order to provide 21 CFR Part 11 compliance. As we detail each of these architectural components we will see how Microsoft technologies, when used together, can provide compliance with many different regulations, but only as configured and implemented in the end-user's system and in the context of the implementer's requirements.

Windows Server 2008 R2
Windows Server is the basis for all the components needed for regulatory compliance. Some of the key compliance features of Windows Server 2008 R2 are:
• The ability to provide detailed IQ reports when used with a software distribution system such as Microsoft System Center Configuration Manager
• The ability to provide detailed OQ reports when used with the systems management provided through Microsoft System Center Operations Manager.
• The ability to provide Network Access Protection, which enforces health requirements by monitoring and assessing the health of client computers when they attempt to connect or communicate on a network. Client computers that are not in compliance with the health policy can be provided restricted network access until their configuration is updated and brought into compliance with policy.
• The concept of server roles allows server administrators to quickly and easily configure any Windows-based server to run a specific set of tasks and remove extraneous OS code from system overhead. Windows Server 2008 R2 further extends this model with support for more roles and a broadening of current role support. The Server Core installation option is important to mention here as it only includes necessary components for running applications such as SharePoint.

Active Directory Domain Services
Part of the Windows Server 2008 R2 core infrastructure is Active Directory Domain Services. While SharePoint can utilize an LDAP system, Active Directory provides the means to manage the identities and relationships that make up your organization's network in a way that is easily integrated with the rest of your Microsoft-based infrastructure. It gives out-of-the-box functionality needed to centrally configure and administer system, user, and application settings.

Active Directory Rights Management Server
The next component in the identity and access management system is Active Directory Rights Management Services (AD RMS). With AD RMS you can augment an organization's security strategy by protecting information through persistent usage policies, which remain with the information, no matter where it is moved. You can use AD RMS to help prevent sensitive information such as clinical trial reports, site monitoring documentation or even e-mails from intentionally or accidentally getting into the wrong hands.

In SharePoint 2010 this is configured through the Information Rights Management (IRM) screen, which can be applied at the document library or document library template level.

It is important to note that users do not have to have Office installed to read protected documents and messages. SharePoint 2010 with Web Applications understands rights management, so any user with access to a browser and rights to the document can view the document.

It is also important to note that users do not need to reside within your organization, as long as they are granted appropriate rights. Any user with a Hotmail account or a LiveID can be granted access to a document and is then able to view it through a SkyDrive account or through e-mail.

Active Directory Certificate Services
Active Directory Certificate Services provides customizable services for issuing and managing certificates used in software security systems employing public key technologies. Active Directory Certificate Services (AD CS) allows organizations to deploy a digital certificate infrastructure, creating a web of authentication between devices, users, and applications.

AD CS is a role in Windows Server which provides an integrated public key infrastructure (PKI) that enables capabilities such as digital signatures, strong authentication, and secure communications.

These certificates, when used in conjunction with Office 2010, provide the ability to sign Microsoft Office documents with signatures that are compliant with the XML-DSig and XAdES standards for digital signatures. Since XAdES forms the basis of other standards such as SAFE-BioPharma, this system can be integrated into a SAFE-compliant system in a fairly straightforward manner.

What is XAdES?
XAdES (XML Advanced Electronic Signatures) is a set of tiered extensions to XML-DSig, the levels of which build upon the previous to provide more and more reliable digital signatures.

By implementing XAdES, Office complies with the European Union Advanced Electronic Signature Criteria in Directive 1999/93/EC as well as a new Brazilian government directive which defines XAdES as the accepted standard for digital signing in Brazil.

Office 2010 can create different levels of XAdES signatures on top of XML-DSig signatures

Time stamping and XAdES-T signatures
Time stamping digital signatures (XAdES-T signatures) is an important scenario we focused on in Office 2010. In order to create a time stamped signature, you'll need to:
• Set up a timestamp server that complies with RFC 3161.
• Configure signature policy to let the client systems know where to locate the timestamp server. You'll also need to add the timestamp server's root certificate to the root certificate store.

Once everything is configured, you can just create signatures like you normally would. A timestamp from a trusted timestamp server extends the life of your signature, because even after the certificate expires, the timestamp proves that the certificate had not expired at the time of signing. As a result, time stamping protects against certificate expiration, and if the certificate was revoked after the signature was applied, the signature is still valid.

Active Directory Federation Services
While not a hard and fast requirement for Part 11 compliance, ADFS provides simplified access and single sign-on for on-premises and cloud-based applications in the enterprise, across organizations, and on the web. In the case of access to compliant SharePoint sites, it allows IT administrators and end users to grant access to known entities, even users outside their organizational boundaries.

ADFS and SharePoint together accomplish this by using SAML 2.0 standard claims-based authentication and security. Once the ADFS servers of two organizations are pointed at each other through a simple configuration, end users from both organizations are free to collaborate, participate in workflow and even execute electronic or digital signatures in both organizations' SharePoint sites.

SQL Server 2008 R2
Microsoft SQL Server 2008 R2 is a complete set of enterprise-ready technologies and tools that provide the database and business intelligence technologies for SharePoint and many of the other Microsoft platforms.

As a database management platform, SQL Server 2008 R2 manages databases more efficiently and effectively. It provides your people with built-in tools for greater control and oversight. It manages at scale, automates tasks, and streamlines troubleshooting.

As the business intelligence platform, it is a comprehensive platform for business intelligence that includes enhanced reporting, deeper and more powerful analysis, rich data modeling, master data management capabilities, and full integration with Microsoft Office.

Microsoft SQL Server 2008 R2 also provides the database and business intelligence platform for SharePoint 2010. This "better together" capability means that not only does SQL Server store the objects and configurations of SharePoint, but it also provides on-demand and self-service business intelligence, list generation and PowerPivot capabilities.

SharePoint Designer
SharePoint Designer is the mechanism that IT Professionals and Power Users can use to create workflows, design custom pages and perform other tasks that are not available in the SharePoint interface itself.

SharePoint 2010 Architecture for Compliance
When you bring all the pieces and parts together, you end up with a general architecture for compliance that includes capabilities for workflow, electronic and digital signatures, document retention and archival, and audit trails or histories to prove that the signatures and documents are valid.

[Figure: SharePoint 2010 architecture for compliance. Components shown: Windows Server 2008 R2; SQL Server 2008 R2; Active Directory; Rights Management Services; Certificate Services; SharePoint 2010 (Electronic Workflow, Document Mgmt, Policy Mgmt, Records Mgmt, Digital Signature Workflow); FAST Enterprise Search.]

While the overall architectural components are important, it is also key to identify proper organization, sizing of the server farm, navigation and other concepts. Those elements are largely outside the scope of this document.

For information on the concepts of sizing, navigation and geographical dispersal, please visit http://msdn.microsoft.com as well as http://www.microsoft.com/itshowcase for best practice information on SharePoint implementation on an enterprise scale.

Database Security
21 CFR 11.10(d) notes that access to IT
applications must be limited to authorized
individuals. In addition to internal safeguards
built into a computerized system,
externalsafeguards and policies should be put in
place to ensure that access to thecomputerized
system and to the data is restricted to
authorized personnel. Staff shouldbe kept
thoroughly aware through training and procedures
of system security measuresand the importance of
limiting access to authorized personnel.
Procedures and controlsshould be put in place to
prevent the altering, browsing, querying, or
reporting of data viaexternal software
applications that do not enter through the
protective system software.IT guidelines,
standard operating procedures and controls
typically ensure that access toback-end servers
and applications is controlled.
There is a potential security issue where a
person with elevated permissions to the
WSS-Content-Database could alter records in the
database table and impact the Signed
17
18
Draft - SharePoint Configuration Guidance v0.9j
Person, Date signed, and Purpose of Signing
tables. Per typical IT operating measures,people
with elevated permissions are typically
authorized and working under strictoperating
procedures. The likelihood of malicious changes
is low. However, if someonedid alter the
underlying database tables, SharePoint will not
recognize these changeshence the signature
would become invalidated.
If this is viewed as a security issue not handled well enough by internal IT operating procedures, there are options. To fix this issue, an encryption key can be generated and stored in the document library. This key would be used to determine if changes were made to the document properties using SQL update. A hash key can be generated using the following columns from the document library:
• Signer Name
• Purpose of Signing
• DateTime (of signing)
• Version of the Document
• Document Status
A timer service can run to check approved documents to see if any changes were made in the WSS-Content-Database. The encryption key is examined, and any changes noted will invalidate the document. If the document is found to be invalid, a workflow will be invoked to send an email to the signer and/or an administrator to note that the document has been changed by an unknown person and hence the document is invalid.
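The column check described above, as an added C# example that is not code from the whitepaper. It assumes a keyed hash (HMAC-SHA256) instead of a plain hash, and a key held where database administrators cannot read it, since anyone able to both update the columns and read the key could recompute the value. `SignedProperties`, `SignatureSeal` and the sample values are constructed for illustration.

```csharp
using System;
using System.Globalization;
using System.IO;
using System.Security.Cryptography;
using System.Text;

// Constructed type holding the five document-library columns listed above.
public sealed class SignedProperties
{
    public string SignerName;
    public string PurposeOfSigning;
    public DateTime SignedAtUtc;      // assumed to be stored as UTC
    public string DocumentVersion;
    public string DocumentStatus;
}

public static class SignatureSeal
{
    // Length-prefix each field so ("ab","c") and ("a","bc") never serialize alike.
    private static byte[] Canonicalize(SignedProperties p)
    {
        string[] fields =
        {
            p.SignerName,
            p.PurposeOfSigning,
            p.SignedAtUtc.ToString("o", CultureInfo.InvariantCulture),
            p.DocumentVersion,
            p.DocumentStatus
        };
        using (MemoryStream ms = new MemoryStream())
        using (BinaryWriter w = new BinaryWriter(ms))
        {
            foreach (string f in fields)
            {
                byte[] b = Encoding.UTF8.GetBytes(f ?? string.Empty);
                w.Write(b.Length);
                w.Write(b);
            }
            w.Flush();
            return ms.ToArray();
        }
    }

    // Value written to a library column at signing time (Base64 HMAC-SHA256).
    public static string Compute(byte[] key, SignedProperties p)
    {
        using (HMACSHA256 hmac = new HMACSHA256(key))
        {
            return Convert.ToBase64String(hmac.ComputeHash(Canonicalize(p)));
        }
    }

    // What the timer job runs per approved document; false means the columns changed.
    public static bool Verify(byte[] key, SignedProperties p, string storedSeal)
    {
        byte[] expected = Convert.FromBase64String(Compute(key, p));
        byte[] actual;
        try { actual = Convert.FromBase64String(storedSeal ?? string.Empty); }
        catch (FormatException) { return false; }
        if (actual.Length != expected.Length) return false;
        int diff = 0;                              // compare without early exit
        for (int i = 0; i < expected.Length; i++) diff |= expected[i] ^ actual[i];
        return diff == 0;
    }
}

public static class SealDemo
{
    public static void Main()
    {
        // Demo key only; assumption: the real key lives outside the content database.
        byte[] key = new byte[32];
        RandomNumberGenerator.Create().GetBytes(key);

        SignedProperties row = new SignedProperties   // constructed sample values
        {
            SignerName = "CONTOSO\\jdoe",
            PurposeOfSigning = "Approval",
            SignedAtUtc = new DateTime(2012, 4, 2, 14, 30, 0, DateTimeKind.Utc),
            DocumentVersion = "2.0",
            DocumentStatus = "Approved"
        };
        string seal = SignatureSeal.Compute(key, row);
        Console.WriteLine("untouched row valid: " + SignatureSeal.Verify(key, row, seal));

        row.PurposeOfSigning = "Review";           // simulates a direct SQL UPDATE of the column
        Console.WriteLine("altered row valid:   " + SignatureSeal.Verify(key, row, seal));
    }
}
```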
There are other options for achieving this level of check and balance to ensure that a malicious activity at the database level is discovered and accounted for. However, for most organizations internal IT operating procedures preclude unauthorized access to servers and applications.
Configuring the Electronic Signature Use Cases
Electronic signatures are a central component to 21 CFR Part 11 compliance. As specified in the use cases, we'll detail two mechanisms for electronic signatures: single signature documents and documents that require multiple signatures.
In both use cases the configuration chosen makes a few key decisions:
• While not necessary, the electronically signed documents will contain a representation of the signature that includes the name of the signing party, the date of the signature and the reason for signing.
• Once signed, the document will be protected through Rights Management, so that the signed version cannot be tampered with, but it may also be used to create another version.
• The electronic signature will remain in the document as well as in the audit trail/version history of that document.
• Workflow can take the final electronically signed document and copy it to the records center for final disposition and archival.
Administrator Configuration for Single Signatures
To support the use case where the process requires a single electronic signature per document, the site administrator will do the following tasks:
Configure document library templates
The first task is to select the document library
to be enabled for electronic signatures.
Once in the target document library, click on the Library Tab in the Ribbon Bar. This brings you to the Document Library Settings page which enables you to add the necessary columns for electronic signatures.
Navigation Steps to Add Columns
To add columns in the document library: Click Library Tools > Library > Document Library Settings and Create columns
The following columns will be added:
• Username
• Purpose of Signature
• Document Status (needed for workflow processing)
• Date Signed
• Signers
Configure Document Library Version Histories
After adding the necessary columns, while still in the Document Library Settings, click on Versioning Settings.
This brings you to Document Library > Document Library Settings > Versioning Settings screen which enables you to control the versioning for the document library.
Click Yes under Require content approval for submitted documents.
Click Create major versions, or other settings as needed by your company's policies and procedures.
Once you click Submit for the Versioning Settings screen, you will be returned to Document Library > Document Library Settings screen.
This turns on the "audit trail" functionality, which allows users to be able to view the audit trail of the system through simple reports. In the Document Library those changes can be reflected in the document view itself on a document by document basis.
For Centralized Audit Reporting, an administrator would need to turn on this feature under Site Actions > Site Settings > Site Collection Audit Settings.
Configure Document Templates for Workflow and
Signatures
In order to set the document templates needed for electronic signatures, click on Advanced Settings in the Document Library > Document Library Settings screen.
In Document Library > Document Library Settings > Advanced Settings Screen click Edit Template in the Document Template section under the Template URL dialog.
This will launch the template editor in Microsoft Word. Click on the Insert tab in the Ribbon Bar. On the Insert Tab, click on the Quick Parts > Document Property dialog and pull-down.
Drag and drop the fields DateSigned, DocumentStatus, PurposeOfSignature, Username and other fields added to the document library to support electronic signatures.
This then results in a document that has a signature line added in through metadata.
Note that this document, once signed, can be protected via Rights Management Service so that it cannot be modified once signed, even if e-mailed or a thumb drive used to copy the document elsewhere.
Once Rights Management has been set up for a SharePoint site, setting rights on any given document is as simple as having the document inserted or created in a document library with specific rights.
Those permissions - or rights - are then inherited by all the documents in that library, or items in a list. This means that with the appropriate rights set on the document library, as shown in this document, you have the ability to lock down documents - with or without a formal records declaration - and prevent those documents from being changed by those without permissions.
Create workflows for electronic signatures
In order to create the workflows necessary to support electronic signatures, you will need to open SharePoint Designer.
Once in SharePoint Designer, click on the File tab, then the Open Site button. If the site is displayed in the Recent Sites, then click to open that site.
To create an electronic signature workflow, click on the Workflows link under Navigation > Site Objects.
Once the workflow tab is open, click on the Workflows tab in the Ribbon Bar, then click on the List Workflow button.
To configure the workflow for the electronic signature document library, click on the appropriate document library name in the List Workflow pull-down.
In creating the workflow, the first step is to add condition checks for Approval Status. This will use the Content Approval Status Column in the list library. This condition check will determine if the document is Approved, Rejected, or if the document is already signed.
You can then define the e-mail message that can be sent to the users involved in the workflow. This is configured through steps during the SharePoint Designer Workflow creation process. (see define e-mail Message below)
To do this, simply go to Actions > Send an Email
Note, again, that the document, when placed into a library can inherit the permissions - and Information Rights Management Policies through RMS. Since RMS is not an inherently necessary part of Part 11 compliance, please see the MSDN documents on the topic.
Create a Signature Page
The one area of SharePoint that requires customized code to comply with current guidance on 21 CFR Part 11 is on the Signature Page.
Many other federal regulations utilize electronic signatures. But 21 CFR Part 11 is the only one with a concept of a signing password, where the user re-authenticates in order to validate the signing event. In most other federal regulations, it is sufficient for the user to a) be authenticated and then during the signing event simply type in their full name as evidence that they are signing the record.
To meet the re-authentication for the signing event, in this case, simply requires 12 lines of code. Creating the signing page with all the buttons requires more code - but that can be done through other methods besides code, including SharePoint Designer. The primary step here is attaching the authentication code to the workflow.
The code itself is relatively straightforward. Written in C#, the basic idea of the code is to take the user's username and password and authenticate against LDAP - this is done in the ValidateActiveDirectoryLogin function below:
// Requires: using System; using System.DirectoryServices;
/// <summary>
/// Method to validate user for a given credentials
/// </summary>
/// <param name="domain"></param>
/// <param name="username"></param>
/// <param name="password"></param>
/// <returns>Boolean returns true if success</returns>
protected Boolean ValidateActiveDirectoryLogin(string domain, string username, string password)
{
    Boolean success = false;
    // Bind to the domain with the credentials typed on the signature page.
    System.DirectoryServices.DirectoryEntry Entry = new System.DirectoryServices.DirectoryEntry("LDAP://" + domain, username, password);
    DirectorySearcher searcher = new DirectorySearcher(Entry);
    searcher.SearchScope = System.DirectoryServices.SearchScope.Subtree;
    try
    {
        // The search forces the bind and throws if the credentials are rejected.
        // username goes into the filter as typed; escape it per RFC 4515 for untrusted input.
        searcher.Filter = "(SAMAccountName=" + username + ")";
        searcher.PropertiesToLoad.Add("cn");
        System.DirectoryServices.SearchResult results = searcher.FindOne();
        // userFullName = results.GetDirectoryEntry().Properties["CN"].Value.ToString();
        success = (results != null);
    }
    catch (Exception ex)
    {
        success = false;
        lblMessage.Text = "Error: " + ex.Message;
    }
    return success;
}
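A hardened variant of the re-authentication check above, as an added example that is not the whitepaper's appendix code. It escapes the user name per RFC 4515 before building the filter, refuses empty passwords, accepts only the account that already owns the session, and returns no directory error text to the page. `SigningReauth`, `sessionUser` and the sample input are assumptions, and both user names are assumed to be bare sAMAccountName values.

```csharp
using System;
using System.DirectoryServices;
using System.Runtime.InteropServices;
using System.Text;

public static class SigningReauth
{
    // RFC 4515 escaping for a value placed inside an LDAP search filter.
    public static string EscapeLdapFilterValue(string value)
    {
        StringBuilder sb = new StringBuilder(value.Length + 8);
        foreach (char c in value)
        {
            switch (c)
            {
                case '\\': sb.Append(@"\5c"); break;
                case '*':  sb.Append(@"\2a"); break;
                case '(':  sb.Append(@"\28"); break;
                case ')':  sb.Append(@"\29"); break;
                case '\0': sb.Append(@"\00"); break;
                default:   sb.Append(c); break;
            }
        }
        return sb.ToString();
    }

    // sessionUser: account the SharePoint session is already running as (assumption).
    // typedUser / password: values entered on the signature page.
    public static bool Reauthenticate(string domain, string sessionUser,
                                      string typedUser, string password)
    {
        // An empty password can turn a simple bind into an anonymous one, so refuse it,
        // and only let the session owner sign: a second person's credentials are rejected.
        if (string.IsNullOrEmpty(typedUser) || string.IsNullOrEmpty(password) ||
            !string.Equals(sessionUser, typedUser, StringComparison.OrdinalIgnoreCase))
        {
            return false;
        }

        try
        {
            using (DirectoryEntry entry = new DirectoryEntry(
                       "LDAP://" + domain, typedUser, password, AuthenticationTypes.Secure))
            using (DirectorySearcher searcher = new DirectorySearcher(entry))
            {
                searcher.SearchScope = SearchScope.Subtree;
                searcher.Filter = "(sAMAccountName=" + EscapeLdapFilterValue(typedUser) + ")";
                searcher.PropertiesToLoad.Add("cn");
                return searcher.FindOne() != null;   // the search forces the bind
            }
        }
        // Failed binds surface as COM exceptions; log them server-side, show nothing to the user.
        catch (DirectoryServicesCOMException) { return false; }
        catch (COMException) { return false; }
    }
}

public static class ReauthDemo
{
    public static void Main()
    {
        // Constructed input containing filter metacharacters.
        Console.WriteLine(SigningReauth.EscapeLdapFilterValue("j(doe)*"));
        // A typed user that differs from the session user is refused before any bind.
        Console.WriteLine(SigningReauth.Reauthenticate("contoso.example", "jdoe", "asmith", "x"));
    }
}
```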
Full source code for all the functions will be provided as an appendix to this whitepaper. Using the provided source code, the signature page appears as follows.
Though not required, as the signature is stored with the document in SharePoint, it is a nice touch that helps users know that a signature has been applied to a given document. Thus, in the solution provided, code was added to append the signature to the document itself. In addition, the document is protected by rights management as part of the workflow cycle, so that no changes can be made to the document once signed.
It is important to note that this is still an electronic signature and not a digital signature. The configuration methods for digital signatures are provided later in the document.
Set Permissions for the Document Library
SharePoint 2010 has the ability to set permissions on the Document level, Document Library level and site level.
To set permissions for a document library, navigate to your document library > click on Library > Library Permissions
Set Policies for the Document Library
One of the more important aspects of configuring SharePoint 2010 for 21 CFR Part 11 compliance is configuring sitewide policies that dictate permission levels and rules. This is done to prevent users, particularly content administrators, from changing permission levels that would invalidate the compliance of any given document library.
To configure site wide auditing:
Go to Site Actions > Site Settings > Site Collection Audit Settings
To add stage properties for a document library go to Document library settings > Information Management Policy Settings
Click Change Resource link to change staging properties for the documents library
On clicking the hyper link Add Retention stage the below popup will be shown to configure the document into Records Center.
Note that the Content Organizer can also be used to send records into the records center that are subject to Part 11 compliance based on their content-type.
Once delivered to its final destination after approval, the document is automatically declared a record.
Navigate to Site Actions > Site Settings > Record Declaration Settings for globally setting this throughout the site.
The last step in the process is creating the Custom Permission Levels for Site Roles, so Versioning, Content Approval Settings, and Workflow can't be manipulated.
This is an important consideration for Part 11 compliance, as it assures - with proper configuration - that the audit histories, electronic signatures and other vital information for compliance is not changed in any fashion.
This configuration of SharePoint and workflow has all records transferred to their preferred locations via the records retention policies based on the Signed Doc attribute. When the Document becomes approved, then the attribute is set as a record inside the workflow.
To see more on the process of transferring signed documents to the records center, please see http://technet.microsoft.com/en-us/library/ee424395.aspx
Once in the target document library, click on the Library Tab in the Ribbon Bar. This brings you to the Document Library Settings page which enables you to add the necessary columns for electronic signatures.
The following columns will be added, which include the single signature columns as well as additional columns for multiple signatures:
• Username
• Purpose of Signature
• Document Status (needed for workflow processing)
• Date Signed
• Signers
• Additional fields as outlined below.
The steps for setting version history and version control are the same as for creating single electronic signatures.
Configure Document Templates for Workflow and
Multiple Signatures
In order to set the document templates needed for multiple electronic signatures in a single document, click on Advanced Settings in the Document Library > Document Library Settings screen.
In Document Library > Document Library Settings > Advanced Settings Screen click Edit Template in the Document Template section under the Template URL dialog.
This will launch the template editor in Microsoft Word. Click on the Insert tab in the Ribbon Bar. On the Insert Tab, click on the Quick Parts > Document Property dialog and pull-down.
Drag and drop the fields DateSigned, DocumentStatus, PurposeOfSignature, Username and other fields added to the document library to support electronic signatures.
This then results in a document that has a signature line added in through metadata.
Note that this document, once signed, can be protected via Rights Management Service so that it cannot be modified once signed, even if e-mailed or a thumb drive used to copy the document elsewhere.
Create workflows for multiple electronic
signatures
In order to create the workflows necessary to support electronic signatures, you will need to open SharePoint Designer.
Once in SharePoint Designer, click on the File tab, then the Open Site button. If the site is displayed in the Recent Sites, then click to open that site.
To create an electronic signature workflow, click on the Workflows link under Navigation > Site Objects.
Once the workflow tab is open, click on the Workflows tab in the Ribbon Bar, then click on the List Workflow button.
To configure the workflow for the electronic signature document library, click on the appropriate document library name in the List Workflow pull-down.
In creating the workflow, the first step is to add condition checks for Approval Status. This will use the Content Approval Status Column in the list library. This condition check will determine if the document is Approved, Rejected, or if the document is already signed.
You can then define the e-mail message that can be sent to the users involved in the workflow.
Go to Actions > Send an Email and configure properties appropriately
Again, it is important to note that while not necessary for Part 11 compliance, the use of Rights Management Service in conjunction with SharePoint will ensure that the rights become part of the document itself, originally applied as part of workflow or when a document is loaded into the document library.
The instructions for updating SharePoint for Information Rights Management can be found on MSDN.
Create a Signature Page
The signature page for multiple signatures is the
same as for single signatures.
The final signed document with the signatures
appears as follows
Set Permissions for the Document Library
The methods for setting permissions for the document library are the same as for single signatures.
To set permissions for a document library, navigate to the document library > click on Library > Library Permissions
Set Policies for the Document Library
The methods for setting policies for the document library are the same for multiple signatures as they are for single signatures.
Digital Signatures Use Case
The following scenarios detail configuring SharePoint 2010 and Office 2010 to use digital signatures based on X.509 Certificates. Note that the provisioning and deployment of those signatures are outside the scope of this document.
Configuring Digital Signatures in SharePoint and Office 2010 is far simpler than configuring electronic signatures and provides a higher level of security and assurance than simple electronic signatures, even with the added features detailed earlier in this document.
In fact, SharePoint 2010 comes with an out of the box Approval Workflow called a Collect Signatures workflow. This document will utilize a variant of that workflow for the Digital Signatures use case.
Administrator Configuration for Digital
Signatures
Similar steps are required for creating workflows for Digital Signatures as they are for Electronic Signatures.
Configure Document Library Templates
Creating the document library templates is essential, as this provides the signature blocks that will be used during the X.509 certificate signature process.
As with the electronic signatures, you first select the document library that will be used for the Digital Signatures. When there, click on the Library Tools > Library tab in the Ribbon Bar. This brings you to the Document Library Settings page which enables you to add the necessary columns for digital signatures.
The following columns will be added:
• Document Status (needed for workflow processing)
• Date Signed
• Signers
Configure Document Library Version Histories
While digital signatures are more secure than electronic signatures, it is still important to create and set version histories for the audit trail capabilities of the document library. The steps for doing this are the same as for configuring electronic signatures.
Configure Document Templates for Workflow and
Digital Signatures
Setting the document templates for digital signatures is straightforward. In the Document Library > Document Library Settings screen, click on Advanced Settings.
In Document Library > Document Library Settings > Advanced Settings Screen click Edit Template in the Document Template section under the Template URL dialog.
This will launch the template editor in Microsoft Word.
The first step in adding a digital signature to the document is by going to the Office 2010 BackStage by clicking on the File tab in the Ribbon Bar. Then under Protect Document click on Add Digital Signature.
Once the Digital Signature is added, you'll want to navigate to the section of the document that will contain the signature. To insert the Signature at that location, click on the Insert tab in the Ribbon Bar. Click on the Signature Line drop down.
This will enable you to insert a signature block or multiple signature blocks. In addition, this drop down provides for multiple signature providers. This enables different certificates.
Once inserted, an unsigned signature block - or multiple blocks - looks as such
The signature block can also be a stamped signature, such as would be done for a SAFE BioPharma logo.
In Signing a document, the user is prompted for Comment which is generally used as the Purpose for Signing. It is also possible to create a custom signature event, such as one for SAFE BioPharma that is located at http://www.codeplex.com/safe
Once used by the signer, the signature block appears as such
Note that digitally signing a document also makes that document read-only. Saving the document and making any changes invalidates and removes the signature (but not the unsigned signature block) from the document.
Also important to discuss is the role of Rights Management, which can be applied to a document before the signature process, further protecting the document from change.
Create workflows for digital signatures
Creating workflows that utilize digital signatures is actually more straightforward than for electronic signatures. These workflows can either be created in SharePoint itself, or through SharePoint Designer.
In fact, as mentioned previously, SharePoint 2010 contains out of the box workflows for digital signatures, in this case called Collect Signatures.
The MSDN Article used to configure this part of the document can be found at http://office.microsoft.com/en-us/sharepoint-server-help/use-a-collect-signatures-workflow-HA010154428.aspx
Along with more basic articles on approval workflow: http://office.microsoft.com/en-us/sharepoint-designer-help/understand-approval-workflows-in-sharepoint-2010-HA101857172.aspx?CTT=1
Add or Change a Collect Signatures Workflow
Before a Collect Signatures workflow can be used, it must be added to a library or content type to make it available for documents or items in a specific location.
The Collect Signatures workflow is intended primarily for use in libraries and can be started only on documents that open in Office Word 2007 or Office Excel 2007. You must have the Manage Lists permission to add a workflow to a library or content type. In most cases, site administrators or individuals who manage specific lists or libraries perform this task.
The availability of the workflow within a site varies, depending on where it is added:
• If you add a workflow directly to a library, it is available only for documents in that library.
• If you add a workflow to a list content type (an instance of a site content type that was added to a specific library), it is available only for items of that content type in the specific library with which that content type is associated.
• If you add a workflow to a site content type, that workflow is available for any items of that content type in every list and library to which an instance of that site content type was added. If you want a workflow to be widely available across libraries in a site collection for items of a specific content type, the most efficient way to achieve this result is by adding that workflow directly to a site content type.
Add or change a Collect Signatures workflow for a library or content type
If you want to add a Collect Signatures workflow to a library or content type, or if you want to change a Collect Signatures workflow that is already associated with a library or content type, you follow the same steps.
1. To go to the Add a Workflow page or the Change a Workflow page for the library or content type to which you want to add a workflow, do one of the following:
   o For a library
      1. Open the library to which you want to add or change a workflow. On the Settings menu, click the settings for the type of library that you are opening. For example, in a document library, click Document Library Settings.
      2. Under Permissions and Management, click Workflow settings.
   o For a list content type
      1. Open the library that contains the instance