RE: SUS server

From: Hibbs, Ted (THibbs5prime.com)
Date: Tue Apr 08 2003 - 12:38:12 CDT


I just gotta jump in on this since we are working to get under 21 CFR
Part 11

Hold on, here come two paragraphs of the legal stuff... ;^(

The regulation states, "Persons who use closed systems to create,
modify, maintain, or transmit electronic records shall employ procedures
and controls designed to ensure the authenticity, integrity, and, where
appropriate, the confidentiality of electronic records, ... Such
procedures and controls shall include the following:... (a) Validation
of systems to ensure accuracy, reliability, consistent intended
performance, and the ability to discern invalid or altered records....
(d) Limiting system access to authorized individuals." A Closed System
is defined as, "Closed System means an environment in which system
access is controlled by persons who are responsible for the content of
electronic records that are on the system." I can agree that, if 2K SP3
licensing grants M$ access to the machine, the machine cannot be
considered a closed system under this part of the rule.

However, there are also provisions for an "Open System" under this rule.
An "Open System means an environment in which system access is not
controlled by persons who are responsible for the content of electronic
records that are on the system." In an Open System, "Persons who use
open systems to create, modify, maintain, or transmit electronic records
shall employ procedures designed to ensure the authenticity, integrity,
and, as appropriate, the confidentiality of electronic records from the
point of their creation to the point of their receipt. ...additional
measures such as document encryption and use of appropriate digital
signature standards to ensure ... authenticity, integrity, and
confidentiality." So there are options to keep the system under 21 CFR
Part 11 and still grant access to the system. The rule appears to
address databases more than complete systems, but their wording cannot
limit the access to just the databases.

So as I see it, you have two options: Keep the system as a closed
system by closing the link between your system and M$ either logically
as in routing tables and firewalls, or physically as in no wire from
your closed system to any external system. Or define the system as an
open system and employ encryption and digital signatures so that anyone
who can get into the system cannot read or modify the encrypted files.

Mind you, I don't have access to the most current FDA rulings on this,
but will attempt to get additional information as to whether they have
addressed this question.

Ted

-----Original Message-----
From: Evan Mann [mailto:emannpinnaclefinancial.com]
Sent: Tuesday, April 08, 2003 9:02 AM
To: focus-mssecurityfocus.com
Subject: RE: SUS server

I've read the 21 CFR Part 11 spec and nowhere in the documents I've
read does it make indications as to what controls you need on your
systems in terms of updates to your OS and OS related files. 21 CFR Part
11 is all about document control and/or electronic signatures on
resources related to your medical business, not what can or cannot be
done to the operating system itself.

Granted, I've not read the MS Licensing on 2K SP3 and XP SP1, but unless
it states that MS has unrestricted access to your actual files on your
system, then it shouldn't be an issue with 21 CFR Part 11.

-----Original Message-----
From: Thane Walkup [mailto:twalkupquorumreview.com]
Sent: Tuesday, April 08, 2003 10:41 AM
To: focus-mssecurityfocus.com
Subject: RE: SUS server

Note that this still won't resolve the issue with 2k SP3 and XP SP1 -
the language of the license seems to give Microsoft unfettered access to
update your machines at will, not just via SUS. I'm not claiming that
Microsoft has a backdoor into XP or 2000, just saying that the language
of the license lets them do that.

Thanks,
Thane

-----Original Message-----
From: Brian W. Spolarich [mailto:bspolarichnephrostherapeutics.com]
Sent: Monday, April 07, 2003 11:31 AM
To: Thane Walkup; focus-mssecurityfocus.com
Subject: RE: SUS server

Thane Walkup wrote:
> One VERY good reason not to run SP3 is possible HIPAA and 21CFR11
> regulation issues - since the license for SP3 technically gives
> Microsoft unfettered access to your PC, any company under those
> regulations could be in violation of those regulations.
>
> This affects just about any medical facility.

  One can configure the SUS client to point at an internal SUS server
via Active Directory GPOs. I suspect that if you point it at a
non-functional URL the auto-update component will essentially be
disabled, and it may be possible to disable it completely via GPO
(haven't looked).

  -bws
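The GPO approach Brian describes (pinning the Automatic Updates client to an internal SUS server, or switching it off) comes down to a handful of Windows Update policy values under HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate, which is what the SUS wuau.adm template writes. The following PowerShell is an added example, not code from anyone in this thread, that reads those values, sets them locally for a test, and checks that the client is either disabled or pointed only at the internal server. The server name sus01.corp.example is an assumption; the registry paths and value names (WUServer, WUStatusServer, UseWUServer, NoAutoUpdate) are the standard policy values.

```powershell
# Added example (not from the original thread): inspect and set the
# Windows Update policy values consumed by the SUS/WSUS client.
# The server URL below is an assumed placeholder; the key paths and
# value names are the standard Automatic Updates policy settings.
$PolicyKey   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$AUKey       = Join-Path $PolicyKey 'AU'
$InternalSus = 'http://sus01.corp.example'   # assumed internal SUS server

function Get-SusPolicy {
    # Read each policy value; absent values come back as $null.
    [pscustomobject]@{
        WUServer       = (Get-ItemProperty -Path $PolicyKey -Name WUServer       -ErrorAction SilentlyContinue).WUServer
        WUStatusServer = (Get-ItemProperty -Path $PolicyKey -Name WUStatusServer -ErrorAction SilentlyContinue).WUStatusServer
        UseWUServer    = (Get-ItemProperty -Path $AUKey     -Name UseWUServer    -ErrorAction SilentlyContinue).UseWUServer
        NoAutoUpdate   = (Get-ItemProperty -Path $AUKey     -Name NoAutoUpdate   -ErrorAction SilentlyContinue).NoAutoUpdate
    }
}

function Set-SusInternalServer {
    # Point the client at an internal server for both downloads and
    # status reporting, and tell it to use that server instead of
    # Microsoft's public Windows Update site.
    param([Parameter(Mandatory)][string]$Url)
    New-Item -Path $AUKey -Force | Out-Null
    Set-ItemProperty -Path $PolicyKey -Name WUServer       -Value $Url -Type String
    Set-ItemProperty -Path $PolicyKey -Name WUStatusServer -Value $Url -Type String
    Set-ItemProperty -Path $AUKey     -Name UseWUServer    -Value 1    -Type DWord
}

function Disable-AutomaticUpdates {
    # Turn the Automatic Updates component off outright.
    New-Item -Path $AUKey -Force | Out-Null
    Set-ItemProperty -Path $AUKey -Name NoAutoUpdate -Value 1 -Type DWord
}

function Test-SusPolicyClosed {
    # $true when the client cannot reach Microsoft on its own: either AU is
    # disabled, or it is pinned to the expected internal server for both
    # the update and the status URL.
    param([Parameter(Mandatory)][string]$ExpectedServer)
    $p = Get-SusPolicy
    if ($p.NoAutoUpdate -eq 1) { return $true }
    return ($p.UseWUServer -eq 1 -and
            $p.WUServer -eq $ExpectedServer -and
            $p.WUStatusServer -eq $ExpectedServer)
}

# Usage (run elevated on a test machine):
Set-SusInternalServer -Url $InternalSus
Get-SusPolicy | Format-List
Test-SusPolicyClosed -ExpectedServer $InternalSus   # expect True
```

Writing the values locally is only useful for testing; on a domain member the same keys are rewritten from the GPO at the next policy refresh, so the Group Policy object is the place to set them and Get-SusPolicy is the place to audit that the setting actually landed on each host.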

----------------------------------------------------------------------
Block Spam, Smut & Viruses
SurfControl E-mail Filter for SMTP & Exchange leverages multiple layers of
technology including filtering embedded and attached file content. Rid your
enterprise of unwanted content.
http://www.securityfocus.com/SurfControl-focus-ms2
Download your free fully functional trial, complete with 30-days of free
technical support.
----------------------------------------------------------------------