1. 11 June 2004© 2004 Wimmer Systems, Inc. 1 Cryptography Facilitates Record Security and Integrity Presented By Derek Wimmer President Wimmer Systems, Inc. P.O. Box 739 Liberty, Missouri 64069

2. © 2004 Wimmer Systems, Inc.2 11 June 2004 Presenter Background Derek Wimmer  Microbiologist and Quality Assurance Auditor in the Pharmaceutical Industry 1994 - 1999  Software vendor specializing in 21 CFR 11 solutions 1999 - present DaCS™  First commercial Part 11 solution specifically for Microsoft® Excel  In production use since 2001  Used by major pharmaceutical companies worldwide  Utilizes cryptographic methods to help ensure electronic record security and integrity

3. © 2004 Wimmer Systems, Inc.3 11 June 2004 Topic of Presentation What requirements would preserve record security and integrity and ensure that records are suitable for inspection, review, and copying by the agency?

4. © 2004 Wimmer Systems, Inc.4 11 June 2004 Preserving Record Security and Integrity Preservation  During use period (within the electronic record system)  During retention period (within archives and outside the system)  During submission period (outside owner’s control) USAGE RETENTIONSUBMISSION

5. © 2004 Wimmer Systems, Inc.5 11 June 2004 Preserving Record Security and Integrity Security - preventing alteration  Active controls Limiting access to record Limiting ability to alter Relies on physical or computerized controls  Passive controls Ability to detect alteration Threat of repercussions Relies on psychological controls (deterrence)

6. © 2004 Wimmer Systems, Inc.6 11 June 2004 Integrity - means of ensuring fidelity (detecting alteration)  Reference Compare to “master” copy Master copy must be available  Fingerprinting Compare to mathematical transformation or cryptographic method Method must be available to do so Preserving Record Security and Integrity

7. © 2004 Wimmer Systems, Inc.7 11 June 2004 DaCS™ Integrity Check Methodology PASSFAIL A0-13-C4-DE B6-09-FF-01A0-13-C4-DE  = 1. Generate secure digital signature of file data. 2. Embed digital signature in file. 3. Later, excise signature and generate new signature of file data. 4. Compare new signature to embedded signature.

8. © 2004 Wimmer Systems, Inc.8 11 June 2004 Suitable for Inspection, Review, and Copying by the Agency Must be able to remove the record from the system You can’t rely on system’s controls to provide security and integrity May require conversion of the record to different and unknown formats Record is out of the owner’s control

9. © 2004 Wimmer Systems, Inc.9 11 June 2004 Why Cryptographic Fingerprinting Methods Meet Requirements Preservation  Fingerprint can be archived or transmitted with record  Does not require control system to maintain Security  Deters record alteration by virtue of being able to detect alteration  Secure cryptographic methods are available Integrity  Allows verification of record fidelity Suitability for Inspection Activities  Independent of control system  Allows for portability of records

10. © 2004 Wimmer Systems, Inc.10 11 June 2004 Burden of Requirement Technological burden is LOW  Secure algorithms and methods are publicly available ...are already built into commercial operating systems ...can be used for no licensing cost  …have been commonly used in multiple applications  …infrastructure for some applications already built Implementation burden is REASONABLE  Must put resources into applying methods to records  May require implementing new or existing infrastructure Burden is LESS THAN no requirement  Clarifies acceptable methods  Reduces need for resource-intensive controls Burden can be REDUCED by  Application of public/free methodologies  Use of commercial systems  Spreading burden over large number of systems