Non-Encrypted Passwords

Hi all,

I would like some thoughts on having an older GxP system that exposes
the passwords to the system administrator. The system does not employ
e-sigs. Would you consider this a severe compliance exposure or one
that could be mitigated by stating that this is not a high risk
because only a few individuals would have access to this information,
yada, yada?

I have my own thoughts on this but would like to see others weigh in.

Thanks in advance for any feedback.

Hi Eng1

Sounds like your risk exposure is rather high from both a general IT Security perspective as well as Part 11.

If the password can be seen (even by our trusted Sys. Admin) - it still must be stored somewhere. Most likely it exists in the data repository either in the User security record or in another associated table. Even if your system employs a one-way encryption process with ‘salting’ using SHA-2, etc - there is a representation of the password somewhere. Problem is that if the database is compromised - someone could gain the credentials and execute transactions in the system through the front-end. With or without functionality that ensures non-repudiation (e-sig) - you are exposed.

Usually, the system allows the Sys Admin to change a password for the user - but not see what is there. They might see a series of asterisks in the field in the Administration panels. The user might call and indicate they forgot their password. The Admin might change it to something like ‘Winter08’ and inform the user. The added step of protection is that the User MUST change the password again on the initial login. This prevents the Sys Admin from knowing the password beyond the initial reset transaction requested by the user.

So - what happens if the Sys Admin is not very nice? Let's say you have these controls that require the user to change their password after the reset and there exists the encryption, etc. If the Sys Admin decides at night to open another user’s record, change the password, and then log in as that user - they could gain access with the other user's account. The compensating controls are: The user would not be able to log in when they arrived at work and would complain. Secondly, the system needs to track (audit) all transactions - which include password resets and general updates to user records. Furthermore - there needs to be a process of inspecting these logs by someone other than one Sys Admin resource.

Your system sounds like it does not possess these capabilities, which is an issue. To address these items - you need to identify the gaps and look for some form of compensating controls that can mitigate the risks/impacts. Lastly - a technical solution might be required to look at possibly eliminating the ability to see the clear-text passwords in the app.
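As an added illustration (not code from this thread or from any particular GxP product), here is a small Python model of the controls the reply above describes: salted one-way SHA-2 hashing so that nobody, the Sys Admin included, can read a stored password; an admin reset that forces a change at the next login; and an append-only audit trail that a second person can review, with resets done outside working hours flagged. Class and function names are my own assumptions.

```python
import hashlib, hmac, os
from datetime import datetime

def hash_password(password: str, salt: bytes) -> bytes:
    """Salted one-way derivation (SHA-2 via PBKDF2); only this digest is stored, never the password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

class UserStore:
    """Hypothetical user repository: user records plus an audit trail of every change and login."""
    def __init__(self):
        self.users = {}   # name -> {"salt", "digest", "must_change"}
        self.audit = []   # append-only: who did what to which account, and when (ISO 8601 string)

    def _log(self, when, event, actor, subject):
        self.audit.append({"when": when, "event": event, "actor": actor, "subject": subject})

    def set_password(self, name, password, must_change):
        salt = os.urandom(16)   # fresh salt per password, so equal passwords give different digests
        self.users[name] = {"salt": salt, "digest": hash_password(password, salt), "must_change": must_change}

    def reset_password(self, admin, name, temp_password, when):
        # The admin can replace a password but never read one; the user must change it at next login.
        self.set_password(name, temp_password, must_change=True)
        self._log(when, "password_reset", admin, name)

    def login(self, name, password, when):
        rec = self.users.get(name)
        ok = rec is not None and hmac.compare_digest(rec["digest"], hash_password(password, rec["salt"]))
        self._log(when, "login_ok" if ok else "login_failed", name, name)
        if not ok:
            return "denied"
        # A temporary password buys no working session: only the change-password step is allowed.
        return "change_required" if rec["must_change"] else "session"

    def change_password(self, name, old, new, when):
        if self.login(name, old, when) == "denied":
            return False
        self.set_password(name, new, must_change=False)
        self._log(when, "password_changed", name, name)
        return True

def review_resets(audit, start_hour=7, end_hour=19):
    """For the second-person log review: every reset, who performed it, and whether it was off-hours."""
    findings = []
    for e in audit:
        if e["event"] == "password_reset":
            off_hours = not (start_hour <= datetime.fromisoformat(e["when"]).hour < end_hour)
            findings.append((e["actor"], e["subject"], e["when"], off_hours))
    return findings
```

Each reset in the review output should be matched against a help-desk request from the named user; a reset nobody asked for, or one performed at night, is exactly the case the reply warns about.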