Reg-Part 11 security levels

Please guide me in the right way to comply with Part 11 requirements.

Oracle ERP software was validated retrospectively and PQ completed in validation instance which is closed from live instance.

Now we are in the implementation stage as per the validation recommendations.

We have tested and verified the password management, password no-reuse, session timeout, password failure limit and password expiry.

Now we are confused about what the exact applicable limit is for each of the above settings, i.e.:

What is the exact limit for session timeout?

What is the exact limit for password no-reuse?

What is the exact limit for password failure limit?

What is the limit for password expiry?

Please provide me with any justifiable values for the above controls.

I think that these values have some limitations.

G.Tarakeswara Rao

As far as I know there is no regulation behind the amount of time that a session needs to last. This will depend on the requirement that was set out in your design documents. There should be a corresponding test in your testing documentation to verify that the session timeout is working correctly.

For password failure limit the norm seems to be 3 attempts for an application and usually 5 for network login; again, this depends on the policy your company sets out.

For password no-reuse I’m not sure exactly what this means; please clarify.

Password expiry is usually between 60 and 90 days; again, this depends on your policy.

Hope this helps

Q1: What is the exact limit for session timeout?

It’s usually set at 15 minutes where there is no activity.

Q2: What is the exact limit for password no-reuse?

I have it set as you cannot re-use the same password for 10 times, but you can set it at anything you want.

Q3: What is the exact limit for password failure limit?

It’s usually set as failed after 3 attempts.

Q4: What is the limit for password expiry?

60-90 days, or longer depending on your access level. Say it was a simple piece of software and you only had the options to press start or stop; then you could have a limit of 120 days or even longer.


Just a follow-up note from Graham’s and Ruth’s posts…

One of the things that’s continually hammered home regarding Part 11 is that decisions should be risk based. Ruth’s post alluded to it with the mention of security levels.

I believe (and please correct me if I’m wrong) that the numbers cited by both Graham and Ruth are generally considered de-facto standards and are not driven by either regulation or published standard. It is conceivable (to me, at least) that a risk analysis for a particular system could conclude that users would never have to change their password!

You are responsible for demonstrating that you have sufficient controls for your system and sufficiency is determined by your risk analysis. If you arbitrarily choose password controls without any backing from a risk analysis, an auditor would be able to pick your system apart if they were so inclined. Now, given the current state of Part 11 enforcement, that may not be so likely if you choose to use the de-facto standards cited above (they are sound policies) without any supporting rationale. Just be careful and don’t be caught unaware.

Dear Graham,

Sorry for the late reply, I am busy with a TGA audit.

“For password no-reuse I’m not sure exactly what this means; please clarify.”

This means that the user should not use the recently used passwords for up to so many days.

This will be in days only, e.g. after 5 or 10 or 15 days. If we set it to 3 days, then the user cannot change the password to a re-used password within the 3 days; after 3 days it will allow the same password to be used.

I think you can understand now about password no-reuse.

Tarakeswara Rao
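To make the controls discussed in this thread concrete, the following is an added example (not code from the forum, and not how Oracle ERP implements these settings) that models a single account under the de-facto values quoted by Graham and Ruth: 15-minute idle timeout, lockout after 3 failed attempts, 90-day expiry, and no re-use of the last 10 passwords. It also models the day-based reading of "no-reuse" that Tarakeswara Rao describes (a password cannot be re-used until N days after it was retired), so both interpretations can be compared side by side. The `Policy`, `Account` and `PasswordRecord` names are hypothetical, the account names and passwords are constructed test data, and the plain SHA-256 digest stands in for the salted, slow password hash a real system would use.

```python
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from hashlib import sha256
from typing import Optional


@dataclass
class Policy:
    """Hypothetical policy record; defaults are the de-facto values quoted in the thread."""
    session_idle_timeout: timedelta = timedelta(minutes=15)
    max_failed_attempts: int = 3
    password_expiry: timedelta = timedelta(days=90)
    history_depth: Optional[int] = 10          # count-based no-reuse (Ruth's reading); None disables
    reuse_window: Optional[timedelta] = None   # day-based no-reuse (Tarakeswara Rao's reading); None disables


@dataclass
class PasswordRecord:
    digest: str
    set_at: datetime
    retired_at: Optional[datetime] = None      # filled in when the password is replaced


def digest(password: str) -> str:
    # Constructed stand-in: a production system would use a salted, slow hash (bcrypt/argon2).
    return sha256(password.encode()).hexdigest()


@dataclass
class Account:
    policy: Policy
    history: list = field(default_factory=list)   # PasswordRecord, oldest first
    failed_attempts: int = 0
    locked: bool = False
    last_activity: Optional[datetime] = None

    @property
    def current(self) -> Optional[PasswordRecord]:
        return self.history[-1] if self.history else None

    def set_password(self, new_password: str, now: datetime) -> str:
        """Apply the no-reuse rules; returns 'ok' or a rejection reason."""
        d, p = digest(new_password), self.policy
        if self.current and self.current.digest == d:
            return "rejected: same as current password"
        if p.history_depth is not None and any(r.digest == d for r in self.history[-p.history_depth:]):
            return f"rejected: matches one of the last {p.history_depth} passwords"
        if p.reuse_window is not None and any(
            r.digest == d and r.retired_at is not None and now - r.retired_at < p.reuse_window
            for r in self.history
        ):
            return f"rejected: used within the last {p.reuse_window.days} days"
        if self.current:
            self.current.retired_at = now
        self.history.append(PasswordRecord(d, now))
        return "ok"

    def login(self, password: str, now: datetime) -> str:
        """Failure counting, lockout and expiry check; returns ok/failed/locked/expired."""
        if self.locked:
            return "locked"
        if self.current is None or digest(password) != self.current.digest:
            self.failed_attempts += 1
            if self.failed_attempts >= self.policy.max_failed_attempts:
                self.locked = True
                return "locked"
            return "failed"
        self.failed_attempts = 0
        if now - self.current.set_at >= self.policy.password_expiry:
            return "expired"
        self.last_activity = now
        return "ok"

    def session_active(self, now: datetime) -> bool:
        """Idle timeout: a request after more than the idle limit ends the session."""
        if self.last_activity is None:
            return False
        if now - self.last_activity > self.policy.session_idle_timeout:
            self.last_activity = None
            return False
        self.last_activity = now
        return True

    def unlock(self) -> None:     # administrator reset after lockout
        self.locked, self.failed_attempts = False, 0


def run_demo() -> dict:
    """Walk one account through each control; returns the observed results."""
    t0, out = datetime(2024, 1, 1, 9, 0), {}
    a = Account(Policy())
    a.set_password("Spring2024!", t0)
    out["lockout"] = [a.login("wrong", t0) for _ in range(3)] + [a.login("Spring2024!", t0)]
    a.unlock()
    out["session"] = [a.login("Spring2024!", t0 + timedelta(minutes=1)),
                      a.session_active(t0 + timedelta(minutes=10)),
                      a.session_active(t0 + timedelta(minutes=30))]
    out["expiry"] = [a.login("Spring2024!", t0 + timedelta(days=89)),
                     a.login("Spring2024!", t0 + timedelta(days=91))]
    now = t0 + timedelta(days=100)
    res = [a.set_password("Spring2024!", now)]            # same as current
    for i in range(9):
        a.set_password(f"Pw{i}!", now)
    res.append(a.set_password("Spring2024!", now))        # still within the last 10
    a.set_password("Pw9!", now)
    res.append(a.set_password("Spring2024!", now))        # aged out of the history
    out["count_reuse"] = res
    b = Account(Policy(history_depth=None, reuse_window=timedelta(days=3)))
    out["time_reuse"] = [b.set_password("A1!", t0), b.set_password("B2!", t0 + timedelta(days=1)),
                         b.set_password("A1!", t0 + timedelta(days=2)),
                         b.set_password("A1!", t0 + timedelta(days=5))]
    return out


if __name__ == "__main__":
    for control, result in run_demo().items():
        print(f"{control}: {result}")
```

The two no-reuse rules are deliberately independent so that a site can enable either or both; the point the follow-up post makes still applies, namely that whichever values are configured, the design document should state them and the risk analysis should justify them, and the test script should exercise each boundary (the third failed attempt, the 91st day, the 11th password, the 4th day) rather than only the happy path.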