Controls for closed systems
Persons who use closed systems to create, modify, maintain, or transmit electronic records shall employ procedures and controls designed to ensure the authenticity, integrity, and, when appropriate, the confidentiality of electronic records, and to ensure that the signer cannot readily repudiate the signed record as not genuine. Such procedures and controls shall include the following:
(a) Validation of systems to ensure accuracy, reliability, consistent intended performance, and the ability to discern invalid or altered records.
(b) The ability to generate accurate and complete copies of records in both human readable and electronic form suitable for inspection, review and copying by the agency. Persons should contact the agency if there are any questions regarding the ability of the agency to perform such review and copying of the electronic records.
© Protection of records to enable their accurate and ready retrieval throughout the record retention period.
(d) Limiting system access to authorized individuals
(e) Use of secure, computer-generated, time-stamped audit trails to independently record the date and time of operator entries and actions that create, modify, or delete electronic records. Record changes shall not obscure previously recorded information. Such audit trail documentation shall be retained for a period at least as long as that required for the subject electronic records and shall be available for agency review and copying.
(f) Use of operational system checks to enforce permitted sequencing of steps and events, as appropriate.
(g) Use of authority checks to ensure that only authorized individuals can use the system, electronically sign a record, access the operation or computer system input or output device, alter a record, or perform the operation at hand.
(h) Use of device (e.g., terminal) location checks to determine, as appropriate, the validity of the source of data input or operational instruction.
(i) Confirmation that persons who develop, maintain, or use electronic signature systems has the education, training and experience to perform their assigned tasks.
(j) The establishment of, and adherence to, written policies which hold individuals accountable and liable for actions initiated under their electronic signatures, so as to deter record and signature falsification.
(k) Use of appropriate systems documentation controls including:
i Adequate controls over the distribution access to, and use of documentation for system operation and maintenance.
j Records revision and change control procedures to maintain an electronic audit trail that documents time-sequencing development and modification of records.