Literary Warrant for Functional Requirement #8
This requirement derives from the law, customs, standards and
professional best practices accepted by society and codified in the literature of different professions concerned with records and
recordkeeping. The warrant is as follows:
Citation Department of Health and Human Services Food and Drug
Administration 21 CFR Part 11 [Docket No. 92N-0251] Electronic Signatures;
Electronic Records
Pages 11.10
Extract Controls for closed systems. Closed systems used to create, modify, maintain, or transmit
electronic records shall employ procedures and controls designed to ensure the authenticity, integrity,
and confidentiality of electronic records, and to ensure that the signer cannot readily repudiate the
signed record as not genuine. Such procedures and controls shall include the following: (g) Use of
authority checks to ensure that only those individuals who have been so authorized can use the system,
electronically sign a record, access the operation or device, alter a record, or perform the operation at
hand.
Citation Department of Health and Human Services Food and Drug
Administration 21 CFR Part 11 [Docket No. 92N-0251] Electronic Signatures;
Electronic Records
Pages 11.10
Extract Controls for closed systems. Closed systems used to create, modify, maintain, or transmit
electronic records shall employ procedures and controls designed to ensure the authenticity, integrity,
and confidentiality of electronic records, and to ensure that the signer cannot readily repudiate the
signed record as not genuine. Such procedures and controls shall include the following: (d) Limiting
system access to authorized individuals.
Citation Statements on Auditing Standards 55. Consideration of the Internal Control Structure in Financial
Statement Audit
Pages 11
Extract Control procedures are those policies and procedures in addition to the control environment and
accounting system that management has established to provide reasonable assurance that specific entity
objectives will be achieved. Control procedures have various objectives and are applied at various
organization and data processing levels. They may also be integrated into specific components of the
control environment and the accounting system. Generally, they may be categorized as procedures that
pertain to - Adequate safeguards over access to the use of assets and records, such as secured facilities
and authorization for access to computer programs and data files.
Citation Statements on Auditing Standards 55. Consideration of the Internal Control Structure in Financial
Statement Audit
Pages 11
Extract Control procedures are those policies and procedures in addition to the control environment and
accounting system that management has established to provide reasonable assurance that specific entity
objectives will be achieved. Control procedures have various objectives and are applied at various
organization and data processing levels. They may also be integrated into specific components of the
control environment and the accounting system. Generally, they may be categorized as procedures that
pertain to - Proper authorization of transactions and activities ...assigning different people the
responsibilities of authorizing transactions, recording transactions, and maintaining custody of assets
Citation 36 CFR Part 1234 -- Electronic Records Management. Subpart C -- Standards for
the Creation, Use, Preservation, and Disposition of Electronic Records
Pages 1234.26
Extract Agencies shall implement and maintain an effective records security program that incorporates the
following: (a) Ensures that only authorized personnel have access to electronic records.
Citation Statements on Auditing Standards 53. The Auditor's Responsibility to Detect and Report Errors
and Irregularities
Pages .12
Extract The auditor should assess the risk of management misrepresentation by reviewing information
obtained about risk factors and the internal control structure. Matters such as the following may be
considered...Are there indications that management has not developed or communicated adequate
policies and procedures for security of data or assets, such as...allowing unauthorized personnel to have
ready access to data or assets.
Citation Institute of Internal Auditors Research Foundation. Systems Auditability and Control Report.
Module 2 Audit and Control Environment
Pages 2-4
Extract Accountability encompasses the ability to trace each transaction or event back to a responsible
individual. The ability to hold individuals accountable for their actions or inaction is an essential
element of any control system.
Citation "Auditing in a Microcomputer Environment" Bailey, Larry P. Miller GAAS Guide: A
Comprehensive Restatement of Generally Accepted Auditing Standards . 1995
Pages 8.07
Extract Control procedures that are relevant to a financial statement audit include those that relate to :
Proper authorization of transactions and activities.
Citation The Institute of Internal Auditors Research Foundation;Systems Auditability and Control, Module
7, End-user and Dept. Computing, 1991.
Pages 7-4
Extract Specific management and audit questions related to EUC [END USER COMPUTING] include the
following: Have adequate control policies and procedures been established and implemented to prevent
unauthorized changes to data files and application programs?
Citation The Institute of Internal Auditors Research Foundation; Systems Auditability and Control, Module
5, Managing Info. & Developing Systems, 1991
Pages 5-43
Extract Data ownership functions as a control only to the extent that the people who know how the data
are used are responsible for determining the level of controls over the data. The controls are of the
following types: Specification of personnel to be allowed access and the types of access
Citation The Institute of Internal Auditors Research Foundation; Systems Auditability and Control, Module
5, Managing Info. & Developing Systems, 1991
Pages 5-44
Extract Unauthorized Access - Unauthorized access can refer to either of the following: Users who have
gained access to database areas for which they have no authorization
Citation The Institute of Internal Auditors Research Foundation; Systems Auditability and Control, Module
6, Business Systems, 1991
Pages 6-55
Extract The review of EFT may entail significant testing of manual and management controls. Other
system-specific aspects of an EFT system that the internal auditor should consider reviewing include the
following: Verify that proper identification and authentication controls are present and that instructions
from unauthorized users are rejected and flagged for appropriate followup.
Citation EDI Security, Control, and Audit by Albert J. Marcella, Jr., and Sally Chan (Massachusetts:
Artech House 1993)
Pages 75,76
Extract Authorization controls. These controls, which ensure that transactions are properly authorized,
range from simple user Ids and passwords, to joint custody and split knowledge of access keys, to
segregation of entry and release functions, to sophisticated techniques, such as digital signatures and
challenge and response added to dial access.
Citation The Institute of Internal Auditors Research Foundation; Systems Auditability and Control, Module
9, Security, 1991
Pages 9-48
Extract Access Control Software - Controls include the following: * Access to the system is restricted to
authorized individuals. * Users/application programs are limited to the specific types of data access
(e.g., read, update) required to perform their functional responsibilities.
Citation Ian B. Gilhooley Information Systems Management, Control and Audit (Altamonte Springs, Fla.:
The Institute of Internal Auditors 1991)
Pages 270
Extract Input authorization is achieved in different ways depending on whether the system is on-line or
batch. In an on-line environment, the user should be required to go through an identification and
authentication process just to get into the system. Beyond this point of entry, the application system
should determine the type of input the user is authorized to initiate.
Citation "Guideline for the Analysis of Local Area Network Security" Category: Computer Security;
Subcategory: Risk Analysis and Contingency Planning. Federal Information Processing Standards
Publication 191 (U.S. Department of Commerce/Technology Administration and National Institute of
Standards and Technology, 9 November 1994)
Pages 16
Extract Identification and authentication - is the security service that helps ensure that the LAN is accessed
by only authorized individuals.
Citation "Guideline for the Analysis of Local Area Network Security" Category: Computer Security;
Subcategory: Risk Analysis and Contingency Planning. Federal Information Processing Standards
Publication 191 (U.S. Department of Commerce/Technology Administration and National Institute of
Standards and Technology, 9 November 1994)
Pages 19
Extract According to [NCSC87], access control can be achieved by using discretionary access control or
mandatory access control. Discretionary access control is the most common type of access control used
by LANs. The basis of this kind of security is that an individual user, or program operating on the
user's behalf is allowed to specify explicitly the types of access other users (or programs executing on
their behalf) may have to information under the user's control.)
Citation "Digital Signature Standard (DSS)" Category: Computer Security; Subcategory: Cryptography.
Federal Information Processing Standards Publication 186 (U.S. Department of Commerce/Technology
Administration and National Institute of Standards and Technology, 19 May 1994)
Pages 2, 3
Extract Applications: The DSA authenticates the integrity of the signed data and the identity of the
signatory. The DSA may also be used in proving to a third party that data was actually signed by the
generator of the signature. The DSA is intended for use in electronic mail, electronic funds transfer,
electronic data interchange, software distribution, data storage, and other applications which require
integrity and data origin authentication.
Citation "`GOSIP' Government Open Systems Interconnection Profile" `NVLAP' National Voluntary
Laboratory Accreditation Program (U.S. Department of Commerce/ Technology Administration and
National Institute of Standards and Technology, NIST Handbook 150-12)
Pages B-12
Extract All measuring and testing equipment having an effect on the accuracy or validity of calibrations or
tests shall be calibrated and/or verified before being put into service. The laboratory shall have an
established program for the calibration and verification of its measuring and test equipment.
Citation "`GOSIP' Government Open Systems Interconnection Profile" `NVLAP' National Voluntary
Laboratory Accreditation Program (U.S. Department of Commerce/ Technology Administration and
National Institute of Standards and Technology, NIST Handbook 150-12)
Pages B-13
Extract Calibration certificates shall, wherever applicable, indicate the traceability to national standards of
measurement and shall provide the measurement results and associated uncertainty of measurement
and/or a statement of compliance with an identified metrological specification.
Citation Condition of Participation: Medical Records Services, Health Care Financing Administration, 42
CFR, Chapter 4, 482.24
Extract (c) Standard: Content or record. The medical record must contain information to justify admission
and continued hospitalization, support for the diagnosis, and describe the patient's progress and response
to medications and services. (1) All entries must be legible and complete, and must be authenticated
and dated promptly by the person (identified by name and discipline) who is responsible for ordering,
providing, or evaluating the service furnished.
Citation Condition of Participation: Medical Records Services, Health Care Financing Administration, 42
CFR, Chapter 4, 482.24
Extract (i) The author of each entry must be identified and must authenticate his or her entry.
Citation "Federal Rules of Evidence" Article VIII. Historical Notes and Commentary
Extract The element of unusual reliability of business records is sa ID variously to be supplied by
systematic checking, by regularity and continuity which produce habits of precision, by actual
experience of business in relying upon them, or by a duty to make an accurate record as part of a
continuing job or occupation.
Citation Cross-Industry Working Team. Electronic Commerce in the NII
Pages 5.1.2
Extract Authenticity -- The system should ensure that the parties, objects, and information are real and not
fraudulent or forged. To be sure that users are negotiating and exchanging proper objects with proper
parties, the transacting parties, devices, and controlling and exchanged objects all need to be
authenticated -- that is, verified that they are who or what they claim to be and that none of the
information or objects have been illegally tampered with or modified. This requires mechanisms such as
digital signatures, passwords and biometrics, and certification hierarchies.
Citation Cross-Industry Working Team. Electronic Commerce in the NII
Pages 5.1.4
Extract Once authenticated, users need to be authorized for requested services and information. User
authorizations can be provided as a blanket binary approval or granted only under or for specified
conditions, time intervals, and/or prices. Authorizations can be provided to designated individuals or to
designated organizational representatives. Thus, it is often desirable to authorize a user in terms of her
location and organizational function/role, as well as on the basis of her individual identity.
Citation Saltman, R. Good security practices for electronic commerce, including electronic data
interchange.
Extract Specific activities must be undertaken to assure that electronic documents are authentic, are
properly authorized ...
Citation Saltman, R. Good security practices for electronic commerce, including electronic data
interchange.
Pages 21
Extract The following are basic objectives for the security of EDI transaction sets: ... 5) Recipient
authentication. The sender can verify that the intended recipient received the document.
Citation Marcella, A.J. & Chan, S. EDI security, control, and audit. 1993.
Pages 95
Extract The primary concern [for EDI] still pivots on the reliability of an electronic record and whether an
electronic record's existence and authenticity can be validated.
Citation United States. General Services Administration. Information Resources Management Service.
Electronic forms systems analysis and design. 1993.
Pages 15
Extract One of the major concerns of electronic forms system analysts is the authentication of the data or
information on electronic forms (including electronic signature in many cases). To be effective,
authentication programs must be part of an overall security program. An agency must ensure that only
persons who have a need to know and have proper delegations of authority and clearances can complete
and "sign" electronic forms.
Citation 19 USC Sec. 1484 Customs Duties Chapter 4 - Tariff Act Of 1930 Subtitle III - Administrative
Provisions Part III - Ascertainment, Collection, and Recovery of Duties Sec. 1484. Entry of
merchandise
Extract d) Signing and contents Entries shall be signed by the importer of record, or his agent, unless filed
pursuant to an electronic data interchange system. If electronically filed, each transmission of data shall
be certified by an importer of record or his agent, one of whom shall be resident in the United States for
purposes of receiving service of process, as being true and correct to the best of his knowledge and
belief, and such transmission shall be binding in the same manner and to the same extent as a signed
document. The entry shall set forth such facts in regard to the importation as the Secretary may require
and shall be accompanied by such invoices, bills of lading, certificates, and documents, or their
electronically submitted equivalents, as are required by regulation.