Security Requirements in the Life Sciences (Biotechnical) Industry
Ian Dobson introduced new member Mike Jerbic, who is developing a liaison with the I3C
(Interoperable Informatics Infrastructure Consortium), and is contributing a presentation
on Security Regulations and Requirements for the Life Sciences (biotech I3C)
industry.
In his presentation, Mike addressed the following
areas:
- Security drivers and threats in the drug development industry
- FDA (US Food and Drug Administration) regulatory interests - food, drugs/medicines,
medical devices, biologics (vaccines, blood products), animal feed & drugs, cosmetics,
radiation-emitting devices
- the FDA moves towards a paperless environment, and the expected benefits in reduced
process time and improved information exchange & controls
- Security and Electronic Signature Standards, and security threats the FDA is concerned
to cover
- the FDA answer - 21 CFR Part 11, addressing general provisions, electronic records, and
electronic signatures. Note the differentiation between electronic signatures and digital
signatures. Mike reviewed the impacts of 21 CFR Part 11 in detail, with particular aspects
being clarified during discussion.
Mike's personal conclusions were:
- The FDA is suspicious of information submitted to it and therefore
has high standards for data authenticity/integrity and submitter
accountability
- Software is not assumed to work and must be validated for use. This
is a big issue - where to draw the line?
- People don't know what to audit. How far in the "system"
do you go to achieve who did what when?
- Non-compliant lab equipment is
and will be a problem as paper output becomes obsolete
- Other Federal agencies will follow the FDA's lead and use 21 CFR
Part 11 as a model
- System validation, especially of integrated software from
multiple vendors, remains a substantial challenge to manage
effectively
- What’s next:
- Compliance costing industry much more than anticipated
- Movement to a "risk-based" approach
- Change of leadership within the FDA – different perspectives?
- A new release of the rules and regulations sometime in the
future
Mike identified other biotech security concerns:
- Key "ordinary issues" are hard for this community to solve
- secure email, single sign-on (including integrating Kerberos with PKI).
The Open Group Security Forum can help here.
- The Life Sciences community doesn’t know what needs to be secured
- it is run by researchers, not IT practitioners
- National Security, Bioterrorism, Scientific Openness - all issues
affecting concerns over disclosure of scientific information. These
can only be effectively addressed through policies.
- "Endpoint security" - anonymous access to genomic
and other information and services
- HIPAA Security Regulations – privacy regulated. Security
"sufficient to ensure privacy"; security regulations could
come in future (45 CFR Part 142, Security and Electronic Signature
Standards; proposed rule put forward August 12 1998 - no finalization)
Mike perceives that this Life Sciences industry sector is looking for help to satisfy
their IT security requirements for conformance to all these regulatory and professional
conduct issues, and he is providing them with consultancy on it. He sees an opportunity for
us to produce a Manager's Guide on how to do information security basics for professionals
in vertical market sectors - biotech, law, etc. Such a Guide would bridge the IT security
understanding gap between our published Managers Guide to Information Security (MGIS) and
their vertical sector's business needs. This industry sector is also interested in
directories, electronic messaging/email, and architecture, so there are also potential
opportunities for collaboration in these Open Group areas of Forum activity.
Secure Mobile Architecture (SMA) Requirements
The Mobile Management Forum (MMF) has created a SMA Requirements document, which has
been made available to Security Forum members for their review and comment in preparation
for the Burlingame meeting. This joint session with the Mobile Management Forum was
intended to allow joint review of the security issues in their mobile architecture
document.
For the report for this joint session held on Thursday 14.00-15.30, see the link to the
MMF's meeting reports for that day.
Extensions to Identity Management Business Scenario
Ian Dobson reported that Martin Roe has joined the Security Forum and will contribute
extensions to the existing published Identity Management Business scenario, as a Security
Forum contribution to the joint Identity Management work program involving the Directory
Interoperability Forum, the Mobile Management Forum, and the Messaging Forum. In recent
Identity Management teleconferences, Ian and Martin have explained their objectives, and
received confirmation from the participants, led by IDM Chairman Chris Apple, that these
objectives align well with those of our joint Identity Management program.
In Martin's absence from this Burlingame meeting, Ian presented a summary of what this activity will deliver and why it
represents significant added value.
The extensions will decompose the wide range of different Identity Management related
problems and issues identified in the existing business scenario, into discrete parts,
focusing each part to be specific to end-users' business (functional) requirements that
seem to need identity management capabilities, embodying a mix of pure online identity
management, physical identification, and hybrid identification, to arrive at realistic
requirements. In keeping with the pure business requirements approach that is the essence
of business scenarios, these extensions will not presuppose that Identity
Management itself is a business requirement, and will describe business operations
that end users (individual or corporate) need or wish to achieve and why. Particular
attention will be paid to:
- the requirements of individuals who want to make available certain information about
themselves, for use by other people
- the requirements of a resource owner/holder who wants to provide a service to applicants
but wants to make business judgements on each applicant so as to decide whether they are
appropriate clients to do business with.
The draft revised business scenario will be developed in consultation and peer review
with the Identity Management joint program members, over a period leading up to end
April'03.
Managers Guide to Secure Email
Ian Dobson reported that progress on this proposed joint Managers Guide with the
Messaging Forum has been delayed due to the lead author (Russ Chung, American Eagle)
having other priorities. However, work on it, delayed since a teleconference on it in
Nov'02, is now about to resume. Russ has advised Ian that he expects to produce a draft
before the next meeting (Austin, TX, USA, 30 April - 1 May 2003).
In brief discussion, it was noted that the Secure Messaging Challenge demonstrated
successful exchange of "confidential" (strongly encrypted) email, and we must be
clear that confidentiality is not all that a reader would normally expect from a Guide
with the title "Secure". Ian will convey this expectation to Russ and the
Messaging Forum Chair and Director.
Ian will liaise with Russ to monitor progress, and will keep the Security Forum members
informed.
White Paper on Access Control
Ian Dobson advised that when he undertook this work item prior to the Boston Conference
in July 2002 he had expected to create an Access Control business scenario. However, the
members' workshop in Boston had not produced sufficient input to enable him to develop a
draft business scenario for review at the Cannes Conference (Oct 2002). Despite some
further input in the Cannes meeting, and a further teleconference (which was unsuccessful
in producing further input), there remains insufficient input to create a business
scenario.
Accordingly, he is generating a White Paper on Access Control. He expects to make this
available for review by the end of Feb'03. It follows a similar structure to that for Open
Group business scenarios, so he hopes it will form a substantial basis for future development
into one.
Security Forum Roadmap & Future Work Plans
Ian Dobson presented a summary of the Security Forum's currently planned deliverables
for 2003, and noted that visibility of these is maintained at our Web page http://www.opengroup.security/planning.htm.
The current planned deliverables are as follows:
- Technical Guide to Security Design Patterns - by March 2003.
- Business Guide to Data Privacy - by February 2003.
- Business Guide to Identity/Authentication - Q103
- Access Control White Paper - draft by February 2003
- Evaluation of opportunity for Manager's Guide on how to do information security basics
for professionals in vertical market sectors (biotech, law, etc)
- Evaluation of opportunity for Business Guide on Secure Email, based on Secure Messaging
Challenge - Q103
- Extended Identity Management business scenario Q203
- Intrusion Attack & Response Workshop Scenario White Paper - Q103
Plans for Next Meeting (Austin)
The Security Forum discussed The Open Group's proposed shape for the members meeting in
Austin, Texas, USA on 30 April - 1 May 2003, and in this light it proposes that its
contributions to the public sessions will be:
- Monday morning plenary: review of the strategy and current work plan for the Security
Forum and its cross-functional projects with other Open Group Forums - 20 minute
presentation.
- Open session of 1.5 hours, comprising a presentation with time for Q&A on the
Security Forum's new approach for Architecting Security for the Whole Enterprise, in the
context of the Boundaryless Information Flow. This presentation will incorporate use of
the TOGAF methodology, and the reference architecture and family of architectures
concepts.
We expect to use the remaining time to run working sessions on all our ongoing
projects, including the joint projects with the Real-Time Security Group on protection
profiles, the Identity Management project, and the Messaging Forum's Guide to Secure
Email.
Security Requirements in the Life Sciences (Biotechnical) Industry
Mike will manage the liaison between The Open Group and the I3C, to identify and cultivate
mutual business in the areas of IT security, directories, electronic messaging/email,
architecture, and certification, and will call on the relevant Open Group Forum Directors
and Sales to support him in developing these potential business opportunities.
Secure Mobile Architecture (SMA) Requirements
Monitor development of security solutions in the mobile space
Extensions to Identity Management Business Scenario
Martin Roe to proceed with developing these extensions as planned, with appropriate review
by the Identity Management project members through regular teleconferences.
Managers Guide to Secure Email
Security Forum to monitor the ongoing work on this Guide being developed in the Messaging
Forum. Ian Dobson will convey to Guide author (Russ Chung) the Security Forum observation
that the Secure Messaging Challenge demonstrated successful exchange of
"confidential" (strongly encrypted) email, and we must be clear that
confidential email is not all that a reader would normally expect from a Guide with the
title "Secure Email".
White Paper on Access Control
Ian Dobson to deliver draft document by end Feb'03
Review of Security Forum Roadmap & Future Work Plans
Ian Dobson to update the Security Forum Web page and progress work to produce the planned
deliverables on time.