security policy question

John Brazier prunesquallor at proproco.co.uk
Tue Mar 5 17:47:37 GMT 2013


Brian essentially has it. It looks to me like someone in "management" has
been spending ill-advised money with Consultants. They've ended up trying to
somehow restrict their liabilities with regard to digital signatures.

Why don't you innocently ask the following questions:
0. What do they mean by transaction (this has a financial implication: an
agreement need not require finance)?
1. Does "personal password and code" mean the equivalent of a digital
signature? 
2. If so, to what standard - the FDA or the more than one that's floating
about in Germany?
3. If this is an electronic signature, are they willing to provide a
declaration that their entire system meets 21 CFR Part 11 (FDA: the most
common signature 'standard')?
4. How does the application of a signature work within their systems, how do
they specify a signature manifestation, and is the application of the
signature 21 CFR Part 11 compliant?

... at this point they'll either fire you or back off.

TTFN

JB


>> I have no confidence that it wouldn't be trivial for someone to get 
>> hold of my user-name and password by methods which don't involve me 
>> being irresponsible.
>> 
>> Any advice would be very helpful before I make a nuisance of myself.

Brian Morrison said:

>Do you have some sort of access token, such as a smartcard or similar?

>I have noticed that our local health centre people all have to insert their
>cards into a card reader slot on their keyboards; if this token must be
>present to process any transactions then it makes the task of keeping it
>out of other people's hands a little easier in that there is a physical
>device to protect rather than virtual authentication tokens (which will be
>just your password unless your user name is not related to your real life
>identity).

>Do you know what else is done to protect your login details? I would ask
>about this as without knowing this information it is effectively impossible
>for you to be responsible for access to systems you don't know about and
>don't control.

More information about the ukcrypto mailing list