Microsoft Corporation
Paragon Solutions
Acknowledgements
Finally, it is necessary to acknowledge the efforts of the Microsoft Consulting Services on the 2007 version of
this whitepaper, portions of which remain intact especially in the section that maps each part of 21 CFR Part
11 to the needed configuration step.
When building the plan it is important, first and foremost, to understand the overall capabilities of the
platform. In this case, it is important to understand that SharePoint has a plethora of capabilities in the
Enterprise Content Management (ECM) space.
[Graphic: SharePoint ECM workloads]
Foundational ECM: Document Management, Records Management, Web Content Management, Rich Media Management, Document Output, Human Centric Workflow, E-Mail Archiving*
Supplemental ECM (Embrace and Extend Workloads with Partners): Physical Records Management, Business Process Management, Scanning and Capture, Archiving and Library Services, Industry Specific Solutions, Transactional Content Management
Matching the Foundational ECM capabilities in SharePoint is the plethora of partners
that embrace and extend the SharePoint platform. These include vendors that provide out-of-the-box Part
11 and GxP compliance, vendors that provide capabilities for scientists through electronic lab notebooks and
LIMS systems, even vendors that provide manufacturing and plant floor monitoring capabilities – all on
SharePoint. These are in addition to the workloads listed in the graphic above.
For the purposes of Part 11 compliance, we will be looking at the features that Microsoft categorizes as
Records Management. For planning Records Management systems, the implementer will need to factor in a
couple of key considerations:
Managed Metadata and the Taxonomy Term Store provide more flexibility to the end user as well as the
system administrator when it comes to Metadata. Users are no longer simply consigned to setting the
metadata through dialog boxes at upload time, but can actually set the metadata for a document during the
authoring process. Similarly, content managers have the ability to manage the metadata, through
hierarchical means, and propagate those terms throughout a site collection.
Policies and workflow are central to configuring SharePoint 2010 for compliance with any regulation. In this
whitepaper we will discuss at length the use of workflow for electronic and digital signatures, as well as the
use of policies to determine which documents need signatures.
Given those key considerations, the balance of this document will be split into two parts:
a. Utilize a Use Case methodology so the document can be used to provide guidance for
your own validation efforts
b. Provide the architecture to support the Use Cases
There is another use case allowed for in Part 11, namely Biometric based signatures. While the combination
of Windows 7, Active Directory and hardware manufacturers provide for this capability which can be
extended to SharePoint, it is so uncommon a method of authentication and signature that it won’t be dealt
with in this context.
o Set permissions on the content-type so that regulated documents cannot have the version
history changed or versioned documents modified
Create a customized page that captures the username and password for the electronic signature
o Twelve lines of source code (provided) are used to call the LDAP store to authenticate the
signature before storing it with the record.
o The source code for authentication is added to the SharePoint Designer page created for
the signature workflow.
Note: This system details use of an optional embedding of the signature into the Word Document, providing
a visible record in the document itself of the signature process.
View the documents currently in process and the workflow status of each document
o Set the Document Version History settings which turns on audit trails.
Each signing user will:
Navigate from their project page to the document management library for that project
View the documents currently in process and the workflow status of each document
o Set permissions on the content-type so that regulated documents cannot have the version
history changed
View the documents currently in process and the workflow status of each document
The ability to provide detailed OQ reports when used with the systems management provided
through Microsoft Systems Center Operations Manager.
The ability to provide Network Access Protection which enforces health requirements by monitoring
and assessing the health of client computers when they attempt to connect or communicate on a
network. Client computers that are not in compliance with the health policy can be provided
restricted network access until their configuration is updated and brought into compliance with
policy.
The concept of server roles allows server administrators to quickly and easily configure any
Windows-based server to run a specific set of tasks and remove extraneous OS code from system
overhead. Windows Server 2008 R2 further extends this model with support for more roles and a
broadening of current role support. The Server Core installation option is important to mention
here as it only includes necessary components for running applications such as SharePoint.
In SharePoint 2010 this is configured through the Information Rights Management (IRM) screen which can
be applied at the document library or document library template level.
AD CS (Active Directory Certificate Services) is a role in Windows Server that provides an integrated public key infrastructure (PKI) that enables
capabilities such as digital signatures, strong authentication, and secure communications.
These certificates when used in conjunction with Office 2010 provide the ability to sign Microsoft Office
documents which are compliant with the XML-DSig and XAdES standards for digital signatures. Since
XAdES forms the basis of other standards such as SAFE BioPharma, this system can be integrated into a SAFE-
compliant system in a fairly straightforward manner.
What is XAdES?
XAdES (XML Advanced Electronic Signatures) is a set of tiered extensions to XML-DSig, the levels of which
build upon the previous to provide more and more reliable digital signatures.
By implementing XAdES, Office complies with the European Union Advanced Electronic Signature Criteria in
Directive 1999/93/EC as well as a new Brazilian government directive which defines XAdES as the accepted
standard for digital signing in Brazil.
Office 2010 can create different levels of XAdES signatures on top of XML-DSig signatures:
Once everything is configured, you can just create signatures like you normally would. A timestamp from a
trusted timestamp server extends the life of your signature, because even after the certificate expires, the
timestamp proves that the certificate had not expired at the time of signing. As a result, time stamping
protects against certificate expiration, and if the certificate was revoked after the signature was applied, the
signature is still valid.
ADFS and SharePoint together accomplish this by using SAML 2.0 standard claims-based authentication and
security. Once the ADFS servers of two organizations are “pointed” at each other through a simple
configuration, end users from both organizations are free to collaborate, participate in workflow and even
execute electronic or digital signatures in both organizations' SharePoint sites.
As the business intelligence platform, it is a comprehensive platform for business intelligence that includes
enhanced reporting, deeper and more powerful analysis, rich data modeling, master data management
capabilities, and full integration with Microsoft Office.
Microsoft SQL Server 2008 R2 also provides the database and business intelligence platform for SharePoint
2010. This “better together” capability means that not only does SQL Server store the objects and
configurations of SharePoint, but it also provides on-demand and self-service business intelligence, list
generation and PowerPivot capabilities.
SharePoint Designer
SharePoint Designer is the mechanism that IT Professionals and Power Users can use to create workflows,
design custom pages and other tasks that are not available in the SharePoint interface itself.
[Architecture diagram: SharePoint 2010 (Document Mgmt, Records Mgmt, Policy Mgmt, Workflow, Electronic & Digital Signature Workflow) together with Rights Management Services, Certificate Services and FAST Enterprise Search]
While the overall architectural components are important, it is also key to identify proper organization, sizing
of the server farm, navigation and other concepts. Those elements are largely outside the scope of this
document.
For information on the concepts of sizing, navigation and geographical distribution, please visit
http://msdn.microsoft.com as well as http://www.microsoft.com/itshowcase for best practice information on
SharePoint implementation on an enterprise scale.
Database Security
21 CFR 11.10(d) notes that access to IT applications must be limited to authorized individuals. In addition to
internal safeguards built into a computerized system, external safeguards and policies should be put in place
to ensure that access to the computerized system and to the data is restricted to authorized personnel. Staff
should be kept thoroughly aware through training and procedures of system security measures and the
importance of limiting access to authorized personnel. Procedures and controls should be put in place to
prevent the altering, browsing, querying, or reporting of data via external software applications that do not
enter through the protective system software. IT guidelines, standard operating procedures and controls
typically ensure that access to back-end servers and applications is controlled.
There is a potential security issue where a person with elevated permissions to the WSS-Content-Database
could alter records in the database table and impact the Signed Person, Date signed, and Purpose of Signing
tables. Per typical IT operating measures, people with elevated permissions are typically authorized and
working under strict operating procedures. The likelihood of malicious changes is low. However, if someone
did alter the underlying database tables, SharePoint will not recognize these changes; hence the signature
would become invalidated.
Signer Name
Purpose of Signing
Document Status
A timer service can run to check approved documents to see if any changes were made in the WSS-Content-
Database. The encryption key is examined, and any changes noted will invalidate the document. If the
document is found to be invalid, a workflow will be invoked to send an email to the signer and/or an
administrator to note that the document has been changed by an unknown person and hence the
document is invalid.
There are other options for achieving this level of check and balance to ensure that a malicious activity at the
database level is discovered and accounted for. However, for most organizations internal IT operating
procedures preclude unauthorized access to servers and applications.
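One way such a periodic check could detect a direct edit to the signature fields, as an added example that is not the whitepaper's or SharePoint's own mechanism: it assumes an HMAC-SHA256 seal computed at signing time with a key held outside the content database. The SignatureRecord type, its field names and the sample values are hypothetical.

```csharp
using System;
using System.IO;
using System.Security.Cryptography;
using System.Text;

// Hypothetical shape of one stored signature; not a SharePoint schema.
public sealed class SignatureRecord
{
    public string DocumentId;
    public string SignerName;
    public string PurposeOfSigning;
    public DateTime DateSignedUtc;
    public byte[] DocumentSha256; // hash of the document bytes at signing time
    public byte[] Seal;           // HMAC written at signing time
}

public static class SignatureSeal
{
    // Length-prefix every field so "ab"+"c" and "a"+"bc" cannot collide.
    private static void WriteField(BinaryWriter w, byte[] value)
    {
        w.Write(value.Length);
        w.Write(value);
    }

    private static byte[] Canonicalize(SignatureRecord r)
    {
        using (var ms = new MemoryStream())
        using (var w = new BinaryWriter(ms))
        {
            WriteField(w, Encoding.UTF8.GetBytes(r.DocumentId));
            WriteField(w, Encoding.UTF8.GetBytes(r.SignerName));
            WriteField(w, Encoding.UTF8.GetBytes(r.PurposeOfSigning));
            w.Write(r.DateSignedUtc.Ticks);
            WriteField(w, r.DocumentSha256);
            w.Flush();
            return ms.ToArray();
        }
    }

    public static byte[] Compute(SignatureRecord r, byte[] key)
    {
        using (var hmac = new HMACSHA256(key))
        {
            return hmac.ComputeHash(Canonicalize(r));
        }
    }

    // Called by the periodic job for every approved document.
    public static bool IsIntact(SignatureRecord r, byte[] key)
    {
        if (r.Seal == null) return false;
        byte[] expected = Compute(r, key);
        if (expected.Length != r.Seal.Length) return false;
        int diff = 0;
        for (int i = 0; i < expected.Length; i++)
        {
            diff |= expected[i] ^ r.Seal[i]; // compare without early exit
        }
        return diff == 0;
    }
}

public static class Program
{
    public static void Main()
    {
        // Constructed demo key. A real key must live outside the content
        // database, or anyone who can edit the tables can re-seal them.
        byte[] key = new byte[32];
        RandomNumberGenerator.Create().GetBytes(key);

        byte[] doc = Encoding.UTF8.GetBytes("constructed sample document body");
        var record = new SignatureRecord
        {
            DocumentId = "DOC-0001",
            SignerName = "CONTOSO\\jdoe",
            PurposeOfSigning = "Approval",
            DateSignedUtc = new DateTime(2010, 6, 1, 12, 0, 0, DateTimeKind.Utc),
            DocumentSha256 = SHA256.Create().ComputeHash(doc)
        };
        record.Seal = SignatureSeal.Compute(record, key);
        Console.WriteLine("after signing: intact = " + SignatureSeal.IsIntact(record, key));

        // Simulate a direct edit of the signer column in the database.
        record.SignerName = "CONTOSO\\someoneelse";
        Console.WriteLine("after table edit: intact = " + SignatureSeal.IsIntact(record, key));
    }
}
```

A record that fails IsIntact is the trigger for the notification workflow described above.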
The electronic signature will remain in the document as well as in the audit trail/version history of
that document.
Workflow can take the final electronically signed document and copy it to the records center for
final disposition and archival.
Once in the target document library, click on the Library tab in the Ribbon Bar. This brings you to the
Document Library Settings page which enables you to add the necessary columns for electronic signatures.
To add columns in the document library click Library Tools > Library > Document Library Settings >
Create columns.
Username
Purpose of Signature
Signers
This brings you to Document Library > Document Library Settings > Versioning Settings screen which
enables you to control the versioning for the document library.
Under Require content approval for submitted documents, click Yes.
Click Create major versions, or other settings as needed by your company’s policies and procedures.
Once you click Submit for the Versioning Settings screen, you will be returned to Document Library >
Document Library Settings screen.
This turns on the audit trail functionality, which allows users to view the audit trail of the system
through simple reports. In the Document Library those changes can be reflected in the document view itself
on a document by document basis.
This will launch the template editor in Microsoft Word. Click on the Insert tab in the Ribbon Bar. On the
Insert Tab, click on the Quick Parts > Document Property dialog and pull-down.
This then results in a document that has a signature line added in through metadata.
Note that this document, once signed, can be protected via Rights Management Service so that it cannot be
modified once signed, even if it is e-mailed or copied elsewhere on a thumb drive.
Once Rights Management has been set up for a SharePoint site, setting rights on any given document is as
simple as having the document inserted or created in a document library with specific rights.
Those permissions—or rights—are then inherited by all the documents in that library, or items in a list. This
means that with the appropriate rights set on the document library, as shown in this document, you have the
ability to lock down documents—with or without a formal records declaration—and prevent those
documents from being changed by those without permissions.
Once in SharePoint Designer, click on the File tab, then the Open Site button. If the site is displayed in the
Recent Sites, then click to open that site.
Once the workflow tab is open, click on the Workflows tab in the Ribbon Bar, and then click on the List
Workflow button.
To configure the workflow for the electronic signature document library, click on the appropriate document
library name in the List Workflow pull-down.
Many other federal regulations utilize electronic signatures. But 21 CFR Part 11 is the only one with a
concept of a signing password, where the user re-authenticates in order to validate the signing event. In
most other federal regulations, it is sufficient for the user to be authenticated and then, during the signing
event, simply type in their full name as evidence that they are signing the record.
Meeting the re-authentication requirement for the signing event, in this case, simply requires 12 lines of code. Creating
the signing page with all the buttons requires more code—but that can be done through other methods
besides code, including SharePoint Designer. The primary step here is attaching the authentication code to
the workflow.
The code itself is relatively straightforward. Written in C#, the basic idea of the code is to take the user's
username and password and authenticate against LDAP—this is done in the ValidateActiveDirectoryLogin
function below:
/// <summary>
/// Method to validate a user for the given credentials
/// </summary>
/// <param name="domain"></param>
/// <param name="username"></param>
/// <param name="password"></param>
/// <returns>Boolean returns true if success</returns>
Full source code for all the functions will be provided as an appendix to this whitepaper.
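One way to implement the re-authentication check described above, as an added example (not the whitepaper's own twelve lines or its appendix code): it assumes .NET's System.DirectoryServices.AccountManagement is available to the signing page. The CanSign helper and the DOMAIN\user form of sessionLogin are hypothetical.

```csharp
using System;
using System.DirectoryServices.AccountManagement;

public static class SigningReauthentication
{
    /// <summary>
    /// Re-authenticates a signer against Active Directory for a signing event.
    /// </summary>
    /// <returns>true only when the directory accepted the credentials</returns>
    public static bool ValidateActiveDirectoryLogin(string domain, string username, string password)
    {
        // An LDAP simple bind with an empty password is treated as an
        // unauthenticated bind and can appear to succeed, so an empty
        // password must never count as a valid signature.
        if (string.IsNullOrEmpty(domain) ||
            string.IsNullOrEmpty(username) ||
            string.IsNullOrEmpty(password))
        {
            return false;
        }

        try
        {
            using (var context = new PrincipalContext(ContextType.Domain, domain))
            {
                // Negotiate selects Kerberos or NTLM; Signing and Sealing
                // protect the exchange so the password is not sent in clear.
                return context.ValidateCredentials(
                    username,
                    password,
                    ContextOptions.Negotiate | ContextOptions.Signing | ContextOptions.Sealing);
            }
        }
        catch (PrincipalServerDownException)
        {
            // Fail closed: no reachable domain controller means no signature.
            return false;
        }
    }

    /// <summary>
    /// Hypothetical wrapper for the signing page. sessionLogin is the account
    /// already logged on to the site, assumed here to be in DOMAIN\user form.
    /// </summary>
    public static bool CanSign(string sessionLogin, string domain, string username, string password)
    {
        // Assumption of this example: the signature must belong to the person
        // who is logged on, so someone else's valid credentials are rejected
        // before the directory is contacted.
        string claimed = domain + "\\" + username;
        if (!string.Equals(sessionLogin, claimed, StringComparison.OrdinalIgnoreCase))
        {
            return false;
        }

        return ValidateActiveDirectoryLogin(domain, username, password);
    }
}
```

The password should be passed straight through to the directory call and never written to the signature record, the workflow history list or a log.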
Using the provided source code, the signature page appears as follows.
It is important to note that this is still an electronic signature and not a digital signature. The configuration
methods for digital signatures are provided later in the document.
To set permissions for a document library, navigate to your document library, and then click on Library >
Library Permissions.
Go to Site Actions > Site Settings > Site Collection Audit Settings
To add stage properties for a document library go to Document library settings > Information
Management Policy Settings.
The last step in the process is creating the Custom Permission Levels for Site Roles, so Versioning, Content
Approval Settings, and Workflow can’t be manipulated.
This configuration of SharePoint and workflow has all records transferred to their preferred locations via the
records retention policies based on the Signed Doc attribute. When the Document becomes approved, then
the attribute is set as a record inside the workflow.
For more information on the process of transferring signed documents to the records center, see
http://technet.microsoft.com/en-us/library/ee424395.aspx
The following columns will be added, which include the single signature columns as well as additional
columns for multiple signatures:
Username
Purpose of Signature
Date Signed
Signers
The steps for setting version history and version control are the same as for creating single electronic
signatures.
This will launch the template editor in Microsoft Word. Click on the Insert tab in the Ribbon Bar, and then
click on the Quick Parts > Document Property dialog and pull-down.
Drag and drop the fields DateSigned, DocumentStatus, PurposeOfSignature, Username and other fields
added to the document library to support electronic signatures.
Once in SharePoint Designer, click on the File tab, then the Open Site button. If the site is displayed in the
Recent Sites, then click to open that site.
Once the workflow tab is open, click on the Workflows tab in the Ribbon Bar, then click on the List
Workflow button.
In fact, SharePoint 2010 comes with an out of the box Approval Workflow called a “Collect Signatures”
workflow. This document will utilize a variant of that workflow for the Digital Signatures use case.
As with the electronic signatures, you first select the document library that will be used for the Digital
Signatures. When there, click on the Library Tools > Library tab in the Ribbon Bar. This brings you to the
Document Library Settings page which enables you to add the necessary columns for digital signatures.
The following columns will be added:
Document Status (needed for workflow processing)
Signers
In the Document Library > Document Library Settings > Advanced Settings screen click Edit Template
in the Document Template section under the Template URL: dialog.
The first step in adding a digital signature to the document is to go to the Office 2010 Backstage view by
clicking on the File tab in the Ribbon Bar. Then, under Protect Document, click on Add Digital Signature.
Once the Digital Signature is added, you’ll want to navigate to the section of the document that will contain
the signature. To insert the Signature at that location, click on the Insert tab in the Ribbon Bar, and then click
on the Signature Line drop down.
The signature block can also be a stamped signature, such as would be done for a SAFE BioPharma logo.
In signing a document, the user is prompted for “Comment” which is generally used as the ‘Purpose for
Signing’. It is also possible to create a custom signature event, such as one for SAFE BioPharma that is
located at http://www.codeplex.com/safe
Once used by the signer, the signature block appears as such:
Note that digitally signing a document also makes that document read-only. Saving the document and
making any changes invalidates and removes the signature (but not the unsigned signature block) from the
document.
In fact, as mentioned previously, SharePoint 2010 contains out of the box workflows for digital signatures, in
this case called “Collect Signatures”.
The MSDN Article used to configure this part of the document can be found at:
http://office.microsoft.com/en-us/sharepoint-server-help/use-a-collect-signatures-workflow-HA010154428.aspx
The Collect Signatures workflow is intended primarily for use in libraries and can be started only on
documents that open in Office Word 2007 or Office Excel 2007. You must have the Manage Lists permission
to add a workflow to a library or content type. In most cases, site administrators or individuals who manage
specific lists or libraries perform this task.
The availability of the workflow within a site varies, depending on where it is added:
If you add a workflow directly to a library, it is available only for documents in that library.
If you add a workflow to a list content type (an instance of a site content type that was added to a
specific library), it is available only for items of that content type in the specific library with which
that content type is associated.
If you add a workflow to a site content type, that workflow is available for any items of that content
type in every list and library to which an instance of that site content type was added. If you want a
workflow to be widely available across libraries in a site collection for items of a specific content
type, the most efficient way to achieve this result is by adding that workflow directly to a site
content type.
For a Library:
1. Open the library that contains the instance of the list content type for which you want to
add or change a workflow.
2. On the Settings menu, click the settings for the type of library that you are opening. For
example, in a document library, click Document Library Settings.
1. On the home page for the site collection, on the Site Actions menu, point to Site
Settings, and then click Modify All Site Settings.
Note: If workflows have already been added to this library or content type, this step takes
you directly to the Change Workflow Settings page, and you need to click Add a
workflow to go to the Add a Workflow page. If no workflows have been added to this
library or content type, this step takes you directly to the Add a Workflow page.
4. On the Change Workflow Settings page, click Add a workflow or click the name of the
workflow for which you want to change the settings.
2. Do one of the following:
If you are adding a workflow, on the Add a Workflow page, in the Workflow section, click the
Collect Signatures workflow template.
If you are changing the settings for a workflow, on the Change a Workflow page, change the
settings that you want to change according to the following steps.
In the Task List section, specify a tasks list to use with this workflow.
Note: You can use the default Tasks list or you can create a new one. If you use the default
Tasks list, workflow participants will be able to find and view their workflow tasks easily by
using the My Tasks view of the Tasks list.
If the tasks for this workflow will reveal sensitive or confidential data that you want to keep
separate from the general Tasks list, you should create a new tasks list.
If your organization will have numerous workflows or if workflows will involve numerous tasks,
you should create a new tasks list. In this instance, you might want to create tasks lists for each
workflow.
In the History List section, select a history list to use with this workflow. The history list
displays all of the events that occur during each instance of the workflow.
You can use the default History list or you can create a new one. If your organization will have
numerous workflows, you might want to create a separate history list for each workflow.
In the Start Options section, specify how, when, or by whom a workflow can be started.
Note: Specific options may not be available if they are not supported by the workflow
template that you selected.
Note: The Update List and Site Content Types section appears on the Add a Workflow page
only for site content types.
3. Click OK.
Before you can start a Collect Signatures workflow, you must save the document or workbook for which you
want to collect signatures to a SharePoint library for which the Collect Signatures workflow is available. You
must have at least the Edit Items permission to start a workflow. Some workflows may require that you also
have the Manage Lists permission in order to start a workflow on a document or item.
Note: If you want to ensure that workflow participants receive e-mail notifications and reminders about their
workflow tasks after you start a workflow, check with your server administrator to verify that e-mail
notifications have been enabled for your site.
1. If the library is not already open, click its name on the Quick Launch. If the name of your library
does not appear, click View All Site Content, and then click the name of your library.
2. Point to the document or workbook on which you want to start a Collect Signatures workflow, click
the arrow that appears, and then click Edit in Program Name.
3. If the document or workbook does not already contain signature lines to capture the digital
signatures that you want to collect, insert them now as described previously and repeated below. If
you add new signature lines, click the File tab, and then click Save to save your changes.
4. If the document is checked out, you must also check in the document before you start the
workflow. To check in the document, click the File tab, point to Server, and then click Check In.
5. For the user to start the workflow, click the File tab, and then click Workflows. In the Workflows
dialog box, locate the Collect Signatures workflow that you want to use, and then click Start.
6. In the Workflow Name dialog box, type the names of the people you want to sign the document
on the appropriate signers lines, or click Signer to select people from the directory service.
7. If you want to assign the signature tasks in the order in which signature lines appear in the
document, select the Request signatures in the order above, rather than all at once check box.
8. If you want other people to receive notifications (not task assignments) when the workflow is
started, type their names on the CC line, or click CC to select people and groups from the directory
service.
9. Click Start.
1. Open the file that contains the signatures that you want to view.
2. Click the File tab. The Microsoft Office Backstage view opens.
6. In the Signature pane, next to the signature name, click the down arrow and select Signature
Details.
Monitor resolution
You can view the message that indicates the file is not showing hidden content.
Subpart C
As the previous configurations demonstrate, SharePoint Server addresses authenticity, integrity and
confidentiality of electronic records through access control and permission to the records on either the
individual record level or a document library level. Administrators assign users permissions to content and records,
and those permissions limit what each user can do. Documents identified as records can be
sent to a record center for safekeeping, with access control separate from that applied while the document was
authored and reviewed.
To protect confidentiality of an electronic record, documents can be protected by Information Rights
Management (IRM) policy that could restrict users from copying or printing documents even after the
document is saved outside of the SharePoint Server.
SharePoint also addresses non-repudiation through audit trails as demonstrated. The auditable system of
records is implemented through policies which can be configured for documents and items in Office
SharePoint Server 2010 to specify which events will be audited for each Content Type or site level, via the
Information Management Policy capabilities. An audit trail is kept with a document throughout the
document and record life cycle.
In the case of Installation Qualification, the focus is on ensuring that the application is installed correctly, and
all Microsoft product generated installation logs are maintained which detail the installation as well as any
errors that may arise during the installation process.
In addition, Microsoft Systems Center can provide installation audit trails for SharePoint implementations to
ensure that all components installed properly.
Operational Qualification begins with the development methodology utilized to create the software. Most
Microsoft products, and all the products detailed in this whitepaper, adhere to the Security Development
Lifecycle methodology. This methodology, which encompasses steps traditionally employed in software
development methodology, places a particular focus on development of software that is secured by design,
in development, and through implementation. All major software releases from Microsoft, beginning with
the Office 2007 and Vista/Longhorn wave of software releases are required to go through the internal
The details of the methodology are available on MSDN as well as through published works by Steve Lipner
and Michael Howard (see the Reference section for more information).
In addition, there is a whitepaper available entitled “Mapping Microsoft Development Methodology to the
V-Model” that is available on MSDN as well.
Operational Qualification extends to the operation of the software. To that end, most Microsoft software,
and all the products detailed in this whitepaper, provide detailed error logging and troubleshooting
information that can be gained through a proper implementation of the Microsoft Systems Center
Operations Manager. In fact, any software release must include a management pack for Operations Manager
before the particular software can be released to the general public.
The details of the management pack for all relevant software are available in the References section of this
document.
Performance Qualification always includes the question, “Does the software perform to the end users’
needs?” As that question can only be answered by the implementing party, the final step in validation of the
software needs to be the development of test plans and testing of the software in the environment in which
it will be utilized. These test plans can be modeled on this whitepaper to assist with the proper configuration
of the software.
While the overall validation of the software is up to the implementing party, Microsoft has assisted in the
validation through the creation of the development methodology, implementation of management packs,
implementation of the installation logs, and development of this whitepaper to give guidance in the
configuration of the software and development of the test plans for performance qualification.
Finally, Microsoft recommends that companies periodically audit their own implementation of the software,
in order to ensure that the guidelines specified herein are applied to their production systems and are
enforced throughout.
To address validation of the individual documents, SharePoint provides auditing features to facilitate the
validation process.
As SharePoint Server is designed as an auditable system, the administrator can configure the system to audit
document creation and, specifically, document modification and deletion, among other things, so that all changes to a
document are audited. You can also extend the auditing capabilities to include additional
information such as version and workflow status.
All these capabilities related to SharePoint were demonstrated in the configurations detailed in the use cases
section of this whitepaper.
Additionally, when the documents in question are written in the Microsoft Office 2010 system, the OpenXML
file format allows the document to be accessible electronically (i.e. machine readable in XML in its
component parts) while still maintaining the ability to be viewed as a whole through Word, Excel, or
PowerPoint as appropriate. Saving the document in XML Paper Specification (XPS) format provides the best
Both XPS and OpenXML are native file formats for Office 2010 and are understood and readable by the
Windows 7 operating system as well.
Agencies and inspectors can be given read-only access to documents during the review process. Electronic
documents will be viewed either natively or in other formats via document converters or viewers.
2. Hold orders: The Records Center includes a powerful hold order system to locate records relevant
to a particular event requiring a hold order, to suspend disposition of those records for the duration
of the event, and to resume normal disposition once the event has ended.
3. Separate access controls: Records Center can give you the flexibility to specify whether users can
access any section of the Records Center, whether they can view or add items, independent of the
permissions those users have on authoring and collaboration sites.
As demonstrated, documents can be attached to a policy that defines content expiration and version control
policy.
Microsoft Office technology allows content that is outside the repository to be secured on the basis of
policies as well by using the Rights Management Server. With the 2010 system, an access control policy set
up for a SharePoint site can also be maintained for documents on the desktop. These rights also extend to
expiration, printing, forwarding, and copying, thereby ensuring a higher level of content security than has
been possible with traditional approaches.
Windows integrated (NTLM, Kerberos, or certificate) – the user is authenticated when they log on to their
computer. This is enforced by IIS.
The authentication setting is configured per web application (the container that hosts portal and
collaboration sites) through the SharePoint Central Administration application.
The following is a sample web.config file that sets up forms-based authentication and role-based access,
and denies access to unauthenticated users:
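<configuration>
  <connectionStrings>
    <add name="MySqlConnection"
      connectionString="Data Source=MySqlServer;Initial Catalog=aspnetdb;Integrated Security=SSPI;" />
  </connectionStrings>
  <system.web>
    <!-- Forms-based authentication -->
    <authentication mode="Forms">
    </authentication>
    <!-- "?" matches anonymous users: unauthenticated requests are denied -->
    <authorization>
      <deny users="?" />
    </authorization>
    <!-- Membership store: passwords are hashed and cannot be retrieved -->
    <membership defaultProvider="SqlProvider">
      <providers>
        <clear />
        <add
          name="SqlProvider"
          type="System.Web.Security.SqlMembershipProvider"
          connectionStringName="MySqlConnection"
          applicationName="MyApplication"
          enablePasswordRetrieval="false"
          enablePasswordReset="true"
          requiresQuestionAndAnswer="true"
          requiresUniqueEmail="true"
          passwordFormat="Hashed" />
      </providers>
    </membership>
    <!-- Role-based access: role names are cached in the .ASPROLES cookie -->
    <roleManager defaultProvider="SqlProvider"
      enabled="true"
      cacheRolesInCookie="true"
      cookieName=".ASPROLES"
      cookieTimeout="30"
      cookiePath="/"
      cookieRequireSSL="false"
      cookieSlidingExpiration="true">
      <providers>
        <add
          name="SqlProvider"
          type="System.Web.Security.SqlRoleProvider"
          connectionStringName="MySqlConnection"
          applicationName="MyApplication" />
      </providers>
    </roleManager>
  </system.web>
</configuration>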
After authentication, the user will also need to be assigned appropriate rights to access specific features and
contents. Details on how to configure user roles and rights are discussed in Section 11.10 (g) of this paper.
By default, objects inherit permissions from their parent (document from document library or folder,
document library from site, site from parent site).
Following are the screen shots of defining a unique permission setting for a document.
ASP.NET (which SharePoint is built on) uses the Message Authentication Code (MAC) technique to protect
key information, such as view state data and authentication tickets, to make sure that the data are not
illegally modified.
For cookie-based authentication (such as forms authentication), administrators can configure cookie timeout
parameters to be reasonably short to reduce the cookie replay security risk.
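The settings in the sample web.config and the cookie timeout guidance can be checked mechanically as part of the periodic self-audit this paper recommends. The PowerShell below is an added example, not code from the whitepaper or from Microsoft; the function name Test-FormsAuthConfig, the MaxCookieMinutes threshold, and the inline sample configuration are assumptions.

```powershell
# Constructed sample: element and attribute names follow the whitepaper's
# web.config; the forms timeout value is illustrative only.
$sample = [xml]@'
<configuration>
  <system.web>
    <authentication mode="Forms"><forms timeout="480" /></authentication>
    <authorization><deny users="?" /></authorization>
    <membership defaultProvider="SqlProvider">
      <providers>
        <add name="SqlProvider" enablePasswordRetrieval="false" passwordFormat="Hashed" />
      </providers>
    </membership>
    <roleManager enabled="true" cacheRolesInCookie="true" cookieTimeout="30" cookieRequireSSL="false" />
  </system.web>
</configuration>
'@
# Hypothetical helper; MaxCookieMinutes is an assumed site policy value.
function Test-FormsAuthConfig {
    param([Parameter(Mandatory = $true)][xml]$Config, [int]$MaxCookieMinutes = 30)
    $web = '/configuration/system.web'
    $findings = @()
    $auth = $Config.SelectSingleNode("$web/authentication")
    if ($null -eq $auth -or $auth.GetAttribute('mode') -ne 'Forms') {
        $findings += 'authentication mode is not Forms'
    }
    if ($null -eq $Config.SelectSingleNode("$web/authorization/deny[@users='?']")) {
        $findings += 'no <deny users="?"> rule, so anonymous requests are not blocked'
    }
    foreach ($p in $Config.SelectNodes("$web/membership/providers/add")) {
        $name = $p.GetAttribute('name')
        $format = $p.GetAttribute('passwordFormat')      # absent means Hashed
        if ($format -and $format -ne 'Hashed') { $findings += "provider ${name}: passwordFormat is $format" }
        if ($p.GetAttribute('enablePasswordRetrieval') -eq 'true') { $findings += "provider ${name}: password retrieval enabled" }
    }
    # Ticket cookie and (when roles are cached) role cookie: lifetime and SSL-only flag.
    $cookies = @(
        @{ Node = $Config.SelectSingleNode("$web/authentication/forms"); Label = 'forms ticket'; Timeout = 'timeout'; Ssl = 'requireSSL' },
        @{ Node = $Config.SelectSingleNode("$web/roleManager[@cacheRolesInCookie='true']"); Label = 'role cookie'; Timeout = 'cookieTimeout'; Ssl = 'cookieRequireSSL' })
    foreach ($c in $cookies) {
        if ($null -eq $c.Node) { continue }
        $raw = $c.Node.GetAttribute($c.Timeout)
        $minutes = if ($raw) { [int]$raw } else { 30 }   # ASP.NET default: 30 minutes
        if ($minutes -gt $MaxCookieMinutes) { $findings += "$($c.Label): timeout of $minutes min exceeds $MaxCookieMinutes" }
        if ($c.Node.GetAttribute($c.Ssl) -ne 'true') { $findings += "$($c.Label): cookie not restricted to SSL" }
    }
    return $findings
}

Test-FormsAuthConfig -Config $sample
```

To audit a deployed web application, load its web.config with Get-Content, cast the result to [xml], and pass that in place of $sample.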
For additional protection, Microsoft has developed Forefront Security for SharePoint, which helps businesses
protect their Microsoft Office SharePoint Server 2010 servers from viruses, unwanted files and inappropriate
content. With a layered, multiple scan engine approach, Forefront Security for SharePoint helps stop the
latest threats before they impact your business and users.
Creating a successful Records Management system starts with mapping out the organization’s records
management goals, anticipating the challenges an organization will face in making that vision a reality within
the company, and developing a policy and implementation that fits these needs. Since planning is a key to
both the policy development and solution implementation phases, it is important to outline the challenges
faced at each stage so these can be kept top of mind when working out both the organization policy plan
and implementation strategy.
At the policy planning stage, the major challenge is to devise a system that encompasses an organization’s
current records-keeping needs: content types, media types, storage requirements, business processes, and
policies. It also needs to meet present legal and audit requirements, and be extensible and flexible enough
to accommodate future content types and retention requirements. Another important goal is to enhance
information retrieval, which will help employees do their jobs more efficiently and give an organization a
competitive advantage.
In developing the policy for an organization, the challenge is to create an overarching policy document that
is comprehensive but short, easy to read, and accompanied by actionable retention schedules that can then
be put into practical use. Furthermore, the policy needs to be integrated with the organization’s other
enterprise content management policies, and be able to absorb and integrate previous record keeping
efforts.
At the implementation stage, the major challenge is to create a system that suits the organization’s
workflow, one that will actually be adopted by users and integrated into their daily activities. The
implementation must be simple enough for employees to grasp quickly, easy enough to require only a few
extra steps (or clicks), but rigorous enough to meet the organization’s overall need for record keeping.
Furthermore, any technology rollout must be manageable for the organization as a whole and must not
significantly disrupt normal business operations.
SharePoint Server 2010 includes multiple information management policy features to help an organization
manage content type as shown in Section 11.10 (c):
Document expiration
Document auditing
Document labels
How Office 2010 System and Rights Management Services (RMS) Address the Requirement
Microsoft Active Directory Rights Management Services (RMS) augments an organization’s security strategy
by providing protection of information through persistent usage policies, which remain with the information.
Content is protected with RSA 1024-bit Internet encryption and authentication so that information will be
safe in transit and will remain with the document, no matter where it goes. For example, encrypted content
stored on a lost USB drive will not be accessible and viewable to any unauthorized viewer, regardless of
location.
This information protection technology works with RMS–enabled applications to help safeguard digital
information from unauthorized use—both online and offline, inside and outside of the firewall. Record
managers and administrators can define exactly how users can use data and can place limitations on who
can open, modify, print, copy, and forward certain confidential information.
Revision and change control can be enforced through checkout and audit trail policies as discussed
previously in this document.
Office 2010 enables three use-case scenarios with the out-of-the-box digital signature functionality to
protect documents starting from their point of creation.
Authenticity & Tamper Resistance: Signing an Office document to prove that it hasn’t been
modified since it was signed. You can also view the digital certificate used to sign the document to
verify the authenticity of the document and prove that it came from a trusted individual or
organization.
Digital Signature: Signing an Office document with both a specific identity and an assertion about
why this document was signed (for example, “Approved for Publication”). This type of signature
does not print with a document and does not affect the on-page content of a document, but can
be viewed and verified with software, including Office 2010 applications.
In Document Signature: Signing an Office document in a special signature line object that visually
shows who signed the document. This feature is designed to mimic the experience of pen and ink
signatures. It is this type of signature that was created in the earlier configuration of electronic
signatures discussion.
As discussed, Office 2010 documents support digital signatures out of the box and are extensible. For digital
signature of non-Office documents, there is third-party vendor support in the marketplace.
2. The date and time when the signature was executed; and
3. The meaning (such as review, approval, responsibility, or authorship) associated with the signature.
In the case of Electronic Signatures, the signature, date and time of signature, and the signature meaning are
linked to the document through metadata that is associated with the document in SharePoint; are kept with
and linked to the document throughout the document life cycle; and can be viewed with the document in
SharePoint. As demonstrated, it is possible to integrate the metadata into the body of the document, as it
would appear in a printed version of the document, through the use of a document template that reads the
metadata from SharePoint, stores the metadata in the document as part of the OpenXML, and then allows
for display of the metadata inline in the document.
Electronic signature and approval information are stored as part of the audit trail and metadata associated
with the document. The linkage between signature and document is maintained by the server and can be
read in the document through document templates as discussed in the previous section.
Digital signature and approval information are stored as part of the audit trail and metadata associated with
the document when signed as part of a workflow.
The creation, maintenance, and authentication of the user are discussed in Section 11.300 – Controls for
Identification Codes / Passwords.
1. The certification shall be submitted in paper form and signed with a traditional handwritten
signature, to the Office of Regional Operations (HFC 100), 5600 Fishers Lane, Rockville, MD 20857.
a. Employ at least two distinct identification components such as an identification code and
password.
2. When an individual executes one or more signings not performed during a single, continuous
period of controlled system access, each signing shall be executed using all of the electronic
signature components.
4. Be administered and executed to ensure that attempted use of an individual's electronic signature
by anyone other than its genuine owner requires collaboration of two or more individuals.
A similar mechanism will need to be implemented by the authentication provider if Forms authentication is
used.
These capabilities can be extended to Digital Signatures through Active Directory and the use of Microsoft
Active Directory Certificate Manager.
Similar policies can be extended to Digital Certificates through the use of Microsoft Active Directory
Certificate Services.
Microsoft software development practices and how they map to the industry v-model
This whitepaper is available on MSDN at the Microsoft Life Sciences Developer Center
(http://msdn.microsoft.com/architecture/lifesciences).