There are many components and processes that go into building a system designed to meet compliance requirements such as ISO9001, HIPAA, FINRA, SOX, GDPR, FDA Title 21 CFR Part 11, country-specific electronic signature requirements, and others. FileHold can play a major supporting role in these sorts of compliance systems, but only when used in conjunction with good governance and operational processes.
In all compliance systems it is critical that the IT environment is controlled in a secure and auditable fashion. This starts with strictly limiting administrative control to users who are properly skilled, have been made aware of their responsibilities and, where needed, have been asked to sign supplements to their contracts covering this power. Set up appropriate audit policies in Windows to track any changes that might impact the FileHold system or its data.
Your IT governance should determine where a segregation of duties (SoD) policy is appropriate to further prevent fraud or error by any one person. An example of appropriate SoD is avoiding a situation where a Windows administrator with access to the FileHold system also has the rights to change the audit policy on that system. Another example is to ensure that the Windows administrator is not also the database administrator. While this can increase the effort needed to manage the system, it may be the only way to ensure the needs of a compliance system are met. Each organization should assess its needs and implement policy and configuration that balances the minimum requirements for compliance with keeping IT operations efficient. In many cases there will be multiple compliance systems with overlapping and unique needs.
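The two paragraphs above ask for Windows audit policies that record changes affecting the FileHold server, and for controls that keep a single administrator from silently altering those policies. The following is an added example of a minimal auditing baseline for such a server; it is not FileHold's own script or documentation. It assumes an elevated PowerShell session on the application server, and the repository path `D:\FileHoldData` is a placeholder you must replace with your actual document store location.

```powershell
# Added example, not from FileHold: baseline Windows auditing for a server hosting FileHold.
# Run from an elevated PowerShell session on the FileHold application server.

# 1. Record changes to the audit policy itself, so that tampering with auditing
#    is written to the Security log (event 4719, "System audit policy was changed").
auditpol /set /subcategory:"Audit Policy Change" /success:enable /failure:enable

# 2. Turn on file system object access auditing. On its own this logs nothing;
#    a SACL must also be placed on the folders of interest (step 4).
auditpol /set /subcategory:"File System" /success:enable /failure:enable

# 3. Record local account creation, deletion and group membership changes, which
#    is the evidence needed to show that administrative ids were not shared or altered.
auditpol /set /subcategory:"User Account Management" /success:enable /failure:enable

# 4. Add a SACL to the document repository so that writes, deletes and
#    permission or ownership changes by anyone are logged (success and failure).
$dataPath = 'D:\FileHoldData'   # placeholder: your FileHold repository path

$acl  = Get-Acl -Path $dataPath -Audit
$rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
    'Everyone',
    'Write, Delete, ChangePermissions, TakeOwnership',
    'ContainerInherit, ObjectInherit',
    'None',
    'Success, Failure')
$acl.AddAuditRule($rule)
Set-Acl -Path $dataPath -AclObject $acl

# 5. Verify the resulting state and keep the output with your compliance records.
auditpol /get /category:*
(Get-Acl -Path $dataPath -Audit).Audit
```

Reading or changing a SACL requires the "Manage auditing and security log" user right (SeSecurityPrivilege). One practical way to support the segregation of duties described above is to forward the Security log to a collector that the server's administrators cannot modify, so that a policy change made locally is still visible to the audit role.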
Each user in FileHold should have a unique user id. FileHold records every action on a document, and that record is useless if the same user id can apply to two or more people. By default FileHold installs a single user with the user id "sysadm". As soon as the basic installation and configuration of FileHold is complete, this user should be disabled and a system administration role should be assigned to one or more user ids representing identifiable persons.
Ideally, user ids with administrative rights should only be used for configuration purposes, which helps avoid human error. People who are assigned administrative user ids should also have non-administrative ids that they use in normal operations, and should log in with their administrative user id only when configuration changes are required.
The final step is to configure FileHold to meet the records management needs of the compliance system. The requirements of each compliance system should be reviewed and each requirement addressed as needed in the FileHold configuration. The following are some examples where configuration will aid in compliance.
- When the compliance system requires document approvals before documents can be consumed, enable the "hide until approved" feature on the schema.
- If the compliance requirements state that documents cannot be deleted ad hoc, ensure that no operational user is assigned a role that allows ad hoc document deletion.
- Design the library structure and document schema membership so that only appropriate users can take actions on documents.
On its own, no document management software will make you compliant with any information standard or process. You need to combine records management processes with good governance and IT operations, along with the correct configuration of your DMS.
Russ Beinder is the Director of Product Development and Professional Services at FileHold. He is an entrepreneur, a seasoned business analyst, computer technologist and a certified Project Management Professional (PMP). For the last 25 years he has used computer technology to help organizations solve business problems.