Analyst® Software
Laboratory Director’s Guide to Security and Regulatory Compliance
Part Number: 1008650 A June 2003
protected and any reproduction of this document or any part of this document is strictly prohibited, except as MDS Sciex may authorize in writing.
Equipment that may be described in this document is protected under one or more patents filed in the United States, Canada, and other countries. Additional patents are pending.
Software that may be described in this document is furnished under a license agreement. It is against the law to copy, modify, or distribute the software on any medium, except as specifically allowed in the license agreement. Furthermore, the license agreement may prohibit the software from being disassembled, reverse engineered, or decompiled for any purpose.
Portions of this document may make reference to other manufacturers’ products, which may contain parts that are patented and may contain parts whose names are registered as trademarks and/or function as trademarks. Any such usage is intended only to designate those manufacturers’ products as supplied by Applied Biosystems/MDS Sciex for incorporation into its equipment and does not imply any right and/or license to use or permit others to use such product names as trademarks.
All products and company names mentioned herein may be the trademarks of their respective owners.
Applied Biosystems/MDS Sciex makes no warranties or representations as to the fitness of this equipment for any particular purpose and assumes no responsibility or contingent liability, including indirect or consequential damages, for any use to which the purchaser may put the equipment described herein, or for any adverse circumstances arising therefrom.
Applied Biosystems/MDS Sciex is a joint venture between Applera Corporation and MDS Sciex, the instrument technology division of MDS Inc.
ANALYST is a registered trademark owned by Applera Corporation or its subsidiaries in the United States and certain other countries.
For Research Use Only. Not for use in diagnostic procedures.
Equipment built by MDS Sciex, a division of MDS Inc., at 71 Four Valley Dr., Concord, Ontario, Canada L4K 4V8. MDS Sciex and Applied Biosystems are ISO 9001 registered. © 2003 Edition MDS Sciex, a division of MDS Inc., and Applera Corporation, Joint Owners. All rights reserved.
Contents
Foreword . . . v
Audience . . . v
Guide Organization . . . v
Related Documentation . . . vii
Technical Support . . . vii
Chapter 1. Security and Regulatory Compliance . . . 9
Security Requirements . . . 9
Analyst and Windows Security: Working Together . . . 10
Audit Trails within Analyst and Windows . . . 12
Analyst and 21 CFR Part 11 . . . 13
Chapter 2. Windows and Analyst Security Configuration . . . 15
Security and Installation Process Overview . . . 15
Chapter 3. Windows Security . . . 19
Steps for Configuring Windows Security . . . 19
Definition of Users and Groups . . . 20
Users and Groups . . . 21
Active Directory Support . . . 22
Windows File System . . . 22
System Auditing . . . 22
Event Viewer. . . 23
File and Folder Permissions . . . 23
Alerts . . . 24
Chapter 4. Analyst Installation . . . 25
Release Notes . . . 25
Software Component Verification . . . 27
Understanding Analyst Files . . . 27
Folder Structure . . . 28
Flat Files . . . 29
Network Acquisition . . . 30
Chapter 5. Analyst Security Configuration . . . 33
Steps for Configuring Analyst Security . . . 33
Configuring Security Mode . . . 34
Acquisition Process . . . 36
Screen Lock and Auto Logout. . . 38
Configuring People and Roles . . . 40
Accessing the Analyst Software . . . 42
Configuring Project Security . . . 47
Setting Access Rights for Projects and Files . . . 49
Configuring Remote Sample Queue Monitoring . . . 54
Printing Your Security Configurations. . . 56
Chapter 6. Audit Trails . . . 57
Audit Trail Manager . . . 58
Instrument Audit Trail . . . 59
Project Audit Trail . . . 60
Changing the Audit Trail Settings . . . 61
Quantitation Audit Trail . . . 62
Changing the Results Tables Settings. . . 63
Archiving . . . 65
Electronic Mail Notification . . . 65
Enabling or Disabling Data File Checksum . . . 66
Searching Audit Trail Records . . . 66
Exploring Processing History . . . 67
Chapter 7. Data System Conversion . . . 69
Translating MassChrom Data Files to Analyst Format . . . 70
The Instrument File Generator. . . 71
The Experiment File Converter . . . 72
Foreword
This guide explains the security features of the Analyst® software and
how these features work with Windows security. It also describes how to install and configure Analyst stations. For a list of platforms supported and detailed installation instructions, please refer to the release notes included on your software installation CD.
Audience
The information contained in this guide is intended for two primary audiences:
• The Laboratory Administrator, who is concerned with the daily operation and use of the Analyst software and attached
instrumentation from a functional perspective.
• The System Administrator, who is concerned with system security and system and data integrity.
Guide Organization
This guide is organized in the chronological order in which tasks should be performed to install, configure, and administer the Analyst software.
Chapter 1—Security and Regulatory Compliance
This section provides an overview of the Analyst software security features.
Chapter 2—Windows and Analyst Security Configuration Process Overview
This section describes how the Analyst software access control and auditing components work in conjunction with Windows access control and auditing components.
Chapter 3—Windows Security Configuration
This section describes how to configure Windows security prior to installing the Analyst software. System configuration is usually performed by network administrators or people with network and local administration rights.
Chapter 4—Installing the Analyst Software
This section explains how to install the Analyst software. The Analyst software comes with an installation CD to guide you step-by-step through the installation process.
Chapter 5—Analyst Security Configuration
This section describes procedures on how to configure Analyst security. Windows Users and Groups are available to the Analyst security Configuration so that you can control access to the Analyst software.
Chapter 6—Setting up the Audit Trail
This section explains the various types of audit trails available in the Analyst software and how they are used.
Chapter 7—Data Systems Conversions
This section explains how to migrate data from the Applied
Biosystems/MDS Sciex Macintosh MassChrom software to the Analyst software.
Analyst Laboratory Director’s Guide
Related Documentation
The Analyst software comes with comprehensive online Help to assist you in the daily operation of the software. In addition, before installing the software, you should read the release notes contained on the software installation CD.
The following documentation is also available for reference:
• Analyst Operator’s Manual
• Analyst Online CD Manuals
Technical Support
• If you encounter problems configuring or using the Analyst software, consult the following documentation for assistance before contacting support:
  - Analyst online Help
  - Release notes
• If you have a technical question or request for assistance please contact Applied Biosystems/MDS Sciex support:
  - Toll Free (North America only): 1-800-831-6844
Chapter 1. Security and Regulatory Compliance
This section provides an overview of the Analyst® software security
features. The Applied Biosystems/MDS Sciex Analyst software provides the laboratory director with the following:
• Customizable administration to meet the needs of both research and regulatory requirements.
• Security and auditing tools which adhere to 21 CFR Part 11 guidelines for the use of electronic record keeping.
• Flexible and effective management of access to critical instrument functions.
• Controlled and audited access to your vital data and reports.
• Easy security management linking to Windows security.
Security Requirements
Security requirements range from relatively open environments, such as research or academic laboratories, to the most stringently regulated, such as forensic laboratories.
Laboratory monitoring agencies such as the Food and Drug
Administration (FDA) and the Environmental Protection Agency (EPA) require adherence to Good Laboratory Practices (GLP). The Analyst software supports regulated laboratory environments and assists you in
achieving GLP compliance. In particular, the Analyst software auditing and access control components are designed to help you meet the recommendations of the Code of Federal Regulations (CFR), Title 21,
Chapter I, Part 11, Electronic Records; Electronic Signatures Final Rule, for file and process security, validation, and data tracking.
This introduction will help you understand how the Analyst software incorporates several layers of security to allow the laboratory director complete control over access to the instruments and data, and the flexibility to ensure compliance at any level.
Analyst and Windows Security: Working Together
The Analyst software and the Windows New Technology File System (NTFS) both have security features designed to control system and data access. Understanding how these features work together is critical to implementing the desired level of security for data acquisition and processing.
Windows is typically used in a network environment, thus the ability to control access to systems and data is critical. Windows security
provides the first level of protection by requiring users to log on to the network by means of a unique user identity and password. This ensures that only those who are recognized by the Windows Local or Network security settings can have access to your systems. For more
information, see “Windows Security” on page 19.
The Analyst software has three progressively secure system access modes:
• Single User Mode
• Integrated Mode
• Mixed Mode
Single User Mode: This mode treats the current user that is logged onto
software functionality. Anyone who can successfully log on to
Windows on the computer will have Analyst Administrator privileges.
Note: In Single User Mode, the People and Roles tabs are not available. For more information, see “Configuring Security Mode” on page 34.
Integrated Mode: This mode allows the current user who is logged
onto Windows to have access to the Analyst software, providing that the Windows user is also someone who should have and is allowed access to the Analyst software.
Mixed Mode: This mode allows the user who is logged onto the
Analyst software to be different (or the same) as the current user who is logged onto Windows. The user logged on to the Analyst software can be assigned to a specified role in the same way as in Integrated Mode. The difference is that the user logged on to the Analyst software may be different from the user logged on to Windows. This provides the possibility of having a group login for Windows with a known password, while requiring the Analyst software user to log on to the Analyst program using a unique user name, password, and if required, domain. If you select Mixed Mode, the Screen Lock/Auto Logout feature is available for use.
Each security mode adds functionality to the previous mode, and all modes provide the administrator with the ability to configure access to project information (methods, data, and reports).
The Analyst project security configuration is tied to the Windows NTFS, therefore there is no need to set the NTFS object permissions externally. The Analyst software functionality is a subset of the
functionality available in Windows, but it allows you to manage project security directly with the Analyst software. For more information, see “Analyst Security Configuration” on page 33.
The Analyst software also provides completely configurable Analyst Roles that are distinguished from the User Groups associated with Windows. Through the use of Roles, the laboratory director can easily control access to the instrument, on a function-by-function basis. For more information, see “Configuring People and Roles” on page 40.
Audit Trails within Analyst and Windows
The auditing features within the Analyst software complement the built-in Windows auditing components. Together, they are key in the creation and management of electronic records.
The Analyst software provides a system of audit trails specifically geared towards addressing the requirements of electronic record keeping. Separate audit trails record changes to instrument parameters, maintenance, project information (methods, data, batches, and data acquisition), and results table and report generation. Electronic signatures may be applied to critical tuning, acquisition, processing, and review activities. For more information, see “Audit Trails” on page 57.
The Audit Trail Manager (ATM) module within the Analyst software allows easy configuration and review of audit trail information. The Audit Trail Manager allows record sorting, printing, searching, and processing review. The ATM may be configured to provide e-mail notification of attempted unauthorized use of the system. For more information, see “Audit Trail Manager” on page 58.
Windows maintains three audit trails, known as event logs, which capture a range of security, system, and application related events. In most cases, the auditing is designed to capture exceptional events, such as a logon failure. The administrator may configure this system to capture a wide range of events, such as access to specific files or Windows administrative activities. For more information, see “System Auditing” on page 22.
The Analyst software uses the Application Event log to capture information about the operation of the software. This log may be used as a troubleshooting aid since instrument, device, and software interactions are recorded in detail here. Windows also provides the Event Viewer tool to access the event log information.
The Analyst Security Structure diagram provides an overview of the levels of security that the Administrator can configure when installing the Analyst software.
Analyst security interaction
Analyst and 21 CFR Part 11
Electronic record keeping is generally understood to be an activity that can significantly reduce the burden associated with traditional paper records.
The Analyst software provides a secure user environment, which conforms to the 21 CFR Part 11 requirements for the creation of electronic records, with the implementation of:
• Mixed Mode and Integrated Mode Security linked to Windows
security.
• Controlled Access to Functionality through customizable roles.
• Controlled Access to Project Data on a role-by-role or group
basis.
• Electronic Signatures utilizing a combination of user ID and
password.
Within 21 CFR Part 11 there are requirements for the control of electronic records that extend beyond the domain of the Analyst software. These requirements include the distribution and control of records in a closed or open system.
As a tool for producing electronic records, the Analyst software forms a part of an overall strategy of compliance, and provides a simple, yet powerful suite of tools to ensure that records created conform to the 21 CFR Part 11 standards for electronic records in a secure GLP
Chapter 2. Windows and Analyst Security Configuration
This section describes how the Analyst® access control and auditing
components work in conjunction with Windows access control and auditing components.
Since the Analyst software works with the security, application, and system event auditing components of the Windows Administrative Tools, you must configure Windows security appropriately. After installing the Analyst software you can set Analyst security and authorizations for your system.
Security and Installation Process Overview
The following shows the workflow process for configuring the Analyst security features.
You can configure security at the following levels:
• Access to Windows.
• Access to the Analyst software.
• Selective access to the Analyst software functionality.
• Access to specific projects.
• Access to instrument station status.
The Security Configuration table indicates the options for setting the various levels of security.
Security Configuration

|  | CFR | Mid-Range | Non GLP |
|---|---|---|---|
| Windows Security |  |  |  |
| Format Drives to NTFS | Yes | Yes | Optional |
| Configure Users/Groups | Yes | Yes | Optional |
| Enable Windows Auditing, and File and Directory Auditing | Yes | Optional | Optional |
| Set File Permissions | Yes | Optional | Optional |
| Install Analyst |  |  |  |
| Install Analyst | Yes | Yes | Yes |
| Select CFR Options | Yes | Optional | No |
| Event Viewer (Inspect Install) | Yes | Yes | Yes |
| Analyst Security |  |  |  |
| Select Security Mode | Integrated or Mixed | Any | Single User |
| Add/Configure Analyst Roles and People | Yes | Yes | Optional |
| Configure Audit Trail Manager, Instrument, Project and Quantitation Audit Trails |  |  |  |
| Configure E-Mail Notification | Yes | Optional | No |
| Activate Checksum | Yes | Optional | No |
| Common Tasks |  |  |  |
| Add New Projects and Sub-Projects | Yes | Yes | Yes |
| Configure Project Audit Trail for new Projects and Sub-Projects | Yes | Optional | No |
| Transfer Existing Data | Yes | Yes | Yes |
| Maintenance: Maintenance Log for Instrument | Yes | Yes | Yes |
| Maintenance: Security, Data, Project Maintenance | Yes | Yes | Yes |
Chapter 3. Windows Security
This section describes how to configure Windows security prior to installing the Analyst® software. System configuration is usually
performed by network administrators or people with network and local administration rights.
Steps for Configuring Windows Security
In order to use the Analyst software to manage security, the Analyst Administrator must have the right to change permissions for the project folder and all the subfolders. If the root directory is on a local computer, then the Analyst Administrator could be part of the local administrators group. Only the Analyst user who manages security must be in the local administrators group.
In order for the Analyst software to work well, users should be part of the Windows local user group. If certain users need to be able to stop the Analyst Service, this specific right can be set up without giving the user all the local administrator rights and thereby compromising local security.
If you plan to use network acquisition, the network administrator must set up Windows security so that the Analyst Administrator has the right to change permissions for the required folders. It is not recommended that local users on acquisition computers be added to a network project security folder.
For the workflow process for configuring Windows security, see the following figure, Workflow process for configuring Windows security.
Workflow process for configuring Windows security
Definition of Users and Groups
User: Any user who may log on to Windows.
Groups: Method of defining or classifying user rights by group identity
on a Windows system.
Administrators Group: A group of users with administrative rights on
the network domain(s).
Local Administrators Group: A group of users with administrative
rights on the local computer.
Analyst People: A Windows user or group of users who has been
granted rights to access and use Analyst software components.
Analyst Role: Method of defining or classifying Analyst users’ rights
by group identity for operating Analyst components and accessing Analyst files.
Active Directory: The Active Directory system allows you to allocate
and find resources on the network.
For more information on Analyst users, see “Configuring People and Roles” on page 40.
Users and Groups
The Analyst software uses the user names and passwords recorded in the primary domain controller security database or Active Directory. Passwords are managed using the tools provided with Windows. Before you configure your security requirements, you must do the following:
• Remove all unnecessary Users and User Groups such as replicator, power user, backup operator from both local and network.
• Establish User Groups with the purpose of holding non-administrative, Analyst People, and configuring system permission.
• Create suitable procedures and account policies for Users in Group Policy.
See your Windows documentation for more information on the following:
• Users and Groups and Active Directory Users.
• Password and Account Lockout Policies for User Accounts.
• User Rights Policy.
When working in an Active Directory environment, the Active Directory group policy settings affect the workstation security. Please discuss group policies with your Active Directory administrator as part of a comprehensive Analyst software deployment.
Active Directory Support
Active Directory can work in two environments, mixed and native. The Analyst security configuration window and Analyst security database allow user accounts to be specified in user principal name (UPN) format, and administrators can add new people in the Add Person/Role dialog box in UPN format.
Mixed Environment: The network is comprised of both Windows
2000 and Windows NT servers and clients.
Native Environment: The network is comprised of Windows 2000
servers and clients.
If the Analyst software starts in the mixed environment, the logon window contains the user name, password, and domain fields. If you are using a Windows NT account, you should provide all three parameters. If you are using a Windows 2000 account, you can enter your user name in UPN format, and the domain field is ignored.
If the Analyst software starts in the native environment, the domain field is not displayed, and the Analyst software accepts your user name in UPN format only. The Analyst Status window will also display your user name in UPN format.
Windows File System
The Analyst software requires that files and directories be located on a hard-disk partition formatted as the Windows New Technology File System (NTFS), which can control and audit access to Analyst files. The FAT file system cannot control or audit access to folders or files and is therefore not suitable for a secure environment.
System Auditing
Enabling system auditing can inform you of events that pose security risks and can detect security breaches. For example, auditing failed log ons to Windows can indicate attempted log ons using random
passwords. Auditing successful log ons can be used to help detect actual log ons using stolen passwords. Auditing successful and failed file writes and other processes can be used to help check for viruses. You
might want to audit successful and failed access to sensitive files, directories, and printers.
It is recommended that you only audit abnormal occurrences such as failed log on attempts, attempts to access sensitive data, and changes to security settings.
It is suggested that you customize the event logs as follows:
• Set appropriate event log size.
• Set automatic overwrite of old events.
It is also recommended that you set Windows computer security settings. Additionally, you might want to implement a process of review and archival. For more information regarding security settings and audit policies, refer to your Windows documentation.
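The settings recommended in this section can be reviewed from a script. The following PowerShell is an added example, not part of the original guide or the Analyst software; it assumes a current Windows release (where a failed logon is Security event 4625), an English-language `auditpol`, and an elevated prompt.

```powershell
# Added example (not from the Analyst guide). Assumptions: Windows Vista /
# Server 2008 or later, where a failed logon is Security event 4625, an
# English-language auditpol, and an elevated prompt to read the Security log.

function Get-LogonAuditSetting {
    # auditpol /r emits CSV; "Inclusion Setting" reads e.g. "Failure",
    # "Success and Failure" or "No Auditing".
    $row = auditpol /get /subcategory:"Logon" /r |
        Where-Object { $_ } | ConvertFrom-Csv | Select-Object -First 1
    [pscustomobject]@{
        Subcategory   = $row.Subcategory
        Setting       = $row.'Inclusion Setting'
        AuditsFailure = ($row.'Inclusion Setting' -match 'Failure')
    }
}

function Get-EventLogPolicy {
    # Reports the two items the guide asks you to customize:
    # event log size and whether old events are overwritten.
    param([string[]]$LogName = @('Security', 'System', 'Application'))
    foreach ($name in $LogName) {
        $log = Get-WinEvent -ListLog $name
        [pscustomobject]@{
            Log       = $log.LogName
            MaxSizeMB = [math]::Round($log.MaximumSizeInBytes / 1MB, 1)
            # Circular = old events are overwritten; Retain/AutoBackup = they are kept
            Overwrite = ($log.LogMode -eq 'Circular')
            Records   = $log.RecordCount
        }
    }
}

function Get-FailedLogonSummary {
    # Groups failed logons by target account so that repeated failures
    # (the "random passwords" case in the text) stand out.
    param([int]$Hours = 24, [int]$Threshold = 5)
    $filter = @{
        LogName   = 'Security'
        Id        = 4625
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Read the named fields from the event XML rather than by position.
            $data = @{}
            foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) {
                $data[$d.Name] = $d.'#text'
            }
            [pscustomobject]@{
                Account = '{0}\{1}' -f $data['TargetDomainName'], $data['TargetUserName']
                Source  = $data['IpAddress']
            }
        } |
        Group-Object Account |
        Where-Object { $_.Count -ge $Threshold } |
        Sort-Object Count -Descending |
        Select-Object Count, Name
}

Get-LogonAuditSetting
Get-EventLogPolicy
Get-FailedLogonSummary -Hours 24 -Threshold 5
```

An empty result from `Get-FailedLogonSummary` means either that no account reached the threshold or that failure auditing is off, which is why `Get-LogonAuditSetting` is checked first.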
Event Viewer
You can launch the Event Viewer through the Analyst software or through Windows Administrative Tools. The Event Viewer records the audited events in the Security Log, System Log, or Application Log. Refer to your Windows documentation for information about viewing the details of audited events in the Event Log dialog box.
File and Folder Permissions
In order to manage security on a network drive, the Analyst Administrator must have the right to change permissions for the Analyst Data folder and all the subfolders. As this folder is on the network, the Analyst Administrator, by default, may not have access. Access must be set up by the network administrator.
Before selecting the events or actions that will be audited, set the permissions (or detailed permissions) for the files and folders. The permissions for folders can be applied to subfolders and/or files in the folder. Once file and folder permissions have been set, you can define the events that will be written to the Security log.
Note: You must consider the access needs of users to the drive and folder on each computer. You must configure sharing and associated permissions. For more information about file sharing, refer to the operating system documentation.
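The two prerequisites stated in this chapter (an NTFS volume, and an Analyst Administrator who can change permissions on the data folder and all its subfolders) can be checked before Analyst project security is configured. The following PowerShell is an added example, not part of the original guide or the Analyst software; the account name and path in the usage comment are constructed placeholders, and group membership is not resolved, so pass the account together with the groups it belongs to.

```powershell
# Added example (not from the Analyst guide). 'LAB\AnalystAdmin' and
# 'D:\Analyst Data' in the usage comment are constructed placeholder values.

function Test-ProjectRootSecurity {
    param(
        [Parameter(Mandatory)][string]$RootPath,
        # The administrator account plus any groups it is a member of, written
        # as they appear in ACLs. Group membership is not resolved automatically.
        [Parameter(Mandatory)][string[]]$Identity
    )
    $WRITE_DAC   = 0x40000      # FileSystemRights.ChangePermissions
    $GENERIC_ALL = 0x10000000   # generic full access, stored as-is in some ACEs
    $INHERIT_ONLY = 2           # PropagationFlags.InheritOnly

    $root = Get-Item -LiteralPath $RootPath

    # Local drives report their format; a UNC path has no DriveInfo, so the
    # file system of a network share has to be confirmed on the server.
    if ($root.FullName.StartsWith('\\')) {
        $fs = 'Unknown (network share)'
    } else {
        $fs = [System.IO.DriveInfo]::new($root.Root.FullName).DriveFormat
    }

    $folders = @($root) + @(Get-ChildItem -LiteralPath $root.FullName -Directory -Recurse)
    foreach ($folder in $folders) {
        $allow = $false
        $deny  = $false
        foreach ($rule in (Get-Acl -LiteralPath $folder.FullName).Access) {
            # Skip ACEs for other identities and ACEs that only apply to children.
            if ($Identity -notcontains $rule.IdentityReference.Value) { continue }
            if (([int]$rule.PropagationFlags -band $INHERIT_ONLY) -ne 0) { continue }

            $rights = [int]$rule.FileSystemRights
            if (($rights -band $WRITE_DAC) -or ($rights -band $GENERIC_ALL)) {
                if ($rule.AccessControlType -eq 'Allow') { $allow = $true }
                else { $deny = $true }
            }
        }
        [pscustomobject]@{
            Folder               = $folder.FullName
            FileSystem           = $fs
            # A Deny ACE takes precedence over an Allow ACE.
            CanChangePermissions = ($allow -and -not $deny)
        }
    }
}

# Usage (constructed values): list only the folders that would block
# Analyst project security management.
# Test-ProjectRootSecurity -RootPath 'D:\Analyst Data' `
#     -Identity 'LAB\AnalystAdmin', 'BUILTIN\Administrators' |
#     Where-Object { $_.FileSystem -ne 'NTFS' -or -not $_.CanChangePermissions }
```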
Alerts
In the event of a system or user problem, a network message can be sent to a designated person, such as the System Administrator, on the same or another computer. For more information about creating an alert object, refer to the operating system documentation.
Chapter 4. Analyst Installation
This section explains how to install the Analyst® software. The Analyst
software comes with a software installation CD to guide you step-by-step through the installation process. Before installing the software, you should understand the difference between a processing workstation and an acquisition workstation, and then complete the appropriate installation procedure. For more information, please refer to the release notes included on your software installation CD.
Note: To install the Analyst software, you must have local
administrator privileges for the workstation on which you are installing the software.
Release Notes
Release notes are shipped with the Analyst software, and should be read before installation.
The release notes contain information related to:
• Minimum hardware requirements
• Supported devices
• Minimum software requirements
• Issues or notes
Note: The release notes can also be found on the software CD and can be read with WordPad or Adobe Acrobat Reader.
System Requirements
For minimum installation requirements, please refer to the release notes included on your software installation CD.
Installing Analyst
An acquisition workstation is used for controlling instrumentation and acquiring data. If you are setting up an acquisition workstation, you must first install the software for the National Instruments GPIB Interface Card and, if necessary, upgrade the mass spectrometer firmware as part of the installation process.
General Sequence for data processing and acquisition workstations

| Item | Comments | Processing Station | Instrument Station | Instructions |
|---|---|---|---|---|
| Install GPIB and Drivers. | Must install. | No | Yes | Release Notes |
| Install Serial Card and Drivers. | Probably need to install. | No | Optional | Release Notes |
| Install ADC and Drivers. | May need to install. | No | Optional | Release Notes |
| Install MDAC. | Must install if not previously installed. | Yes | Yes |  |
| Install Analyst/ Verify Installation. | Must install. | Yes | Yes | Release Notes. See also “Software Component Verification” on page 27. |
| Verify/ Upgrade mass spectrometer firmware. | Must complete if mass spectrometer firmware is not current. |  |  |  |
Regulated Environment Options
By default, all audit trail settings are set to off. After installation, the Analyst Administrator can change the selection in the Security Configuration module or in the Audit Trail Manager component.
Software Component Verification
After you install the Analyst software, a Software Component Verification procedure automatically checks that all the necessary software components were successfully installed and generates an installation report. This report is in the form of an event log item from Analyst Installer in the Event Viewer Application log. Verify that the installation was successful immediately after completion. There is an event log for the checksum inspection of the core installed files. For more information about checksum, see “Enabling or Disabling Data File Checksum” on page 66.
To verify Software Component Verification results
1. Click Start, point to Settings, and then click Control Panel.
2. Double-click Administrative Tools, and then double-click Event Viewer.
3. In the Tree tab, click Application Log.
4. Click Analyst Installer event. In the Event Detail message scroll down to Total files verified. Errors should read zero.
Understanding Analyst Files
When you install the Analyst software, the software creates a default directory structure to provide a consistent and logical means of accessing project files. In addition, as you create new projects, the Analyst software sets up a project directory structure automatically. The installation includes the following projects:
• API Instrument: The API Instrument project contains critical
instrument information and should not be used for routine data acquisition.
• Default: The Default project contains the default instrument configuration information used in configuring new folders.
• Example: The Example project contains information that can be used for building methods and creating batches. It also contains example data files that can be used to explore Analyst.
Folder Structure
The project hierarchy below shows the typical contents of the different subdirectories. For more information on folder structure, refer to the online Help or the Analyst Operator’s Manual.
Sample folder structure
Flat Files
Whether you acquire data locally or through network acquisition, if you have large data files or if you perform high throughput
“Flat” means these files are ordinary sequential files where data is stored byte after byte and not organized in special structures as in compound documents. Flat files are more stable and less likely to become corrupted. Since the structure is simpler, reading and writing data is more efficient, and provides problem-free transfer of large amounts of data over the network. Data in compound documents are more difficult to transmit over the network because of their structural limitations.
If the flat file format is selected for a .wiff file scan, data from every scan will be stored in separate flat files. For example, the scans of the first sample from Test.wiff will be stored in a file called
“Test.wiff.1.Scan”, the scans from the second sample will be stored in a file called “Test.wiff.2.Scan” and so on for each sample.
Network Acquisition
Network acquisition allows you to acquire data from several
instruments into network-based project folders/.wiff files that can be processed on remote workstations. This process is network-failure tolerant, thus ensuring no data is lost.
At the start of network acquisition, the Analyst software creates a temporary subfolder with the same name as the network project folder in the Wiff_Cache_Backup folder. Data is acquired in a local temporary file. A network file is created using an asynchronous process that takes place in the background. Depending on network performance and file size, the remote file is updated in near real-time.
Locally, the Analyst queue displays the acquisition into the local cache. If a local user opens a file during data acquisition, it is the cache file that is opened. The status of the remote file during acquisition is hidden from the local user. Users from other workstations are able to open network files and view updates during acquisition.
After data acquisition is completed, the Analyst software ensures that the network files were written correctly, and then deletes the temporary files. When the Analyst software starts up, it checks the contents of the Wiff_Cache_Backup folder. If temporary files are present, it means that a previous network acquisition was interrupted and the Analyst
To configure network acquisition, you must perform the following steps:
1. Set up acquisition security in Security Configuration. By default, the acquisition account is set to Client. For more information on selecting an acquisition account, see “Acquisition Process” on page 36.
2. If required, set up flat files for network acquisition.
3. Create a root directory.
4. Set the root directory.
5. Set up your projects in the root directory.
To set up flat files (optional)
1. In Configure mode, from the Tools menu, point to Settings, and then select Queue Options.
2. Select Use flat files for scan data if you want to use a split file format for acquisition.
3. Click OK.
To create a root directory
Note: To perform this procedure, you should have the requisite access rights.
1. On the Tools menu, point to Projects, and then select Create Root Directory.
2. Browse to the location where the root directory is to be created. 3. In the New text box, name the directory.
4. Click OK.
To set the root directory
1. On the Tools menu, point to Projects, and then select Set Root
Directory.
2. Browse to the location where the root directory is to be created. 3. In the Browse for Folder dialog box, browse to your created root
directory. 4. Click OK.
5 Analyst Security Configuration
This section describes how to configure Analyst® security. Windows Users and Groups are available to the Analyst Security Configuration so that you can control access to the Analyst software. You can configure security at the following levels:
• Selective access to the Analyst software functionality.
• Access to specific projects, folders, and files.
• Access to computers.
Steps for Configuring Analyst Security
Note: Any changes to the Analyst security configuration take effect after the Analyst software has been restarted.
The following diagram illustrates the general workflow process for configuring the Analyst software:
[Figure: Configuring Analyst security]
Configuring Security Mode
The Analyst security component allows you to choose a security mode, set up security for the acquisition process, and set up system lockout and auto logout.
The security modes are as follows:
• Single User Mode
• Integrated Mode
• Mixed Mode
For more information about security modes, see “Analyst and Windows Security: Working Together” on page 10.
To select the security mode
1. On the Navigation bar, under Configure, double-click Security Configuration.
The Security Configuration dialog box appears.
2. In the Security Configuration dialog box, click Advanced.
4. Click a Security Mode: Single User Mode, Mixed Mode, or Integrated Mode.
Note: Any changes to Analyst security configuration take effect after the Analyst software has been restarted.
5. Click Apply, and then click OK.
6. Restart the Analyst software.
Acquisition Process
You can set up security for the acquisition process. Client and Special Acquisition Administrator accounts are network accounts that are used for reading and/or writing data into project folders during normal acquisition, but not during tuning. It is the network administrator’s responsibility to provide access rights for network accounts.
• Client Account: Uses the same account that you use to log on to the Analyst software. In integrated mode, the user who has logged on to Windows is also logged on to the Analyst software. In mixed mode, the Windows user and the Analyst software user may be different.
• Special Acquisition Administrator Account: Used in a regulated environment. The operator must provide a user name, domain, and password for this account. Once the network administrator sets up this account, it can be used by the Analyst software to read or write data regardless of who the current Analyst software user is. This means that although the current user may not have rights to modify data in the project folder, data acquisition can still take place. Account information is stored in the registry in encrypted form.
To select an acquisition account mode
1. On the Navigation bar, under Configure, double-click Security Configuration.
The Security Configuration dialog box appears.
2. In the Security Configuration dialog box, click Advanced.
3. Click the Security tab.
4. Click an Acquisition Account option: Client Account or Special Acquisition Administration Account.
If you select Special Acquisition Administration Account, the Set Acquisition Account dialog box will open. If you are using Active Directory in the Native environment, the domain field is not visible and you can enter your username in user principal name (UPN) format.
5. If you selected Special Acquisition Administration Account, type the User name, Password, and if necessary, Domain.
7. Click Apply, and then click OK.
Screen Lock and Auto Logout
For security purposes, you can set the computer screen to lock after a defined period of inactivity. You can also set an auto logout time where the Analyst client will close after a defined period of inactivity. Screen lock and auto logout are available in Mixed Mode only.
When the screen locks, the Unlock Analyst dialog box appears. It indicates that the system has been locked and shows the user name and domain of the currently logged-on user. If the auto logout option is also set, the time remaining before the Analyst software closes is also displayed. Only the currently logged-on user, the Administrator, or the Supervisor can unlock or close the Analyst software. If the screen is not unlocked, after a defined period, the Analyst client will close and all unsaved data will be lost.
To set up screen lock and auto logout
Note: Screen lock and auto logout are only available in Mixed Mode.
1. On the Navigation bar, under Configure, double-click Security Configuration.
The Security Configuration dialog box appears.
2. In the Security Configuration dialog box, click Advanced.
3. Click the Security tab.
4. Select Screen Lock.
The Auto Logout and Wait fields are enabled.
5. In the Screen Lock Wait field, type the number of minutes to elapse before the screen locks.
6. If required, select Auto Logout, and in the Wait field, type the number of minutes to elapse before the Analyst client closes.
Once the Screen Lock time has elapsed, the Unlock Analyst dialog box appears. You have a 10-second grace period to move the mouse or press a key to clear the Unlock Analyst dialog box. Only the current user, Administrator, or Supervisor can either unlock the screen or log out the user. The Unlock Analyst dialog box also indicates the time left before you are logged out.
Important! If you are automatically logged out, the Analyst client closes and all unsaved methods, batches, or quantitation results will be lost.
7. To unlock the screen, type your password, and then click UNLOCK.
8. To log out the user, type your user name if necessary, and password, and then click LOGOUT.
Configuring People and Roles
The Analyst software limits access to people authorized to log on to the workstation and to the Analyst software, using the same user name and password for both. The Analyst software does not allow multiple logons by a single user.
Note: The People and Role tabs are not available in Single User Mode.
An Analyst Administrator can configure an Analyst Person or People from among the Users and Groups that can log on to the Windows workstation. Only an Analyst Person or People can be assigned to an Analyst Role or Roles. Only Analyst Roles can access Analyst components.
The Analyst software comes with six predefined roles that reflect typical users of the Analyst software. These roles cannot be deleted, but their rights can be modified. You can also choose to define your own Roles and configure system access depending on your own specific requirements. Access to the Analyst software is controlled by Role, not by People, although you can create roles that consist of only a single person.
A summary of the default Role privileges appears in the following table.
Analyst Roles
Role | Typical Tasks | Access
Administrator | System administration. Security configuration. | All Analyst functionality
Analyst | Oversees instrument operation. Analyzes data for use by end user. | Acquisition Method, Analyst Application, Audit Trail Manager, Compound Optimization, Explore, Hardware Configuration, Quantitation, Report Template Editor, Sample Queue, Tune, View Status
Operator | Oversees daily use of the system, including maintenance, sample organization, data gathering, and processing. | Acquisition Method, Analyst Application, Audit Trail Manager, Batch, Compound Optimization, Explore, ExpressView, Hardware Configuration, Report Template Editor, Sample Queue, Tune, View Status
End User | Provides samples. Receives processed results. Integrates results with input and output from other applications. | Acquisition Method, Analyst Application, Audit Trail Manager, Compound Optimization, Explore, ExpressView, Report Template Editor, View Status
QA Reviewer | Review data. Review audit trails. Review quantitation results. | Analyst Application, Audit Trail Manager, Quantitation, Report Template Editor, View Status
Supervisor | Unlock Analyst or log out user. | Unlock/Logout Application
Accessing the Analyst Software
Before you can assign a person or people to a specific role, you must first add the person to the Analyst software. To either add a person or people and assign them to Analyst Roles, or remove a person or people, you must be logged on as an Analyst Administrator.
Note: If you have one person assigned to a single role, and that role is to be deleted, you will be asked if you want to delete the person as well as the role.
You must also add Windows Users and/or Groups to the Analyst security database before you configure Analyst People and Role access to the Analyst software.
Note: Any changes to Analyst security configuration take effect after the Analyst software has been restarted.
To add People to Analyst
1. On the Navigation bar, under Configure, double-click Security Configuration.
The Security Configuration dialog box appears.
2. In the Security Configuration dialog box, click the People tab.
3. Click New Person.
5. Click Apply, and then click OK.
6. Proceed to “To assign People to Roles”.
To assign People to Roles
1. On the Navigation bar, under Configure, double-click Security Configuration.
2. In the Security Configuration dialog box, click the People tab.
3. In the left window, select the Person.
4. In the Available Roles window, select the required Role, and then click Add.
5. Click Apply, and then click OK.
To create a user-defined Role
1. On the Navigation bar, under Configure, double-click Security Configuration.
The Security Configuration dialog box appears.
2. In the Security Configuration dialog box, click Advanced.
3. Click the Roles tab.
4. Click New Role.
The New Role dialog box appears.
5. Type the Role Name and Description, and then click OK.
By default, a user-defined Role will have full access rights to the Analyst software. In the Access to Analyst window, a green check mark denotes system access is enabled; a red “X” denotes system access is disabled.
6. Click Apply, and then click OK.
To set access rights for a user-defined Role
1. On the Navigation bar, under Configure, double-click Security Configuration.
2. In the Security Configuration dialog box, click Advanced.
3. Click the Roles tab.
4. In the Roles window, select the Role to be configured.
5. In the Access to Analyst window, select the access requirement, and then click the Enable/Disable toggle button.
Double-click components in the Access Rights list to enable or disable access as appropriate. To configure access at a functional level, expand the components, and then double-click the functionality to enable or disable it.
6. Click Apply, and then click OK.
To delete a user-defined Role
1. On the Navigation bar, under Configure, double-click Security Configuration.
2. In the Security Configuration dialog box, click Advanced.
3. Click the Roles tab.
4. In the Roles window, select the Role to be deleted, and then click Delete.
If you have a person who is assigned to a single role, and that role is to be deleted, you will be asked if you want to delete the person as well as the role.
5. Click Yes to confirm or No to close the dialog box.
6. Click Apply, and then click OK.
To remove People from Roles
1. On the Navigation bar, under Configure, double-click Security Configuration.
2. In the Security Configuration dialog box, click the People tab.
3. In the left-hand window, select the Person.
4. In the Role(s) Selected window, select the required Role, and then click Remove.
5. Click Apply, and then click OK.
To delete People
1. On the Navigation bar, under Configure, double-click Security Configuration.
2. In the Security Configuration dialog box, click the People tab.
3. In the left window, select the Person/People to be deleted, and then click Delete.
4. Click Yes to confirm or No to close the dialog box.
5. Click Apply, and then click OK.
Configuring Project Security
You can configure access to projects and project files by People or Roles. The Analyst software organizes all Analyst files into project folders under the Analyst Data folder (except the compound database and the library search database, which are stored in the Analyst Data folder). The API Instrument folder contains information about the instrument and related instrument configurations. All other files generated while using the Analyst software will be saved in folders within the active project folder, which can be one of the project folders provided with the Analyst software or, typically, a project folder created by an operator. For more information on creating projects, refer to the online Help.
Common Analyst file types and folders are listed in the following table. The API Instrument folder has all the subdirectories, except Processing Methods and Results. Asterisked (*) subdirectories exist only in the API instrument folder. All other subfolders exist within each project folder. They may be in the project level folder or within each sub-project.
Analyst User Files
Extension | File Type | Sub-folder Name
.aasf | Acquisition script | Acquisition Scripts
.aasf | Acquisition script (supplied | Example Scripts
.ata | Audit trail archives | Project Information
.atd | Instrument audit trail data; Instrument audit trail settings; Project audit trail data; Project audit trail settings | Project Information
.dab | Acquisition batch files | Batch
.dam | Acquisition method | Acquisition Methods
.dat | Acquisition batch template | Batch\Templates
.dab | Batch | Batch
.dll | Dynamic link library | Processing Scripts
.eph | Explore processing history data | Processing Methods
.hwpf | Hardware profile | Configuration*
.ins | Instrument data calibration information | Instrument Data*
.mdb | MS Access database |
.pdf | Exported data |
.psf | Parameter settings | Parameter Settings*
.qmf | Quantitation method | Quantitation Methods
.rdb | Result table. Holds Quantitation audit trail data. | Results
.rpt | Report template | Templates; Templates\Method; Templates\Report; Templates\Workspace
.rtf | Rich text format |
.rtf | Log records from automated collection | Log
.sdb | Quantitation audit trail settings | Project Information
In the Example Project, several formats are supported for importing batch information: .mdb, .txt, .xls, and .dbf (dBASE 5 and FoxPro).
In the Security Configuration dialog box, the Projects tab displays the project directories, subdirectories, and files, and the People and Roles with access to the objects.
Using the Analyst software security configuration, you can configure access to projects and project files. You can control access by People or by Role. In addition, you can control how files exported to other workstations are accessed by operators not defined in the Analyst software security database.
To use this feature of Analyst security, you must have NTFS for your work route. If you elect not to set up project security, operator access to the project files depends on the data setup for each Windows user in NTFS. For more information, see “Windows File System” on page 22.
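Because operator access falls back to the NTFS permissions of each Windows user when project security is not set up, it is useful to see what NTFS actually grants on each project folder. The following PowerShell script is an added example, not part of the Analyst software or of this guide. The root directory path, the list of well-known SIDs treated as broad, and the Deny/Delete/Write/ReadOnly bucketing of NTFS rights are assumptions made for the example; the bucketing is not Analyst's own mapping of its NoAccess, ReadOnly, Write, and Delete rights.

```powershell
# Added example (not part of the Analyst software): report which Windows
# accounts hold NTFS rights on each project folder under an Analyst root
# directory, and flag broad groups that can change or delete project files.
# Requires Windows PowerShell 3.0 or later.
param(
    # Placeholder path: substitute the root directory set in Analyst.
    [string]$RootDirectory = 'D:\Analyst Data\Projects',
    # Assumed "too broad" principals, given as well-known SIDs so the check
    # works on localized Windows: Everyone, Authenticated Users, BUILTIN\Users.
    [string[]]$BroadSids = @('S-1-1-0', 'S-1-5-11', 'S-1-5-32-545')
)

function Get-RightsBucket {
    # Reduce one NTFS access rule to a coarse bucket (assumption of this example).
    param([System.Security.AccessControl.FileSystemAccessRule]$Rule)

    if ($Rule.AccessControlType -eq
        [System.Security.AccessControl.AccessControlType]::Deny) { return 'Deny' }

    $raw = [int]$Rule.FileSystemRights
    # Delete (0x10000), DeleteSubdirectoriesAndFiles (0x40), GENERIC_ALL (0x10000000)
    $deleteMask = 0x10000 -bor 0x40 -bor 0x10000000
    # WriteData (0x2), AppendData (0x4), GENERIC_WRITE (0x40000000)
    $writeMask = 0x2 -bor 0x4 -bor 0x40000000

    if ($raw -band $deleteMask) { return 'Delete' }
    if ($raw -band $writeMask)  { return 'Write' }
    return 'ReadOnly'
}

function Get-ProjectAclReport {
    param([string]$Root, [string[]]$Broad)

    if (-not (Test-Path -LiteralPath $Root -PathType Container)) {
        throw "Root directory not found: $Root"
    }

    # For a local drive, confirm the volume is NTFS, as the guide requires.
    $resolved = (Resolve-Path -LiteralPath $Root).ProviderPath
    $volume = [System.IO.Path]::GetPathRoot($resolved)
    if ($volume -notlike '\\*') {
        $format = (New-Object System.IO.DriveInfo($volume)).DriveFormat
        if ($format -ne 'NTFS') {
            Write-Warning "$volume is formatted as $format, not NTFS."
        }
    }

    # Assumption: each immediate subfolder of the root directory is a project.
    foreach ($project in Get-ChildItem -LiteralPath $Root -Directory) {
        $acl = Get-Acl -LiteralPath $project.FullName
        foreach ($rule in $acl.Access) {
            $bucket = Get-RightsBucket -Rule $rule
            # Resolve the account to a SID; keep the name if it cannot be resolved.
            try {
                $sid = $rule.IdentityReference.Translate(
                    [System.Security.Principal.SecurityIdentifier]).Value
            } catch {
                $sid = $rule.IdentityReference.Value
            }
            [pscustomobject]@{
                Project   = $project.Name
                Identity  = $rule.IdentityReference.Value
                Bucket    = $bucket
                Inherited = $rule.IsInherited
                # Flag broad groups that can modify or delete project data.
                Flag      = ($Broad -contains $sid) -and ($bucket -in 'Write', 'Delete')
            }
        }
    }
}

Get-ProjectAclReport -Root $RootDirectory -Broad $BroadSids |
    Sort-Object Project, Identity |
    Format-Table -AutoSize
```

Rows with Flag set to True are the entries to reconcile against the rights configured on the Projects tab.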
Setting Access Rights for Projects and Files
You can configure how users access files that are exported to computers other than the computer on which the projects, folders, and files were created. You can allow files to have a default access method, and also configure certain files to have specific access rights.
You can also set global access rights for all your Analyst files (data objects) that you export, or you can set access rights for an individual data object you select for export.
Alternatively, if you routinely compare files to see if they match, and you do not want to have access rights set for all your files, you can select a computer with which you can share files without setting any export privileges.
Analyst User Files (Continued)
Extension | File Type | Sub-folder Name
.tun | Tuning preference file | Preferences*
.txt | Text file |
.wiff | Mass spectrometry data | Tuning Cache*
.wiff | Mass spectrometry data | Data
.xls | Excel spreadsheet | Batch
To set access rights to projects and project files
1. On the Navigation bar, under Configure, double-click Security Configuration.
2. In the Security Configuration dialog box, click the Projects tab.
3. In the left window, select the folder or file for which you wish to configure access.
5. Select a Domain and an Account, or a Role.
6. Under Rights, set the access rights: NoAccess, ReadOnly, Write, or Delete.
7. Click OK.
The Person/Role and rights appear in the Access Rights window.
8. Click Apply, and then click OK.
To view or change access rights
1. On the Navigation bar, under Configure, double-click Security Configuration.
2. In the Security Configuration dialog box, click the Projects tab.
3. In the Access Rights window, select the Person/Role you want to view or change.
4. Click View/Change.
5. View or change the access rights as required.
6. If required, select Include subfolders to have access rights applied to the project’s subfolders.
7. Click OK to apply the changes or Cancel to close the dialog box.
8. Click Apply, and then click OK.
To remove a Person/Role from a project or folder
1. On the Navigation bar, under Configure, double-click Security Configuration.
2. In the Security Configuration dialog box, click the Projects tab.
3. In the Access Rights window, select the Person/Role you want to remove.
4. Click Delete.
5. Click Yes to confirm or No to close the dialog box.
6. Click Apply, and then click OK.
To set global access rights for exported files
1. On the Navigation bar, under Configure, double-click Security Configuration.
2. In the Security Configuration dialog box, click the Projects tab.
3. On the Default drop-down list, select a permission: ReadWrite, NoAccess, or ReadOnly. The default state is ReadWrite.
4. Click Apply, and then click OK.
Note: The above procedure will only affect new files created in the current security domain. The following procedure will affect existing files.
To set export access rights for an individual project file
Note: The selected access right will be applied as you create new files. You can also change access rights to existing files.
1. On the Navigation bar, under Configure, double-click Security Configuration.
2. In the Security Configuration dialog box, click the Projects tab.
3. In the project window, navigate to the specific file.
The No Access, Read Only, and Read Write access rights options are now available.
4. Click an option.
5. Click Apply, and then click OK.
To select a computer for file sharing
1. On the Navigation bar, under Configure, double-click Security Configuration.
2. In the Security Configuration dialog box, click Advanced.
3. Click the Security tab.
4. In the Select Domain area, browse to the required computer.
5. Click Apply, and then click OK.
The selected computer can now share files created on your workstation.
Configuring Remote Sample Queue Monitoring
Using Analyst security, you can set up a list of instruments whose queues you may wish to routinely monitor. This procedure describes how to configure access to an instrument through the Remote Viewers tab.
To add access to a workstation
1. On the Navigation bar, under Configure, double-click Security Configuration.
The Security Configuration dialog box appears.
2. In the Security Configuration dialog box, click the Remote Viewers tab.
3. Click Add.
4. Type the instrument station in the Name field.
If you are using Active Directory in the Native environment, the domain field is not visible and you can enter your username in user principal name (UPN) format.
5. To select a Domain and Computer, click Browse.
6. Using the Select Computers dialog box, select an instrument.
7. If desired, type location information in the Location field.
8. If desired, type a description in the Description field.
9. Click OK.
The information is displayed in the Remote Viewers tab.
10. Click Apply, and then click OK.
To remove a workstation
1. On the Navigation bar, under Configure, double-click Security Configuration.
2. In the Security Configuration dialog box, click the Remote Viewers tab.
3. In the left window, select an instrument.
4. Click Delete.
5. Click Yes to confirm or No to close the dialog box.
6. Click Apply, and then click OK.
Printing Your Security Configurations
You can print out a copy of your security configurations to keep on file as a backup.
To print your security configurations
1. On the Navigation bar, double-click Security Configuration under Configure.
6 Audit Trails
This section explains the various types of audit trails available in the Analyst® software and how they are used. The Analyst Audit Trail System records audited events from the Configure, Tune, Acquire, Explore, and Quantitate modes. Audit tracking helps ensure the integrity of data in the Analyst software files by logging changes to files, so that a third party (such as an auditor or QA reviewer) can determine the history of the data.
The Instrument Audit Trail records events associated with:
• Configuring
• Tuning
• Acquiring
The Project Audit Trail records events associated with:
• Configuring
• Tuning
• Acquiring
• Explore Processing
The Quantitation Audit Trail records events for:
• Results in the result table
Each event has a record number, a date and time stamp, user name, Analyst module, reason for the change, and description of the modification. Some events require a user to enter an electronic signature. The Instrument Audit Trail history records additions or replacements to the mass calibration table or resolution table and records entries into the Instrument Maintenance Log. The Quantitation Audit Trail history records the quantitation method and parameters, sample, and peak for later read-only reprocessing of the MS data file. The Quantitation Audit Trail history does not include sample list or window settings information.
The Project, Instrument, and Quantitation audit trails are encrypted files. All audit trail files are stored in the project directories under the Analyst Data directory.
Audit Trail Manager
The Audit Trail Manager (ATM), available on the View menu in all modes, is the user interface to the instrument, project, and quantitation audit trails generated by the Audit Trail System.
For new installations, the audit trail settings for default folder settings are set to off. Once installed, the Analyst Administrator can modify the audit trail settings for new or existing objects. During an upgrade, if an existing Analyst Data directory is used, the current audit trail settings are preserved.
Instrument Audit Trail: Enabling the Instrument Audit Trail starts auditing for instrument maintenance and changes to the instrument resolutions and mass calibrations, sample queues, and hardware profiles.
Project Audit Trail: Enabling the Project Audit Trail starts auditing for project-level events in all projects.
Quantitation Audit Trail: Enabling the Quantitation Audit Trail starts auditing for result table events in all projects.
Electronic Signatures: Enabling the use of electronic signatures allows modifications to the Analyst software files only if the user enters his ID and password.
Instrument Audit Trail
The Instrument Audit Trail (IAT) records instrument maintenance and changes to the instrument resolutions and mass calibrations, sample queues, and hardware profiles. There is only one Instrument Audit Trail.
The following events are recorded in the IAT data file.
Event | Electronic Signature required | Mode
Log on/logoff Analyst | No | N/A
Enable/Disable audit trail | Yes | Audit Trail
Enable/Disable electronic signatures | Yes | Audit Trail
Activate or deactivate a Hardware (HW) profile | No | Configure
Add an entry to the Instrument Maintenance Log | Yes | Tune
Add or replace a resolution table or mass calibration table | Yes | Tune
Submit or move a batch in the Queue | No | Acquire
Acquire a sample, reacquire or reorder samples in the Queue | |
For more information on setting the Instrument Audit Trail, refer to the online Help.
Project Audit Trail
For each project, the Project Audit Trail (PAT) records creation, modification, and deletion events for project, data, quantitation, method, batch, tuning, result table, and report template files, as well as module opening and closing and printing events. When a project is created, the audit trail settings for the project audit trail are taken from the default Project Settings Template, which may be viewed and edited through the ATM. Once a project has been created, the audit trail settings for that project can also be viewed and edited through the ATM. The following events are recorded in the PAT data file.
Event | Electronic Signature requirement | Mode
Enable/Disable audit trail | Yes | Audit Trail
Enable/Disable electronic signatures | Yes | Audit Trail
Open or close a Resolution Optimization | No | Tune
Open or close Quantitative Optimization | No | Tune
Open or close Manual Tuning | No | Tune
Open or close Acquisition Batch Editor | No | Acquire
Open or close Acquisition Method Editor | No | Acquire
Create acquisition method files | No | Acquire
Save acquisition methods with a different name or overwrite acquisition methods | Yes (By default, overwrite made available to Administrator only) | Acquire
Create batch and batch template files | No | Acquire
Create data files (including tuning data files) or add samples to data files | No | Acquire
Create quantitation method files | No | Acquire
Open or close Explore | No | Explore
Open a data file | No | Explore
Save an Explore Processing History file | Yes | Explore
Create result table files | No | Quantitate
Create report template files | No | Configure
Start printing from any mode | Yes | all
End printing includes error status, if any | No | all
Changing the Audit Trail Settings
When you create a new Analyst project, the audit trail settings for the project are copied from the default project under Audit Trail Settings Templates in the ATM. Once you have created a project, if you want to change the default Quantitation Audit Trail settings for that project, you can change the settings in the ATM.
To set the default audit trail settings for Projects
1. On the View menu, click Audit Trail Manager.
The Audit Trail Manager window appears.
2. Expand the Audit Trail Settings Templates folder, and then expand the Default subfolder.
3. Click Project Settings Template.
4. Select or clear the auditing features for the project as required.
5. Click Apply.
Depending on the auditing level for the project, you may be prompted for a reason and an electronic signature.
To view or change the audit trail settings for projects
1. On the View menu, click Audit Trail Manager.
The Audit Trail Manager window appears.
2. Expand the Audit Trail Data folder, and then expand the Projects subfolder.
3. Click the desired project.
The History tab shows the audit trail data for the project.
4. In the right pane, click the Settings tab.
5. Select or clear the auditing features for the project.
6. Click Apply.
Depending on the auditing level for the project, you may be prompted for a reason and an electronic signature.
For more information about setting the Project Audit Trail, refer to the online Help.
Quantitation Audit Trail
The audit trail for Quantitation Results Tables records the following:
• User name.
• Date and time modified.
• Category.
• Reason for the modification.
• Description of the modification, such as the points removed from a calibration, automatic and manual baseline fitting, and curve fitting changes.
The Results Tables audit trail information is stored in the History tab in the ATM. The Quantitation Audit Trail records the following changes to the results table:
Event | Electronic Signature requirement | Mode
Enable/disable the audit trail | No/Yes | Audit Trail
Clear the audit trail | Yes | Audit Trail
Enable/disable electronic signatures | No/Yes | Audit Trail
Open result table by QA Reviewer | |
The Analyst software users can create and save a results table, but they do not have permission to change Audit Trail/Electronic Signature settings; these buttons are read-only on the Quantitation tool bar.
Changing the Results Tables Settings
When a project is created, the audit trail settings for the Results Tables audit trail are taken from the default Quantitation Settings Template, which may be viewed and edited through the ATM. By default, all new results tables for the project will have the same settings. Once you create and save a results table, the default project quantitation audit trail settings are applied to that table.
If you want to set the Results Tables audit trail settings for new results tables on a per project basis, you can change the audit trail settings using the Table Settings dialog box. Current table settings can also be edited using the Table Settings>Edit option on the shortcut menu in the Results Table.
To set the default audit trail settings for the Results Tables
1. On the View menu, click Audit Trail Manager.
The Audit Trail Manager window appears.
2. Expand the Audit Trail Settings Templates folder, and then expand the Default subfolder.
3. Click Quantitation Settings Template.
Event | Electronic Signature requirement | Mode
Close result table by QA Reviewer (and add a comment if saved) | Yes | Quantitate
Create result table | No | Quantitate
Calibrate curves | Yes | Quantitate
Re-integrate peaks | Yes | Quantitate
Change integration parameters | Yes | Quantitate
Modify methods | Yes | Quantitate
Add or remove samples | Yes | Quantitate
Change sample type | Yes | Quantitate
Event Electronic Signature