The following is our response to a recent 21 CFR Part 11 compliance questionnaire sent to us by one of our pharmaceutical customers.

| Question | Yes | No | Comments |
|---|---|---|---|
| Is documented evidence available that adequate software development standards were followed? Can system be validated to discern altered records, i.e., by provision of audit trail, with metadata? | X | | Our software development standards are based, in part, on the guidelines put forth in "Capability Maturity Model for Software Version 1.1" developed by SEI at the Carnegie Mellon University. This document is available for customer review at any time. The CIMScan application can produce an audit trail of any user changes that could impact the monitoring and collection of data. An optional encrypted digital signature can be generated for data and audit trail files created by the system. The signature can be used by the CIMRecall facility to validate that the data has not been altered. |
| Can system generate accurate, complete copies of records in electronic and human readable form? | X | | An unlimited number of data log files can be generated by the system. Logs can also be created in external databases. Logs are typically ASCII text, tab-delimited files that can be easily imported into virtually any spreadsheet, word processor, or data analysis program. |
| Can system protect records, including attendant audit trails, and enable accurate, ready retrieval of both throughout retention period? | X | | Data and Audit Trail logs (records) are protected at the operating system level (write protection) and by the application of a digital signature that can be used to detect if the log has been altered. Any log can be recalled, displayed, and validated by CIMRecall based on the date and time the log was created. |
| Can system limit access to authorized individuals by requiring contemporaneous, bilateral identification and/or single biometric identification? | X | | The user must select his or her User ID and then enter a valid password associated with that specific ID. |
| Can system provide date and time-stamped audit trails that identify date and time of operator entries and actions, without allowing record changes to obscure previously recorded information? | X | | Audit Trails of every user action that could impact the validity of the data collected are created and maintained by the system. Each record in the audit trail contains the time the alteration was made, the ID of the operator, and what was changed (before and after). |
| Can such audit trail documentation, including metadata, be electronically retained as long as the associated records are required to be retained, in a manner that makes them available for review and copying? | X | | The date and time stamps in audit trails and data records are used to associate the two. The names of audit trail and data files contain the date that the file was created. This allows specific audit trail information to be easily linked to the data and retained for as long as the user desires. |
| Can system provide audit trails to record time sequenced activities involving establishment and modifications of system documents? | X | | Every audit trail entry is time stamped with one-second resolution. |
| For situations in which sequencing of steps or events is required, can system cause only permitted sequencing to be accepted? | X | | Typically, CIMScan is used for monitoring only. Simple scripts can, however, be used to generate control sequences that a user must follow in the execution of a task. |
| Can system provide authority checks to require that only authorized individuals can: Use system? Access the operation? Electronically sign record? Perform the operation at hand? Alter a record or Access a computer system input or output device? | X | | Each user has an ID with an associated password and privilege level. The privilege level is used to restrict access to information in the system as well as prevent unauthorized modification or data entry. |
| Can system identify and document the physical source of data input or operation instruction? | X | | User IDs can be included in log files for manually entered data and the source of all automatic data is maintained by the system in its configuration files. |
| Can system display the following information in association with each signature: printed name of signer, date and time signature was executed, meaning associated with each signature? | X | | Every data log can have an associated test information file that can contain summary information about the process being monitored or activity being performed. This file can contain one or more signature entries including the user's ID, Name, time stamp, and any necessary notes. Like all other data files, the Test Information file can be protected with a digital signature. |
| Can the above information be recorded and the records accessed in electronic and human readable form throughout the retention period? | X | | Test information files are simple ASCII text and can be recalled and displayed by almost anything. |
| Can system require bilateral use of password plus User ID for initial (unique) identification, followed by identification that employs either password or User ID for subsequent signing within the same session? | X | | Users are required to log onto the system with a unique ID and password. As long as the user maintains activity on the system, his or her ID and privilege will be used. The user will be automatically logged off whenever an administrator-defined period of inactivity is detected. The user will have to log on again and give a valid password to continue. |
| Can system accommodate biometric and/or behavioral-based signatures? | X | | A barcode reader and any other external means can be used to perform the data entry required for a logon. |
| Can system link signatures to the corresponding electronic records in a manner that ensures the signatures cannot be excised, copied, or transferred to another electronic record by ordinary means? | X | | Digital signatures contain an encrypted key that is based on the data that the signature is associated with. In other words, if the data is altered, CIMRecall will detect that the digital signature is invalid. |
| Can system ensure that each identification combination of code and password is unique, cannot be duplicated, and is periodically verified, recalled, or revised? | X | | The system ensures that User IDs are unique and that a valid password and privilege level are associated with each. This information is encrypted and saved in the application's configuration file and can only be viewed and modified by the system administrator. Periodic review and modification of the security information can be easily accomplished as a customer procedure. |
| Can system provide measures that detect, display announcement, and record by audit trail attempts at unauthorized use of passwords and/or identity codes? | X | | Valid logons as well as invalid attempts are logged in the daily audit trail file. |
| Is the system sufficiently robust that it can integrate with common COTS programs, such as Microsoft Word, Excel? | X | | CIMScan easily integrates with Microsoft Word, Excel, and Access. |
| Can the system be implemented in less than a month? | X | | Simple CIMScan systems can be implemented in a few hours. More complex systems may require some number of days or even weeks, but certainly less than a month. |