SciCord Security

Background Information

The SciCord ELN application is a Cloud-based Electronic Laboratory Notebook system. The application provides or facilitates user-security, electronic records, electronic signatures, sample management, document editing, document review, document lifecycle, and audit trails. SciCord also produces validated templates, which run on a validated core system to support specific scientific work processes. These SciCord ELN templates are customized spreadsheets that provide automation to specific work processes.

The SciCord ELN is a “Closed System” and complies with GxP standards as well as CFR 21 Part 11.

Security in SciCord encompasses multiple layers:

Password Maintenance and Security

The SciCord solution implements User identity & password maintenance by enforcing several security rules:

  • Enforces non-trivial passwords (password strength criteria are set via a configurable system-wide setting).
  • Enforces periodic change of passwords (password-expiry period is set via a configurable system-wide setting).
  • Locks the account and the screen after a certain number of invalid authentication attempts (the parameter is set via a configurable system-wide setting).

Screen Lock

The application provides a “screen-lock”-like function that challenges the User for their password after a configured period with no on-screen activity (mouse or keyboard movement).

Roles, Permissions, & Claims

The SciCord Solution implements a matrix of roles and permissions to restrict access to system functionality. SciCord provides 10 default roles, including Scientist, Supervisor, and Reviewer. Customer-specific “Custom” roles may also be defined. Each role is then assigned a set of permissions that enable activities such as document review.

SciCord also implements a claims functionality that can restrict activities at a granular level. For example, trained users are granted a “claim” indicating training has been completed. Only trained users may access an instrument or methodology.

Datacenter Security

SciCord provisions cloud services through the award-winning Microsoft Azure platform. Azure meets a broad set of international and industry-specific compliance standards, such as General Data Protection Regulation (GDPR), ISO 27001, HIPAA, FedRAMP, SOC 1 and SOC 2.

Data Encryption

All data transmitted by or stored in the SciCord Solution is encrypted (in transit and at rest).

Data Backups

  • Two physical locations
  • Incremental Daily – retained for 30 days
  • Full Weekly – retained for 4 weeks
  • Full Monthly – retained for 12 months

Data Replication

Production data is replicated to multiple physical locations to provide resiliency should one data center be compromised.

Penetration & Vulnerability Testing

SciCord routinely contracts expert third-party organizations to execute penetration tests and vulnerability scanning to manage security risks.

Archive

SciCord provides a comprehensive archive bundle for each completed document or sample. The bundles are rendered in PDF format for long-term storage and can be accessed using only a PDF reader.

Audit Trail & Electronic Signatures

A comprehensive audit trail is captured for all records created in SciCord. The audit trail details who created the record, when the record was created (server time stamp), the reason for the record, and the record source. Additionally, the record reviewer(s) are captured.