
e-Life Sciences 2010 – Enabling a Trusted Electronic Value Chain

Jacques Francoeur
VP Strategic Alliances
Proofspace, Inc.
(650) 255-6516
jacques@proofspace.com
Table of Contents

Acknowledgements ........ 3
Executive Summary ........ 4
1 The Electronic Drug Development, Approval, Marketing & Sales Value Chain ........ 5
  1.1 Electronic Value Chain Transition Pressures ........ 5
  1.2 Electronic Value Chain Overview ........ 7
    e-Supply Chain ........ 8
    e-Collaboration ........ 9
    e-Detailing ........ 9
    e-Submissions ........ 10
    e-Clinical Trials ........ 12
    Online Physician-based Initiatives ........ 14
    Online Patient-based Initiatives ........ 15
  1.3 Electronic Value Chain Challenges ........ 16
    The Electronic Risks ........ 17
    Interpretation and Differences in International Standards ........ 17
    Measuring, Verifying and Demonstrating the Electronic State ........ 18
    Absence of Legal Precedence ........ 18
    Controlling the Transition and Management Assertions ........ 19
    Enterprise-Wide e-Implementations ........ 20
  1.4 Electronic Value Chain ROI ........ 21
2 Vision and Strategy for Enterprise Risk Management ........ 22
  2.1 Vision - A Trusted Digital Enterprise ........ 22
  2.2 Strategy - Enterprise Digital Trust Management ........ 23
    2.2.1 Enterprise-Wide Strategy ........ 24
    2.2.2 Business Centric Strategy ........ 26
    2.2.3 Comprehensive Risk Management ........ 27
    2.2.4 Integrated Risk Management Strategy ........ 33
3 Enterprise Risk Management Method: The Digital Chain of Trust Methodology ........ 36
  3.1 Management & Organizational Benefits ........ 37
e-Life Sciences 2010 – Enabling a Trusted Electronic Value Chain

Acknowledgements

The knowledge embodied in this white paper represents the culmination of a long and hard journey that
could not have been realized without the support of family, friends and a number of colleagues along the
way. I wish to acknowledge the contributions of a few.

To my sister Joanne, who has always believed in me and supported my efforts since the beginning. To my
Mother and my other sisters Nicole and Helene, who have always been supportive of the choices I have
made. A very special thanks to my partner Tani Rivera, who exhibits great patience and continues to
provide support in innumerable ways. A special thanks to Frank Raimondo, a friend and colleague who
continues to provide support to realize the vision set out in this paper.

A very special thanks to Eric Leighninger, a friend and colleague who has provided encouragement and
support over the years and especially for the words he authored below and affixed his name to.

“The Digital Chain of Trust Methodology is a significant contribution to the body of work on trusted systems theory and practice.

The methodology is constructive and evidentiary in nature in that it provides a process modeling, design and evaluation framework for building systems to create, manage, and preserve trustworthy electronic forensic evidence. Such forensic evidence – the sequence of events involving who, what, when and how – is essential for audits and a posteriori analyses required as the basis for legal enforcement and adjudication of electronic business processes and practices.”

Eric Leighninger
Chief Security Architect, Allstate Insurance Company

© Jacques Remi Francoeur, 2003. All Rights Reserved Page 3 of 39



Executive Summary

The Life Sciences’ industry is undergoing fundamental changes as a result of the advent of genomics and
proteomics. Combined with the current market and regulatory conditions, Life Sciences Organizations
(LSOs) find themselves under an unprecedented set of industry, market, regulatory and competitive
pressures that are creating significant challenges to the current “way of doing business” and driving for
fundamental changes to its core business models and practices.

Currently there exist significant downward price pressures on the demand side. Price premiums are
increasingly difficult to justify and will only be acceptable for first-to-market new drugs that are not “me
too” in their benefits. The trend towards smaller target communities as a result of the transition to
genomics is driving up the number of drugs that need to be successfully brought to market. Combined with
the loss of patent protection for a number of key drugs, it will be extremely difficult to maintain revenue
levels, let alone build share value.

These factors are driving the need for a radically reduced time-to-market, a significantly lower drug
development cost and a move towards a service-based therapeutic value proposition that requires knowing
a great deal more about the customer than current norms. This cannot be achieved with the current paper-
based, manual, semi-electronic and physical-world business models and processes. Maintaining the status
quo equates to decreasing profitability and, consequently, lower shareholder value.

Accordingly, the transition to an electronic value chain is essential to the viability of the Life
Sciences’ industry and the competitiveness and profitability of LSOs.

Enabling laws providing legal effect and validity to electronic records and signatures have been enacted
around the world, effectively ensuring that a record is not discriminated against for being electronic.
Regulations driving the adoption of electronic record and signature systems for medical information
(HIPAA) and New Drug Applications (21 CFR Part 11) are in effect. Yet the transition to an electronic
value chain has been slow. Why?

This is due in large part to the difficulty and complexity of controlling and managing the business,
technical, legal and regulatory risks of transitioning to and maintaining an electronic value chain.

There is currently no enterprise-wide, multi-stakeholder and global strategy to manage the transition to an
electronic value chain and there is no integrated and comprehensive method to control and manage the
business, technical, legal and regulatory risks in making the transition from the “physical” to a more efficient
and effective “electronic” value chain.

This white paper presents such a vision and strategy, called Enterprise Digital Trust Management, and
outlines a risk mitigation and transition management method called the Digital Chain of Trust
Methodology. This vision, strategy and methodology provide benefits to C-class executives, legal
counsel and senior executives by providing confidence for making management assertions to regulators,
investors and business partners; to middle managers by enabling a controlled and measurable transition and
a risk mitigation approach that enables the effective allocation of scarce resources; and to practitioners and
internal auditors by providing a structured and automated method of performing audits. The overall
organization will benefit from more effective control over risks, lower cost-of-compliance, greater
“consistent intended performance” across the enterprise and a framework for continuous improvement.

The end result – a Life Science Organization that operates an electronic value chain that brings
new drugs to market in a significantly shorter time and lower cost while being demonstrably
trustworthy and compliant (from both legal and regulatory perspectives).


1 The Electronic Drug Development, Approval, Marketing & Sales Value Chain

The adoption of Internet-based electronic business models and channels has the potential to dramatically
reduce costs and revolutionize the speed, responsiveness, reach, efficiency, and effectiveness of each phase
of the drug research, development, approval, manufacture and commercialization value chain. A number of
credible authorities including IBM Life Sciences 1, the Tufts Center for the Study of Drug Development 2 and
Cap Gemini Ernst & Young 3 have articulated strong business cases for the need to radically change how
drugs are discovered, developed, approved, brought to market and administered to patients.

The gains require focus on delivering three main bottom-line outcomes – a shorter new drug development
cycle, from an average of 10 - 12 years to 3 - 5; a lower pre-launch total cost of development, $200 million
down from an average of $800 million; and a more effective way of understanding and leveraging the
customer relationship. For example, the Tufts CSDD analysis 4 indicates that reducing the total development
time by 50% would reduce the cost of development by 29%.

[Sidebar] An electronic drug development, approval and commercialization value chain delivers:
- a shorter drug development cycle,
- a lower pre-launch total cost of development, and
- a more effective physician and patient relationship.

Realizing these gains requires Life Science Organizations (LSOs) not only to convert their core business
models and processes to “trusted electronic equivalents,” but also to take the unique opportunity to make
improvements to processes and to consider new ways of doing business. One of the areas most critical to
the industry is forming better long-term mutually beneficial relationships with their customers – physicians
and patients. However, adopting the Internet-based electronic paradigm requires stakeholder cohesion and
integration, and creates many new legal and technical challenges that will radically change the methods of
managing risks, adhering to legal standards and maintaining regulatory compliance.

Key to meeting the challenges and delivering a superior Return on Investment (ROI) is implementing a
comprehensive and integrated enterprise-wide strategy and method to control risks that reduces uncertainty
and the cost-of-compliance. This white paper presents an enterprise vision, strategy and outlines a
methodology for making a controlled transition that will demonstrably deliver the cost reductions and
efficiency and effectiveness gains mentioned above.

1.1 Electronic Value Chain Transition Pressures

The pressures forcing the transition to an electronic value chain are significant and originate from several
sources – industry, market, competitive and regulatory, combining synergistically to create the necessary
conditions to implement changes – the adoption of electronic initiatives and ultimately an end-to-end
electronic value chain.

Industry Dynamics: The Life Sciences industry is undergoing radical changes. The advent of Genomics is
causing a trend towards smaller target communities and personalized medicine that are in turn causing
fundamental changes to the current “way of doing business.” The shift from “one size fits all” drug
treatments to targeted treatments and service-based value propositions is mandating a higher level of
knowledge of customer needs, preferences and behaviors that has already clashed with the personal
information privacy “revolution” underway around the world.

1 IBM Business Consulting Services, “Pharma 2010: The Threshold of Innovation,” Future Series.
2 Tufts Center for the Study of Drug Development, Outlook 2003.
3 INSEAD and Cap Gemini Ernst & Young, “The Quantum Shuffle – the Impact of e on the Pharmaceutical and Medical Device Industries,” 2001.
4 Tufts Center for the Study of Drug Development, Outlook 2003.


Market Expectations: In recent years a number of events have caused a significant downturn in share
values and a return to conservative business values. The pressure exerted by investors to regain share value
is higher than ever. There are no silver bullets – value must be created by the traditional business metrics of
revenue growth through increasing market share and reaching previously untapped markets and profitability
through increasing profit margins.

Competitive Pressures: Premium profit margins go to those who make it to market first with innovative
products. Follow-on “me too”-like drugs have similar development costs but do not command the same
price premiums and they have to dislodge the incumbent. It is therefore a fierce race to get to market first.
This creates significant pressures to increase business efficiency and reduce cycle times and calls for
considering new ways of doing business to increase effectiveness.

Regulatory Requirements: The emergence of industry-specific regulations is requiring the transition to
electronic information management and signature systems and to electronic business processes and
transactions. The regulations define standards of data privacy protection and security, and standards of
trustworthiness for electronic systems, processes, signatures, records and audit trails.

Some of the most significant regulations are those issued by the US Department of Health and Human
Services. They include the FDA’s 21 CFR Part 11 Electronic Records and Signatures regulation, which
governs the electronic records and signatures relied on in electronic submissions for New Drug
Applications (NDAs). Part 11 establishes the standards of security and electronic system trustworthiness
for all aspects of information and decision-making that impact or contribute to the submission
requirements for an NDA.

[Figure: the LSO at the center of four transition pressures – Industry Dynamics, Market Expectations,
Competitive Pressures and Regulatory Requirements.]

The industry must also ensure that its clinical trials comply with HIPAA. This regulation affects the
collection, use and disclosure of personally identifiable medical information during clinical trials. Under
HIPAA the health industry is transitioning to electronic records and transactions as the medium to manage
personally identifiable health information and to deliver health care services. HIPAA requires the protection
of patient data privacy and the security and integrity of information, and is backed by stringent penalties,
including imprisonment where a violation is malicious or committed for commercial gain.

For multinationals, the European Union Data Protection Directive and the European Union Electronic
Signature Directive also have to be adhered to, as regards personally identifiable health information on
Europeans and the execution of legally admissible electronic signatures, respectively. To enable a common
submission format for the US and the European Union, the Electronic Common Technical Document (e-CTD)
standard is being established to provide a common approach to meeting the US and European Union filing
requirements.


1.2 Electronic Value Chain Overview

The Internet has already delivered significant benefits to the drug development, approval, manufacture,
marketing and sales value chain, hereinafter referred to as the “e-Value Chain.”

In order to more effectively define the domain to which the enterprise risk management strategy will be
applied, it is useful to provide an overview of key domains in the e-Value Chain. The core electronic
initiatives, referred to as e-Programs, within the value chain can be divided into the seven main domains of
e-Supply Chain, e-Collaboration, e-Detailing, e-Submissions, e-Clinical Trials, and Online Physician and
Online Patient Initiatives, as illustrated in Figure 1 below. The illustration depicts the domains as
independent from one another, but they should be considered integrated and operated by an enterprise-wide
network of electronic resources. Each domain has its own set of business drivers and risks. The objective of
this paper is to describe an enterprise-wide strategy that will yield an integrated risk management approach,
delivering greater management assurance while driving a lower cost-of-compliance.

Figure 1: Electronic Value Chain (© Jacques Francoeur 2003). Value chain phases: Discovery,
Development, Manufacture, Marketing & Sales. Electronic Initiatives (e-Programs) by domain:

e-Submissions: Electronic Signature Applications; Electronic Records Management; Electronic Identity
Management; Electronic Time Management; Audit Trail Management
e-Clinical Trials: Electronic Data Capture; e-Recruitment; Remote Monitoring
e-Supply Chain: e-Procurement; e-Distribution; e-Marketplace; e-Auction
e-Collaboration: Knowledge Management; Intranet/Extranet/Wireless
e-Detailing: Sales Force Automation; Physician Relationship Management
Online Physician Initiatives: Disease Management Portal; Direct-to-Physician Marketing; Customer Service
Center; e-Prescribing
Online Patient Initiatives: Drug Specific Portal; Direct-to-Patient Marketing; Patient Relationship
Management


It is not the intent of this paper to discuss the strategies, issues and specific risks of each electronic initiative.
For this purpose the reader is referred to references made throughout the paper and the following two
sources: “Digital Strategies in the Pharmaceutical Industry” 5 and “The Quantum Shuffle – the Impact of e
on the Pharmaceutical and Medical Device Industries” 6.

The following is an overview of each of the seven main e-Value Chain domains illustrated in Figure 1
above. The e-Value Chain domains contain different logically associated e-Programs that are based on
different business models, communities of individuals, processes, workflows and transactions. However, all
e-Programs rely on a common networked information infrastructure whose risk can be managed on a
similar common basis.

e-Supply Chain

[Box: e-Supply Chain – e-Procurement, e-Distribution, e-Marketplace, e-Auction]

The e-Supply Chain covers transactions related to the procurement of goods and services that contribute
to the cost of goods sold and to the distribution and sales of the final product. Corporate Intranets are a
proven e-Supply Chain initiative delivering internal operational efficiencies between stakeholders within
the organization. Extranets extend this operational efficiency to all external participants of the
manufacturing and distribution value chain such as suppliers, distributors, Contract Research Organizations
and increasingly contract manufacturers. The Internet and web-based applications play a critical role in
tying all workflows together.

Extending beyond the enterprise, the cost of procurement can be greatly reduced and the effectiveness of
supplier relationships greatly increased through either proprietary e-Procurement initiatives such as a
corporate Extranet or public member-based initiatives such as B2B e-Marketplaces. With pre-established
relationships among certified suppliers, the mechanics of procurement according to standardized policies
and procedures can be automated. Without pre-established relationships, e-Marketplaces allow reverse
auctions to be conducted for the competitive tendering of commodity-like products that drive prices down.
However, it remains a challenge to conduct e-Auctions for highly specialized and regulated products.

“All respondents [100 Pharmaceutical executives] consistently cited the supply chain as the area where
e-implementation is most likely to bring cost benefits.” 5

On the distribution side, fears of being eliminated from the value chain (i.e., disintermediation) and
control over the customer relationship are still being played out. However, the value-point is shifting given
the increase in customer power, in particular the payee. What is certain is that LSOs must shift their focus
to owning the customer relationship, understanding the customer pain-points and how to cost effectively
provide relief without adding further encumbrances.

“We believe the relationship between distributors and manufacturers will change dramatically in the
medium term driven by who owns the customer interface.” 5

5 Leonard Lerer and Mike Piper, “Digital Strategies in the Pharmaceutical Industry,” Cap Gemini Ernst & Young, 2003.
6 INSEAD and Cap Gemini Ernst & Young, “The Quantum Shuffle – the Impact of e on the Pharmaceutical and Medical
Device Industries,” 2001.


e-Collaboration

[Box: e-Collaboration – Knowledge Management, Intranet/Extranet/Wireless]

Common to all phases of bringing a drug to market is the generation of sensitive information exchanged
between individuals who must make decisions. The efficiency and effectiveness of this process is critical to
the competitiveness of the LSO. The implementation of corporate Intranets and Extranets has greatly
enhanced the ability of employees and partners to collaborate. However, data and business information are
created and stored in independent silos, and knowledge is not being generated and leveraged. That is,
solutions and lessons learned are not made available to those who need to know, and they are not applied
consistently throughout the enterprise. This results in significant loss of value and competitive advantage.
For example, lack of awareness of the existence of specific information, together with fragmented
information sources, causes data to be regenerated, adding cost. Inaccessible historical information inhibits
learning and impairs the transformation of information into predictive and actionable knowledge.

e-Collaboration based on a foundation of knowledge management is essential to an electronic drug
development, approval, marketing and sales value chain - a tightly integrated, seamless, and near real-time
“enterprise electronic value chain” that links together all phases of the drug development cycle and all
stakeholders through a trusted distributed networked community. Information is no longer static; it is
transformed from descriptive data into dynamic information and finally into predictive knowledge that
can be acted upon to drive revenues. Confidential information and knowledge domains are generated,
captured, transmitted, preserved, secured, linked and made available to all authenticated and authorized
stakeholders. They are kept current, accurate and complete, verified for authenticity and displayed in
human readable form when and where required - facilitating e-Collaboration.

e-Collaboration is being greatly enhanced in terms of near real-time collaboration by the use of wireless
technology, which has and continues to improve dramatically in terms of available bandwidth, area
coverage and available personal devices, such as Personal Digital Assistants. However, ensuring the
confidentiality and integrity of this information over its life cycle (capture, transmission and storage)
remains a critical challenge and barrier to adoption.

e-Detailing

[Box: e-Detailing – Sales Force Automation, Physician Relationship Management]

The needs of physicians are changing in concert with the dramatic changes in the industry and the nature
of the treatment solutions. The amount and complexity of information is dramatically increasing while the
bandwidth of physicians to access and assimilate the information continues to decrease. In addition,
physicians must not only absorb the latest information but also synthesize it into knowledge they can use to
improve the quality of care of their patients.

This new reality represents a critical challenge for LSOs in general and sales agents in particular. First,
LSOs must shift their physician-facing value proposition from providing information to meeting the
increasingly sophisticated needs of the physician that are focused around specific disease management
knowledge. This will require the sales agent to have access to this information in a form that can be easily
assimilated by the physician.

“E-detailing implies web-enabling an existing (supplier-driven) process rather than addressing the basic
need, which is how to get the information a physician needs to him or her in the right place at the right
time. If this need can be met, the role of the sales force will be much more that of a relationship manager,
satisfying other needs rather than simple information requirements.” 5


Second, this new value-added proposition must use the appropriate channel(s) to reach the physician, the
sales agent being one of many possible touch-points. Others include Internet Physician-based initiatives
such as Customer Service Centers, discussed later.

Consequently, as it relates to the sales channel, Sales Force Automation needs to involve not only
increasing the efficiency of the sales function (“Automate”) but also improving the effectiveness of the
sales agent function. For this to occur, detailed knowledge of the physician’s needs, preferences and
behavioral patterns must be captured, analyzed and delivered to the agent in a way that enables the delivery
of the needed services. This is accomplished by physician-focused Customer Relationship Management,
also referred to as Physician Relationship Management, covered in the following sections.

The Internet in general is a cost-effective e-Detailing channel for all the traditional reasons: the cost of
information distribution is low, especially to hard to reach regions; a large distribution of physicians can be
reached; information can be accessed on the physician’s terms; and communication with sales agents can be
conducted via email and other more sophisticated techniques such as instant messaging and video
conferencing. The battle for the physician’s attention is extremely competitive and consequently,
establishing a value-added relationship with physicians will be critical toward getting through the noise,
drawing their attention and obtaining the desired action.

“e-Detailing will become the mainstream way of doing business. I believe in five years from now 70 per
cent of all detailing will be done electronically.” 5

Physician Relationship Management: Effective Customer Relationship Management (CRM) is key to the
formation of sustained value-added relationships with physicians, patients, or payees. The nature and extent
of information that can be captured through the Internet, such as preference and behavioral patterns, is
unparalleled and very controversial. A decade of data collection abuse involving the unauthorized tracking
and sale of personal data has resulted in significant mistrust by customers. If the main purpose of CRM is
data collection with only nominal benefits to the customer, initiatives will continue to be rejected. CRM
must not only focus on improving existing processes, such as message targeting and customer service, but
also bringing tangible value to the customer in the form of reducing information clutter and facilitating
complex decisions. However, issues of privacy, security and trust remain the main barriers to the success of
electronic “get to know your customer” practices. By bringing significant value to the customer, they will
richly reward the organization with behavioral and preference information that can be used for effective
Direct-to-Customer marketing and personalized web services.

A CRM can take on a specific “customer” focus. Physician Relationship Management is focused on
physicians as customers while Patient Relationship Management is focused on patients as customers. Given
that physicians and patients are very different types of customers with very different needs, each CRM will
manage a very distinct set of data and value propositions. CRM must also integrate and leverage
complementary initiatives, the boundaries of which are not clear, such as Disease Management Portals,
Product Specific Portals, Sales Force Automation, e-Detailing and Customer Support Centers. These are
covered in the next sections.

e-Submissions


[Box: e-Submissions – Electronic Signature Applications, Electronic Records Management, Electronic
Identity Management, Electronic Time Management, Audit Trail Management]

The New Drug Application (NDA) submission process is highly regulated and complex, as all phases of the
drug development process contribute to the documentation requirements. 21 CFR Part 11 (“Part 11”)
defines the basis upon which the FDA will consider electronic records and signatures as equivalent to paper
records and handwritten signatures, enabling the adoption of paper-free processes and the transition to
electronic NDA submissions. Part 11 defines how the life-cycle of electronic records, signatures, time
stamps and audit trails must be managed in order for an e-Submission to be considered regulatory
compliant. Although the potential for cost and time savings by the adoption of electronic submissions is
significant, the transition to Part 11 compliance should be taken as an opportunity to re-engineer workflows
and processes to improve the effectiveness and efficiency of the submission process. Implementing a closed
system (one where access is controlled by the persons responsible for the content of the records) reduces
the complexity of the compliance requirements; deploying an open system that supports a wider base of
business applications will leverage the compliance investment, delivering greater effectiveness and
efficiency gains to the enterprise and thereby increasing the ROI. The trade-off is that Part 11 subjects open
systems to additional controls (21 CFR 11.30), such as document encryption and digital signature standards,
to ensure the authenticity, integrity and confidentiality of records from the point of their creation to the
point of their receipt.

“The pharmaceutical industry is beginning to see significant operational improvements through
implementation of e. For example, companies are reporting a 40% reduction in the time it takes to move
from finishing clinical trials to submitting dossiers for regulatory approval.” 5

The ability to deliver a compliant NDA e-Submission is predicated on e-Systems that operate compliant
electronic identity, record, time, signature and audit trail management systems.

Electronic Identity Management


Reliable electronic identity management is mission critical as it is the key to keeping critical information
assets and business operations secure. Therefore, central to the trustworthy operation of all the electronic
initiatives in the e-Value Chain is the effective management of electronic identities. Effective electronic
identity management must not only authenticate in real-time the true identity of individuals and link
them to current access privileges but also capture and preserve the identities of individuals involved in
electronic transactions in order to ensure their accountability. The reliability of an electronic identity is
central to the legal admissibility and therefore the enforceability of electronic signatures and agreements.
Electronic identities must therefore be sufficiently reliable to ensure their admissibility for purposes of
accountability, dispute resolution and court adjudication.

An enterprise must manage a large number of identities across heterogeneous environments that represent
members of different communities of interest (e.g., employees, partners and customers) that have different
service requirements. The level of identity reliability, and therefore technology solution used (e.g.,
username/password versus digital certificate) for these different communities will vary depending on the
nature and risk of the application, the sensitivity of the information being accessed and the business
function. The different identity communities required by the various business units naturally drive towards a
decentralized identity management approach that creates many management and operational problems such
as isolated information silos, administrative duplication, data inconsistencies, policy and procedural conflicts
and inconsistent security standards. In order to minimize these problems and provide efficient access to
users across multiple applications and environments, identity management should be centralized according
to standard enterprise-wide policies and procedures with decisional control for provisioning and managing
identities and privileges delegated at the operational unit level. This will reduce management complexity and
duplication, thereby reducing costs and the user downtime involved in gaining access to needed information,
increasing the time focused on value-added activities. Greater consistency will allow for increased access
interoperability across the enterprise and increased responsiveness to changing, dynamic communities.


Electronic Time Management


Time is one of the most critical components of the e-Value Chain and the business it enables. Resistance to
the manipulation of time underpins the reliability of information systems, the integrity of electronic signatures
and the authenticity of information. The ability to reliably source legal time from a National Timing Authority,
synchronize networks and applications and embed time stamps in electronic records and signatures is
fundamental to the integrity, legal admissibility and regulatory compliance of the business transactions
flowing through the e-Value Chain. The reader is referred to a white paper produced by the author on this
subject – “Trusted Time – Essential to e-Business Risk Mitigation.” 7

Electronic Signature Applications


Signatures are required for many business functions such as acceptance, approval and agreement. Under 21
CFR Part 11 the FDA requires management to assert that their electronic signatures are legally equivalent to
handwritten signatures. This requirement is integral to the FDA’s definition of an electronic signature “… a
computer data compilation of any symbol… executed, adopted or authorized by an individual to be the legal equivalent of the
individual’s handwritten signature.” 8

Electronic signatures merge content and informed consent with identity and time. The trustworthiness of
an electronic signature is predicated on the reliability of the identity, information and time management
systems described above and the process used to execute the signature. The system must be able to
capture, preserve and verify the integrity of the signatory’s identity, the content of what was signed and the
time of signature. It should be noted that the admissibility of an electronic signature is dependent not only
on technology but also on a number of other factors such as sole control over the act of signing and a state
of informed consent during the act of signing. These issues are discussed in a white paper by the author
entitled “The Principles and Measurement Metrics of Electronic Agreement Admissibility.” 9

Electronic Records Management


Common to all phases of the e-Value Chain is the generation of commercially sensitive information, ranging
from R&D results (e.g., Intellectual Property) to pricing and competitive information. Creating and
maintaining information in electronic form will deliver significant paper life-cycle cost reductions, facilitate
the near real-time update, access and exchange of information and greatly reduce cycle times and response
times. However, information in electronic form creates significant risks and challenges, including ensuring
the confidentiality, restricted access and integrity of the information over its life-cycle: creation,
transmission, rendering, storage and archival.

Audit Trail Management


Accountability has become a critical enterprise requirement due to the risks of being digital. Given that the
risk of identity, information and time manipulation and unauthorized alteration may come from within the
enterprise, security measures must also apply to IT administrators and others who have access to the
information systems that manage identity, information and time.

Key to the ability to make individuals accountable is the ability to track and capture tamper-resistant audit
trails that log who accessed what, and when, in a manner that can be verified for integrity. This applies
especially to individuals who set policy and rules for identity, information and time management systems.
The need to report on who has access to what information and resources, and to demonstrate that their
access is limited to what is needed to perform their function, is not only a good security practice but also
increasingly a regulatory requirement.
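As an added illustration of the signature and audit trail requirements described in the two sections above (example code, not from this white paper or its author), the Python below records each signing event as an entry that binds the signer’s identity (who), a hash of the signed content and the meaning of the signature (what) and a time stamp (when), and chains the entries by hash so that an edited entry, a deleted entry or a consistently rewritten log can be detected. The identities, records and times are constructed, and the `when` argument stands in for a value obtained from the trusted time source.

```python
"""Tamper-evident audit trail for electronic signature events (constructed example).

Each entry binds WHO signed, WHAT was signed (content hash plus the meaning of
the signature) and WHEN (a time stamp from the trusted time source), and is
hash-chained to its predecessor so later alteration, deletion or re-ordering is
detectable. Identities, record contents and time values are constructed.
"""
from __future__ import annotations

import hashlib
import json
from dataclasses import asdict, dataclass, replace as dc_replace


def content_hash(record: bytes) -> str:
    """WHAT: fingerprint of the exact bytes that were signed."""
    return hashlib.sha256(record).hexdigest()


def _hash_fields(fields: dict) -> str:
    """Hash a canonical JSON encoding so field order cannot change the digest."""
    canonical = json.dumps(fields, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


@dataclass(frozen=True)
class AuditEntry:
    seq: int         # position in the trail
    who: str         # authenticated signer identity
    what: str        # SHA-256 of the signed record
    meaning: str     # e.g. "approval", "review", "authorship"
    when: str        # ISO 8601 UTC time stamp from the trusted time source
    prev: str        # entry_hash of the preceding entry ("" for the first)
    entry_hash: str  # hash over all the fields above


class AuditTrail:
    def __init__(self) -> None:
        self.entries: list[AuditEntry] = []

    def record_signature(self, who: str, record: bytes, meaning: str,
                         when: str) -> AuditEntry:
        # `when` must come from the trusted time source, never the client clock.
        prev = self.entries[-1].entry_hash if self.entries else ""
        fields = {"seq": len(self.entries), "who": who, "what": content_hash(record),
                  "meaning": meaning, "when": when, "prev": prev}
        entry = AuditEntry(**fields, entry_hash=_hash_fields(fields))
        self.entries.append(entry)
        return entry

    def head(self) -> str:
        """Hash of the last entry; anchor it outside the log (e.g. time-stamp it)."""
        return self.entries[-1].entry_hash if self.entries else ""


def verify_trail(entries: list[AuditEntry],
                 anchored_head: str | None = None) -> tuple[bool, int | None]:
    """Return (ok, index of first bad entry or None); recomputed hashes catch an
    edited entry, the chain catches deletion or re-ordering, and the anchored
    head catches a chain that an administrator rewrote consistently."""
    prev = ""
    for i, e in enumerate(entries):
        fields = asdict(e)
        fields.pop("entry_hash")
        if e.seq != i or e.prev != prev or _hash_fields(fields) != e.entry_hash:
            return False, i
        prev = e.entry_hash
    if anchored_head is not None and prev != anchored_head:
        return False, len(entries)
    return True, None


def verify_signed_record(entry: AuditEntry, record: bytes) -> bool:
    """Check that a record presented later is byte-for-byte what was signed."""
    return content_hash(record) == entry.what


def demo() -> dict:
    """Constructed scenario: two signatures, then three tampering attempts."""
    protocol = b"Protocol CT-0001 v3: dose 10 mg, 120 subjects"  # constructed
    trail = AuditTrail()
    e0 = trail.record_signature("jdoe", protocol, "authorship", "2003-03-01T09:00:00Z")
    e1 = trail.record_signature("asmith", protocol, "approval", "2003-03-02T14:30:00Z")
    anchored = trail.head()
    # 1. Content altered after approval: the WHAT fingerprint no longer matches.
    content_ok = verify_signed_record(e1, protocol.replace(b"10 mg", b"20 mg"))
    # 2. Administrator edits the signer name in place: entry hash mismatch at 0.
    edited = verify_trail([dc_replace(e0, who="admin"), e1], anchored)
    # 3. Administrator rebuilds the chain with a backdated approval: internally
    #    consistent, so only the externally anchored head exposes it.
    rebuilt = AuditTrail()
    rebuilt.record_signature("jdoe", protocol, "authorship", "2003-03-01T09:00:00Z")
    rebuilt.record_signature("asmith", protocol, "approval", "2003-02-28T14:30:00Z")
    return {"intact": verify_trail(trail.entries, anchored),
            "content_ok": content_ok,
            "edited": edited,
            "rebuilt_unanchored": verify_trail(rebuilt.entries),
            "rebuilt_anchored": verify_trail(rebuilt.entries, anchored)}
```

The third case is the one the Audit Trail section singles out: a log that only chains entries is still rewritable by whoever administers it, so the head hash has to be anchored somewhere that administrator cannot alter, such as a time-stamping service.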

7 “Trusted Time – Essential to e-Business Risk Mitigation,” Jacques Francoeur, March 2000.
8 FDA 21 CFR Part 11: 11.3 Definitions (7).
9 “The Principles and Measurement Metrics of Electronic Agreement Admissibility,” Jacques Francoeur, March 2003, www.trustera.com.

e-Clinical Trials

[Diagram: e-Clinical Trials – Electronic Data Capture; e-Recruitment; Remote Monitoring]

The clinical development phase is complex, rigid, currently manual, paper-based, static and therefore very resource intensive. It is one of the most costly stages in the drug development process. Consequently, it is currently a critical problem area and with the increasing number of new drug prospects targeted to smaller treatment populations, the industry will face some even greater challenges in the years to come. 10

“It has been estimated that increasing the efficiency and effectiveness of clinical trial process could reduce the total drug development costs as much as $240 million out of an average of $800M, a 30% reduction.” Tufts Center for the Study of Drug Development – Outlook 2003.

These factors are driving the need to change how clinical trials are designed and conducted. Through the adoption of the Internet and electronic technologies,11 such as Electronic Data Capture, Remote Monitoring and e-Recruitment, there are opportunities to dramatically improve the current approach and alleviate the current bottlenecks.

e-Clinical trials provide the opportunity to streamline and integrate processes to yield efficiency and
effectiveness gains. This includes reducing the resources expended on patient recruitment and tracking and
work flow logistics. Real-time feedback on trial progress allows for protocol corrections, while preserving
the statistical validity of the information, and early terminations if necessary.

The use of Electronic Data Capture (EDC) techniques and the Internet is slowly emerging to enable e-Clinical Trials. EDC can drastically improve the quality of raw data and value-added information by increasing the accuracy of the data collected, reducing data entry errors and ensuring complete data collection at the time of data entry and patient assessment.

“Nearly 90% of them [respondents] believe the process for conducting clinical trials will be radically transformed over the next five years.” 5

The immediate access to clinical trial information is essential to more informed decision making
concerning needed corrections to protocols or even cost saving benefits that can be derived from
terminating trials early. “In fact, it is estimated that quick identification of failing studies could save companies as much as
$1M per study.” 12

The Internet can be used in two ways to conduct EDC and provide immediate access to the results. The first is in a “batch” mode where the information is captured offline and downloaded to a web portal. However, this “client-side” method of Internet EDC has the disadvantages of requiring validation of the device and software and addressing local client-side problems. Another approach eliminates these disadvantages. Through the adoption of high-speed Internet connectivity, server-side EDC can be implemented. This involves maintaining the software at the server side and downloading the data to the server in near real-time as it is captured. This removes many of the client-side validation problems. Both methods dramatically improve the nature and responsiveness of the relationship between the clinical data manager and the clinical research associate, enabling the efficient resolution of data queries.

“Firms will expand their use of e-technologies to reduce the length and costs of clinical development by improving the investigator site selection process, reducing delays in recruiting patients for clinical trials, lowering trial monitoring costs, and permitting quicker, cheaper collection of clinical trial data.” Tufts Center for the Study of Drug Development – Outlook 2003.

10 “Streamlining Clinical Trial Processes for Improving Time to Market,” IBM Life Science, 2002.
11 “Technology in clinical trials,” Pharmafocus Feature, March 2003, Stella Holford.
12 “Streamlining Clinical Trial Processes for Improving Time to Market,” IBM Life Science, 2002.

With recent advances in wireless technology and its increasing coverage and widespread use, combined with
advances in sensing and monitoring technology, it is possible to conduct Remote Monitoring of clinical trial
patients, reducing some of the logistical burdens placed on patients and capturing data in a more realistic,
life-like situation.

Online Patient Recruitment: The greatest bottleneck in the clinical development process is patient recruitment, retention and trial completion. The costs and lost opportunity related to patient recruitment, complications and delays are significant and, as the number of drugs on the market increases and the target populations decrease, this problem will increase dramatically.

“The opportunity costs of one day’s delay in clinical development can equal millions of dollars; every day a drug candidate is delayed decreases the potential revenue for that product.” Patient Recruitment: The Growing Challenge for Pharmaceutical Companies. IBM Global Industries, June 2002.

Using the Internet to identify and recruit patients for clinical trials (e-Recruitment) is controversial as it circumvents the patient-physician relationship, creating the potential for damage to the critical physician-pharmaceutical relationship. Even though the Internet is a low cost medium for reaching potential patients, it is not an effective method for Online Patient Recruitment due to the complexity of the decision related to participating in a clinical trial and the significant privacy concerns. However, once the relationship is started, the Internet is a very cost effective method of maintaining patient commitment and compliance to the trial protocol and of implementing techniques such as EDC and remote monitoring of patients. If trust is built and value provided, the patient may be available throughout the life of the ailment and for more than one trial.

Online Physician-based Initiatives

[Diagram: Online Physician Initiatives – Disease Management Portal; Direct-to-Physician Marketing; Customer Service Center; e-Prescribing]

The physician generally controls the patient relationship and remains the key driver for creating product demand. Consequently, the pharmaceutical-to-physician relationship remains the main focus of marketing. However, the nature and form of these relationships are changing due to fundamental changes in the industry, the shift in power towards the patient and the impact of the Internet.

There are a number of possible electronic initiatives focused around improving physician marketing and sales methods and the pharmaceutical-to-physician relationship, as described below.

The portal business model of the 1990s has come and gone. Its failure was due in large part to a business model sustained by advertising that was strongly linked to extensive data collection and mining of preference and behavioral patterns. In many cases the collection occurred without the knowledge and consent of individuals and without providing adequate protection to the sensitive data. Portals must first and foremost deliver real tangible value when and where needed in a form readily usable. In Disease Management Portals this value must relate to improving how physicians provide quality-of-care to their patients and reduce the complexities of conducting their business. Disease Management Portals should not only provide useful and current information concerning particular diseases but also provide services that aid physicians in providing disease management services to their patients.

“This is an area ripe for change, as for pharmaceutical companies, marketing and sales costs account for 25% of revenues – about twice what the industry is spending on R&D.” 5


A Customer Service Center (CSC) is an innovative and effective way of providing real-time and interactive
support to physicians in an increasingly complex drug and treatment environment using a “pull” service-
based model. The initial “push” based portal model was inherently positioned for failure. A CSC extends
the CRM model to the point of value delivery, overcoming one of the main previous reasons for failure.
This is where the gap is closed between the value provided in exchange for customer knowledge and the
ability to target more effectively. A CSC integrates multi-channel service delivery and marketing (phone,
Internet, face-to-face) into a comprehensive support package that leverages synergies between the needs of
the physician and those of the LSO. A CSC has the potential of transforming the descriptive nature of CRM
data into predictive information and eventually actionable knowledge.

Making the link between physicians and patients through a Customer Service Center can provide valuable
services to patients; however, it remains a risky proposition given the insertion of an intermediary in the
coveted patient-physician relationship.

A Customer Service Center is an ideal channel for e-Detailing given the “pull” based model where
information is provided by request and consequently has a significantly greater chance of being reviewed
and reacted upon. However, if e-Detailing follows the path of SPAM in Direct-to-Physician Marketing,
a backlash will occur and the lost trust will take considerable time to rebuild.

Online Patient-based Initiatives


[Diagram: Online Patient Initiatives – Drug Specific Portal; Direct-to-Patient Marketing; Patient Relationship Management]

The patient, being the consumer of prescription drugs, ultimately drives demand. Traditionally the physician has been the sole intermediary to the consumer and physicians are extremely averse to releasing control of this critical relationship.

However, the Internet has changed the character and power of consumers. Patients are better informed and come armed with medical advice of all kinds. Consequently patients are making choices with less and less influence from any one physician and demanding particular treatments.

Consequently, physicians are slowly losing their exclusive control over the patient.

The industry’s entry into pharmaco-genomics and evolution into segmented medicine, offering diagnostic techniques, preventive treatments and therapeutic choices, is causing a value proposition transition to a service-based treatment model that provides value over the life-cycle of the patient’s condition. Realizing that the patient relationship is central to this new value proposition, pharmaceutical companies are investing considerable effort towards reaching and understanding patients in an effort to target them more effectively through a number of different touch-points, build brand recognition and build sustained relationships with strong exit barriers. This is all in an effort to drive sustained sales of not only the drug product but also complementary disease management services.

“Our respondents were quite uniform in where they believe e will have the greatest impact. One marketing manager was very clear that, “The big opportunity [of e] is that we can communicate directly with patients.” Nearly 70% of pharmaceuticals said that e will have the biggest impact on how they go to market.” 5

The Internet has provided a legal and cost-effective avenue to reach patients and to deliver service-based
value propositions that were previously not possible. Targeted Direct-to-Consumer (D2C) marketing
initiatives are being used to identify and capture consumers and Online Patient Communities, such as
Drug Specific Portals, are an efficient patient point of entry.


Once a patient enters the Internet portal, a cost-effective way of managing the relationship over their
ailment duration is required. A custom application of CRM called Patient Relationship Management
(PRM) can be used to ensure an effective extraction of behavioral and preference information and delivery
of value such as personalization features (diaries, reminders) to encourage treatment compliance and loyalty
incentives to retain the patient over the lifetime of their ailment. PRM requires patient tracking and
profiling to deliver a “personalized” online experience, data analysis to determine needs and preferences
from which targeted marketing can be conducted and interactive exchanges over multiple channels of
communication to deliver services.

However, this focus on patient preference and behavioral patterns comes at a time when concerns over the
privacy and security of sensitive medical information are at an all-time high. Given that D2C interactions and
medical information are heavily regulated, PRM techniques create significant compliance and brand-name
risk. Patients do not trust that their highly sensitive medical information will be protected from
unauthorized use and disclosure. As well, they do not trust that it will be secure from unauthorized access.
Consequently, central to the success of Internet Patient-based Initiatives is complying with the data privacy
and security related regulations and overcoming the barriers of mistrust patients have towards such
initiatives. The early days of the Internet and its data collection abuses have created this presumption of
mistrust that must be overcome.

1.3 Electronic Value Chain Challenges

Before laws providing for the legal effect and validity of electronic records and signatures were enacted, the
legally binding use of the electronic medium had to be enabled by expensive proprietary, rigid, and closed
electronic networks and covered by complex business agreements. The advent of the Internet provides the
potential for a flexible, open and inexpensive alternative based on a public infrastructure. However this
public infrastructure creates many new risks and uncertainties that have created barriers to the widespread
use of the Internet as a medium for executing mission critical business.

Figure 1 illustrates the e-Programs that can be implemented across the value chain. A number of challenges
are creating barriers to the deployment of such initiatives. Even though technologies for mitigating the risks
of doing business electronically are available, significant vulnerabilities remain, especially as they relate to
mission critical applications. The issue is not one of technology but one of weaknesses arising from people
not following policy and from poorly designed processes. Even with laws recognizing electronic records and
signatures, there remains uncertainty as to the legal enforceability of electronic transactions, especially given
the absence of case law. The absence of best practices for the measurement and verification of electronic
integrity and regulatory compliance creates apprehension as to the ability to make management assertions
with confidence. Finally, the current atmosphere of customer mistrust as to the collection, use and
disclosure of their personal information is a significant barrier to initiatives intended to profile customers.

There are a number of vulnerabilities and business risks common to all electronic initiatives across the value
chain. The cost and complexity to manage these risks in isolation, where investments and experience
cannot be leveraged, is enormous. An enterprise vision and strategy that addresses these issues holistically
and a methodology that manages these requirements in an aggregated and integrated manner will deliver
significant benefits to the LSO. It should be noted again that this white paper assumes the availability of a
reliable network information system and therefore does not consider the risks associated with availability
and reliability of the network and its systems.


The Electronic Risks

In the paper-based/physical world, a business mitigates its risks by implementing physical and logical security measures, ensures its transactions adhere to laws and legal standards and ensures its methods are compliant to Good Laboratory Practices, Good Manufacturing Practices and Good Clinical Practices. The “conversion” to electronic equivalents makes no difference to the fact that these same technical, legal and regulatory requirements must still be met. What are different, however, are the methods of mitigating the risks, adhering to laws and complying with regulatory requirements.

[Figure 2: e-Risk – Technical Risks, Legal Risks, Regulatory Risks]

As illustrated in Figure 2, electronic risks can be separated into three primary classes called technical, legal and regulatory risks. Technical risks can in turn be divided into three independent secondary sources: Identity Risks (“who”), Information Risks (“what”) and Time-of-event Risks (“when”). The resistance to alteration, manipulation or falsification without detection or traceability of electronic identities, information and time is a measure of the level of risk mitigation. The same can be said of the resistance of e-Systems, e-Processes and e-Transactions to alteration, manipulation or falsification without detection or traceability. This is collectively referred to as e-Integrity.

Controlling these three risk sources is central to maintaining a trustworthy digital enterprise, specifically
authentic information, which is essential for reliable decision-making, and dependable identities, which are
essential for restricting access to information and for ensuring that individuals can be held accountable for
their electronic acts. Capturing accurate and auditable time stamps is also essential for all aspects of
operations and in particular for meeting audit trail requirements.

Legal risks are those related to adhering to legal standards and electronic signature laws. They are
measured by the degree to which the method of conducting electronic transactions, creating electronic
records and executing electronic signatures adheres to legal standards and e-Sign laws. This is collectively
referred to as “e-Enforceability.” The authenticity of electronic records (“what”), the reliability of
signatures (“who”) and the auditability of time stamps (“when”) must be sufficiently trustworthy to be
deemed admissible by regulators and adjudication authorities.

Compliance risks are those related to complying with the enterprise’s own internal requirements, industry
best practices and external regulations such as HIPAA and 21 CFR Part 11. They relate to the ability to
measure, verify and demonstrate compliance of e-Systems, e-Processes and e-Transactions with specific
regulatory requirements. This is collectively referred to as e-Compliance.

Interpretation and Differences in International Standards

e-Sign laws around the world have been recently enacted recognizing the legal effect and validity of electronic records and signatures. Even though these laws are consistent with the United Nations Commission on International Trade Law (UNCITRAL) Model Law 13 on Electronic Signatures, there are substantive differences in approach and interpretation. For example, the United States Electronic Signatures in Global and National Commerce Act 14 is technology neutral while the European Union Electronic Signature Directive 15 has given strong favor to cryptographic-based signatures for legal admissibility purposes. This has created the challenge of not only differences in interpretation of a given law but having to deal with variations between territories.

13 Model Law and Guide to Enactment: http://www.uncitral.org/english/texts/electcom/ml-elecsig-e.pdf
14 United States Electronic Signatures in Global and National Commerce Act: http://www.ecommerce.gov/ecomnews/ElectronicSignatures_s761.pdf

The regulatory side has been much better in its harmonization efforts. Significant efforts are being made by
regulatory agencies around the world to create a standard format for submitting applications. Under the
International Conference on Harmonization 16 the Electronic Common Technical Document (e-CTD)
standard is being created that will greatly simplify international applications. However, given that all NDA
regulations such as Part 11 require the assertion that electronic signatures are “legally” equivalent to
handwritten signatures, the connection to e-Sign law requirements is clear.

Measuring, Verifying and Demonstrating the Electronic State

Given the relatively recent enactment of laws and industry regulations driving the transition to electronic
business models and processes, methods to measure, verify and demonstrate the electronic integrity, legal
admissibility and regulatory compliance of e-Systems, e-Processes and e-Transactions are misunderstood,
early in their development and unproven. Enterprise Digital Trust Management and the Digital Chain
of Trust Framework, Architecture and Methodology, the subject of this white paper, are such methods.

Absence of Legal Precedence

The U.S.,17 Canada 18 and the members of the European Union 19 have all passed enabling legislation and legal frameworks (“e-Sign”) providing for the non-discrimination against electronic signatures and records solely on the basis that they exist in electronic form. In legal parlance this means electronic signatures and records have equivalent “legal effect and validity” to their paper-based counterparts. However, this does not guarantee their “legal admissibility,” which is a prerequisite for the basic business requirement of ensuring the “legal enforceability” of electronic signatures and agreements. The e-Sign laws and frameworks are still subject to significant interpretation and the lack of legal precedence.

“The survey found that legal and regulatory issues were indeed viewed as the second biggest external barrier to realizing the benefits of e.” “The Quantum Shuffle – the Impact of e on the Pharmaceutical and Medical Device Industries,” Cap Gemini Ernst & Young.

The requirement of executing “legally equivalent” electronic and paper-based signatures is made clear by the
FDA in their definition of an electronic signature – “… means a computer data compilation of any symbol
… executed, adopted or authorized by an individual to be the legal equivalent of the individual’s
handwritten signature.” 20 This statement has the effect of requiring compliance not only with Part 11 but
also with e-Sign laws and established legal standards.

15 European Union Electronic Signature Directive: Directive 1999/93/EC of the European Parliament and of the Council of 13 December 1999 on a Community framework for electronic signatures. http://europa.eu.int/ISPO/ecommerce/legal/documents/1999_93/1999_93_en.pdf
16 International Conference on Harmonization, http://www.ich.org/ichctd.html
17 U.S.: “Electronic Signatures in Global and National Commerce Act (E-Sign).”
18 Canada: “Personal Information Protection and Electronic Documents Act.”
19 EU: European Union Electronic Signature Directive.
20 FDA 21 CFR Part 11: 11.3 Definitions, (b) 7.

This assertion is substantiated by the FDA statement:

“At the same time, [Part 11] ensures that individuals will assign the same level of importance to affixing an electronic signature, and the records to which that signature attests, as they currently do to a handwritten signature.” 21

This statement reflects an attempt to adhere to the established legal standard of “Legal Sufficiency.” This means that a signature has a legal significance and consequently, a commensurate level of awareness must exist as to what is being signed and the implications, irrespective of whether the signature is executed electronically or physically.

In fact, the organization must make a management assertion to the FDA as follows:
“Persons using electronic signatures shall, … certify to the agency that electronic
signatures … are intended to be legally binding equivalent to traditional
handwritten signatures.” 22
Even though this assertion can be made at the organizational level, the FDA reserves the right to request
“additional certification or testimony that a specific electronic signature is the legally binding equivalent to
the signer’s handwritten signature.” 23

Meeting the requirements of legal admissibility is contingent on meeting a number of technical and, more
importantly, non-technical requirements that are discussed in detail in a white paper by the author entitled
“The Principles and Measurement Metrics of Electronic Agreement Admissibility.” 24 Irrespective of
meeting the highest standards of executing electronic signatures and agreements, there are very few
adjudicated legal cases that can be used as legal precedent. This represents a legal risk that must be
managed.

Controlling the Transition and Management Assertions

In making the transition from the current state of paper-based, manual and semi-electronic (“physical
world”) drug development business models and processes to end-to-end electronic equivalents,
management must make assertions that during the transition they have maintained demonstrable levels of
electronic integrity (that is, security and controls over their e-Systems), legal enforceability (that is, legal
admissibility of e-Transactions) and regulatory compliance, the loss of which could otherwise compromise
existing business revenues.

The risks not only lie in the design and operation of electronic value chain initiatives. They also exist in
making a structured and measurable transition to the desired electronic state in a manner that does not
compromise existing operations. The transition must be sufficiently controllable and measurable to enable
executives to make management assertions with confidence to their stakeholders as to the electronic
integrity, legal admissibility and regulatory compliance of any given electronic initiative.

21 FDA 21 CFR Part 11, Final Rule Page 13462, Column 3, A. Objectives.
22 FDA 21 CFR Part 11 Subpart C – Electronic Signatures, 11.1 General Requirements c)
23 FDA 21 CFR Part 11 Subpart C – Electronic Signatures, 11.1 General Requirements c), 2)
24 “The Principles and Measurement Metrics of Electronic Agreement Admissibility,” Jacques Francoeur, March 2003.


Privacy Mistrust
There is significant mistrust by the general public as to the confidentiality, security, control over and use of
their personal information. The sensitivity is drastically greater as it relates to medical and genetic
information. This concern is one of the most significant barriers to getting to know and understand the
consumer – patients. LSOs must presume an existence of mistrust that will take time and special practices
to overcome. The existence of this information in electronic form combined with automated and integrated
systems makes the risks of this information getting into the hands of an unauthorized individual very real.

“The widespread adoption of the Internet and the web has shifted cultural attitudes toward privacy.
Heightened privacy sensitivity will require online and offline businesses to re-examine existing
information practices. Through 2006 information privacy will be the greatest inhibitor for
consumer-based e-business.”
Gartner Group

Critical to both online physician and patient initiatives are issues of the privacy of personally identifiable
information. This still remains the number one barrier to the adoption of the new “personalized medicine”
value proposition. It is also a regulatory requirement of HIPAA and laws enacted in the European Union as a
result of the European Union Data Privacy Directive. Many of the core critical concepts essential to the
success of online communities are discussed in a book called “Net Worth – Shaping Markets When
Customers Make the Rules.” 25

Enterprise-Wide e-Implementations

Enterprise implementations of electronic initiatives are extremely complex and difficult to carry out
successfully 26 as they require a cohesive team of business and technical leaders and effective coordination
between many stakeholders often driven by different agendas. Adding to this complexity is the fact that
the boundaries of today’s virtual and dynamic enterprise are difficult to define as they are constantly
changing.

In order to ensure the success of enterprise electronic initiatives, the current reactive, fragmented, technical
and IT approach to risk management must change. Managing the risks of an electronic value chain must be
recognized as mission critical and therefore it must be sponsored and driven top down by executive
management. Only with such a clear commitment will the required cultural change in mindset take place
throughout the organization in a sustained manner. In order for risk management to be considered an
enabler, overcoming the current perceived notion of a constraint, the risk management objectives must be
aligned with the business objectives and risk tolerance of the organization. And finally given the fluid nature
of the virtual enterprise, a proactive and formal approach to risk management must be taken that monitors
and continuously adjusts to dynamic situations. 27 However, for those who take on such significant
challenges, the benefits to the organization are commensurate.

25 “Net Worth: Shaping Markets When Customers Make the Rules, The Emerging Role of the Infomediary in the Race for Customer Information,” John Hagel III and Marc Singer.
26 “Enterprise-wide Implementations: Helpful Tips for CIOs Who Take on the Universe,” Health Data Management, Greg Gillespie, July 8, 2003.
27 “Defending the Digital Frontier – A Security Agenda,” Mark W. Doll, Sanjay Rai and Jose Granado, Ernst & Young, John Wiley & Sons, Inc., 2003.


1.4 Electronic Value Chain ROI

The return on investment associated with reducing the cost and time of bringing successful drugs to market
is substantial. Reducing drug development time will drastically increase the competitiveness of the LSO by
increasing the number of drugs that can be processed through the pipeline and increasing the probability of
being “first to market,” thereby commanding premium pricing and avoiding the commodity effect of “me
too” drugs. It will also allow much greater profits from a longer patented sales cycle. A Tufts Center for the
Study of Drug Development analysis 28 indicates that reducing the total development time by 50% will
reduce the cost of development by 29%. Reducing the pre-launch total cost of development has an
immediate bottom line effect – lower cost of development means higher profit margins or higher sales
volumes through lower prices.

The key question is how will this be achieved? The adoption of e-Programs such as those illustrated in
Figure 1 can significantly reduce the cost and time of drug development by delivering the following
improvements to the drug development, approval, marketing and sales value chain:

• Changing the Medium of Business from physical, manual and paper-based to electronic will
eliminate the paper life-cycle costs of printing, copying, faxing, and physical sending, receiving, storage
and archival.

• Increasing the Speed of Business will drastically reduce the cycle and response time of doing
business. For example, reducing approval times and increasing access to and dissemination of
information to near real-time will not only drastically accelerate business but allow for greater
transaction volumes.

• Increasing Business Efficiency: The transition to the electronic paradigm is an opportunity to re-
engineer workflows and business processes to eliminate non value-added components and reduce work
duplication and error rates.

• Improving Business Effectiveness: The transition to the electronic paradigm is an opportunity to
reconsider how business is done and to adopt new business models that improve the interaction
between all the stakeholders.

28 Tufts Center for the Study of Drug Development – Outlook 2003


2 Vision and Strategy for Enterprise Risk Management

The previous section outlined an electronic value chain that was composed of a number of different
electronic initiatives, referred to as e-Programs, that serve very different business objectives. Each
e-Program executes transactions with differing levels of corporate and legal significance, requires different
levels of risk mitigation, depending on the nature and risks of the application, and has its own specific set
of regulatory requirements.

“Clearly, successful targeted drug development will require enterprise-wide changes in the
pharmaceutical industry.”
Pharmaceutical Clinical Development: The future of clinical trials – How genomics, proteomics, and
technology are changing the clinical development process, IBM Life Sciences, June 2002

However, even with the mandate of each e-Program being different, a finite and common set of electronic
resources must deliver all e-Programs within the value chain. In addition, all e-Programs involve the
management of technical, legal and regulatory risks and the same three fundamental components:
identity, information and time. It therefore makes good business sense that an enterprise vision and
strategy be formulated that allows all stakeholders across the enterprise to perceive and manage in a
cohesive manner all e-Program risks consistently and to allow investments and solutions by one stakeholder
to be leveraged by another.

This section will describe a vision of a trustworthy digital enterprise and the characteristics of an enterprise
risk management strategy to transition to such an enterprise. Section 3 will then present an outline of a risk
audit methodology that can implement the strategy and transition to a measurable and demonstrable trusted
digital enterprise.

2.1 Vision - A Trusted Digital Enterprise

Recall that the e-Value Chain involves a number of e-Programs, as was illustrated in Figure 1. If one
assumes that the enterprise has implemented all its e-Programs in such a way that its actual practices are in
compliance with all its risk mitigation requirements, whether technical, legal or regulatory risks, then one
could describe the enterprise as being in a state of Enterprise Digital Trust.

In other words, Enterprise Digital Trust means the organization can measure and demonstrate specific
design levels of electronic integrity (e-Integrity), electronic enforceability (e-Enforceability) and electronic
compliance (e-Compliance) for each of the e-Programs within the electronic value chain. This is illustrated
in Figure 3.

[Figure 3: Enterprise Digital Trust. e-Integrity: authenticity of electronic records, identities and time
stamps, giving accountability and reliable information. e-Enforceability: adherence to legal standards and
e-Sign law, giving admissible and enforceable e-Transactions. e-Compliance: compliance with industry
regulations and best practices, giving business continuity.]

e-Integrity relates to the electronic technical perspectives of the e-Program. Its principal mandate is to
ensure the authenticity of electronic records, identities, and time stamps so that individuals can be held
accountable for their electronic acts and that information is reliable.

e-Enforceability relates to the electronic legal perspectives of the e-Program. Its principal mandate is to
ensure that all electronic transactions conducted by the e-Program are sufficiently trustworthy to be deemed
legally admissible by an adjudication authority, such as an arbiter or a judge of a court of law. This is a
prerequisite of enforceable electronic transactions.


e-Compliance relates to the electronic regulatory compliance requirements of the e-Program. Its principal
mandate is to ensure that all electronic resources involved in the delivery of the e-Program are in
compliance with relevant regulations to ensure business continuity.

It should be noted that e-Integrity, e-Enforceability and e-Compliance are heavily interrelated and one
cannot be achieved without the others. In terms of information system architectures, Digital Trust for each
e-Program means, demonstrable levels of e-System security and controls; e-Process integrity that captures,
preserves, retrieves, verifies, renders and makes available in human readable form the e-Transaction
authentic content, context, notice, intent, consent, identity and time; that meet the enterprise requirements
for accountability and reliable information, regulatory compliance and for legal admissibility of electronic
forensic evidence, to a level of confidence commensurate with the nature and level of risk of the e-
Program and the legal significance of the e-Transaction.

Enterprise Digital Trust means a constant level of Digital Trust over time of each e-Program being
operated by the enterprise (e.g., e-Submissions, e-Clinical Trials and Online Patient/Physician
communities). The level of Digital Trust is a customized characteristic of each e-Program given that the
nature and level of risks 29 can vary dramatically.

Now that the ultimate goal is established, a management strategy must be defined to guide the enterprise
towards its attainment.

2.2 Strategy - Enterprise Digital Trust Management

In the transition to an electronic enterprise, many new challenges, uncertainties and risks are created. In
order to effectively address these issues, a new form of e-management must emerge to ensure that the ROI
is captured, adequate controls over the risks are maintained and management can make assertions to its
stakeholders with confidence.

This new form of “e” management is called Enterprise Digital Trust Management (EDTM). Its
mandate is three-fold.

• Mitigate the technical, legal and regulatory risks to the required level in a manner that can be measured,
verified and demonstrated,
• Coordinate the decisions and work deliverables of all stakeholders at all management levels in a
hierarchical mechanism where decisions can be executed and verified for completion,
• Plan and manage the transition from the current state to an Internet-based end-to-end “trusted”
electronic equivalent 30 in a structured and integrated manner.

The EDTM strategy encompasses four attributes, as illustrated in Figure 4, as follows:

[Figure 4: Digital Trust Management: Enterprise Wide; Business Centric; Comprehensive & Integrated;
Manageable.]

• Enterprise-wide: Deploying e-Programs involves many internal organizational functions (e.g., business,
audit, legal, IT, security, data privacy, records management, marketing and sales) and extends outward to
partners, suppliers and customers. Therefore, the EDTM strategy takes a multi-stakeholder perspective and
integrates all business domains.

29 The nature and level of risk is determined by the business context and degree of sensitivity of the application, the environment in
which the e-Program is carried out, the specific external regulatory requirements that apply and internal risk sensitivities.
30 “equivalent” shall not mean “only as good” but allows for process reengineering and optimization.


• Business-Centric: The business objectives are to reduce costs, increase efficiency and effectiveness,
and deliver strong ROI by enabling new business models and delivery channels. Therefore, the EDTM
strategy has a strong business focus.

• Comprehensive & Integrated: The transition involves many business risks, technical challenges, legal
issues, and regulatory requirements that must be managed at all architectural levels. Consequently, the
EDTM strategy is comprehensive in its scope and integrated in its relationships and associations
between systems, processes, transactions, events and data.

• Manageable: In order to ensure a successful implementation that controls business risks so as not to
compromise existing business and provides management assertion confidence, the EDTM strategy
enables a structured and measurable transition process.

The following will describe each of the key attributes in more detail.

2.2.1 Enterprise-Wide Strategy

There are three main characteristics to an enterprise-wide strategy, as illustrated in Figure 5. It must be
Multi-Domain in that it addresses the technical, legal and regulatory aspects of the electronic business
risks; Multi-Stakeholder to provide an inclusive framework for all stakeholders and organizational
functions; and it must be Multi-National to ensure to the extent possible a normalization of business
practices across the greatest territory. The three main characteristics are discussed in more detail as
follows.

[Figure 5: Enterprise-Wide. Multi-Domain: e-Integrity, e-Enforceability, e-Compliance. Multi-Stakeholder:
Business, Legal, Audit, Privacy, IT, QA, Security, eRM. Multi-National: North American, European Union,
Asia Pacific.]

Multi-Domain
The transformation from a “physical world” paper-based medium of business to an electronic one makes
no difference to the need for adhering to legal standards, meeting e-Sign legislative requirements and
complying with regulatory requirements. However, the electronic paradigm will create many new legal and
technical challenges and present risks that will radically change the methods of meeting the standards and
requirements and demonstrating their adherence and compliance.

The EDTM strategy is a multi-domain strategy designed to address the technical, legal and regulatory risks
of adopting an electronic value chain. The goal is to ensure the integrity of electronic business (e-Integrity),
the legal enforceability of electronic transactions (e-Enforceability) and the compliance of electronic systems
and processes (e-Compliance), defined as follows:

e-Integrity: the degree to which the e-Program, its e-System, e-Processes and e-Transactions cannot be
altered or manipulated without detection or traceability.

e-Enforceability: the degree of confidence that (1) the method of conducting the electronic transaction
adhered to legal standards and (2) the content of its audit trail (electronic records –“what,” signatures –
“who,” and time stamps –“when,”) will be deemed sufficiently trustworthy to be admissible by an
adjudication authority for dispute resolution through arbitration or by the courts.


e-Compliance: the degree of assurance that the e-Program, its e-System, e-Processes and e-Transactions
are in compliance with relevant regulations, industry best practices and internal requirements.

It is critical to understand that the e-Integrity, e-Enforceability and e-Compliance requirements are
interrelated and interdependent. e-Sign law provides for the legal effect and validity of electronic records
and signatures, that is, records and signatures cannot be discriminated against solely for being in electronic
form. However, this does not guarantee that electronic records, signatures and agreements will be deemed
legally admissible in a court of law, a prerequisite of legal enforceability. That is in fact what a trusted digital
enterprise is seeking to achieve.

This is illustrated in Figure 6. Starting at the bottom of the diagram with Legal Effect & Validity, provided
by electronic signature laws, one moves through three distinct domains to reach a state of a Trusted Digital
Enterprise.

[Figure 6: Trusted Digital Enterprise, built upward from Legal Effect & Validity. Domain 1, e-Integrity:
render authentic electronic identities, signatures, records and time stamps. Domain 2, e-Enforceability:
execute electronic signatures and transactions that adhere to legal standards and e-Sign legislation (legal
standards, e-Admissibility). Domain 3, e-Compliance: electronic systems and processes that comply with
regulations (reliable electronic systems).]

The first domain is e-Integrity. Its mandate is to ensure authentic electronic identities, records and time
stamps – the core building blocks. Without this, no electronic business will be admissible or regulatory
compliant. It will also be impossible for individuals to be held accountable or for the organization to make
reliable decisions.

The second domain is e-Enforceability. Based on a solid foundation of identity, information and time, one
must then design and execute transactions involving electronic signatures that adhere to legal standards and
electronic signature laws. This involves mostly non-technology issues such as notice, the security of the
signing key, control over the act-of-signing and creating a state of informed consent in the act-of-signing.
The reader is referred to a white paper by the author on the subject entitled “The Principles and
Measurement Metrics of Electronic Agreement Admissibility” for more details.

The third and final domain before creating a Trusted Digital Enterprise is e-Compliance. Based on a solid
foundation of identity, information and time and electronic signatures and admissible electronic signatures
and transactions, one must operate e-Programs in a manner that complies with regulatory requirements.

In summary, the strategy of Enterprise Digital Trust Management is to achieve operational compliance,
transactional enforceability and identity, information and time integrity. It is clear from this discussion that
many corporate departments and functions must integrate to achieve a Trusted Digital Enterprise.
Consequently, Enterprise Digital Trust Management requires a multi-stakeholder strategy.

Multi-Stakeholder
Given that Digital Trust Management is enterprise-wide, business centric, and comprehensive in
nature it will involve the contributions and cooperation of many stakeholders, including representatives of
external organizations such as the regulatory agencies. The adoption of the e-Value Chain must be driven
by business needs, enabled by IT, protected by security, continually assessed by audit and advised by legal
with records manager custodianship. Consequently, the fact that stakeholders do not speak the same
language, do not agree on the same objectives, are driven by different agendas and approach problems
differently presents many problems to the enterprise. A reference framework is required to organize the


problem into domains that more clearly illustrate how collectively stakeholders relate to one another and
understand what requirements they need from one another.

In summary, the strategy of Enterprise Digital Trust Management enables a cohesive management team,
integrated planning and coordinated deployment of electronic initiatives between all key stakeholders -
essential for an efficient and successful implementation.

Multi-National
Given that large LSOs are international in character, having operations and customers all around the
world, combined with the intrinsic nature of e-business, they must not only adhere to local laws and
regulations but also they must comply with multiple national regulations that govern either where they
conduct business or where their consumers are located. However, in order to reduce costs and complexity
an Enterprise Digital Trust Management strategy is multi-national (international), ensuring compliance to
the requirements of each nation yet taking an integrated and harmonized approach to its compliance
methods to the fullest extent possible. The goal is to establish a common audit standard and corresponding
policies and practices that will ensure compliance across the greatest geographical area.

In summary, the strategy of Enterprise Digital Trust Management is to manage the technical, legal and
regulatory risks in an integrated manner (multi-domain), bring together all key stakeholders into a cohesive
management team (multi-stakeholder), and take an integrated and normalized international legal and
regulatory approach (multi-national).

2.2.2 Business Centric Strategy

The primary objective of adopting the e-Value Chain is to reduce costs, increase business efficiency and
effectiveness. This is illustrated in Figure 7. The strategy of Enterprise Digital Trust Management is to be
business centric and use metrics that measure in quantitative terms the nature and degree of the benefits.

[Figure 7: Business Centric. Reduce Costs: Paper Costs, Cost of Compliance. Increase Efficiency: Cycle
Time, Real Time. Increase Effectiveness: Business Models, Channels.]

The strategy focuses on the following:

• Reducing paper costs by deploying business processes that eliminate the paper life cycle - printing,
copying, faxing, couriering, storage and archival. This is achieved by ensuring that electronic records and
signatures are deemed a legally binding alternative to paper and handwritten signatures.
• Reducing the cost-of-compliance by using a consistent framework throughout the audit life-cycle,
leveraging audit practice knowledge across the enterprise and employing work automation techniques.
• Increasing Business Effectiveness by re-engineering workflows and business processes to eliminate
inefficiencies and reviewing how business is being done to consider new business models and channels
to optimize the value chain.
• Increasing the Business Efficiency by making available in real-time authentic and complete
information when and where required and greatly reducing cycle times, response times and transaction
times to enable more business to be conducted within the same time period.


2.2.3 Comprehensive Risk Management

Today’s approach to risk management is fragmented. LSOs operate e-Programs that require a system-level
risk management approach and the adoption of a broad base of industry best practices to manage those
risks. LSOs in turn operate many e-Programs that require an enterprise-level risk management approach.
Consequently, given the multi-domain, multi-stakeholder and multinational character of the challenge, a
comprehensive risk management strategy is required to effectively manage the diverse scope of
electronic risks. This is illustrated in Figure 8.

[Figure 8: Comprehensive. Risk Mitigation: Information Integrity, Access, Time-of-Event, Confidentiality,
Regulatory, Admissibility. Industry Best Practices: Identity Mgt., e-Records Mgt., Time Mgt., Data Privacy,
Trusted e-Systems, eSignatures, Security, Electronic Forensic Evidence.]

As was mentioned previously, enterprise risks can be classified into three primary classes - e-Integrity
(technical), e-Enforceability (legal) and e-Compliance (regulatory) risks.

e-Integrity

The primary risk class of e-Integrity can be further divided into three secondary classes - Identity Risk,
Information Risk and Time-of-Event Risk, as illustrated in Figure 9 and defined as follows.

[Figure 9: e-Integrity e-Risks: Identity Risks, Information Risks, Time-of-Event Risks.]

Identity Risk relates to the ability to authenticate in real-time the true identity of an individual, to capture
and preserve the electronic forensic evidence related to the activities of that individual and to hold that
individual accountable for their electronic act.

Information Risk relates to the ability to create, preserve, retrieve, access, and verify the integrity of
information and to make it available in human readable form.

Time-of-Event Risk relates to the ability to source legal time, synchronize networks and applications and
“affix” time stamps to electronic records, signatures and events and to capture, preserve, retrieve, and
verify the integrity of time-of-events.

Many other additional risks follow from these three secondary root sources, such as Access Control,
Authorization, Confidentiality and Audit Trails, which are not covered in this paper.


e-Enforceability

The primary risk class of e-Enforceability can be further categorized into two secondary classes of
Adherence Risks and Admissibility Risks. This is illustrated in Figure 10.

[Figure 10: eRisks: e-Enforceability: Adherence Risks, Admissibility Risks.]

Adherence Risks: Electronic signature laws and established legal standards represent the minimum
standard that electronic transactions must adhere to in order for the transaction to be deemed “legal.”

An electronic agreement must indicate the signatory’s approval of the information in the document being
signed and the agreement to be bound by its terms. This clearly falls outside of the technology of capturing
and preserving an electronic signature and into the softer domain of “awareness” of what is being signed
and acceptance of the implications of the act of signing – being bound by its terms.

This requirement is embodied in what is called Legal Sufficiency 31, which is an established legal standard
ensuring that a state of informed consent is present during the act-of-signing. Legal Sufficiency involves
two basic concepts referred to as “Writing” and “Signature,” which combine measurable parameters such as
notice and content with less demonstrable notions of context, intent and consent. Legal Sufficiency
requires that certain transactions, such as agreements (i.e., contracts), must be reduced to writing on paper
to be legally enforceable. The requirement of “writing” is an established legal standard whose “functional
purpose” must be respected in the execution of an electronic agreement. The requirement of writing is
important as it forces a type of ceremony that builds awareness that a process of agreement formation is
taking place and appreciation as to the obligations under the agreement and the consequences for failing to
fulfill the obligations.

The second component of Legal Sufficiency is called “Signature.” Legal Sufficiency requires that certain
transactions, such as contracts, must not only be reduced to writing but also contain a signature in order to
be legally enforceable. The act of signing meeting the requirement of “signature” must clearly establish the
identity of the signatory, established by the application of the individual’s unique mark, a clear expression of
awareness as to the intent of signing and a clear expression of understanding as to the content and, most
importantly obligations of the agreement. The requirement of “signature” is an established legal standard
whose “functional purpose” must be respected in the execution of an electronic agreement.

Admissibility Risks: In order for an electronic record, signature or agreement to be enforceable, it must
first be deemed admissible by adjudication authorities, whether the employer, an arbiter or a judge. This
relates to the “trustworthiness” of the information forming the transaction, usually contained in an audit
trail. There are two components to the trustworthiness of an audit trail: the trustworthiness of the
information it contains and the ability to demonstrate the integrity of the audit trail itself.

The trustworthiness of the information contained in the audit trail is based on the level of reliability of the
electronic signatures, the ability to demonstrate the authenticity of the electronic records and the accuracy
and auditability of the electronic time stamps. In general, the level of trustworthiness of all aspects of the
electronic execution process must be appropriate for the purpose of the agreement, the legal significance of
the act of signing, and the nature and level of the risks, including consideration of the damages that can
ensue from the failure of any party to fulfill its obligations. This may be different depending on the nature
of the transaction, the environment in which it is being conducted and the requirements of law and
regulations. Consequently, this is a case-by-case set of requirements.

31 US Department of Justice, “Legal Considerations in Designing and Implementing Electronic Processes: A Guide for Federal Agencies,” November 2000. http://www.cybercrime.gov/eprocess.htm

The trustworthiness of the audit trail is also related to the technical mechanisms used to preserve and
protect its content over time and the ability to verify its integrity at any future time. Methods should be
used to verify and demonstrate that the audit trail has not been altered or manipulated in any way since it
was created - that is, that its integrity has been maintained. This is a fundamental prerequisite. If this cannot be
demonstrated, it invalidates the audit trail irrespective of the level of reliability of the information it
contains.

In the case of electronic transactions, e-Enforceability relates to whether the process of electronic
agreement formation, in terms of its design architecture and method of execution, results in the legal
admissibility of the agreement. In the case of Business-to-Employee transactions, admissibility means
meeting the prerequisite requirements necessary to demonstrate the electronic forensic evidence necessary
to hold an individual accountable for their electronic act or signature. In the case of Business-to-Business or
Business-to-Consumer transactions, admissibility means meeting the prerequisite requirements necessary to
demonstrate the electronic forensic evidence necessary to obtain a successful dispute resolution judgment
or to obtain favorable court adjudication.

There are five principles that contribute directly to the legal admissibility of an electronic agreement. The
first principle is the reliability of an electronic signature, in terms of the robustness of how the signature
is linked to the record, the reliability of the chain-of-trust related to identity authentication and the ability
to verify the integrity of the signature and record after the signature is affixed. The second principle
relates to the reliability of the act of signing itself - the ability of the signatory to be the only one that can
exercise sole control over the act-of-signing. The third principle relates to the state of mind of the
individual at the time of signature. That is, whether a state of informed consent did exist during the act of
signing. Was the individual aware that they were engaged in an agreement formation process, were they
fully informed of their rights, were they cognizant of their obligations under the agreement and were they
aware that they were affixing their legally binding signature that will result in enforceable obligations? The
fourth principle relates to the requirement to capture, preserve and retain for as long as necessary all
material information related to the transaction in a way that can be verified and shown to be accurate and
complete. The fifth and final principle relates to the need to design and operate an agreement formation
process that is sufficiently reliable and trustworthy commensurate with the legal significance of the act of
signing and the nature and risk of the transaction.

Table: Electronic Agreement Legal Admissibility Requirements

Agreement Intent:
Nature of Agreement and Risks: Legal Significance of Signatures; Environment of Agreement Execution;
Nature of Risks and Liabilities; Basis of Repudiation

Principle 1: Electronic Signature Reliability
Criteria 1: Electronic Signature to Electronic Document Binding
Criteria 2: Identity Authentication
Criteria 3: Electronic Signature Integrity
Criteria 4: Electronic Document Integrity

Principle 2: Sole Control over Act of Signing
Criteria 5: Privacy of Unique Identifier
Criteria 6: Sole Control Over Unique Identifier
Criteria 7: Revocation of Unique Identifier

Principle 3: A State of Informed Consent in the Act of Signing
Criteria 8: Awareness of Engaging in a Process of Agreement Formation
Criteria 9: Awareness of Intent and Implications of Act of Signing
Criteria 10: Notice of Rights

Principle 4: The Digital Chain of Admissibility
Criteria 11: Audit Trail of How, Who, What and When
Criteria 12: Retention

Principle 5: Electronic Agreement Trustworthiness
Criteria 13: Level of Electronic Signature Reliability
Criteria 14: Degree of Control over the Act of Signing
Criteria 15: Extent of a State of Informed Consent
Criteria 16: Trustworthiness of the Digital Chain of Admissibility

These five principles are collectively sufficient to ensure that the electronic agreement, its electronic
signature and records will be granted legal admissibility in a court of law. This framework of principles can
be further broken down into sixteen measurement criteria (outlined in the Table above) that can be used to
assess the Admissibility Risk and Adherence Risk of a particular agreement formation process. This is
discussed in more detail in a white paper by the author entitled “The Principles and Measurement Metrics
of Electronic Agreement Admissibility,” published in March 2003.

e-Compliance

The primary risk class of e-Compliance can be categorized into three secondary basic classes of
requirement - Security, Data Privacy and Trusted Electronic Systems. This is illustrated in Figure 11. For
example, HIPAA has requirements related to security and data privacy of medical information and
trustworthy e-Systems to ensure the integrity of the information. 21 CFR Part 11 has requirements related
to security and Trusted e-Systems to ensure the trustworthiness of electronic submissions. The three
classes of requirement are interrelated; for example, security is at the core of meeting both Data Privacy
and Trusted e-Systems regulations. However, security is necessary but insufficient to meet the
requirements of Data Privacy and Trusted e-Systems.

Figure 11: e-Compliance e-Risks – Security, Data Privacy and Trusted e-Systems (diagram)

Security: Security is at the core of mitigating organizational threats and vulnerabilities and meeting
many (but not all) of the regulatory requirements of HIPAA and 21 CFR Part 11. Security aims to
ensure the integrity and confidentiality of sensitive information assets and to make them available to those
who need to know, when and where required. At the core of meeting these security requirements is
Entitlement Management – Authentication and Authorization. Authentication is the critical component of
Access Control. The ability to verify in real time the true identity of individuals seeking access to
information assets is the first line of defense. The ability to capture and preserve that identity with a certain
level of confidence is essential to the ability to establish accountability for electronic acts. Methods of
ensuring the accountability of individuals for their electronic acts are an increasing requirement of business
and emerging regulations. For example, tracking and logging the activities of authorized personnel on
sensitive systems is a regulatory requirement. Authorization is a second line of defense. Once authenticated,
access to specific digital assets, whether information or applications, should be restricted based on the
“principle of least privilege” - ensuring access privileges are granted on a need-to-know basis.

Security alone is insufficient to meet the data privacy and Trusted e-Systems compliance requirements
of HIPAA and 21 CFR Part 11; meeting them requires building on the traditional perimeter defense
approach of security towards an Intrinsic Trustworthiness model – security at the object level.


Data Privacy: Traditionally, privacy has been linked to confidentiality (keep it private) and security
(lock it up, prevent unauthorized access). Privacy, in the context of the digital economy, has shifted to a
new paradigm based on a set of ten privacy principles. These principles have as their foundation the Fair
Information Practice Principles issued by the Organization for Economic and Cooperative Development
(OECD) in 1980,32 outlined in the table below. At the forefront of global privacy legislation is the
European Data Privacy Directive,33 the de facto international standard, which took effect October 25th,
1998. The Directive is designed to normalize the national data privacy laws of the 15 member states of the
European Union (United Kingdom, Germany, France, Portugal, Spain, Italy, Austria, Luxembourg,
Belgium, Greece, Ireland, the Netherlands, Denmark, Sweden, and Finland), allowing for the unrestricted
free flow of personal information within the EU. The Directive governs all personally identifiable
information held by an organization, including employee and customer information, and covers its
collection, storage, processing, and transfer. Processing generally means everything (storage, alteration)
except transit. The legislation applies to all organizations conducting business in legislated territories, and
controls the flow of personal information to countries (organizations) outside the EU. This has been a
driver of international legislation resulting in approximately fifty34 countries who have enacted, or are in
the process of enacting, privacy legislation that is “equivalent” to the Directive.

Table: Fair Information Practice Principles

Principle 1 – Accountability: An organization is fully accountable for all personal information under their
control. A person shall be designated to be responsible to ensure that all processing of personal information
is conducted in compliance with all the relevant privacy legislation.

Principle 2 – Purpose: The purpose(s) for which the personal information is being collected shall be
defined at or before the time of collection and unambiguous notice shall be given to the individual before
collection.

Principle 3 – Consent: The unambiguous and informed consent of the individual is required for the
collection, use, and disclosure of personal information, except where inappropriate. Explicit consent (proof)
is required in the case of “sensitive” information (racial or ethnic origin, religious beliefs, health or sex life).

Principle 4 – Collection: The collection of personal information shall be limited to that which is necessary
for the fulfillment of the purpose(s) identified. Information shall be collected by fair and lawful means.

Principle 5 – Limited Use: Personal information collected shall not be used or disclosed for any
purpose(s) other than those for which it was originally collected, except with the consent of the individual
or as required by law.

Principle 6 – Retention: Personal information shall be retained only as long as necessary for the
fulfillment of those purposes.

Principle 7 – Accuracy: Personal information shall be as accurate, complete, and up-to-date as is
necessary for the fulfillment of the purposes for which it is collected.

Principle 8 – Safeguards: Personal information shall be protected by security safeguards commensurate
with the nature of risks and degree of sensitivity of the information.

Principle 9 – Openness: Information on the organization’s personal information management policies
and practices shall be disclosed to the individual.

Principle 10 – Access: Upon request, an individual shall be provided access to personal information held
and shall be informed as to its use and disclosure to third parties. An individual shall be able to challenge
the accuracy and completeness of the information and have it amended as appropriate.

Principle 11 – Complaints: An individual shall be able to file a concern or complaint with the designated
individual as to the organization’s compliance with the principles.

32 Organization for Economic & Cooperative Development: “Guidelines on the Protection of Privacy and Transborder Flow of
Personal Data: Fair Information Practice Principles,” www.oecd.org
33 “None of Your Business: World Data Flows, Electronic Commerce, and the European Privacy Directive,” Peter P. Swire and
Robert E. Litan, The Brookings Institution, ISBN 0-8157-8239-X.
34 “Privacy and Human Rights – An International Survey of Privacy Laws and Developments,” Global Internet Liberty Campaign,
October 1998, www.gilc.org.


Trusted e-Systems: The domain of “electronic trustworthiness” addresses aspects of electronic
risks that are distinct from and fall outside the purview of classical security. Security has
traditionally focused on threat analysis and vulnerability mitigation from a “perimeter defense” perspective,
although it does address risks from within the perimeter, such as system administration access. The risk
assumption is that threats will originate from within the perimeter, communications will be intercepted,
sources will be spoofed, identities will be misrepresented, information will be altered without authorization,
time will be manipulated, transactions will be repudiated and fraud will take place. In many respects, the
risks of falsification, misinterpretation and alteration without leaving evidence are much higher with
electronic records, identities and time stamps than with their physical counterparts.

Electronic trustworthiness builds on security towards what is called “Intrinsic Trustworthiness.” This
means trustworthiness at the object level – the inherent property of an electronic record, identity, signature,
time-stamp and audit trail to be resistant to alteration or manipulation without detection or traceability and
verifiable for integrity and authenticity over their lifetime. An example of Intrinsic Trustworthiness related
to identity is a biometric – a unique attribute that is intrinsic to one individual. Examples include
fingerprints, retinal scans, facial patterns, voiceprints and signature dynamics. These methods of identity
authentication are clearly more trustworthy and less vulnerable than passwords and private keys given their
higher confidentiality and access control risks. Another example of Intrinsic Trustworthiness is a Digital
Signature, a cryptographic-based electronic signature. The unique content of the document and the unique
identifier (private key) are intrinsically bound through a cryptographic process to yield a unique electronic
signature. It can be verified that the signed document has not been modified since the signature was
applied (content integrity), and the corresponding Digital Certificate, uniquely linked to the private key
used to execute the signature, can be identified and verified for integrity and validity as of the time of signature.
These attributes of electronic trustworthiness are essential for reliable decision-making, ensuring the
accountability of individuals for their electronic acts, demonstrating regulatory compliance, controlling the
basis of repudiation and ensuring enforceable electronic transactions.
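As an added example (not the author’s or Proofspace’s code) of the two mechanisms described above, an audit trail whose integrity can be demonstrated at any later time and a signature that intrinsically binds record content to a private key, the Go program below builds a hash-chained, Ed25519-signed “who, what, when” trail and shows that altering a record, deleting an entry or signing under another party’s identity is detected on verification. The actor names, event text and 2003 timestamps are constructed; Ed25519 stands in for the certificate-based Digital Signature the text describes, and certificate validity checking is not shown.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"time"
)

// Entry is one audit-trail record (who, what, when), hash-linked and signed.
type Entry struct {
	Seq       int
	Who       string    // authenticated identity of the actor
	What      string    // the act being recorded
	When      time.Time // time of event (assumed to come from a trusted clock)
	PrevHash  string    // hash of the preceding entry; "genesis" for the first
	Hash      string    // SHA-256 over Seq, Who, What, When and PrevHash
	Signature []byte    // Ed25519 signature over Hash
}

type Trail struct{ Entries []Entry }

// digest binds content, identity, time and the chain link into one value.
func digest(seq int, who, what string, when time.Time, prev string) string {
	h := sha256.New()
	fmt.Fprintf(h, "%d|%s|%s|%s|%s", seq, who, what, when.UTC().Format(time.RFC3339Nano), prev)
	return hex.EncodeToString(h.Sum(nil))
}

// Append records an act and signs it; only the key holder can produce the signature.
func (t *Trail) Append(who, what string, when time.Time, key ed25519.PrivateKey) {
	prev := "genesis"
	if n := len(t.Entries); n > 0 {
		prev = t.Entries[n-1].Hash
	}
	d := digest(len(t.Entries)+1, who, what, when, prev)
	t.Entries = append(t.Entries, Entry{Seq: len(t.Entries) + 1, Who: who, What: what,
		When: when, PrevHash: prev, Hash: d, Signature: ed25519.Sign(key, []byte(d))})
}

// Verify re-derives every hash and link and checks every signature against the
// public key registered for the claimed actor; it reports the first bad entry.
func (t *Trail) Verify(pubs map[string]ed25519.PublicKey) error {
	prev := "genesis"
	for i, e := range t.Entries {
		switch pub, ok := pubs[e.Who]; {
		case e.Seq != i+1:
			return fmt.Errorf("position %d: sequence gap (entry claims seq %d)", i+1, e.Seq)
		case e.PrevHash != prev:
			return fmt.Errorf("entry %d: chain link broken", e.Seq)
		case digest(e.Seq, e.Who, e.What, e.When, e.PrevHash) != e.Hash:
			return fmt.Errorf("entry %d: content altered after signing", e.Seq)
		case !ok:
			return fmt.Errorf("entry %d: unknown signer %q", e.Seq, e.Who)
		case !ed25519.Verify(pub, []byte(e.Hash), e.Signature):
			return fmt.Errorf("entry %d: signature does not verify for %q", e.Seq, e.Who)
		}
		prev = e.Hash
	}
	return nil
}

// demo builds a constructed trail for two hypothetical actors and returns the
// verification result for the intact trail and for three manipulated copies.
func demo() map[string]error {
	pubs := map[string]ed25519.PublicKey{}
	keys := map[string]ed25519.PrivateKey{}
	for _, name := range []string{"investigator", "monitor"} {
		pub, priv, err := ed25519.GenerateKey(rand.Reader)
		if err != nil {
			panic(err)
		}
		pubs[name], keys[name] = pub, priv
	}
	t0 := time.Date(2003, 3, 1, 9, 0, 0, 0, time.UTC) // constructed event time
	build := func() *Trail {
		tr := &Trail{}
		tr.Append("investigator", "complete CRF-0001", t0, keys["investigator"])
		tr.Append("investigator", "sign CRF-0001", t0.Add(5*time.Minute), keys["investigator"])
		tr.Append("monitor", "review CRF-0001", t0.Add(time.Hour), keys["monitor"])
		return tr
	}
	results := map[string]error{"intact": build().Verify(pubs)}
	altered := build() // record content changed after it was signed
	altered.Entries[1].What = "sign CRF-0001 and CRF-0002"
	results["altered content"] = altered.Verify(pubs)
	deleted := build() // middle entry removed from the trail
	deleted.Entries = []Entry{deleted.Entries[0], deleted.Entries[2]}
	results["deleted entry"] = deleted.Verify(pubs)
	forged := build() // entry claims the monitor but is signed with another key
	forged.Append("monitor", "approve CRF-0001", t0.Add(2*time.Hour), keys["investigator"])
	results["forged identity"] = forged.Verify(pubs)
	return results
}

func main() {
	for k, v := range demo() {
		fmt.Printf("%-16s -> %v\n", k, v)
	}
}
```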

Trusted e-Systems are the means by which Intrinsic Trustworthiness is implemented in e-Programs. They
involve the ability to prove the “who, what and when” of electronic transactions, collectively referred to as
capturing and preserving electronic forensic evidence. A trustworthy e-System will operate e-Processes
that capture, preserve, retrieve, verify, render and make available in human readable form the e-Transaction
authentic content, context, notice, intent, consent, identity and time to a level of confidence commensurate
with the nature and level of risk of the e-Program and the legal significance of the e-Transaction. It
delivers accountability - that a party involved in electronic acts can be demonstrated to be the actual party
who committed the act. It also delivers reliable information - records whose content can be demonstrated to
be a complete and accurate representation of the transaction, related activities, or facts to which it attests;
and can be depended upon for subsequent actions.

The requirements of electronic trustworthiness and trusted e-Systems are relatively new and are best
embodied in the FDA regulation on electronic records and signatures - 21 CFR Part 11. However, Part 11
is still controversial, under revision and subject to interpretation, and compliance industry best practices
are still emerging.

Comprehensive Risk Management: In summary, the strategy of Enterprise Digital Trust Management
provides for the comprehensive management of the technical, legal and regulatory risks of conducting
electronic business, as illustrated in an integrated framework in Figure 12.

Figure 12: Enterprise Digital Trust Management – e-Integrity (Identity, Information, Time-of-Event),
e-Compliance (Security, Data Privacy, Trusted e-Systems) and e-Enforceability (Admissibility, Adherence) (diagram)


2.2.4 Integrated Risk Management Strategy

An enterprise has many internal and external security, data privacy and trusted e-Systems requirements it
must address. Currently, these risks are addressed on a regulation-by-regulation basis and even on a
territory-by-territory basis. This has resulted in an extremely high level of complexity, significant
duplication and a very high cost-of-compliance. It is agreed that ultimate compliance must be for each
regulation in each territory. However, the risk management and compliance methods for these
regulations can be integrated. This allows for investments made in one area to be effectively
leveraged by others, on both a regulation and a territory basis.

Figure 13: Integrated risk management – Unified (Security, Privacy, Trust, eSign); Common (Internal,
External); Architectural (eSystems, eProcesses, eTransactions, eEvent, eFunction) (diagram)

In order to reduce the cost-of-compliance and control management complexity, Enterprise Digital Trust
Management strategy is integrated. This is accomplished by 1) adopting a unified approach to addressing
the diverse but closely interrelated requirements; 2) viewing both the internal and external requirements in a
common perspective where one meets the requirements of the other and 3) taking an architectural
approach to the problem which allows the specific nature of a vulnerability to be precisely identified and its
interdependencies understood. This is illustrated in Figure 13 and will be discussed in greater detail below.

Unified Compliance Approach

The e-Value Chain illustrated in Figure 1 requires compliance to a number of laws and regulations that
govern the privacy of personally identifiable medical information, the security and trustworthiness of
information systems, the reliability of electronic signatures and the admissibility of electronic transactions.
Many laws and regulations from different sources, whether they are from different industry segments or
territories, have the same essential intent – trustworthiness of the electronic state. Consequently, many
requirements are similar and therefore should be managed in a unified approach. The following are
examples of the similarity of requirements.

Data Privacy. The European Union Data Privacy Directive establishes a minimum standard by which all
EU national legislation must govern the collection, use and disclosure of personally identifiable information,
irrespective of its industry segment or application. The U.S. Health and Human Services has issued its final
rule (HIPAA) for the privacy protection of medical records. Both of the data privacy directive and the
HIPAA privacy rule are consistent with the OECD Fair Information Practice Principles. Consequently,
there is a common foundation between the two and the management of the compliance requirements
should leverage this commonality.

Electronic Signatures. The European Union Electronic Signature Directive establishes a minimum
standard by which all national legislation must govern the validity and admissibility of electronic signatures
and agreements. The U.S. has its own electronic signature legislation. Both are consistent with the United
Nations model law on electronic signatures. The U.S. Health and Human Services under HIPAA will be
issuing its final rule establishing the standards for the use of electronic signatures and the FDA has issued its
regulation governing in part standards for electronic signatures. There is also a significant body of legal
standards that electronic signatures must adhere to in addition to e-Sign laws. Consequently, there is also a
significant common foundation between the two and the management of these requirements should
leverage this commonality.

Security. The U.S. Health and Human Services under HIPAA will be issuing its final rule establishing the
security standard for the protection of medical records. The FDA’s 21 CFR Part 11 regulation also has
requirements governing in part standards for electronic records security. These two regulations, both of
which govern different e-Programs within the e-Value Chain, require compliance to the common set of
requirements. The security practices that will meet these requirements under HIPAA for protecting the
confidentiality of medical information of clinical trial patients are the same security best practices that will
also fulfill the requirements under 21 CFR Part 11.

Trustworthy e-Submissions. The FDA has issued 21 CFR Part 11, a regulation governing New Drug
Application submissions and the International Conference on Harmonization is developing the Electronic
Common Technical Document (e-CTD) standard. Both are designed to be consistent, that is, a submission
compliant to Part 11 will be considered e-CTD compliant, and vice versa.

All these laws and regulations are driving towards a common objective – the creation of a Trusted Digital
Enterprise where patient personal information is secure, electronic signatures are reliable, electronic records
are authentic, time stamps are auditable, electronic transactions are admissible and electronic systems and
processes are trustworthy. Many requirements from different sources can be aggregated into “governing”
requirements that can be managed using a common and consistent approach.

Enterprise Digital Trust Management adopts a compliance strategy that is unified – managing the Data
Privacy, Security, and Trusted e-Systems regulatory requirements, e-Sign legislative requirements and the
requirements of legal standards into an integrated set of enterprise Digital Trust requirements.

Common Compliance Approach

The FDA has explicitly stated that there are higher risks of manipulation and falsification in conducting
business electronically and in keeping records in electronic form than there are in their paper-based counterparts.
“The FDA view is that the risks of falsification, misinterpretation, and change
without leaving evidence are higher with electronic records than paper records.” 35
Consequently, in order to address this new reality, the FDA has articulated through Part 11 a minimum
standard of security and electronic integrity to ensure the trustworthiness of electronic submissions for New
Drug Applications.
“The regulation … [21 CFR Part 11] set forth the criteria under which the agency
considers electronic records, electronic signatures, … to be trustworthy, reliable,
and generally equivalent to paper records and handwritten signatures executed on
paper.” 36
The business case for adopting e-Programs and transitioning to an electronic value chain is sufficiently
compelling even without regulatory pressures. The very same risks as those articulated by the FDA exist for
the LSOs that make the transition. Consequently, the internal risk mitigation requirements that each LSO
will seek to implement to ensure a trustworthy enterprise will be very similar to those established by external
regulators such as the FDA. In fact, 21 CFR Part 11 is the first articulation of a “standard” as to the
trustworthiness of electronic records and signature systems that will eventually evolve into an industry best
practice. Part 11 should be viewed as a useful reference standard to guide an organization’s own transition
to an electronic value chain. It makes no business sense to define and manage two separate standards –
internal and external requirements. A common standard should be established, to the extent possible,
where the exception can be managed on a case-by-case basis.

35 “Good Practice and Compliance for Electronic Records and Signatures, Part 2, page 9, section 1.1”
36 FDA 21 CFR Part 11.1 Scope.

The Enterprise Digital Trust Management strategy integrates internal and external (regulatory) requirements
into a common compliance approach that reduces the overall level of complexity and cost-of-compliance.

Architectural Compliance Approach

The technical, legal and regulatory risks previously discussed exist at many different levels within an
organization. These require different types of expertise and forms of mitigation involving technology,
people and process. The vulnerability can be a business or liability risk at the e-Program level, a regulatory
compliance issue at the e-Process level, an enforceability risk at the transaction level or a technical risk at
the function level.

Digital Trust is a state of trustworthiness that must exist throughout all architectural levels of the
electronic resources engaged in the delivery of an e-Program. There must be a structure of relationships
and associations that start with the electronic systems that are networked, the processes and applications
operated by the systems, the transactions run by the processes, the events executed by the transactions, the
functions executed by the events and finally the relational data upon which it all rests. This is illustrated in
Figure 14.

Figure 14: Enterprise Digital Trust architectural levels – e-Program, e-Systems, e-Processes (Applications),
e-Transactions, e-Events, e-Functions, Data (diagram)

The Enterprise Digital Trust Management strategy adopts a systematic and architectural approach to
defining the generic types of risks that must be addressed, the identification of those risks that apply, the
classification of those risks by probability, frequency and severity and the subsequent prioritization in terms
of which risks should be mitigated for the greatest return on investment – increased trustworthiness.


3 Enterprise Risk Management Method: The Digital Chain of Trust Methodology

Notice: This section is proprietary and confidential. To obtain the information under a
Non-Disclosure, please contact Jacques Francoeur at: jfrancoeur@trustera.com or call 650-255-6516.

Figure 15: Digital Chain of Trust Methodology – Manageable Framework (Concept, Language, Structure);
Architecture (Measure, Monitor, Demonstrate); Methodology (Knowledge Management, Work Automation,
CIP/CI) (diagram)


3.1 Management & Organizational Benefits

There are a number of organizational and management benefits to Enterprise Digital Trust Management –
the enterprise management of the technical, legal and regulatory risks of an electronic value chain. The
return on investment from a 3 - 5 year drug development cycle, down from an average of 10 - 12 years, and
a $200 million pre-launch total cost of development, down from an average of $800, is self-evident. The
cost of not achieving this goal is certain corporate death – share value devaluation.

“Perhaps one reason for the slow adoption rate [of e-Clinical Trials] is that the implementation of EDC
solutions needs to be at the enterprise level and must be fully supported by related process and
infrastructure changes. Without a commitment at the enterprise level, an organization is unlikely to be
able to access and view disparate data sources in one place, within a single clinical trial, across a
development program, and ultimately across the enterprise – which is fundamental to realizing the
sought-after business benefits. There is little value in having data available electronically if it remains
siloed and largely inaccessible.”
Pharmaceutical Clinical Development: The future of clinical trials – How genomics, proteomics, and
technology are changing the clinical development process, IBM Life Sciences, June 2002.

Enterprise Digital Trust Management contributes to reaching these goals as follows:

Effective Allocation of Scarce Resources - Identify, Classify and Prioritize

The complexity of risks involved in an e-Program is substantial, let alone a number of e-Programs forming
the e-Value Chain. One of the main challenges facing the organization is the comprehensive and systematic
identification of risks, the classification of those risks by probability, frequency and severity and the
subsequent prioritization in terms of which risks should be mitigated for the greatest return on investment.
The comprehensive and architectural nature of the Digital Chain of Trust Methodology enables the
effective allocation of scarce resources for risk mitigation.

Controlled and Measurable Risk Mitigation – Reduced Uncertainty

Enterprise Digital Trust Management controls the transition from the current state to the desired end state
by applying a comprehensive and integrated reference framework consistently throughout the entire
transition period. The DCTF is used to first inventory and classify all the electronic resources involved in a
particular e-Program. The DCTF then is used to identify and structure all electronic risks by class, type and
function, assess and classify each e-Risk by level of severity and frequency probability and help prioritize
and allocate scarce resources to mitigate selected e-Risks. The Digital Chain of Trust Architecture is then
used to build the three e-Program reference architectures to subsequently measure the current state of
identity, information and time practices against a desired state.

Finally, the Digital Chain of Trust Methodology automates the process of auditing against the three DCTA
reference architectures to transition through the engagement lifecycle (assessment, gap analysis and
remediation) to reach and maintain the desired state. The DCTM allows for a precise determination of the
current status of any electronic system, process and transaction anytime during the transition.

Enterprise Digital Trust Management provides a systematic method of measuring and demonstrating to all
key stakeholders that the organization’s e-Programs are trustworthy. That is, each e-Program mitigates its
risks to a specific design level (e-Integrity), adheres to legal standards and electronic signature laws (e-
Enforceability) and is regulatory compliant (e-Compliance) with all relevant requirements.
From this level of management and measurement structure, effective decisions and management assertions
can be made to stakeholders with confidence.


Reduced Cost-of-Compliance

The Life Sciences industry is heavily regulated and therefore the cost-of-compliance is a significant cost
burden that will only increase. In a letter to the FDA, SmithKline Beecham stated the following concerning
the one-time internal cost-of-compliance for 21 CFR Part 11: “The total cost of these initiatives for
SmithKline Beecham is estimated to exceed 214 million dollars.”[37] This includes the costs for SOPs,
training, inventory and assessment, corrective action plans, implementation of corrective action plans,
capital expenditure, validation, electronic archival, data migration and certification. This excludes the cost
of assuring compliance of third party vendors such as Contract Research Organizations.

A Gartner G2 report[38] on the impact of Part 11 stated, “A common concern is that a global company
could spend more than $100 million in administrative and technology expenses to become
compliant.” The report goes on to say, “For this industry, the cost of compliance will have at least
the same impact, if not more, than Y2K.”

Enterprise Digital Trust Management and the Digital Chain of Trust Methodology will reduce the cost-of-
compliance by implementing a consistent framework throughout the compliance life-cycle, leveraging audit
practice knowledge across the enterprise and employing work automation techniques.

• A consistent framework for analysis is applied throughout the audit life-cycle.

• Knowledge management methods are used to make available all related information, such as audit
control objectives, assessment templates, etc., to practitioners to facilitate the audit and to leverage
existing information. The same information is made available throughout the enterprise, resulting in a
consistent implementation of audit practices across all systems.

• Work automation techniques are implemented to automate the audit process, including data capture,
data management and reporting.

• The DCTM brings together all stakeholders involved in the successful delivery of an electronic
initiative. From the structure inherited from the framework (DCTF), all stakeholders can identify their
own role and functions, understand those of other stakeholders, understand how different stakeholders
interrelate, understand the source and reasoning of decisions and their implications, and see the defined
actions and deliverables between stakeholders. The increased cohesion of the multi-disciplinary team and
the reduced confusion and misunderstanding between stakeholders greatly increase the effectiveness of
compliance process management.

• Requirements Aggregation: A number of different regulations and internal requirements demand
that a specific system, process or transaction have a particular characteristic. It is not cost
effective to manage these requirements as if they were independent of each other. The same
requirement from multiple sources can be aggregated and audited once for compliance, saving
considerable time and resources, while compliance with a particular control objective from a specific
regulation can still be easily demonstrated.
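The aggregation step described above, as an added illustration (not code from the paper or from Proofspace): source-specific clauses are mapped onto shared control objectives, each control is audited once, and the results are traced back per source so that compliance with a particular regulation can still be demonstrated. “21 CFR Part 11” is the one source named on this page; “Internal SOP”, “Regulation B”, the clause references, control ids and audit findings are constructed placeholders.

```python
from collections import defaultdict

# Constructed sample data: "21 CFR Part 11" is named in the paper; "Internal SOP"
# and "Regulation B", the clause refs and the control ids are placeholders.
REQUIREMENTS = [
    # (source, clause reference within that source, canonical control objective)
    ("21 CFR Part 11", "P11-a", "CO-AUDIT-TRAIL"),
    ("21 CFR Part 11", "P11-b", "CO-ACCESS-CONTROL"),
    ("21 CFR Part 11", "P11-c", "CO-E-SIGNATURE"),
    ("Internal SOP",   "SOP-1", "CO-AUDIT-TRAIL"),
    ("Internal SOP",   "SOP-2", "CO-ACCESS-CONTROL"),
    ("Internal SOP",   "SOP-3", "CO-BACKUP"),
    ("Regulation B",   "RB-1",  "CO-AUDIT-TRAIL"),
    ("Regulation B",   "RB-2",  "CO-BACKUP"),
]

# Constructed audit findings: each control objective is tested exactly once.
FINDINGS = {"CO-AUDIT-TRAIL": True, "CO-ACCESS-CONTROL": False,
            "CO-E-SIGNATURE": True, "CO-BACKUP": True}

def aggregate(requirements):
    """Group source clauses by shared control objective -> {control: [(source, clause)]}.
    The number of keys is the number of audits actually needed."""
    by_control = defaultdict(list)
    for source, clause, control in requirements:
        by_control[control].append((source, clause))
    return dict(by_control)

def audit_once(by_control, findings):
    """Audit each aggregated control once. A control with no finding is an error,
    not a silent pass: an unaudited control must not look compliant to any source."""
    missing = set(by_control) - set(findings)
    if missing:
        raise ValueError(f"controls without audit findings: {sorted(missing)}")
    return {control: bool(findings[control]) for control in by_control}

def per_source_report(by_control, results):
    """Trace the single set of control results back to each source's own clauses.
    Returns {source: {"clauses": n, "compliant": m, "open": [clause, ...]}}."""
    report = defaultdict(lambda: {"clauses": 0, "compliant": 0, "open": []})
    for control, clauses in by_control.items():
        for source, clause in clauses:
            entry = report[source]
            entry["clauses"] += 1
            if results[control]:
                entry["compliant"] += 1
            else:
                entry["open"].append(clause)
    return dict(report)
```

Eight source requirements collapse to four audited controls, and one failed control (access control) surfaces as an open clause in every source that relies on it.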

[37] SmithKline Beecham letter to Dockets Management Branch (HFA-305), Food and Drug Administration, Docket
No. 99N-4166, 29 November 1999.
[38] Gartner G2, “Truth and Misconceptions: The Federal Electronic Records Statute”, May 2002.


Consistent Intended Performance & Continuous Improvements

In order to reduce the risk management cost and complexity, it is important that the organization create as
much “predictability” in terms of “consistent intended performance” in their systems across the enterprise
as possible. The application of a consistent risk management framework across multiple e-Programs will
result in a greater “consistency of risk mitigation” of systems, processes and transactions.

It is also important to the organization’s return on investment that it effectively leverage investments and
knowledge allocated to solve one problem to the resolution of other similar problems. This consistency of
approach to risk mitigation will allow for solutions applied to one system to be applied to others with lower
expenditure of resources and a higher predictability of outcome.

The Management Process

Enterprise Digital Trust Management provides measurable benefits to all levels of management, as follows:

• “C”-level executives and Legal Counsel with greater certainty and confidence that management
assertions concerning the electronic integrity, regulatory compliance and legal admissibility of their
business practices reflect their actual practices, including confidence that this can be
demonstrated to external stakeholders.

• Senior Executives with a structured method to identify the nature and level of risks involved in an
e-Program, determine the desired level of risk mitigation and manage the implementation of those
decisions in a verifiable manner.

• Middle Managers with a practical implementation method for delegating particular tasks to individual
practitioners, monitoring the execution of those tasks and aggregating their results for systematic
reporting. The method also allows resources to be allocated against a defined scope of work and
resource shortfalls to be identified.

• Practitioners with a step-by-step guide to the completion of a task by providing a structured and
well-defined scope of work, a method of defining the input requirements necessary for the completion of a
task and of defining deliverables to other practitioners.

• Auditors with a systematic way of measuring and reporting compliance with corporate policies and
practices.
