Define the preservation and disposition requirements for each system's records.

UCF ID: 00904
Control Type: Process or Activity
Status: Live

Supporting and supported controls

This control directly supports:

    Establish and maintain procedures for managing the records of each system. [UCF Control ID 00903]

This control has the following supporting controls:

Authority documents complied with:

FFIEC IT Examination Handbook – Operations, July 2004, Pg 32, Exam Tier I Obj 9.3; FDA Electronic Records; Electronic Signatures FDA 21 CFR Part 11+D1, § 11.10; US Department of Energy Cyber Security Program Media Clearing, Purging, and Destruction Guidance: DOE CIO Guidance CS-11, January 2007, § 6.a; Protection of Assets Manual, ASIS International, Pg 29-I-16; Chemical Facility Anti-Terrorism Standards (CFATS), Department of Homeland Security, 6 CFR Part 27, § 27.255(a)(7), § 27.255(b); NISPOM - National Industrial Security Program Operating Manual (DoD 5220.22-M) February 26, 2006, February 28, 2006, § 4-103, § 10-716; 49 CFR Part 1542 - Airport Security, § 1542.209(k), § 1542.209(o); US Export Administration Regulations Database, § 762.2(a), § 762.4; US The International Traffic in Arms Regulations, April 1, 2008, § 122.5(a), § 123.21, § 125.6, § 130.14; IRS Revenue Procedure: Record retention: automatic data processing, 98-25, § 5.01; The DIRKS Manual: A Strategic Approach to Managing Business Information, rev. July 2003, App 10, Pg 3; The Sedona Principles Addressing Electronic Document Production, July 2005 Version, Principle 5.a; Telemarketing Sales Rule (TSR), 16 CFR 310, § 310.5; ISO/IEC 17799 Code of Practice for Information Security Management, 2005, § 15.1.3; ISO/IEC 27001 Information Security Management Systems - Requirements, 2005, § 4.3.3; ISO/IEC 27002 Code of practice for information security management, 2005, § 15.1.3; Guidelines for Media Sanitization, NIST SP 800-88, September, 2006, § 4.3, § 4.6; Italy Personal Data Protection Code, § 93

Banking and Finance Guidance

The original document should not be destroyed until it has been verified that the scanned image is readable. [Pg 32, Exam Tier I Obj 9.3, FFIEC IT Examination Handbook – Operations, July 2004]

Healthcare and Life Science Guidance

Organizations prepare for discovery by having records available for inspection and review by the FDA; the section does not explicitly mention an indexing capability. [§ 11.10, FDA Electronic Records; Electronic Signatures FDA 21 CFR Part 11+D1]

Energy Guidance

Senior management should define the policies and procedures for sanitizing electronic media and hardware. At a minimum, the policies and procedures should require that media be purged before it is released to personnel who are not authorized to access the information it contains; that the equipment used to purge, clear, and destroy media receive regular maintenance and calibration so that it works correctly; that storage media be tracked and controlled until it has been properly purged or destroyed; that destruction records be kept for all destroyed media; that the personnel who approve the procedures, equipment, and software be identified; that the process required for reusing media be stated; and that directions be given on how to handle and control media before it is purged, cleared, or destroyed. [§ 6.a, US Department of Energy Cyber Security Program Media Clearing, Purging, and Destruction Guidance: DOE CIO Guidance CS-11, January 2007]

US Federal Security Guidance

All Letters of Approval and Authorization received from the Department of Homeland Security and all results from audits and inspections must be kept for at least 3 years. The Site Security Plans, Security Vulnerability Assessments, Top-Screens, and other correspondence submitted to the Department of Homeland Security must be kept for at least 6 years. [§ 27.255(a)(7), § 27.255(b), Chemical Facility Anti-Terrorism Standards (CFATS), Department of Homeland Security, 6 CFR Part 27]

After a classified contract has ended, unneeded information must be disposed of appropriately. The organization may retain needed information for up to 2 years after the contract is completed. NATO classified documents must be returned to the contracting agency when the contract has been completed. [§ 4-103, § 10-716, NISPOM - National Industrial Security Program Operating Manual (DoD 5220.22-M) February 26, 2006, February 28, 2006]

The airport operator must maintain all employment investigation files for 180 days after an individual's unescorted access authority is terminated. After this time the record must be destroyed. The airport operator must designate an individual to maintain and destroy criminal record files. [§ 1542.209(k), § 1542.209(o), 49 CFR Part 1542 - Airport Security]

The required records to be kept include export control documentation, memoranda, notes, contracts, correspondence, financial records, bid invitations, restrictive trade practices, and records of other transactions described in § 762.1(a). Records must be maintained in the form they are received or created, unless they meet the requirements of the reproduction of reports. [§ 762.2(a), § 762.4, US Export Administration Regulations Database]

All records must be maintained for 5 years from the expiration of the license or the date of the transaction. An export license is valid for 4 years. It will expire when the quantity or value approved has been shipped or the expiration date is reached, whichever comes first. Unused, expended, expired, revoked, or suspended licenses must be returned immediately to the State Department. Exemption certifications must be maintained by the exporter for 5 years. [§ 122.5(a), § 123.21, § 125.6, § 130.14, US The International Traffic in Arms Regulations, April 1, 2008]

US Federal Privacy Guidance

All sellers and telemarketers must keep, for 24 months from the date the record is produced, the following records relating to their activities: any unique advertising and promotional material, the name and address of each prize recipient, the name and last known address of each customer, the goods or services purchased, the date the goods or services were shipped or provided and the amount the customer paid for them, the name and contact information of former employees involved in telephone sales or solicitations, and all verifiable authorizations and agreements required to be provided. [§ 310.5, Telemarketing Sales Rule (TSR), 16 CFR 310]

US Internal Revenue Guidance

Any machine-sensible records containing financial taxpayer information must be retained so long as the contents may become material in the administration of any internal revenue law. For the purposes of discovery, Revenue Procedure 97-22 requires that any hardcopy books and records stored electronically be made available to the Service (the IRS) upon request. The same is true for the machine-sensible records outlined in 98-25. Furthermore, 97-22 requires that indexes of electronic records be available for retrieval of such information. [§ 5.01, IRS Revenue Procedure: Record retention: automatic data processing, 98-25]

Records Management Guidance

Before the recordkeeping project's cost-benefit analysis can be conducted, the business purpose and overall business objectives have to be understood and accounted for. [App 10, Pg 3, The DIRKS Manual: A Strategic Approach to Managing Business Information, rev. July 2003]

Routine destruction of records may continue so long as those records do not include materials necessary as evidence in the litigation. Routine recycling of materials such as magnetic tapes may also be permitted. Striking a balance between an organization's duty to preserve relevant data and its need to continue operations is recommended. [Principle 5.a, The Sedona Principles Addressing Electronic Document Production, July 2005 Version]

NIST Guidance

The organization should ensure all media classifications have a sanitization method associated with them and the processes are documented. [§ 4.3, § 4.6, Guidelines for Media Sanitization, NIST SP 800-88, September, 2006]

ISO Guidance

When deciding how to store records, the amount of time they must be kept should be considered. Records can be stored on microfiche, digital media, or paper. If digital media is used, procedures should be in place to ensure the media can be read in the future due to possible technology changes. [§ 15.1.3, ISO/IEC 17799 Code of Practice for Information Security Management, 2005]

The organization should decide how long each type of record should be maintained and how the records will be destroyed when the retention time period has elapsed. [§ 4.3.3, ISO/IEC 27001 Information Security Management Systems - Requirements, 2005]

When deciding how to store records, the amount of time they must be kept should be considered. Records can be stored on microfiche, digital media, or paper. If digital media is used, procedures should be in place to ensure the media can be read in the future due to possible technology changes. [§ 15.1.3, ISO/IEC 27002 Code of practice for information security management, 2005]
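The guidance above describes a disposition workflow without showing one: FFIEC's rule that the original is not destroyed until the scanned image is verified readable, DOE's requirement for destruction records and named approvers, the Sedona principle that routine destruction continues except for records subject to a litigation hold, NIST SP 800-88's sanitization method per media class, and ISO/IEC 27001's retention period and destruction method per record type. The following Python is an added example, not code from the UCF page or from any authority document it cites. The schedule entries, media classes, sanitization methods, hold identifiers, names and sample records are constructed assumptions; actual retention periods must be taken from the source texts and confirmed with counsel.

```python
"""Records disposition check: retention schedule, legal hold, verified copy,
destruction record. Added illustration; all schedule values are assumptions."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, FrozenSet, Optional


@dataclass(frozen=True)
class Retention:
    years: int = 0   # anniversaries after the trigger event
    days: int = 0    # additional fixed days (e.g. a 180-day period)


# Assumed schedule keyed by record type; sample values only.
SCHEDULE: Dict[str, Retention] = {
    "cfats_audit_result": Retention(years=3),
    "cfats_site_security_plan": Retention(years=6),
    "tsr_sales_record": Retention(years=2),
    "airport_employment_investigation": Retention(days=180),
}

# Assumed sanitization method per media class (in the spirit of SP 800-88).
# A media class with no entry is never eligible for disposal.
SANITIZATION_BY_MEDIA: Dict[str, str] = {
    "paper": "cross-cut shred",
    "magnetic_hdd": "purge (overwrite or degauss)",
    "ssd": "purge (cryptographic erase) or physical destruction",
}


def add_years(d: date, years: int) -> date:
    """Anniversary date; 29 Feb rolls back to 28 Feb in non-leap years."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


def disposition_date(record_type: str, trigger: date) -> date:
    r = SCHEDULE[record_type]
    return add_years(trigger, r.years) + timedelta(days=r.days)


def disposition_date_iso(record_type: str, trigger_iso: str) -> str:
    return disposition_date(record_type, date.fromisoformat(trigger_iso)).isoformat()


@dataclass(frozen=True)
class Record:
    record_id: str
    record_type: str
    trigger_date: date               # event the retention clock runs from
    media: str                       # key into SANITIZATION_BY_MEDIA
    hold_ids: FrozenSet[str] = frozenset()
    image_verified: Optional[bool] = None  # None: no scan; False: scan unverified; True: verified


@dataclass(frozen=True)
class Decision:
    action: str                      # "hold" | "retain" | "verify_copy" | "dispose"
    reason: str
    method: Optional[str] = None


def evaluate(rec: Record, today: date, active_holds: FrozenSet[str]) -> Decision:
    held = rec.hold_ids & active_holds
    if held:                         # litigation hold suspends routine destruction
        return Decision("hold", "legal hold active: " + ", ".join(sorted(held)))
    due = disposition_date(rec.record_type, rec.trigger_date)
    if today < due:
        return Decision("retain", "retention runs until " + due.isoformat())
    if rec.image_verified is False:  # original stays until the image is checked
        return Decision("verify_copy", "scanned image not yet verified readable")
    method = SANITIZATION_BY_MEDIA.get(rec.media)
    if method is None:
        return Decision("retain", "no sanitization method defined for media " + rec.media)
    return Decision("dispose", "retention expired " + due.isoformat(), method)


def destruction_record(rec: Record, decision: Decision, performed_on: date,
                       performed_by: str, approved_by: str) -> Dict[str, str]:
    """Destruction log entry; refuses anything the evaluation did not clear."""
    if decision.action != "dispose":
        raise ValueError(f"{rec.record_id} not eligible: {decision.action} ({decision.reason})")
    return {"record_id": rec.record_id, "record_type": rec.record_type, "media": rec.media,
            "method": decision.method or "", "destroyed_on": performed_on.isoformat(),
            "performed_by": performed_by, "approved_by": approved_by}


def demo(today_iso: str, active_holds: FrozenSet[str] = frozenset()) -> Dict[str, str]:
    """Constructed sample records (trigger 2018-03-01) -> {record_id: action}."""
    today, trig = date.fromisoformat(today_iso), date(2018, 3, 1)
    samples = [
        Record("SSP-1", "cfats_site_security_plan", trig, "paper", image_verified=True),
        Record("SSP-2", "cfats_site_security_plan", trig, "paper",
               hold_ids=frozenset({"LIT-2023-07"}), image_verified=True),
        Record("SSP-3", "cfats_site_security_plan", trig, "paper", image_verified=False),
        Record("SSP-4", "cfats_site_security_plan", trig, "optical"),
    ]
    return {r.record_id: evaluate(r, today, active_holds).action for r in samples}


def demo_destruction(today_iso: str) -> Dict[str, str]:
    """Destruction record for sample SSP-1 on today_iso (raises if not eligible)."""
    today = date.fromisoformat(today_iso)
    rec = Record("SSP-1", "cfats_site_security_plan", date(2018, 3, 1), "paper", image_verified=True)
    return destruction_record(rec, evaluate(rec, today, frozenset()), today, "j.doe", "records.mgr")


if __name__ == "__main__":
    for rid, action in demo("2024-03-01", frozenset({"LIT-2023-07"})).items():
        print(rid, action)
```

The order of the checks is the point: a hold is tested before the retention date so a record can never be disposed of merely because its period has run out, the unverified-scan case blocks destruction of the paper original, and a media class with no documented sanitization method is retained rather than destroyed by an undefined process. The destruction record carries the approver and the method so the log can be audited later.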

General Guidance

Information and diagnoses of injuries/illnesses must be entered into the injury/illness log within 6 working days, and the log must be kept current to within 45 days. The logs and records must be maintained for 5 years and must be available without delay for examination by personnel from the Department of Labor and the Department of Health and Human Services. [Pg 29-I-16, Protection of Assets Manual, ASIS International]

Other European and African Guidance

Clinical records or certificates of attendance at birth that contain personal data identifying a mother who has objected may be issued to any person with an interest in the data only after 100 years have passed since the document was drawn up. During this 100-year period, requests for access may be granted if suitable precautions are taken to prevent the mother from being identifiable. [§ 93, Italy Personal Data Protection Code]


Copyright 2005-2009 Unified Compliance Framework™. All rights reserved.


Site and content © Copyright 2003-2009 Network Frontiers, LLC. All rights reserved.