Determining documents for capture

Status: Live

The organization will determine documents for capture. [UCF ID 00905]

Supporting and supported controls

This control directly supports:

    Determine each system’s records preservation and disposition obligations [UCF Control ID 00904]

This control has the following supporting controls:

    Determining how long to retain records and create a data retention policy [UCF Control ID 00906]

Authority documents complied with:

    FFIEC IT Examination Handbook – Operations, July 2004, Pg 32
    Recordkeeping rule for securities exchanges, SEC 17 CFR 240.17a-1, § 240.17a-1(a)
    Records to be made by certain exchange members, brokers, and dealers, SEC 17 CFR 240.17a-3, § 240.17a-3(a)
    Appendix III to OMB Circular No. A-130: Security of Federal Automated Information Resources, § 8(a)(1)(j)
    ISO 15489-1:2001, Information and Documentation: Records management: Part 1: General, § 9.1
    ISO 15489-2:2001, Information and Documentation: Records management: Part 2: Guidelines, § 4.2.4.2

Banking and Finance Guidance

Adequate controls should be in place at the point at which document images are captured. [Pg 32, FFIEC IT Examination Handbook – Operations, July 2004]

NASD NYSE Guidance

Every national securities exchange, national securities association, registered clearing agency and the Municipal Securities Rulemaking Board shall keep and preserve at least one copy of all documents, including all correspondence, memoranda, papers, books, notices, accounts, and other such records as shall be made or received by it in the course of its business as such and in the conduct of its self-regulatory activity. [§ 240.17a-1(a), Recordkeeping rule for securities exchanges, SEC 17 CFR 240.17a-1]

Organizations must keep blotters containing an itemized daily record of all purchases and sales of securities, all receipts and deliveries of securities, all receipts and disbursements of cash, and all other debits and credits. Such records shall show the account for which each such transaction was effected, the name and amount of securities, the unit and aggregate purchase or sale price (if any), the trade date, and the name or other designation of the person from whom purchased or received or to whom sold or delivered. Ledgers must also be kept, containing a list of all assets and liabilities, income and expense, and capital accounts. Ledgers must also be kept for the accounts of each customer and for financial information for the organization, such as securities in transfer, dividends and interest received, securities borrowed or loaned, money borrowed or loaned, and any failure to deliver or receive securities. [§ 240.17a-3(a), Records to be made by certain exchange members, brokers, and dealers, SEC 17 CFR 240.17a-3]

US Federal Security Guidance

The organization should record, preserve, and make accessible sufficient information to ensure the management and accountability of agency programs, and to protect the legal and financial rights of the Federal Government. [§ 8(a)(1)(j), Appendix III to OMB Circular No. A-130: Security of Federal Automated Information Resources]

Records Management Guidance

To determine what documents to capture, an analysis of the regulatory environment, business and accountability requirements and the risk of not capturing records should be conducted. What to capture and what to ignore will vary from organization to organization. Business or personal actions should generally be captured and linked to metadata that characterizes their specific business context. [§ 9.1, ISO 15489-1:2001, Information and Documentation: Records management: Part 1: General]

Determining what records to capture requires analysis of the organization’s internal and external environment, its relationships to that environment, and identification of the business functions and activities it performs. This information should be examined with the business unit responsible for the activity on the systems for which record capture is potentially being set up. Anything captured and created needs to have a retention period assigned to it so it is clear how long it should be maintained. [§ 4.2.4.2, ISO 15489-2:2001, Information and Documentation: Records management: Part 2: Guidelines]


Copyright 2005-2009 Unified Compliance Framework™. All rights reserved.


Site and content © Copyright 2003-2009 Network Frontiers, LLC. All rights reserved.