Define what documents the organization should capture.

UCF ID: 00905
Control Type: Process or Activity
Status: Live

Supporting and supported controls

This control directly supports:

    Define the preservation and disposition requirements for each system's records. [UCF Control ID 00904]

This control has the following supporting controls:

    Establish and maintain a data retention policy and determine how long to retain records. [UCF Control ID 00906]

Authority documents complied with:

FFIEC IT Examination Handbook – Operations, July 2004, Pg 32; Recordkeeping rule for securities exchanges, SEC 17 CFR 240.17a-1, § 240.17a-1(a); Records to be made by certain exchange members, brokers, and dealers SEC 17 CFR 240.17a-3, § 240.17a-3(a); Appendix III to OMB Circular No. A-130: Security of Federal Automated Information Resources, § 8(a)(1)(j); ISO 15489-1:2001, Information and Documentation: Records management: Part 1: General, § 9.1; ISO 15489-2: 2001, Information and Documentation: Records management: Part 2: Guidelines, § 4.2.4.2; Organizational Resilience: Security, Preparedness, and Continuity Management Systems -- Requirements with Guidance for Use, ASIS SPC.1-2009, § 4.4.5 ¶ 2

Banking and Finance Guidance

Adequate controls should be in place at the point at which document images are captured. [Pg 32, FFIEC IT Examination Handbook – Operations, July 2004]

NASD NYSE Guidance

Every national securities exchange, national securities association, registered clearing agency and the Municipal Securities Rulemaking Board shall keep and preserve at least one copy of all documents, including all correspondence, memoranda, papers, books, notices, accounts, and other such records as shall be made or received by it in the course of its business as such and in the conduct of its self-regulatory activity. [§ 240.17a-1(a), Recordkeeping rule for securities exchanges, SEC 17 CFR 240.17a-1]

Organizations must keep blotters containing an itemized daily record of all purchases and sales of securities, all receipts and deliveries of securities, all receipts and disbursements of cash and all other debits and credits. Such records shall show the account for which each such transaction was effected, the name and amount of securities, the unit and aggregate purchase or sale price (if any), the trade date, and the name or other designation of the person from whom purchased or received or to whom sold or delivered. Ledgers must also be kept, containing a list of all assets and liabilities, income and expense and capital accounts. Ledgers must also be kept for accounts of each customer, and financial information for the organization such as securities in transfer, dividends and interest received, securities borrowed or loaned, money borrowed or loaned and any failure to deliver or receive securities. [§ 240.17a-3(a), Records to be made by certain exchange members, brokers, and dealers SEC 17 CFR 240.17a-3]

US Federal Security Guidance

The organization should record, preserve, and make accessible sufficient information to ensure the management and accountability of agency programs, and to protect the legal and financial rights of the Federal Government. [§ 8(a)(1)(j), Appendix III to OMB Circular No. A-130: Security of Federal Automated Information Resources]

Records Management Guidance

To determine what documents to capture, an analysis of the regulatory environment, business and accountability requirements and the risk of not capturing records should be conducted. What to capture and what to ignore will vary from organization to organization. Business or personal actions should generally be captured and linked to metadata that characterizes their specific business context. [§ 9.1, ISO 15489-1:2001, Information and Documentation: Records management: Part 1: General]

Determine what records to capture by analyzing the organization’s internal and external environment, its relationships to that environment, and the business functions and activities it performs. This information should be examined with the business unit responsible for the activity on the systems for which record capture is potentially being set up. Anything captured and created needs to have a retention period assigned to it so it is clear how long it should be maintained. [§ 4.2.4.2, ISO 15489-2: 2001, Information and Documentation: Records management: Part 2: Guidelines]

General Guidance

The organization must develop, implement, and maintain procedures to approve the adequacy of documents prior to issuance; review, update, and then re-approve documents; ensure that documents are identified with the current revision status and changes; ensure relevant versions of documents are available for use where needed; set parameters for document retention and archiving; ensure original and archived copies of documents, information, and data are readily identifiable and legible; ensure identification of external origin documents that are necessary for the planning and operation of the organizational resilience management system and control their distribution; identify as obsolete outdated documents the organization is required to retain; and ensure the integrity of documents by making sure they are tamperproof, protected from unauthorized access, securely backed up, and protected from loss, damage, and deterioration. [§ 4.4.5 ¶ 2, Organizational Resilience: Security, Preparedness, and Continuity Management Systems -- Requirements with Guidance for Use, ASIS SPC.1-2009]


Copyright 2005-2009 Unified Compliance Framework™. All rights reserved.


Site and content © Copyright 2003-2009 Network Frontiers, LLC. All rights reserved.