Capture records as defined by organizational policy

Status: Live

The organization will capture records as defined by organizational policy. [UCF ID 00912]

Supporting and supported controls

This control directly supports:

Maintain a classification methodology for captured records [UCF Control ID 00911]

This control has the following supporting controls:

Ensure that the system has capabilities for assigning the appropriate information classification categories to information being imported manually [UCF Control ID 04555]

Classify confidential information in records systems according to sensitivity [UCF Control ID 04720]

Authority documents complied with:

FFIEC IT Examination Handbook – Wholesale Payment Systems, July 2004, Exam Tier II Obj 4.4; Protection of Assets Manual, ASIS International, Pg 11-III-6; ISO 15489-1:2001, Information and Documentation: Records management: Part 1: General, § 9.3; ISO 15489-2: 2001, Information and Documentation: Records management: Part 2: Guidelines, § 4.3.2

Banking and Finance Guidance

[Exam Tier II Obj 4.4, FFIEC IT Examination Handbook – Wholesale Payment Systems, July 2004]

US Federal Security Guidance

In order to maintain a continuous record of accountability for products, the organization should record the identification and quantity of products and the names of those who were involved in the transaction, and their signatures, in a database. [Pg 11-III-6, Protection of Assets Manual, ASIS International]

Records Management Guidance

The purpose of capturing records into records systems is to establish a relationship between the record, the creator and the business context that originated it, place the record and its relationship within a records system and link it to other records. Techniques to ensure record capture include classification and indexing that allow appropriate linking and categorization, arrangement in a logical structure and sequence, whether a physical file or an electronic directory, which facilitates subsequent use and reference, registration which provides evidence of the existence of records in a records system and systems which profile or template the actions undertaken in doing business. [§ 9.3, ISO 15489-1:2001, Information and Documentation: Records management: Part 1: General]

Capture is the process of determining that a record should be made and kept. This includes both records created and received by the organization. It involves deciding which documents are captured, which in turn implies decisions about who may have access to those documents and generally how long they are to be retained. Decisions about which documents should be captured and which discarded are based on an analysis of the organization’s business and accountabilities. The organization may use a formal instrument such as a records disposition authority (see § 4.2.4) or guidelines that identify documents that do not need to be retained. Examples of documents that may not require formal capture as records are those that do not:
a) commit an organization or individual to an action,
b) document any obligation or responsibility, or
c) comprise information connected to the accountable business of the organization. [§ 4.3.2, ISO 15489-2: 2001, Information and Documentation: Records management: Part 2: Guidelines]