Establish and maintain a records usage and tracking documentation standard.

UCF ID: 00919
Control Type: Establish/Maintain Documentation
Status: Live

Supporting and supported controls

This control directly supports:

    Establish and maintain a classification methodology for captured records. [UCF Control ID 00911]

This control has the following supporting controls:

Authority documents complied with:

AICPA Suitable Trust Services Principles and Criteria, ¶ .24 § 3.1; Controls and Procedures, SEC 17 CFR 240.15d-15, § 240.15d-15(f)(3); FFIEC IT Examination Handbook – Retail Payment Systems, March 2004, Exam Tier II Obj 13.2; FFIEC IT Examination Handbook – Wholesale Payment Systems, July 2004, Pg 32; ISO 15489-1:2001, Information and Documentation: Records management: Part 1: General, § 9.8; ISO 15489-2:2001, Information and Documentation: Records management: Part 2: Guidelines, § 4.3.8; Generally Accepted Principles and Practices for Securing Information Technology Systems, NIST SP 800-14, September 1996, § 3.13; Law of 2 August 2002 on the Protection of Persons with Regard to the Processing of Personal Data, Art 23(c)

Sarbanes Oxley Guidance

The organization must provide assurance that it can prevent or detect unauthorized acquisition, use, and/or disposition of the organization's assets. [§ 240.15d-15(f)(3), Controls and Procedures, SEC 17 CFR 240.15d-15]

Banking and Finance Guidance

[Exam Tier II Obj 13.2, FFIEC IT Examination Handbook – Retail Payment Systems, March 2004]

The organization should have policies and procedures in place for creating and maintaining source documents. [Pg 32, FFIEC IT Examination Handbook – Wholesale Payment Systems, July 2004]

Records Management Guidance

Generally, tracking systems should identify any actions that need to be taken, enable the retrieval of a record, prevent loss of records, monitor usage for systems maintenance and security, and maintain the capacity to identify the operational origins of individual records where systems have been amalgamated or migrated. [§ 9.8, ISO 15489-1:2001, Information and Documentation: Records management: Part 1: General]

The movement of a record should be tracked, as should access to the record and whether access rights are appropriate for different users. Tracking should also ensure that information about the record is appropriately captured and stored, and that access classifications of records are reviewed to ensure they are accurate and up to date. [§ 4.3.8, ISO 15489-2:2001, Information and Documentation: Records management: Part 2: Guidelines]

NIST Guidance

Audit trails should be employed to track records and record use in order to better handle individual accountability, reconstruction of events, intrusion detection and problem identification. [§ 3.13, Generally Accepted Principles and Practices for Securing Information Technology Systems, NIST SP 800-14, September 1996]

General Guidance

The organization should have procedures in place to ensure that the completeness, accuracy, timeliness, and authorization of inputs meet the requirements of the processing integrity policy. [¶ .24 § 3.1, AICPA Suitable Trust Services Principles and Criteria]

Other European and African Guidance

Based on the risk of a privacy breach and the state of the art and implementation costs, the technical and organizational security measures must prevent data from being introduced into the information system without authorization and prevent the unauthorized amendment, knowledge, or deletion of recorded data. [Art 23(c), Law of 2 August 2002 on the Protection of Persons with Regard to the Processing of Personal Data]


Copyright 2005-2009 Unified Compliance Framework™. All rights reserved.


Site and content © Copyright 2003-2009 Network Frontiers, LLC. All rights reserved.