Document, database, and messaging inventory

Status: Live

The organization will ensure critical data files are identified as a part of the asset audit plan. [UCF ID 01260]

Supporting and supported controls

This control directly supports:

There are no supporting controls.

Authority documents complied with:

FFIEC IT Examination Handbook – Business Continuity Planning, March 2008, Pg G-7; FFIEC IT Examination Handbook – Operations, July 2004, Pg 29, Exam Tier I Obj 6.3; NISPOM - National Industrial Security Program Operating Manual (DoD 5220.22-M) February 26, 2006, February 28, 2006, § 5-201, § 10-717; Federal Information System Controls Audit Manual (FISCAM), February 2009, SC-1.1, SC-3.1; IRS Publication 1075: TAX INFORMATION SECURITY GUIDELINES FOR FEDERAL, STATE AND LOCAL AGENCIES AND ENTITIES; Safeguards for Protecting Federal Tax Returns and Return Information, § 3.2, § 3.3, § 4.6; The Standard of Good Practice for Information Security, UE3.1.1 thru UE3.1.4; Corporate Law Economic Reform Program (Audit Reform and Corporate Disclosure) Act 2004, Sched 1 ¶ 112, Sched 4 ¶ 6, Sched 11A ¶ 2; Archer Control Table, ATCS-036

Banking and Finance Guidance

The organization should maintain comprehensive inventories of all assets. [Pg G-7, FFIEC IT Examination Handbook – Business Continuity Planning, March 2008]

The organization should maintain an inventory of all data sets and the location of where they are stored on the system. [Pg 29, Exam Tier I Obj 6.3, FFIEC IT Examination Handbook – Operations, July 2004]

US Federal Security Guidance

An inventory of all Top Secret material must be conducted at least annually. COSMIC TOP SECRET, NATO SECRET, and ATOMAL documents must be inventoried on an annual basis. [§ 5-201, § 10-717, NISPOM - National Industrial Security Program Operating Manual (DoD 5220.22-M) February 26, 2006, February 28, 2006]

[SC-1.1, SC-3.1, Federal Information System Controls Audit Manual (FISCAM), February 2009]

US Internal Revenue Guidance

Inventory records must be kept of any media that contains Federal Tax Information (FTI) or results from the processing of FTI. The log for electronic files must list the date the information was received, a control number, the file name and contents of the file, the recipient(s), the number of records, and the date and method of disposition, if disposed of. The log for non-electronic files must list the taxpayer name, tax year, the type of information received, the reason the information was requested, the date the information was requested, the date the information was received, the storage location of the information, who has access to the information, and the date and method of disposition, if disposed of. [§ 3.2, § 3.3, § 4.6, IRS Publication 1075: TAX INFORMATION SECURITY GUIDELINES FOR FEDERAL, STATE AND LOCAL AGENCIES AND ENTITIES; Safeguards for Protecting Federal Tax Returns and Return Information]

General Guidance

An inventory should be maintained of all critical desktop applications (typically programs developed with a spreadsheet or database program). For each application, the inventory should include a unique description, the intended purpose of the application, who maintains and uses the application, changes made to the application, the type of information processed by the application, who is responsible for the development of the application, and the level of complexity of the application. The inventory should be kept up-to-date, independently reviewed, and approved by the appropriate personnel. [UE3.1.1 thru UE3.1.4, The Standard of Good Practice for Information Security]

Asia and Pacific Rim Guidance

A list of all registered audit companies must be kept by the auditing commission and must include the name and address of the company, the name and address of each director of the company, any restrictions on the company, and details of any suspensions the company has or has had. The organization is required to keep a register containing the name of each shareholder and note when the information was entered into the register. The organization is required to keep a register of information about persons' relevant interests. [Sched 1 ¶ 112, Sched 4 ¶ 6, Sched 11A ¶ 2, Corporate Law Economic Reform Program (Audit Reform and Corporate Disclosure) Act 2004]

Metrics

The metrics associated with this control are as follows:

    Report on the percentage of scheduled asset inventories that occurred on time [UCF Control ID 02055]

Copyright 2005-2009 Unified Compliance Framework™. All rights reserved.


Site and content © Copyright 2003-2009 Network Frontiers, LLC. All rights reserved.