Establish, implement, and maintain data processing integrity controls.


CONTROL ID: 00923
CONTROL TYPE: Establish Roles
CLASSIFICATION: Preventive

SUPPORTING AND SUPPORTED CONTROLS




This Control directly supports the implied Control(s):
  • Establish, implement, and maintain records management procedures., CC ID: 11619

This Control has the following implementation support Control(s):
  • Compare each record's data input to its final form., CC ID: 11813
  • Sanitize user input in accordance with organizational standards., CC ID: 16856
  • Establish, implement, and maintain Automated Data Processing validation checks and editing checks., CC ID: 00924
  • Establish, implement, and maintain Automated Data Processing error handling procedures., CC ID: 00925
  • Establish, implement, and maintain Automated Data Processing error handling reporting., CC ID: 11659


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH




  • AIs should also implement sufficient controls to maintain and verify the integrity of the information processed by their Internet banking systems. For example, AIs should implement checks and controls in the application systems so as to reconcile data file balances after transaction updates and to c… (§ 5.1.2, Hong Kong Monetary Authority Supervisory Policy Manual TM-E-1 Risk Management of E-Banking, v.2)
  • AIs should also implement sufficient controls to maintain and verify the integrity of the information processed by their Internet banking systems. For example, AIs should implement checks and controls in the application systems so as to reconcile data file balances after transaction updates and to c… (§ 5.1.2, Hong Kong Monetary Authority Supervisory Policy Manual TM-E-1 Risk Management of E-Banking, V.3)
  • The quality of personal information shall be guaranteed in personal information processing, to avoid adverse impacts on the rights and interests of individuals caused by inaccurate and incomplete personal information. (Article 8, Personal Information Protection Law of the People's Republic of China)
  • the Data Fiduciary processing such personal data shall ensure its completeness, accuracy and consistency. (§ 8.(3) ¶ 2, Digital Personal Data Protection Act, 2023, August 11, 2023)
  • Robust information is at the heart of risk management processes in a bank. Inadequate data quality is likely to induce errors in decision making. Data quality requires building processes, procedures and disciplines for managing information and ensuring its integrity, accuracy, completeness and timel… (Introduction ¶ 2, Guidelines on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds)
  • Authenticity: In computing, e-business and information security it is necessary to ensure that the data, transactions, communications or documents (electronic or physical) are genuine. It is also important for authenticity to validate that both parties involved are who they claim they are. (Basic Principles of Information Security ¶ 1 Bullet 4, Guidelines on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds)
  • There should be suitable interface controls in place. Data transfer from one process to another or from one application to another, particularly for critical systems, should not have any manual intervention in order to prevent any unauthorized modification. The process needs to be automated and prop… (Critical components of information security 11) c.27., Guidelines on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds)
  • Every provider of information and communications services shall take protective measures to secure the reliability of the information and security of the information and communications networks. (Article 45(1), Act On Promotion of Information and Communications Network Utilization and Information Protection, Amended by Act No. 14080, Mar. 22, 2016)
  • Where a personal information controller processes sensitive information pursuant to paragraph (1), the personal information controller shall take measures necessary to ensure safety pursuant to Article 29 so that the sensitive information may not be lost, stolen, divulged, forged, altered, or damage… (Article 23(2), Personal Information Protection Act)
  • Perform data validation on user input to prevent buffer overflow attacks, injection attacks and XSS attacks. (Annex A1: Websites and Web Application Security 56, Singapore(PDPC) Guide to Securing Personal Data in Electronic Medium, Revised 20 January 2017)
  • a policy that defines the roles and responsibilities for managing the integrity of the data in the ICT systems (e.g. data architect, data officers, data custodians, data owners/stewards) and provides guidance on which data are critical from a data integrity perspective and should be subject to speci… (Title 3 3.3.4(d) 57.a, Final Report Guidelines on ICT Risk Assessment under the Supervisory Review and Evaluation process (SREP))
  • Measures for observing confidentiality and integrity when transferring personally identifiable data. (9.3 Requirements Bullet 2, Information Security Assessment, Version 5.1)
  • Secondly, intelligence agencies must comply with Intelligence Community standards for accuracy and objectivity, in particular with respect to ensuring data quality and reliability, the consideration of alternative sources of information and objectivity in performing analyses. (3.2.1.3 (156), COMMISSION IMPLEMENTING DECISION of 10.7.2023 pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council on the adequate level of protection of personal data under the EU-US Data Privacy Framework)
  • The organization shall gather, record, compile, and analyze information in such a way that the information can be examined to establish its quality. (Verifiability ¶ 1(a), GRI 1: Foundation 2021)
  • set up internal controls and organize documentation in such a way that individuals other than those preparing the reported information (e.g., internal auditors, external assurance providers) can review them; (Verifiability Guidance ¶ 2 Bullet 1, GRI 1: Foundation 2021)
  • Define and implement procedures to ensure the integrity and consistency of all data stored in electronic form, such as databases, data warehouses and data archives. (PO2.4 Integrity Management, CobiT, Version 4.1)
  • Verify that all data expected for processing are received and processed completely, accurately and in a timely manner, and all output is delivered in accordance with business requirements. Support restart and reprocessing needs. (DS11.1 Business Requirements for Data Management, CobiT, Version 4.1)
  • Before passing transaction data between internal applications and business/operational functions (in or outside the enterprise), check it for proper addressing, authenticity of origin and integrity of content. Maintain authenticity and integrity during transmission or transport. (AC6 Transaction Authentication and Integrity, CobiT, Version 4.1)
  • Maintain the integrity and validity of data throughout the processing cycle. Detection of erroneous transactions does not disrupt the processing of valid transactions. (AC4 Processing Integrity and Validity, CobiT, Version 4.1)
  • Information systems produce information that is timely, current, accurate, complete, accessible, protected, and verifiable and retained. Information is reviewed to assess its relevance in supporting the internal control components. (§ 3 Principle 13 Points of Focus: Maintains Quality throughout Processing, COSO Internal Control - Integrated Framework (2013))
  • Many controls have separation of duties as a vital element. The organizational structure should not have one individual or department with full responsibility for all aspects of processing data. Initiating, authorizing, inputting, processing, and checking data should be separated. (§ 5.3.3.1 ¶ 1, IIA Global Technology Audit Guide (GTAG) 1: Information Technology Controls)
  • The risk of staff disrupting the running of business applications, Information Systems, and networks either in error or by malicious intent should be reduced by separating the duties of staff running business applications, Information Systems, and networks from the duties of staff designing, develop… (CF.02.05.07a, The Standard of Good Practice for Information Security)
  • The risk of staff disrupting the running of business applications, computer systems, and networks either in error or by malicious intent should be reduced by organizing duties in such a way as to minimize the risk of theft, fraud, error, and unauthorized changes to information (e.g., by supervising … (CF.02.05.07c, The Standard of Good Practice for Information Security)
  • The integrity of information contained in critical spreadsheets should be assured by using separate areas for calculation cells and data entry cells. (CF.13.02.06a, The Standard of Good Practice for Information Security)
  • Key components of computer and network installations should be protected by segregating different types of software and information (e.g., by storing them in separate directories). (CF.07.01.07c, The Standard of Good Practice for Information Security)
  • Hypervisors should be configured to segregate virtual servers according to the confidentiality requirements of information they process. (CF.07.03.05a, The Standard of Good Practice for Information Security)
  • The risk of staff disrupting the running of business applications, Information Systems, and networks either in error or by malicious intent should be reduced by separating the duties of staff running business applications, Information Systems, and networks from the duties of staff designing, develop… (CF.02.05.07a, The Standard of Good Practice for Information Security, 2013)
  • The risk of staff disrupting the running of business applications, computer systems, and networks either in error or by malicious intent should be reduced by organizing duties in such a way as to minimize the risk of theft, fraud, error, and unauthorized changes to information (e.g., by supervising … (CF.02.05.07c, The Standard of Good Practice for Information Security, 2013)
  • The integrity of information contained in critical spreadsheets should be assured by using separate areas for calculation cells and data entry cells. (CF.13.02.06a, The Standard of Good Practice for Information Security, 2013)
  • Key components of computer and network installations should be protected by segregating different types of software and information (e.g., by storing them in separate directories). (CF.07.01.07c, The Standard of Good Practice for Information Security, 2013)
  • Hypervisors should be configured to segregate virtual servers according to the confidentiality requirements of information they process. (CF.07.03.05a, The Standard of Good Practice for Information Security, 2013)
  • Verify that input and output requirements clearly define how to handle and process data based on type, content, and applicable laws, regulations, and other policy compliance. (1.5.1, Application Security Verification Standard 4.0.3, 4.0.3)
  • Verify that user-submitted filename metadata is validated or ignored to prevent the disclosure, creation, updating or removal of local files (LFI). (12.3.2, Application Security Verification Standard 4.0.3, 4.0.3)
  • Verify that user-submitted filename metadata is validated or ignored to prevent the disclosure or execution of remote files via Remote File Inclusion (RFI) or Server-side Request Forgery (SSRF) attacks. (12.3.3, Application Security Verification Standard 4.0.3, 4.0.3)
  • Verify that serialization is not used when communicating with untrusted clients. If this is not possible, ensure that adequate integrity controls (and possibly encryption if sensitive data is sent) are enforced to prevent deserialization attacks including object injection. (1.5.2, Application Security Verification Standard 4.0.3, 4.0.3)
  • ensure that assurance is provided over the integrity of the data and information received, and in particular its accuracy and completeness; (§ 6.8.3.2.1 ¶ 1 g), ISO 37000:2021, Governance of organizations — Guidance, First Edition)
  • The cloud service provider should provide the specifications of its backup capabilities to the cloud service customer. The specifications should include the following information, as appropriate: – scope and schedule of backups; – backup methods and data formats, including encryption, if relevan… (§ 12.3.1 Table: Cloud service provider, ISO/IEC 27017:2015, Information technology — Security techniques — Code of practice for information security controls based on ISO/IEC 27002 for cloud services, First edition 2015-12-15)
  • Inputs are processed completely, accurately, and timely as authorized in accordance with defined processing activities. (PI1.3 ¶ 2 Bullet 5 Processes Inputs, 2017 Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy (with Revised Points of Focus – 2022))
  • Processing inputs are evaluated for compliance with defined input requirements. (PI1.2 ¶ 2 Bullet 2 Evaluates Processing Inputs, 2017 Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy (with Revised Points of Focus – 2022))
  • Information systems produce information that is timely, current, accurate, complete, accessible, protected, verifiable, and retained. Information is reviewed to assess its relevance in supporting the internal control components. (CC2.1 ¶ 3 Bullet 4 Maintains Quality Throughout Processing, 2017 Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy (with Revised Points of Focus – 2022))
  • Automated and manual controls can be circumvented by two or more personnel acting together; therefore, the organization should segregate duties to prevent this from occurring. (§ 314.65, § 314.66, SAS No. 109, Understanding the Entity and Its Environment and Assessing the Risks of Material Misstatement)
  • Processing integrity. System processing is complete, valid, accurate, timely, and authorized to meet the entity's objectives. (¶ 1.48 c., SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
  • evaluate the reliability of data from which the practitioner's expectation is developed, taking into account the source, comparability, nature, and relevance of information available, and controls over their preparation; and (AT-C Section 205.27 b., SSAE No. 18, Attestation Standards: Clarification and Recodification)
  • Information systems produce information that is timely, current, accurate, complete, accessible, protected, verifiable, and retained. Information is reviewed to assess its relevance in supporting the internal control components. (CC2.1 Maintains Quality Throughout Processing, Trust Services Criteria)
  • Processing inputs are evaluated for compliance with defined input requirements. (PI1.2 Evaluates Processing Inputs, Trust Services Criteria)
  • Inputs are processed completely, accurately, and timely as authorized in accordance with defined processing activities. (PI1.3 Processes Inputs, Trust Services Criteria)
  • Information systems produce information that is timely, current, accurate, complete, accessible, protected, verifiable, and retained. Information is reviewed to assess its relevance in supporting the internal control components. (CC2.1 ¶ 2 Bullet 4 Maintains Quality Throughout Processing, Trust Services Criteria, (includes March 2020 updates))
  • Inputs are processed completely, accurately, and timely as authorized in accordance with defined processing activities. (PI1.3 ¶ 2 Bullet 5 Processes Inputs, Trust Services Criteria, (includes March 2020 updates))
  • Processing inputs are evaluated for compliance with defined input requirements. (PI1.2 ¶ 2 Bullet 2 Evaluates Processing Inputs, Trust Services Criteria, (includes March 2020 updates))
  • Procedures exist to prevent, or detect and correct, processing errors to meet the entity’s processing integrity commitments and system requirements. (PI1.1, TSP 100A - Trust Services Principles and Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy)
  • Modification of data, other than routine transaction processing, is authorized and processed to meet with the entity’s processing integrity commitments and system requirements. (PI1.6, TSP 100A - Trust Services Principles and Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy)
  • When desktop computers are used to transmit scoped systems and data, is there segregation of duties for granting access and approving access? (§ G.22.1, Shared Assessments Standardized Information Gathering Questionnaire - G. Communications and Operations Management, 7.0)
  • When desktop computers are used to store scoped systems and data, is there segregation of duties for granting access and approving access? (§ G.22.1, Shared Assessments Standardized Information Gathering Questionnaire - G. Communications and Operations Management, 7.0)
  • When desktop computers are used to process scoped systems and data, is there segregation of duties for granting access and approving access? (§ G.22.1, Shared Assessments Standardized Information Gathering Questionnaire - G. Communications and Operations Management, 7.0)
  • CSR 4.1.2: The organization must divide the duties for critical mission functions or sensitive control, information system support functions, and financial functions between separate individuals to ensure least privileged and individual accountability. CSR 4.7.1: The organization must implement comp… (CSR 4.1.2, CSR 4.7.1, CSR 4.7.2, CSR 4.7.3, CSR 4.7.5, CSR 7.6.2, Pub 100-17 Medicare Business Partners Systems Security, Transmittal 7, Appendix A: CMS Core Security Requirements CSR, March 17, 2006)
  • PII and PHI are categorized as CUI and as such must minimally be stored and processed in a Level 4 CSO. While the Privacy Overlay provides a Business Rolodex Exception (BRE) which exempts a subset of low sensitivity PII from the protection of the overlay, this does not remove this PII from the CUI c… (Section 5.1.5.1 ¶ 1, Department of Defense Cloud Computing Security Requirements Guide, Version 1, Release 3)
  • The Records Management Application shall allow only authorized individuals the ability to edit metadata items after a record is filed. (§ C4.1.12, Design Criteria Standard for Electronic Records Management Software Application, DoD 5015.2)
  • The responsibilities of the authorized individuals referred to in section c4.1.12 (editing metadata items after a record is filed) shall be accomplished, as necessary, by an Application Administrator, a records manager, or a privileged user. (Table C4.T2 Requirement C4.1.12, Design Criteria Standard for Electronic Records Management Software Application, DoD 5015.2)
  • If necessary, group plan health documents must be corrected to include adequate separation between the plan sponsor and the group health plan. Plan documents must describe employees, classes of employees, or other persons who are to be given access to information that will be disclosed, provided tha… (§ 164.504(f)(2)(iii), 45 CFR Part 164 - Security and Privacy, current as of January 17, 2013)
  • Implementation specification: Mechanism to authenticate electronic protected health information (Addressable). Implement electronic mechanisms to corroborate that electronic protected health information has not been altered or destroyed in an unauthorized manner. (§ 164.312(c)(2), 45 CFR Part 164 - Security and Privacy, current as of July 6, 2020)
  • Use of data and reporting tools, maintenance of data quality, and promotion of data integrity. (App A Objective 2:9b Bullet 6, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Controls to verify that data were not corrupted during transmission or processing failures. (App A Objective 16:2a Bullet 3, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Use validation controls for data entry and data processing. (App A Objective 6.27.e, FFIEC Information Technology Examination Handbook - Information Security, September 2016)
  • Back-office operations and transaction processing. (App A Objective 8:1 a., FFIEC Information Technology Examination Handbook - Management, November 2015)
  • Data security activities are independent from systems and programming, computer operations, data input/output, and audit; (TIER II OBJECTIVES AND PROCEDURES D.1. Bullet 3, FFIEC IT Examination Handbook - Audit, April 2012)
  • The adequacy of data controls over preparation, input, processing, and output. (TIER II OBJECTIVES AND PROCEDURES C.1. Bullet 2, FFIEC IT Examination Handbook - Audit, April 2012)
  • Adequate controls exist over any origination functions, including separation of data preparation, input, transmission, and reconcilement; (TIER II OBJECTIVES AND PROCEDURES E.3. Bullet 5, FFIEC IT Examination Handbook - Audit, April 2012)
  • Determine whether audit procedures for payment systems risk adequately consider the risks in automated clearinghouse (ACH). Evaluate whether ▪ Policies and procedures govern all ACH activity; ▪ Incoming debit and credit totals are verified adequately and items counted prior to posting to custome… (Exam Tier II Obj E.3, FFIEC IT Examination Handbook - Audit, August 2003)
  • Determine if there are adequate controls around transaction initiation and data entry, including: ▪ Daily log review by the supervisor including appropriate sign-off; ▪ Control over and disposal of all computer output (printouts, microfiche, optical disks, etc.); ▪ Separation of duties; ▪ Li… (Exam Tier II Obj H.1, FFIEC IT Examination Handbook - Operations, July 2004)
  • The organization should use separation of duties to minimize the potential of staff members tampering with check images and information during the processing process. (Pg 38, Exam Tier I Obj 2.1, Exam Tier I Obj 3.3, Exam Tier I Obj 4.2, Exam Tier II Obj 2.1, Exam Tier II Obj 2.2, Exam Tier II Obj 3.2, Exam Tier II Obj 4.2, Exam Tier II Obj 6.5, Exam Tier II Obj 7.1, Exam Tier II Obj 9.15, FFIEC IT Examination Handbook - Retail Payment Systems, March 2004)
  • The organization should establish a separation of duties for individuals involved in funds transfer systems, accounting tasks, and critical payment processing tasks. (Pg 16, Pg 20, Pg 31, Pg 32, Exam Tier I Obj 2.1, Exam Tier II Obj 1.5, Exam Tier II Obj 7.1, Exam Tier II Obj 9.3, Exam Tier II Obj 12.1, Exam Tier II Obj 14.4, FFIEC IT Examination Handbook - Wholesale Payment Systems, July 2004)
  • Determine information protection and personally identifiable information processing needs arising from the defined mission and business processes; and (PM-11b, Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Privacy Control Baseline, October 2020)
  • Determine information protection and personally identifiable information processing needs arising from the defined mission and business processes; and (PM-11b., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 1 Controls)
  • Determine information protection and personally identifiable information processing needs arising from the defined mission and business processes; and (PM-11b., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 2 Controls)
  • Determine information protection and personally identifiable information processing needs arising from the defined mission and business processes; and (PM-11b., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 3 Controls)
  • Organizational records and documents should be examined to ensure individuals are not assigned responsibilities that conflict with the separation of duties policy, separation of duties are enforced continuously, and specific responsibilities and actions are defined for the implementation of the sepa… (AC-5, Guide for Assessing the Security Controls in Federal Information Systems, NIST SP 800-53A)
  • Establish processing, exploitation and dissemination management activity using approved guidance and/or procedures. (T0683, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • Implement system security measures in accordance with established procedures to ensure confidentiality, integrity, availability, authentication, and non-repudiation. (T0489, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • The organization may enforce Separation of Duties for any duties that involve accessing Personally Identifiable Information. (§ 4.3 Bullet Separation of Duties (AC-5), NIST SP 800-122 Guide to Protecting the Confidentiality of Personally Identifiable Information (PII))
  • Establish processing, exploitation and dissemination management activity using approved guidance and/or procedures. (T0683, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)
  • The information system validates the integrity of transmitted security attributes. (SC-16(1) ¶ 1, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • Documents processes to ensure the integrity of personally identifiable information (PII) through existing security controls; and (DI-2a., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • The information system maintains the [Selection (one or more): confidentiality; integrity] of information during preparation for transmission and during reception. (SC-8(2) ¶ 1, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • Determine information protection and personally identifiable information processing needs arising from the defined mission and business processes; and (PM-11b., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Maintain the [Selection (one or more): confidentiality; integrity] of information during preparation for transmission and during reception. (SC-8(2) ¶ 1, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Verify the integrity of transmitted security and privacy attributes. (SC-16(1) ¶ 1, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Determine information protection and personally identifiable information processing needs arising from the defined mission and business processes; and (PM-11b., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • Maintain the [Selection (one or more): confidentiality; integrity] of information during preparation for transmission and during reception. (SC-8(2) ¶ 1, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • Verify the integrity of transmitted security and privacy attributes. (SC-16(1) ¶ 1, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • Duties should be segregated to prevent one person from having control over an entire process from beginning to end. (§ II.C, OMB Circular A-123, Management's Responsibility for Internal Control)
  • Helping to meet the controller's obligations in relation to the security of processing the personal data and in relation to the notification of a breach of the security of the system pursuant to section 6-1-716; and (§ 6-1-1305 (2)(b), Colorado Revised Statutes, Title 6, Article 1, Part 13, Colorado Privacy Act)
  • Taking into account the context of processing, the controller and the processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk and establish a clear allocation of the responsibilities between them to implement the measures. (§ 6-1-1305 (4), Colorado Revised Statutes, Title 6, Article 1, Part 13, Colorado Privacy Act)
  • protect the confidentiality and integrity of personal data; and (13-61-302 (2)(a)(i), Utah Code, Title 13, Chapter 61, Utah Consumer Privacy Act)