Define and assign the Archives and Records Management oversight's roles and responsibilities.

CONTROL ID: 00697
CONTROL TYPE: Establish Roles
CLASSIFICATION: Preventive

SUPPORTING AND SUPPORTED CONTROLS
This Control directly supports the implied Control(s):
  • Establish, implement, and maintain high level operational roles and responsibilities., CC ID: 00806

There are no implementation support Controls.
SELECTED AUTHORITY DOCUMENTS COMPLIED WITH
  • The licensed corporation should designate at least two individuals, being Managers-In-Charge of Core Functions (MICs) in Hong Kong, who have the knowledge, expertise and authority to access all of the Regulatory Records kept with an EDSP at any time, and who can ensure that the SFC has effective acc… (7.(g), Circular to Licensed Corporations - Use of external electronic data storage)
  • In addition, it is necessary to decide two or more persons responsible for each affair including a leader and deputy leader in order to avoid communication failures and to inform persons in the related departments of established procedures thoroughly. (P70.1. ¶ 2, FISC Security Guidelines on Computer Systems for Financial Institutions, Ninth Edition, Revised March 2020)
  • Security-relevant documentation may contain information requiring protection and must therefore be suitably protected. Along with the protection requirements, the type and the duration of storage and options for the destruction of information must be defined. The process descriptions must describe w… (§ 4.2 Bullet 5 ¶ 3, BSI Standard 200-1, Information Security Management Systems (ISMS), Version 1.0)
  • An effective records management policy will identify a senior staff member to have lead responsibility for records management and to oversee policy and program implementation. (§ 2.2 ¶ 2, ISO 15489-2: 2001, Information and Documentation: Records management: Part 2: Guidelines)
  • Records management personnel have the primary responsibility for implementing International Standards Organization 15489-1. (§ 2.3.2 ¶ 1(b), ISO 15489-2: 2001, Information and Documentation: Records management: Part 2: Guidelines)
  • Records management personnel are responsible for establishing the overall records management policies, procedures, and standards and implementing these processes. (§ 2.3.2 ¶ 1(b), ISO 15489-2: 2001, Information and Documentation: Records management: Part 2: Guidelines)
  • determining the responsibilities for preparing, approving, publishing and managing the documented information; and (§ 7.5.2 Guidance ¶ 2(d), ISO/IEC 27003:2017, Information technology — Security techniques — Information security management systems — Guidance, Second Edition, 2017-03)
  • A record for each office listing, by name or title, each person at that office who, without delay, can explain the types of records the firm maintains at that office and the information contained in those records. (§ 240.17a-3 (a)(21), 17 CFR Part 240.17a-3 - Records to be made by certain exchange members, brokers and dealers)
  • The Records Management Application shall be able to allow organizations the ability to define the roles and responsibilities for their Records Management operating procedures. (§ C2.2.7, Design Criteria Standard for Electronic Records Management Software Application, DoD 5015.2)
  • Ch 2 (Records Management Liaisons): The Records Management Liaison (RML) must be assigned to an individual who is knowledgeable of all office functions. The RML is responsible for the following: assisting originators in making records management issue determinations; coordinating with the Records Of… (Ch 2 (Records Management Liaisons), Ch 2 (Departmental Records Officer), Ch 7 (Records Officers Responsibilities), Ch 7 (Procedures), Ch 8 (Records Schedules are to be kept current), Ch 10 (Responsibilities), Department of Health and Human Services Records Management Procedures Manual, Version 1.0 Final Draft)
  • Determine whether management has data governance and data management processes that include defining responsibility and processes for governing data, including the identification, management, and oversight of any metadata, and promoting a culture that takes a data-centric approach. (App A Objective 3:4, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Data-related responsibilities: (App A Objective 2:9b, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • The Records Management Officer should ensure all system and/or data owners know the retention requirements for their information, so records that should be preserved are not destroyed. (§ 3.8, Guidelines for Media Sanitization, NIST SP 800-88, September 2006)