Back

Establish, implement, and maintain records management policies.


CONTROL ID
00903
CONTROL TYPE
Establish/Maintain Documentation
CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS




This Control directly supports the implied Control(s):
  • Records management, CC ID: 00902

This Control has the following implementation support Control(s):
  • Establish, implement, and maintain a record classification scheme for forms., CC ID: 00911
  • Establish, implement, and maintain a record classification scheme., CC ID: 00914
  • Define each system's preservation requirements for records and logs., CC ID: 00904
  • Define each system's disposition requirements for records and logs., CC ID: 11651
  • Establish, implement, and maintain secure record transaction standards with third parties., CC ID: 06093


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH




  • Data control rules must be developed for the handling and managing of data in the development, operation, and maintenance departments in order to protect confidential and personal information and prevent data-processing mistakes. This is a control item that constitutes a greater risk to financial in… (App 2-1 Item Number IV.4(1), Appendix 1 Correspondence of the System Management Standards - Supplementary Edition to other standards)
  • Is there a corporate policy on log retention and the centralised storage and management of log information? (Secure configuration Question 20, Cyber Essentials Scheme (CES) Questionnaire, Versions 3.3)
  • Has the documented information required by the standard and necessary for the effective implementation and operation of the ISMS been established? (Support ¶ 5, ISO 22301: Self-assessment questionnaire)
  • When private and public health care bodies draw up and retain clinical records, precautions must be taken for ensuring the data is understandable and that data for each patient is kept separate from other patients, including information relating to unborn children. Requests by entities other than th… (§ 92, Annex B.28, Italy Personal Data Protection Code)
  • The organization must implement the following baseline controls for protectively marked material: grant access on a need to know basis; clearly and conspicuously mark the assets; only owners or originators can protectively mark an asset; protect assets sent overseas as indicated by the originator's … (Mandatory Requirement 19, HMG Security Policy Framework, Version 6.0 May 2011)
  • A senior executive (or a person of comparable authority) shall oversee the information governance program and delegate responsibility for information management to appropriate individuals. (Principle of Accountability:, Generally Accepted Recordkeeping Principles®, For the Web)
  • Records must be established, maintained, and controlled to provide evidence that the business continuity management system is operating effectively. Business continuity management system documentation must have established controls to ensure documents are approved for adequacy prior to being issued;… (§ 3.4.1.2, § 3.4.3, BS 25999-2, Business continuity management. Specification, 2007)
  • Certain organizations that have 11 or more employees are required by OSHA to keep 3 types of injury/illness records (fatalities; lost workdays other than fatalities; and nonfatal cases without lost workdays resulting in termination or transfer to another job, or nonfatal cases that require medical t… (Pg 29-I-15, Pg 29-I-16, Protection of Assets Manual, ASIS International)
  • it is available and suitable for use, where and when it is needed; (§ 7.5.3 ¶ 1 a), ISO 14001:2015 - Environmental management systems — Requirements with guidance for use, Third Edition)
  • The organization shall define the formats, content, semantics, and medium for transmitting, retaining, representing, and retrieving information. (§ 6.3.6.3(a)(4), ISO 15288-2008 Systems and software engineering - System life cycle processes, R 2008)
  • The organization shall define the actions for information maintenance. (§ 6.3.6.3(a)(5), ISO 15288-2008 Systems and software engineering - System life cycle processes, R 2008)
  • The organization shall maintain information and storage records in accordance with security requirements, integrity requirements, and privacy requirements. (§ 6.3.6.3(b)(2), ISO 15288-2008 Systems and software engineering - System life cycle processes, R 2008)
  • Taking a systematic approach to determining the features of the organization's records management system. Ideally it should be done according to laws and regulations is recommended. (§ 4.2.4, ISO 15489-2: 2001, Information and Documentation: Records management: Part 2: Guidelines)
  • The organization should define and document its records management policies. (§ 2.2 ¶ 1, ISO 15489-2: 2001, Information and Documentation: Records management: Part 2: Guidelines)
  • Records management personnel are responsible for establishing the overall records management policies, procedures, and standards and implementing these processes. (§ 2.3.2 ¶ 1(b), ISO 15489-2: 2001, Information and Documentation: Records management: Part 2: Guidelines)
  • The organization needs to conduct a preliminary investigation to identify the factors that influence its need to create and maintain records, to define the scope of a records project, to define records problems, to assess the feasibility and risks, to assess its responsibilities, and to assess its c… (§ 3.2.2, ISO 15489-2: 2001, Information and Documentation: Records management: Part 2: Guidelines)
  • The organization should identify the strategies it should implement to make and keep the required records. (§ 3.2.6, ISO 15489-2: 2001, Information and Documentation: Records management: Part 2: Guidelines)
  • The organization should develop a records system plan that fulfills the requirements that were identified during the investigation and the assessment of the existing systems and records. (§ 3.2.7, ISO 15489-2: 2001, Information and Documentation: Records management: Part 2: Guidelines)
  • The storage choices should be integrated into the overall Records Management program. (§ 4.3.7.1 ¶ 2, ISO 15489-2: 2001, Information and Documentation: Records management: Part 2: Guidelines)
  • Monitoring should occur on a regular basis and be documented in the records management policy. (§ 5.1 ¶ 6, ISO 15489-2: 2001, Information and Documentation: Records management: Part 2: Guidelines)
  • it is available, accessible and suitable for use, where and when it is needed; (§ 7.5.3 ¶ 1 a), ISO 19600:2014, Compliance Management Systems - Guidelines, 2014-12-15, Reviewed and confirmed in 2018)
  • Decisions concerning the creation, retention and handling of documented information should take into account, but not be limited to: their use, information sensitivity and the external and internal context. (§ 6.7 ¶ 2, ISO 31000 Risk management - Guidelines, 2018)
  • When planning the approach, considerations include: - objectives and decisions that need to be made; - outcomes expected from the steps to be taken in the process; - time, location, specific inclusions and exclusions; - appropriate risk assessment tools and techniques; - resources required, responsi… (§ 6.3.2 ¶ 3, ISO 31000 Risk management - Guidelines, 2018)
  • it is available, and suitable for use, where and when it is needed; (§ 7.5.3 ¶ 1 a), ISO 37301:2021 Compliance management systems — Requirements with guidance for use, First Edition, Edition 1)
  • it is available, and suitable for use, where and when it is needed; (§ 7.5.3 ¶ 1 a), ISO/DIS 37301, Compliance management systems — Requirements with guidance for use, DRAFT)
  • it is available and suitable for use, where and when it is needed; and (Section 7.6.5 ¶ 1(a), ISO/IEC 19770-1, Information technology — IT asset management — Part 1: IT asset management systems — Requirements, Third Edition, 2017-12)
  • Documented information required by the SMS and by this document shall be controlled to ensure: (§ 7.5.3.1, ISO/IEC 20000-1:2018, Information technology — Service management —Part 1: Service management system requirements, Third Edition)
  • The organization should also manage documented information of external origin (i.e. from customers, partners, suppliers, regulatory bodies, etc.). (§ 7.5.3 Guidance ¶ 7, ISO/IEC 27003:2017, Information technology — Security techniques — Information security management systems — Guidance, Second Edition, 2017-03)
  • The organization should establish policies and procedures to provide rational guidelines and defensible guidelines for managing the Electronically Stored Information. (Comment 1.b ¶ 1, The Sedona Principles Addressing Electronic Document Production)
  • The organization should address the retention and destruction of backup media simultaneously to ensure they are handled in accordance with any records management requirements or legal hold requirements. (Comment 1.b ¶ 6, The Sedona Principles Addressing Electronic Document Production)
  • Verify the practitioner in charge of the engagement has an understanding of how the organization is enabled by or depends on Information Technology and how Information Systems record and maintain financial information. (Ques. AT411 Item 6, Reporting on Controls at a Service Organization Checklist, PRP §21,100)
  • Did the information security policy review contain Records Management policies? (§ B.1.33.7, Shared Assessments Standardized Information Gathering Questionnaire - B. Security Policy, 7.0)
  • Items exported or reexported in order to repair or service legally exported or reexported items controlled under ECCNs 2A983 and 2D983 must be maintained and the records must contain a description of the equipment, what type of service was completed, certification of the destruction or return of the… (§ 740.10(c), § 740.13(f), US Export Administration Regulations Database)
  • All registered persons must maintain records of the manufacture, acquisition, and disposition of copies of export documentation, defense articles, brokering activities, technical data, and political contributions. All records must be available at all times for inspection. If records are requested, t… (§ 122.5(a), § 123.26, US The International Traffic in Arms Regulations, April 1, 2008)
  • CSR 1.3.3: The organization must establish appropriate controls for all sensitive data that enters or leaves the facility. The organization must use a system that precludes the unauthorized or erroneous transfer of data. The organization must implement controls that maintain a log of shipping and re… (CSR 1.3.3, CSR 2.14.1, Pub 100-17 Medicare Business Partners Systems Security, Transmittal 7, Appendix A: CMS Core Security Requirements CSR, March 17, 2006)
  • Appropriate steps must be taken by agencies and evaluators to protect information that may adversely affect information security, if it was disclosed. (§ 3545(f), Federal Information Security Management Act of 2002)
  • Each organization that is required to submit reports must keep its books, records, and accounts in enough detail to accurately and fairly reflect the assets of the organization. The organization must maintain records to keep the Securities and Exchange Commission informed about the policies and syst… (§ 78m(b)(2)(A), § 78q(i)(3)(A)(i), Securities Exchange Act of 1934)
  • A Records Management Application shall be used to manage all records in accordance with this standard. (§ C2.1.1, Design Criteria Standard for Electronic Records Management Software Application, DoD 5015.2)
  • The Records Management Application shall allow the implementation of standardized data in accordance with Department of Defense 8320.1-m. (§ C2.1.3, Design Criteria Standard for Electronic Records Management Software Application, DoD 5015.2)
  • The Records Management Application shall be able to sort, view, print, and save user-selected parts of the file plan, including record folders. (§ C2.2.1.6, Design Criteria Standard for Electronic Records Management Software Application, DoD 5015.2)
  • The Records Management Application shall identify and show which records and record folders are eligible for interim transfer and/or ascension. (§ C2.2.6.5.1, Design Criteria Standard for Electronic Records Management Software Application, DoD 5015.2)
  • The Records Management Application shall provide a way to identify and aggregate the vital records due to be cycled. (§ C2.2.6.7.3, Design Criteria Standard for Electronic Records Management Software Application, DoD 5015.2)
  • The Records Management Application shall provide a way to identify and aggregate vital records by the previous cycle dates. (§ C2.2.6.7.4, Design Criteria Standard for Electronic Records Management Software Application, DoD 5015.2)
  • The Records Management Application should interface with the organization's Office Automation packages. (§ C3.2.3, Design Criteria Standard for Electronic Records Management Software Application, DoD 5015.2)
  • The Records Management Application should have the capability to generate reports based on user-generated report templates or user queries. (§ C3.2.4, Design Criteria Standard for Electronic Records Management Software Application, DoD 5015.2)
  • The Records Management Application should interface with document imaging, workflow software, and workflow hardware. (§ C3.2.6, Design Criteria Standard for Electronic Records Management Software Application, DoD 5015.2)
  • All records that the organization holds are subject to inspection in accordance with the predicate rules. (§ III.C.4 ¶ 1, Guidance for Industry Part 11, Electronic Records; Electronic Signatures - Scope and Application, August 2003)
  • Records may be kept in electronic form. If records are retained in electronic form, they must be protected against deletion, destruction, modification, disclosure, and unauthorized access. (§ 27.255(d), 6 CFR Part 27, Chemical Facility Anti-Terrorism Standards (CFATS), Department of Homeland Security)
  • § 552a(e)(5): Agencies that maintain a system of records shall maintain all records used to make determinations about individuals with the accuracy, timeliness, relevance, and completeness reasonably necessary for assuring fairness. § 552a(e)(7): Unless it is named in a statute, consented by the i… (§ 552a(e)(5), § 552a(e)(7), § 552a(j), § 552a(k), 5 USC § 552a, Records maintained on individuals (Privacy Act of 1974))
  • Development of data-related policies, management of the data life cycle and the entity's data assets, oversight of compliance with applicable laws and regulations, and conformance with industry practices. (App A Objective 2:9b Bullet 2, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • The organization should implement adequate controls to protect the imaging processes from altering images, producing unusable images, and losing sensitive customer information. (Pg 31, Exam Tier I Obj 9.2, FFIEC IT Examination Handbook - Operations, July 2004)
  • Procedures for statement preparation and processing. (App A Tier 2 Objectives and Procedures M.2 Bullet 6, FFIEC IT Examination Handbook - Retail Payment Systems, April 2016)
  • Determine if the institution maintains adequate records as required by the Currency and Foreign Transactions Reporting Act of 1970 (also known as the Bank Secrecy Act) and the USA PATRIOT Act. (Exam Tier II Obj 7.5, FFIEC IT Examination Handbook - Wholesale Payment Systems, July 2004)
  • Records for the request of Federal Tax Information (FTI) should include the results of its use or why the information was not used. The organization must maintain a log of all requests for and disposal of FTI. Organizations that receive FTI must file a Safeguard Procedures Report (SPR) that states h… (§ 2.4, § 6.3.1, § 7.1, Exhibit 3(A), IRS Publication 1075: TAX INFORMATION SECURITY GUIDELINES FOR FEDERAL, STATE AND LOCAL AGENCIES AND ENTITIES; Safeguards for Protecting Federal Tax Returns and Return Information)
  • Establishment of a BSA compliance program—(1) Program requirement. Each federally insured credit union shall develop and provide for the continued administration of a program reasonably designed to assure and monitor compliance with the recordkeeping and recording requirements in subchapter II of … (§ 748.2 (b)(1), 12 CFR Part 748, NCUA Guidelines for Safeguarding Member Information, July 1, 2001)
  • Has the Board of Directors established a written vital records preservation program? (IT - Compliance Q 1, Automated Integrated Regulatory Examination System (AIRES) IT Exam Questionnaires, version 073106A)
  • When WLAN components are disposed of, the organization should ensure the audit records for that component are retained according to legal and organizational requirements. (Table 8-6 Item 58, Establishing Wireless Robust Security Networks: A Guide to IEEE 802.11i, NIST SP 800-97, February 2007)
  • Lead efforts to promote the organization's use of knowledge management and information sharing. (T0339, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • The organization must develop and implement a Media Protection security policy. (SG.MP-1 Requirement 1.a, NISTIR 7628 Guidelines for Smart Grid Cyber Security: Vol. 1, Smart Grid Cyber Security Strategy, Architecture, and High-Level Requirements, August 2010)
  • Lead efforts to promote the organization's use of knowledge management and information sharing. (T0339, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework)”, July 7, 2020)
  • Document findings from each assessment and retain them until no longer valid; (4.3 ¶ 2 Bullet 3, Pipeline Security Guidelines)
  • Lost or stolen identification cards or badges; (Table 1: Personnel Identification and Badging Baseline Security Measures Cell 1 Bullet 1, Pipeline Security Guidelines)