
Capture the records required by organizational compliance requirements.

CONTROL ID: 00912
CONTROL TYPE: Records Management
CLASSIFICATION: Detective

SUPPORTING AND SUPPORTED CONTROLS
This Control directly supports the implied Control(s):
  • Establish, implement, and maintain records management procedures., CC ID: 11619

This Control has the following implementation support Control(s):
  • Establish, implement, and maintain authorization records., CC ID: 14367
  • Assign the appropriate information classification to records imported into the Records Management system., CC ID: 04555
  • Establish, implement, and maintain electronic health records., CC ID: 14436
  • Establish and maintain an implantable device list., CC ID: 14444
  • Establish, implement, and maintain decision support interventions., CC ID: 14443
  • Establish, implement, and maintain a recordkeeping system., CC ID: 15709
  • Log records as being received into the recordkeeping system., CC ID: 11696
  • Classify restricted data or restricted information in Records Management systems according to the data or information's sensitivity., CC ID: 04720


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH
  • A service provider shall record the initiation or completion of a wire or electronic communication to protect the service provider, another service provider giving a service for completing a wire or electronic communication, or a user of the service from fraudulent, abusive, or unlawful use of the s… (§ 73(1), The Electronic Communications and Transactions Act, 2002)
  • A data user shall keep and maintain a log book- (Part 5 Division 3 Section 27(1), Hong Kong Personal Data (Privacy) Ordinance, E.R. 1 of 2013)
  • for the purposes of this Part; (Part 5 Division 3 Section 27(1)(a), Hong Kong Personal Data (Privacy) Ordinance, E.R. 1 of 2013)
  • the documentation and record-keeping, taking into account the requirements in Section 11; (4.7 42(e), Final Report on EBA Guidelines on outsourcing arrangements)
  • Finally, including in order to facilitate oversight of compliance with the applicable legal requirements as well as effective redress, each intelligence agency is required under EO 14086 to keep appropriate documentation about the collection of signals intelligence. The documentation requirements co… (3.2.1.3 (159), COMMISSION IMPLEMENTING DECISION of 10.7.2023 pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council on the adequate level of protection of personal data under the EU-US Data Privacy Framework)
  • In order to maintain a continuous record of accountability for products, the organization should record the identification and quantity of products and the names of those who were involved in the transaction, and their signatures, in a database. (Pg 11-III-6, Protection of Assets Manual, ASIS International)
  • Develop processes and technical controls to identify, classify, securely handle, retain, and dispose of data. (CIS Control 3: Data Protection, CIS Controls, V8)
  • The organization shall include records of materials, components, and work environment conditions to meet the traceability requirements, if these could cause implantable medical devices to not meet the specified requirements. The organization shall require distributors and agents to keep distribution… (§ 7.5.3.2.2, ISO 13485:2003 Medical devices -- Quality management systems -- Requirements for regulatory purposes, 2003)
  • Documented information required by the environmental management system and by this International Standard shall be controlled to ensure: (§ 7.5.3 ¶ 1, ISO 14001:2015 - Environmental management systems — Requirements with guidance for use, Third Edition)
  • The organization shall maintain documented information to the extent necessary to have confidence that the process(es) is (are) carried out as planned. (§ 8.2 ¶ 3, ISO 14001:2015 - Environmental management systems — Requirements with guidance for use, Third Edition)
  • recall the history of specific interested party communication, inquiries, or concerns; (7.4.1 ¶ 6 Bullet 1, ISO 14004:2016, Environmental management systems — General guidelines on implementation, Third Edition)
  • understand the nature of various interested party engagements over time; (7.4.1 ¶ 6 Bullet 2, ISO 14004:2016, Environmental management systems — General guidelines on implementation, Third Edition)
  • improve the organization's effectiveness in developing future communication and in following up and addressing the concerns of specific interested parties as needed. (7.4.1 ¶ 6 Bullet 3, ISO 14004:2016, Environmental management systems — General guidelines on implementation, Third Edition)
  • The purpose of capturing records into records systems is to establish a relationship between the record, the creator and the business context that originated it, place the record and its relationship within a records system and link it to other records. Techniques to ensure record capture include cl… (§ 9.3, ISO 15489-1:2001, Information and Documentation: Records management: Part 1: General)
  • Capture is the process of determining that a record should be made and kept. This includes both records created and received by the organization. It involves deciding which documents are captured, which in turn implies decisions about who may have access to those documents and generally how long the… (§ 4.3.2, ISO 15489-2: 2001, Information and Documentation: Records management: Part 2: Guidelines)
  • The records management policy should require employees to create and maintain records that meet the legal, operational, fiscal, regulatory, archival, and historical needs of the organization. (§ 2.2 ¶ 4, ISO 15489-2: 2001, Information and Documentation: Records management: Part 2: Guidelines)
  • The scope should be readily available as documented information. (§ 4.3 ¶ 3, ISO 19600:2014, Compliance Management Systems - Guidelines, 2014-12-15, Reviewed and confirmed in 2018)
  • The information management systems should capture both issues and complaints and allow classification and analysis of those that relate to compliance. (§ 9.1.5 ¶ 3, ISO 19600:2014, Compliance Management Systems - Guidelines, 2014-12-15, Reviewed and confirmed in 2018)
  • Accurate, up-to-date records of the organization's compliance activities should be maintained to assist in the monitoring and review process and demonstrate conformity with the compliance management system. (§ 9.1.9 ¶ 1, ISO 19600:2014, Compliance Management Systems - Guidelines, 2014-12-15, Reviewed and confirmed in 2018)
  • keeping documented information to the extent necessary to have confidence that the processes have been carried out as planned. (§ 8.1 ¶ 1 Bullet 4, ISO 19600:2014, Compliance Management Systems - Guidelines, 2014-12-15, Reviewed and confirmed in 2018)
  • it is available and suitable for use, where and when it is needed, (§ 7.5.3 ¶ 1 a), ISO 22301: Societal Security - Business Continuity Management Systems - Requirements, Corrected Version)
  • Documented information required by the compliance management system and by this document shall be controlled to ensure: (§ 7.5.3 ¶ 1, ISO 37301:2021 Compliance management systems — Requirements with guidance for use, First Edition, Edition 1)
  • Accurate, up-to-date records of the organization's compliance activities shall be retained to assist in the monitoring and review process and demonstrate conformity with the compliance management system. (§ 9.1.5 ¶ 1, ISO 37301:2021 Compliance management systems — Requirements with guidance for use, First Edition, Edition 1)
  • Documented information shall be available to the extent necessary to have confidence that the processes have been carried out as planned. (§ 8.1 ¶ 2, ISO 37301:2021 Compliance management systems — Requirements with guidance for use, First Edition, Edition 1)
  • it is available and suitable for use, where and when it is needed; (7.5.3.1 ¶ 1(a), ISO 9001 Quality Management systems - Requirements, Fifth edition 2015-09-15)
  • keeping documented information to the extent necessary to have confidence that the processes have been carried out as planned. (§ 8.1 ¶ 1 bullet 3, ISO/DIS 37301, Compliance management systems — Requirements with guidance for use, DRAFT)
  • Accurate, up-to-date records of the organization's compliance activities shall be retained to assist in the monitoring and review process and demonstrate conformity with the compliance management system. (§ 9.1.5 ¶ 1, ISO/DIS 37301, Compliance management systems — Requirements with guidance for use, DRAFT)
  • Documented information required by the compliance management system and by this document shall be controlled to ensure: (§ 7.5.3 ¶ 1, ISO/DIS 37301, Compliance management systems — Requirements with guidance for use, DRAFT)
  • Documented information required by the IT asset management system and by this document shall be controlled to ensure: (Section 7.6.5 ¶ 1, ISO/IEC 19770-1, Information technology — IT asset management — Part 1: IT asset management systems — Requirements, Third Edition, 2017-12)
  • records required to demonstrate evidence of conformity to the requirements of this document and the organization's SMS. (§ 7.5.4 ¶ 1(l), ISO/IEC 20000-1:2018, Information technology — Service management —Part 1: Service management system requirements, Third Edition)
  • keeping documented information to the extent necessary to have confidence that the processes have been carried out as planned. (§ 8.1 ¶ 1(c), ISO/IEC 20000-1:2018, Information technology — Service management —Part 1: Service management system requirements, Third Edition)
  • collect and retain documented information on unintended changes and actions taken to mitigate adverse effects. (§ 8.1 Guidance ¶ 3(p), ISO/IEC 27003:2017, Information technology — Security techniques — Information security management systems — Guidance, Second Edition, 2017-03)
  • Some organizations maintain registers for tracking nonconformities and corrective actions. There can be more than one register (for example, one for each functional area or process) and on different media (paper, file, application, etc.). If this is the case, then they should be established and cont… (§ 10.1 Guidance ¶ 7, ISO/IEC 27003:2017, Information technology — Security techniques — Information security management systems — Guidance, Second Edition, 2017-03)
  • The Responsible Entity shall keep data or evidence to show compliance as identified below unless directed by its CEA to retain specific evidence for a longer period of time as part of an investigation: - Each Responsible Entity shall retain evidence of each requirement in this standard for three cal… (C. 1. 1.2. ¶ 2, North American Electric Reliability Corporation Critical Infrastructure Protection Standards Cyber Security - BES Cyber System Categorization CIP-002-5.1a, Version 5.1a)
  • The Responsible Entity shall keep data or evidence to show compliance as identified below unless directed by its CEA to retain specific evidence for a longer period of time as part of an investigation. (C. 1. 1.2. ¶ 2, North American Electric Reliability Corporation Critical Infrastructure Protection Standards Cyber Security - Communications between Control Centers CIP-012-1, Version 1)
  • The applicable entity shall keep data or evidence to show compliance as identified below unless directed by its CEA to retain specific evidence for a longer period of time as part of an investigation. (C. 1. 1.2. ¶ 2, North American Electric Reliability Corporation Critical Infrastructure Protection Standards Cyber Security - Configuration Change Management and Vulnerability Assessments CIP-010-4, Version 4)
  • The Responsible Entity shall keep data or evidence to show compliance as identified below unless directed by its CEA to retain specific evidence for a longer period of time as part of an investigation: - Each Responsible Entity shall retain evidence of each requirement in this standard for three ca… (C. 1. 1.2. ¶ 2, North American Electric Reliability Corporation Critical Infrastructure Protection Standards Cyber Security - Configuration Change Management and Vulnerability CIP-010-2, Version 2)
  • The applicable entity shall keep data or evidence to show compliance as identified below unless directed by its Compliance Enforcement Authority to retain specific evidence for a longer period of time as part of an investigation. (C. 1. 1.2. ¶ 2, North American Electric Reliability Corporation Critical Infrastructure Protection Standards Cyber Security - Configuration Change Management and Vulnerability CIP-010-3, Version 3)
  • The Responsible Entity shall keep data or evidence to show compliance as identified below unless directed by its CEA to retain specific evidence for a longer period of time as part of an investigation: - Each Responsible Entity shall retain evidence of each requirement in this standard for three ca… (C. 1. 1.2. ¶ 2, North American Electric Reliability Corporation Critical Infrastructure Protection Standards Cyber Security - Electronic Security Perimeter(s) CIP-005-5, Version 5)
  • The applicable entity shall keep data or evidence to show compliance as identified below unless directed by its Compliance Enforcement Authority to retain specific evidence for a longer period of time as part of an investigation. (C. 1. 1.2. ¶ 2, North American Electric Reliability Corporation Critical Infrastructure Protection Standards Cyber Security - Electronic Security Perimeter(s) CIP-005-6, Version 6)
  • The applicable entity shall keep data or evidence to show compliance as identified below unless directed by its CEA to retain specific evidence for a longer period of time as part of an investigation. (C. 1. 1.2. ¶ 2, North American Electric Reliability Corporation Critical Infrastructure Protection Standards Cyber Security - Electronic Security Perimeter(s) CIP-005-7, Version 7)
  • The Responsible Entity shall keep data or evidence to show compliance as identified below unless directed by its CEA to retain specific evidence for a longer period of time as part of an investigation: - Each Responsible Entity shall retain evidence of each requirement in this standard for three cal… (C. 1. 1.2. ¶ 2, North American Electric Reliability Corporation Critical Infrastructure Protection Standards Cyber Security - Incident Reporting and Response Planning CIP-008-5, Version 5)
  • The Responsible Entity shall keep data or evidence to show compliance as identified below unless directed by its CEA to retain specific evidence for a longer period of time as part of an investigation: (C. 1. 1.2. ¶ 2, North American Electric Reliability Corporation Critical Infrastructure Protection Standards Cyber Security - Incident Reporting and Response Planning CIP-008-6, Version 6)
  • The Responsible Entity shall keep data or evidence to show compliance as identified below unless directed by its CEA to retain specific evidence for a longer period of time as part of an investigation: - Each Responsible Entity shall retain evidence of each requirement in this standard for three ca… (C. 1. 1.2. ¶ 2, North American Electric Reliability Corporation Critical Infrastructure Protection Standards Cyber Security - Information Protection CIP-011-2, Version 2)
  • The applicable entity shall keep data or evidence to show compliance as identified below unless directed by its CEA to retain specific evidence for a longer period of time as part of an investigation: (B. 1. 1.2. ¶ 2, North American Electric Reliability Corporation Critical Infrastructure Protection Standards Cyber Security - Information Protection CIP-011-3, Version 3)
  • The Responsible Entity shall keep data or evidence to show compliance as identified below unless directed by its CEA to retain specific evidence for a longer period of time as part of an investigation: - Each Responsible Entity shall retain evidence of each requirement in this standard for three cal… (C. 1. 1.2. ¶ 2, North American Electric Reliability Corporation Critical Infrastructure Protection Standards Cyber Security - Personnel & Training CIP-004-6, Version 6)
  • The applicable entity shall keep data or evidence to show compliance as identified below unless directed by its CEA to retain specific evidence for a longer period of time as part of an investigation: (C. 1. 1.2. ¶ 2, North American Electric Reliability Corporation Critical Infrastructure Protection Standards Cyber Security - Personnel & Training CIP-004-7, Version 7)
  • The following evidence retention periods identify the period of time an entity is required to retain specific evidence to demonstrate compliance. For instances where the evidence retention period specified below is shorter than the time since the last audit, the CEA may ask an entity to provide othe… (C. 1. 1.2. ¶ 1, North American Electric Reliability Corporation Critical Infrastructure Protection Standards Cyber Security - Personnel & Training CIP-004-7, Version 7)
  • The Responsible Entity shall keep data or evidence to show compliance as identified below unless directed by its CEA to retain specific evidence for a longer period of time as part of an investigation: - Each Responsible Entity shall retain evidence of each requirement in this standard for three ca… (C. 1. 1.2. ¶ 2, North American Electric Reliability Corporation Critical Infrastructure Protection Standards Cyber Security - Physical Security of BES Cyber Systems CIP-006-6, Version 6)
  • The Responsible Entity shall keep data or evidence to show compliance as identified below unless directed by its CEA to retain specific evidence for a longer period of time as part of an investigation: - Each Responsible Entity shall retain evidence of each requirement in this standard for three cal… (C. 1. 1.2. ¶ 2, North American Electric Reliability Corporation Critical Infrastructure Protection Standards Cyber Security - Recovery Plans for BES Cyber Systems CIP-009-6, Version 6)
  • The Responsible Entity shall keep data or evidence to show compliance as identified below unless directed by its CEA to retain specific evidence for a longer period of time as part of an investigation: (C. 1. 1.2. ¶ 2, North American Electric Reliability Corporation Critical Infrastructure Protection Standards Cyber Security - Security Management Controls CIP-003-8, Version 8)
  • The Responsible Entity shall keep data or evidence to show compliance as identified below unless directed by its Compliance Enforcement Authority to retain specific evidence for a longer period of time as part of an investigation. (C. 1. 1.2. ¶ 2, North American Electric Reliability Corporation Critical Infrastructure Protection Standards Cyber Security - Supply Chain Risk Management CIP-013-1)
  • The Responsible Entity shall keep data or evidence to show compliance as identified below unless directed by its CEA to retain specific evidence for a longer period of time as part of an investigation. (C. 1. 1.2. ¶ 2, North American Electric Reliability Corporation Critical Infrastructure Protection Standards Cyber Security - Supply Chain Risk Management CIP-013-2, Version 2)
  • The Responsible Entity shall keep data or evidence to show compliance as identified below unless directed by its CEA to retain specific evidence for a longer period of time as part of an investigation: - Each Responsible Entity shall retain evidence of each requirement in this standard for three cal… (C. 1. 1.2. ¶ 2, North American Electric Reliability Corporation Critical Infrastructure Protection Standards Cyber Security - System Security Management CIP-007-6, Version 6)
  • The Transmission Owner and Transmission Operator shall keep data or evidence to show compliance, as identified below, unless directed by its Compliance Enforcement Authority (CEA) to retain specific evidence for a longer period of time as part of an investigation. (C. 1. 1.2. ¶ 2, North American Electric Reliability Corporation Critical Infrastructure Protection Standards Physical Security CIP-014-2, Version 2)
  • The Transmission Owner and Transmission Operator shall keep data or evidence to show compliance, as identified below, unless directed by its Compliance Enforcement Authority (CEA) to retain specific evidence for a longer period of time as part of an investigation. (C. 1. 1.2. ¶ 2, North American Electric Reliability Corporation Critical Infrastructure Protection Standards Physical Security CIP-014-3, Version 3)
  • The memorandum must show the terms and conditions of the order or instructions and of any modification or cancellation thereof, the account for which entered, the time the order was received, the time of entry, the price at which executed, the identity of each associated person, if any, responsible … (§ 240.17a-3 (a)(6)(i) (A), 17 CFR Part 240.17a-3 - Records to be made by certain exchange members, brokers and dealers)
  • An account record including the customer's or owner's name, tax identification number, address, telephone number, date of birth, employment status (including occupation and whether the customer is an associated person of a member, broker or dealer), annual income, net worth (excluding value of prima… (§ 240.17a-3 (a)(17)(i) (A), 17 CFR Part 240.17a-3 - Records to be made by certain exchange members, brokers and dealers)
  • Records required to be maintained pursuant to paragraph (d) of § 240.17f-2. (§ 240.17a-3 (a)(13), 17 CFR Part 240.17a-3 - Records to be made by certain exchange members, brokers and dealers)
  • Records required to be maintained pursuant to paragraph (e) of § 240.17f-2. (§ 240.17a-3 (a)(15), 17 CFR Part 240.17a-3 - Records to be made by certain exchange members, brokers and dealers)
  • Every member, broker or dealer must make and keep current, as to each office, the books and records described in paragraphs (a)(1), (6), (7), (12), and (17), (a)(18)(i), and (a)(19) through (22) of this section. (§ 240.17a-3 (f), 17 CFR Part 240.17a-3 - Records to be made by certain exchange members, brokers and dealers)
  • A record of all puts, calls, spreads, straddles, and other options in which such member, broker or dealer has any direct or indirect interest or which such member, broker or dealer, has granted or guaranteed, containing, at least, an identification of the security, and the number of units involved. … (§ 240.17a-3 (a)(10), 17 CFR Part 240.17a-3 - Records to be made by certain exchange members, brokers and dealers)
  • Copies of all Forms X-17F-1A filed pursuant to § 240.17f-1, all agreements between reporting institutions regarding registration or other aspects of § 240.17f-1, and all confirmations or other information received from the Commission or its designee as a result of inquiry. (§ 240.17a-3 (a)(14), 17 CFR Part 240.17a-3 - Records to be made by certain exchange members, brokers and dealers)
  • A record of the date that each Form CRS was provided to each retail investor, including any Form CRS provided before such retail investor opens an account. (§ 240.17a-3 (a)(24), 17 CFR Part 240.17a-3 - Records to be made by certain exchange members, brokers and dealers)
  • A record of the reserve computation required under § 240.15c3-3(p)(3). (§ 240.17a-3 (a)(27), 17 CFR Part 240.17a-3 - Records to be made by certain exchange members, brokers and dealers)
  • A record of all information collected from and provided to the retail customer pursuant to § 240.15l-1, as well as the identity of each natural person who is an associated person, if any, responsible for the account. (§ 240.17a-3 (a)(35)(i), 17 CFR Part 240.17a-3 - Records to be made by certain exchange members, brokers and dealers)
  • In the case of a margin account, the signature of such owner; provided that, in the case of a joint account or an account of a corporation, such records are required only in respect of the person or persons authorized to transact business for such account; and (§ 240.17a-3 (a)(9)(iii), 17 CFR Part 240.17a-3 - Records to be made by certain exchange members, brokers and dealers)
  • An account record including the customer's or owner's name, tax identification number, address, telephone number, date of birth, employment status (including occupation and whether the customer is an associated person of a member, broker or dealer), annual income, net worth (excluding value of prima… (§ 240.17a-3 (a)(17)(i) (B) (1), 17 CFR Part 240.17a-3 - Records to be made by certain exchange members, brokers and dealers)
  • The Records Management Application shall automatically enter the name of the sender into the author or originator data field of the metadata. (Table C2.T4 Row 1, Design Criteria Standard for Electronic Records Management Software Application, DoD 5015.2)
  • The Records Management Application shall automatically enter the name of all primary addressees or distribution lists into the addressee(s) field of the metadata. (Table C2.T4 Row 2, Design Criteria Standard for Electronic Records Management Software Application, DoD 5015.2)
  • The Records Management Application shall automatically enter the name of all other addressees or distribution lists into the other addressee(s) data field of the metadata. (Table C2.T4 Row 3, Design Criteria Standard for Electronic Records Management Software Application, DoD 5015.2)
  • The Records Management Application shall automatically enter the date and time the message was sent into the publication date data field of the metadata. (Table C2.T4 Row 4, Design Criteria Standard for Electronic Records Management Software Application, DoD 5015.2)
  • The Records Management Application shall automatically enter the date and time the message was received into the date received data field of the metadata. (Table C2.T4 Row 5, Design Criteria Standard for Electronic Records Management Software Application, DoD 5015.2)
  • The Records Management Application shall automatically enter the message's subject into the subject or title data field of the metadata. (Table C2.T4 Row 6, Design Criteria Standard for Electronic Records Management Software Application, DoD 5015.2)
  • The Records Management Application shall let the user file e-mails and attachments as a single record, as individual records, or both. (§ C2.2.4.3, Design Criteria Standard for Electronic Records Management Software Application, DoD 5015.2)
  • A user shall be able to enter the metadata required in table c2.t3 when e-mail attachments are filed as individual records. (§ C2.2.4.3, Design Criteria Standard for Electronic Records Management Software Application, DoD 5015.2)
  • The "downgrade on" field is not applicable for records that contain restricted data or Formerly Restricted Data and shall be disabled. (§ C4.1.13.1, Design Criteria Standard for Electronic Records Management Software Application, DoD 5015.2)
  • The "declassify on" field is not applicable for records containing restricted data or Formerly Restricted Data and shall be disabled. (§ C4.1.13.2, Design Criteria Standard for Electronic Records Management Software Application, DoD 5015.2)
  • If an action, activity or assessment is required by this subpart to be documented, maintain a written (which may be electronic) record of the action, activity, or assessment. (§ 164.316(b)(1)(ii), 45 CFR Part 164 - Security and Privacy, current as of July 6, 2020)
  • If the statement is made orally, document the statement, including the identity of the official making the statement, and delay the notification, notice, or posting temporarily and no longer than 30 days from the date of the oral statement, unless a written statement as described in paragraph (a) of… (§ 164.412(b), 45 CFR Part 164 - Security and Privacy, current as of July 6, 2020)
  • Documentation. A covered entity must document and retain any signed authorization under this section as required by §164.530(j). (§ 164.508(b)(6), 45 CFR Part 164 - Security and Privacy, current as of July 6, 2020)
  • Implementation specification: Documentation. A covered entity must document a restriction in accordance with §160.530(j) of this subchapter. (§ 164.522(a)(3), 45 CFR Part 164 - Security and Privacy, current as of July 6, 2020)
  • Recordkeeping. The covered entity must, as appropriate, identify the record or protected health information in the designated record set that is the subject of the disputed amendment and append or otherwise link the individual's request for an amendment, the covered entity's denial of the request, t… (§ 164.526(d)(4), 45 CFR Part 164 - Security and Privacy, current as of July 6, 2020)
  • Document the statement, including the identity of the agency or official making the statement; (§ 164.528(a)(2)(ii)(A), 45 CFR Part 164 - Security and Privacy, current as of July 6, 2020)
  • If an e-mail message documents the organization's mission or provides evidence of Health and Human Services (HHS) actions, it is considered to be a record. To determine if an e-mail message is a record, the organization must examine the message content for information developed in preparing reports,… (Email as a Record, Department of Health and Human Services Records Management Handbook, Appendix D - HHS Guidelines for Establishing An Electronic Recordkeeping Process, Version 2.9 Draft)
  • Determine whether receipt issuance ensures customers receive a receipt showing the amount, date, time, and location for retail EFT transactions in compliance with Regulation E. (App A Tier 2 Objectives and Procedures G.6, FFIEC IT Examination Handbook - Retail Payment Systems, April 2016)
  • Determine if the institution records incoming and outgoing telephone transfer requests. Also determine if the institution notifies the customer that calls are recorded (e.g., through written contracts, audible signals). (Exam Tier II Obj 4.4, FFIEC IT Examination Handbook - Wholesale Payment Systems, July 2004)
  • Implement processes, mechanisms, etc. to gather and safeguard the necessary information in support of the criteria. (PO.4.2, NIST SP 800-218, Secure Software Development Framework: Recommendations for Mitigating the Risk of Software Vulnerabilities, Version 1.1)
  • Provides justification and documents approval for the continued use of unsupported system components required to satisfy mission/business needs. (SA-22b., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • Provides justification and documents approval for the continued use of unsupported system components required to satisfy mission/business needs. (SA-22b., Supply Chain Risk Management Practices for Federal Information Systems and Organizations, NIST Special Publication 800-161, April 2015)
  • Develop and document recordkeeping policies and procedures for security information. Protection of SSI in accordance with the provisions of 49 CFR Parts 15 and 1520 should be specifically addressed. (Table 1: Recordkeeping Baseline Security Measures Cell 1, Pipeline Security Guidelines)
  • retain a consumer's email address to comply with the consumer's request to exercise a right. (13-61-304 (1)(n), Utah Code, Title 13, Chapter 61, Utah Consumer Privacy Act)