Establish, implement, and maintain data input and data access authorization tracking.

CONTROL ID
00920
CONTROL TYPE
Monitor and Evaluate Occurrences
CLASSIFICATION
Detective

SUPPORTING AND SUPPORTED CONTROLS

This Control directly supports the implied Control(s):
  • Establish, implement, and maintain records management procedures., CC ID: 11619

This Control has the following implementation support Control(s):
  • Validate transactions against master files of third parties and clients, as necessary., CC ID: 06552
  • Validate transactions using identifiers and credentials., CC ID: 13203
  • Establish, implement, and maintain a system storage log., CC ID: 13532
  • Establish, implement, and maintain a system input log., CC ID: 13531

SELECTED AUTHORITY DOCUMENTS COMPLIED WITH

  • App 2-1 Item Number IV.3(3): The organization must develop creation procedures and operational procedures for input data to prevent mistakes and misconduct and to protect confidentiality during the preparation, handling, and input of data. This is a control item that constitutes a relatively small r… (App 2-1 Item Number IV.3(3), App 2-1 Item Number IV.3(4), Appendix 1 Correspondence of the System Management Standards - Supplementary Edition to other standards)
  • O24: The organization shall develop input procedures for the computer center and head and branch offices to process data accurately and prevent unauthorized conduct. T32.1(1): The organization should consider checking input data to detect defective data. This can be accomplished by checking the form… (O24, T32.1(1), FISC Security Guidelines on Computer Systems for Banking and Related Financial Institutions, 7th Edition)
  • To accurately process data to be input into an information system as well as to ensure its integrity, protect its confidentiality, and prevent unauthorized conduct, formulate procedures for data input and approval, and fully adhere them. (P65.1. ¶ 1, FISC Security Guidelines on Computer Systems for Financial Institutions, Ninth Edition, Revised March 2020)
  • Without prejudice to paragraph 1, to the extent the user exercises control over the input data, that user shall ensure that input data is relevant in view of the intended purpose of the high-risk AI system. (Article 29 3., Proposal for a Regulation of The European Parliament and of The Council Laying Down Harmonized Rules On Artificial Intelligence (Artificial Intelligence Act) and Amending Certain Union Legislative Acts)
  • When personal data is used or processed automatically, the authorities or enterprises internal organization must be arranged to meet the specific requirements of data protection. Measures need to be taken for the type of personal data or data categories to be protected to ensure it is possible to ch… (Annex, German Federal Data Protection Act, September 14, 1994)
  • The system should record the identity of the operators who are entering or confirming critical data. (¶ 10, PE 009-8, Guide to Good Manufacturing Practice for Medicinal Products, Annex 11, 15 January 2009)
  • Any alterations to critical data should be authorized and recorded with the reason for the change. (¶ 10, PE 009-8, Guide to Good Manufacturing Practice for Medicinal Products, Annex 11, 15 January 2009)
  • Manual input of control data (e.g., key verification code) to enable export, import or use of a key; and (G3 Bullet 1, Payment Card Industry (PCI), PIN Transaction Security (PTS) Hardware Security Module (HSM) - Security Requirements, Version 3.0)
  • International transactions may carry higher levels of risk. For international customers, the organization should find out which countries are heavily involved in Internet fraud and perform additional verification checks. Additional verification checks include requiring the billing and shipping addre… (Pg 34, Pg 35, VISA E-Commerce Merchants Guide to Risk Management Tools and Best Practices for Building a Secure Internet Business)
  • Input controls provide reasonable assurance that received data has been authorized and properly converted into machine-readable form and the data is not suppressed, lost, duplicated, added, or improperly changed. Computerized input controls include check digits, data checks, hash totals, and record … (App A (Input Controls), IIA Global Technology Audit Guide (GTAG) 8: Auditing Application Controls)
  • The integrity of information processed by business applications should be maintained by ensuring that the processing of information is validated (e.g., by record counts, and hash, session, batch, or balancing totals). (CF.04.03.02b, The Standard of Good Practice for Information Security)
  • The risk of inaccurate entry of information into Critical spreadsheets should be reduced by the use of default values (e.g., pre-agreed values that will automatically be entered when a new record is added). (CF.13.02.04a, The Standard of Good Practice for Information Security)
  • The risk of inaccurate entry of information into Critical spreadsheets should be reduced by the use of drop-down lists consisting of predefined values (e.g., to help users of spreadsheets select the correct information). (CF.13.02.04b, The Standard of Good Practice for Information Security)
  • Critical databases should be supported by documented standards / procedures, which covers validation of information input into databases. (CF.13.03.01b, The Standard of Good Practice for Information Security)
  • The integrity of information processed by business applications should be maintained by ensuring that the processing of information is validated (e.g., by record counts, and hash, session, batch, or balancing totals). (CF.04.03.02b, The Standard of Good Practice for Information Security, 2013)
  • The risk of inaccurate entry of information into Critical spreadsheets should be reduced by the use of default values (e.g., pre-agreed values that will automatically be entered when a new record is added). (CF.13.02.04a, The Standard of Good Practice for Information Security, 2013)
  • The risk of inaccurate entry of information into Critical spreadsheets should be reduced by the use of drop-down lists consisting of predefined values (e.g., to help users of spreadsheets select the correct information). (CF.13.02.04b, The Standard of Good Practice for Information Security, 2013)
  • Critical databases should be supported by documented standards / procedures, which covers validation of information input into databases. (CF.13.03.01b, The Standard of Good Practice for Information Security, 2013)
  • The entity implements policies and procedures over system inputs, including controls over completeness and accuracy, to result in products, services, and reporting to meet the entity's objectives. (PI1.2 ¶ 1, 2017 Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy (with Revised Points of Focus – 2022))
  • Procedures related to completeness, accuracy, timeliness, and authorization of inputs are consistent with the system processing integrity policies. (Processing Integrity Prin. and Criteria Table § 3.2, Appendix B: Trust Services Principles and Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy, TSP Section 100 Principles and Criteria)
  • Procedures exist to enable the tracing of information inputs from their source to their final disposition and vice versa. (Processing Integrity Prin. and Criteria Table § 3.5, Appendix B: Trust Services Principles and Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy, TSP Section 100 Principles and Criteria)
  • The entity implements policies and procedures over system inputs, including controls over completeness and accuracy, to result in products, services, and reporting to meet the entity's objectives. (PI1.2, Trust Services Criteria)
  • The entity implements policies and procedures over system inputs, including controls over completeness and accuracy, to result in products, services, and reporting to meet the entity's objectives. (PI1.2 ¶ 1, Trust Services Criteria, (includes March 2020 updates))
  • CSR 7.3.4: The system must log all transactions as they are entered and the userid of the person entering the data. CSR 8.1.2: The organization must enter a source documents pre-assigned serial number into the computer and use it for sequence checking. CSR 8.1.3: The system must automatically assign… (CSR 7.3.4, CSR 8.1.2, CSR 8.1.3, CSR 8.5.1, CSR 9.9.1, Pub 100-17 Medicare Business Partners Systems Security, Transmittal 7, Appendix A: CMS Core Security Requirements CSR, March 17, 2006)
  • The Records Management Application shall capture, populate, and/or provide users with the ability to populate the metadata elements before filing the record. (§ C2.2.3.10, Design Criteria Standard for Electronic Records Management Software Application, DoD 5015.2)
  • The Records Management Application shall provide users who are using a user interface with the ability to edit the record metadata before filing the record, except for data that is specifically identified as not editable in this standard. (§ C2.2.3.11, Design Criteria Standard for Electronic Records Management Software Application, DoD 5015.2)
  • The Records Management Application shall provide users the option of editing the record metadata before filing, when autofiling is being used. (§ C2.2.3.11, Design Criteria Standard for Electronic Records Management Software Application, DoD 5015.2)
  • The Records Management Application shall have the capability for authorized individuals to enter or update exemption categories in the "declassify on" field. (§ C4.1.15, Design Criteria Standard for Electronic Records Management Software Application, DoD 5015.2)
  • The responsibilities of the authorized individuals referred to in section c4.1.1.15 (enter or update exemption categories in the "declassify on" field) shall be accomplished by an Application Administrator (installing and setting up the database) or a privileged user (entering and maintaining the da… (Table C4.T2 Requirement C4.1.15, Design Criteria Standard for Electronic Records Management Software Application, DoD 5015.2)
  • The agency shall restrict the information that is input into any of the Federal Bureau of Investigation criminal justice information services to authorized personnel only. (§ 5.10.4.6 ¶ 1, Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.2, Version 5.2)
  • The agency shall restrict the information input to any connection to FBI CJIS services to authorized personnel only. (§ 5.10.4.5 ¶ 1, Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.9.1, Version 5.9.1)
  • Monitors databases and maintains normal operations. (App A Objective 3:6h Bullet 2, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Assess the effectiveness of personnel responsible for internal ATM processing. Determine whether there are: • Controls prohibiting staff members who originate entries from processing and physically handling cash. • Proper control of all source documents (e.g., checks for deposit) maintained thro… (Exam Tier II Obj 7.1, FFIEC IT Examination Handbook - Retail Payment Systems, March 2004)
  • The organization should have a second staff member verify the accuracy and authorization of a payment order before sending the order to the Federal Reserve Bank. (Pg 19, FFIEC IT Examination Handbook - Wholesale Payment Systems, July 2004)
  • The organization shall have procedures and controls in place for carrying out the use of device checks to determine if the source of the data input or operational instruction is valid. (§ 11.10(h), 21 CFR Part 11, Electronic Records; Electronic Signatures)
  • The organization must ensure only authorized personnel can input information into the system. (§ 5.6.16, Exhibit 4 SI-9, IRS Publication 1075: TAX INFORMATION SECURITY GUIDELINES FOR FEDERAL, STATE AND LOCAL AGENCIES AND ENTITIES; Safeguards for Protecting Federal Tax Returns and Return Information)
  • Are the internet banking transactions processed in real-time? (IT - Member Online Services Q 24a, Automated Integrated Regulatory Examination System (AIRES) IT Exam Questionnaires, version 073106A)
  • Are the internet banking transactions processed in batch? (IT - Member Online Services Q 24b, Automated Integrated Regulatory Examination System (AIRES) IT Exam Questionnaires, version 073106A)
  • Are internet banking transactions processed in other ways? (IT - Member Online Services Q 24c, Automated Integrated Regulatory Examination System (AIRES) IT Exam Questionnaires, version 073106A)
  • Validate the binding of the information producer identity to the information at [Assignment: organization-defined frequency]; and (AU-10(2)(a), Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 2 Controls)
  • Provide the means for authorized individuals to determine the identity of the producer of the information. (AU-10(1)(b), Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 2 Controls)
  • Validate the binding of the information producer identity to the information at [Assignment: organization-defined frequency]; and (AU-10(2)(a), Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 3 Controls)
  • System and Information Integrity (SI): Organizations must: (i) identify, report, and correct information and information system flaws in a timely manner; (ii) provide protection from malicious code at appropriate locations within organizational information systems; and (iii) monitor information syst… (§ 3, FIPS Pub 200, Minimum Security Requirements for Federal Information and Information Systems, March 2006)
  • Organizational records and documents should be examined to ensure the system can restrict the individuals authorized to input data into the system based on their responsibilities, user accounts can be restricted beyond normal access control measures, and specific responsibilities and actions are def… (SI-9, Guide for Assessing the Security Controls in Federal Information Systems, NIST SP 800-53A)
  • The smart grid Information System must use mechanisms to check inputted information for completeness, accuracy, authenticity, and validity. (SG.SI-8 Requirement, NISTIR 7628 Guidelines for Smart Grid Cyber Security: Vol. 1, Smart Grid Cyber Security Strategy, Architecture, and High-Level Requirements, August 2010)
  • The organization must restrict the input of information to authorized personnel. (App F § SI-9, Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • The organization restricts the use of information inputs to {organizationally documented trusted sources} and/or {organizationally documented formats}. (SI-10(5), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The organization restricts the use of information inputs to [Assignment: organization-defined trusted sources] and/or [Assignment: organization-defined formats]. (SI-10(5) ¶ 1, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • Provides the means for authorized individuals to determine the identity of the producer of the information. (AU-10(1)(b), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • Validates the binding of the information producer identity to the information at [Assignment: organization-defined frequency]; and (AU-10(2)(a), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • Validate the binding of the information producer identity to the information at [Assignment: organization-defined frequency]; and (AU-10(2)(a), Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Provide the means for authorized individuals to determine the identity of the producer of the information. (AU-10(1)(b), Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Restrict the use of information inputs to [Assignment: organization-defined trusted sources] and/or [Assignment: organization-defined formats]. (SI-10(5) ¶ 1, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Validate the binding of the information producer identity to the information at [Assignment: organization-defined frequency]; and (AU-10(2)(a), Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • Provide the means for authorized individuals to determine the identity of the producer of the information. (AU-10(1)(b), Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • Restrict the use of information inputs to [Assignment: organization-defined trusted sources] and/or [Assignment: organization-defined formats]. (SI-10(5) ¶ 1, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • Provides the means for authorized individuals to determine the identity of the producer of the information. (AU-10(1) ¶ 1b., Supply Chain Risk Management Practices for Federal Information Systems and Organizations, NIST Special Publication 800-161, April 2015)
  • Validates the binding of the information producer identity to the information at [Assignment: organization-defined frequency]; and (AU-10(2) ¶ 1(a), Supply Chain Risk Management Practices for Federal Information Systems and Organizations, NIST Special Publication 800-161, April 2015)