
Conduct Archives and Records Management training.


CONTROL ID: 00975
CONTROL TYPE: Behavior
CLASSIFICATION: Preventive

SUPPORTING AND SUPPORTED CONTROLS




This Control directly supports the implied Control(s):
  • Establish, implement, and maintain training plans. (CC ID: 00828)

There are no implementation support Controls.


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH




  • An organization should develop a high-level training strategy on good record keeping practices. Alternative delivery methods should be considered, and then the best method should be selected. (§ F.4.8, The DIRKS Manual: A Strategic Approach to Managing Business Information, rev. July 2003)
  • Records management training programs are called for. (§ 11, ISO 15489-1:2001, Information and Documentation: Records management: Part 1: General)
  • "a training program should ensure that the functions and benefits of managing records are widely understood in an organization. It should explain the policies and procedures in place and processes in a context that gives staff an understanding of why they are required." They should be tailored to th… (§ 6.1, § 6.4.1, ISO 15489-2: 2001, Information and Documentation: Records management: Part 2: Guidelines)
  • A manager at a suitable level should be assigned responsibility for implementing and managing the records management training program. (§ 6.2 ¶ 1, ISO 15489-2: 2001, Information and Documentation: Records management: Part 2: Guidelines)
  • The organization may use a third party supplier for some or all of its records management training. (§ 6.2 ¶ 2, ISO 15489-2: 2001, Information and Documentation: Records management: Part 2: Guidelines)
  • The records management training program can be incorporated into the employee orientation program and documentation. (§ 6.4.2 ¶ 1(a), ISO 15489-2: 2001, Information and Documentation: Records management: Part 2: Guidelines)
  • The records management training program can include classroom training when systems change or when staff take on new job responsibilities. (§ 6.4.2 ¶ 1(b), ISO 15489-2: 2001, Information and Documentation: Records management: Part 2: Guidelines)
  • The records management training program can include on-the-job training and coaching. (§ 6.4.2 ¶ 1(c), ISO 15489-2: 2001, Information and Documentation: Records management: Part 2: Guidelines)
  • The records management training program can include briefing sessions and seminars on specific issues. (§ 6.4.2 ¶ 1(d), ISO 15489-2: 2001, Information and Documentation: Records management: Part 2: Guidelines)
  • The records management training program can include short "how-to" booklets and leaflets that describe the record policies or practices. (§ 6.4.2 ¶ 1(e), ISO 15489-2: 2001, Information and Documentation: Records management: Part 2: Guidelines)
  • The records management training program can include computer-based presentations. (§ 6.4.2 ¶ 1(f), ISO 15489-2: 2001, Information and Documentation: Records management: Part 2: Guidelines)
  • The records management training program can include help text in the system. (§ 6.4.2 ¶ 1(g), ISO 15489-2: 2001, Information and Documentation: Records management: Part 2: Guidelines)
  • The records management training program can include training courses from professional organizations, educational institutions, or developed specifically for the organization. (§ 6.4.2 ¶ 1(h), ISO 15489-2: 2001, Information and Documentation: Records management: Part 2: Guidelines)
  • An effective Records and Information Management program should train individuals how to keep and manage the business records that are created or received during normal business days. (Comment 1.b ¶ 2 Bullet 6, The Sedona Principles Addressing Electronic Document Production)
  • Training should be provided in a firm's procedures governing correspondence (incoming and outgoing). (R 3010(d)(2), NASD Manual)
  • Handling of BES Cyber System Information and its storage; (CIP-004-6 Table R2 Part 2.1 Requirements 2.1.5., North American Electric Reliability Corporation Critical Infrastructure Protection Standards Cyber Security - Personnel & Training CIP-004-6, Version 6)
  • Handling of BES Cyber System Information and its storage; (CIP-004-7 Table R2 Part 2.1 Requirements 2.1.5., North American Electric Reliability Corporation Critical Infrastructure Protection Standards Cyber Security - Personnel & Training CIP-004-7, Version 7)
  • The Information Assurance Officer/Network Security Officer, for Network Intrusion Detection System data, will ensure reviewers are HIPAA trained. (§ 4.5.3 (MED0320), Medical Devices Security Technical Implementation Guide, Version 1, Release 1)
  • The using or acquiring organization should state the requirements for records manager training and end-user training. (§ C3.1.9, Design Criteria Standard for Electronic Records Management Software Application, DoD 5015.2)
  • Protect information subject to confidentiality concerns — hardcopy through destruction. (§ 5.2.1.2 ¶ 1(2), Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.8, Version 5.8)
  • Proper handling and marking of CJI. (§ 5.2.1.2 ¶ 1 3., Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.9.1, Version 5.9.1)
  • Data backup and storage—centralized or decentralized approach. (§ 5.2.1.4 ¶ 1 2., Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.9.1, Version 5.9.1)
  • The organization shall have procedures and controls in place to determine if persons who are developing, maintaining, or using electronic records/electronic signatures have the training, experience, and education to conduct their assigned tasks. (§ 11.10(i), 21 CFR Part 11, Electronic Records; Electronic Signatures)
  • Employees should be trained in their computer security responsibilities and duties associated with their jobs. (§ 3.5.1.4, Generally Accepted Principles and Practices for Securing Information Technology Systems, NIST SP 800-14, September 1996)