Include record integrity techniques in the records management procedures.


CONTROL ID
06418
CONTROL TYPE
Establish/Maintain Documentation
CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS




This Control directly supports the implied Control(s):
  • Establish, implement, and maintain records management procedures., CC ID: 11619

This Control has the following implementation support Control(s):
  • Note in electronic records converted from printed records, the location of the original., CC ID: 11809
  • Incorporate desktop publishing into the organization's Records Management program., CC ID: 06535
  • Provide structures for browsing records stored in the Electronic Document and Records Management system., CC ID: 10009
  • Provide structures for searching for items stored in the Electronic Document and Records Management system., CC ID: 10010
  • Provide structures for downloading records from the Electronic Document and Records Management system., CC ID: 10011
  • Provide structures for managing e-mail stored in the Electronic Document and Records Management system., CC ID: 10012
  • Provide structures for authorized parties to approve record updates in the Electronic Document and Records Management system., CC ID: 11965
  • Provide structures for version control of records stored in the Electronic Document and Records Management system., CC ID: 10013


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH




  • When a law requires information to be kept or presented in its original form, this requirement shall be met for a data message if the integrity of the information from the time it was first generated in its final data message form has passed the integrity assessment stated in section 7(2). (§ 7(1)(a), The Electronic Communications and Transactions Act, 2002)
  • Information integrity shall be assessed by determining if the information has remained complete and unaltered, except for adding endorsements and changes which come up in the normal course of communications, storage, and display. (§ 7(2)(a), The Electronic Communications and Transactions Act, 2002)
  • Information integrity shall be assessed in light of the purpose that it is being generated. (§ 7(2)(b), The Electronic Communications and Transactions Act, 2002)
  • Information integrity shall be assessed with regard to all other circumstances. (§ 7(2)(c), The Electronic Communications and Transactions Act, 2002)
  • The integrity of information in a document shall be maintained if the information remained complete and unaltered except for adding endorsements or immaterial changes which occur in the normal course of communication, storage, or display. (§ 10(2), The Electronic Communications and Transactions Act, 2002)
  • Audit trails, operation records, logs, and other information should be properly protected against falsification, unauthorized access, and other malicious acts by anyone other than duly authorized personnel. (P10.3. ¶ 1, FISC Security Guidelines on Computer Systems for Financial Institutions, Ninth Edition, Revised March 2020)
  • The organization should verify the integrity of the content and block it if the verification fails. (Control: 1292, Australian Government Information Security Manual: Controls)
  • The integrity of records in accordance with the legal, regulatory or contractual provisions and business requirements is considered. (7.1.1 Requirements (should) Bullet 1, Information Security Assessment, Version 5.1)
  • A firm must conduct ongoing monitoring of its business relationships on a risk-sensitive basis. Ongoing monitoring means scrutinising transactions to ensure that they are consistent with what the firm knows about the customer, and taking steps to ensure that the firm's knowledge about the business r… (3.2.5 ¶ 1, Financial Crime Guide: A Firm’s Guide to Countering Financial Crime Risks, Release 11)
  • Procedures have been established to ensure the reliability, accuracy, and consistency of the electronic record system, when electronic records are used to keep the gxp data. (¶ 21.10 Bullet 3, Good Practices For Computerized systems In Regulated GXP Environments)
  • Business applications should incorporate security controls to protect the integrity of information by minimizing manual intervention (e.g., by automating processes). (CF.04.01.04a, The Standard of Good Practice for Information Security)
  • Standards and procedures for security of customer connections should cover protecting the integrity of critical information. (CF.05.03.01b, The Standard of Good Practice for Information Security)
  • Business applications should incorporate security controls to protect the integrity of information by minimizing manual intervention (e.g., by automating processes). (CF.04.01.04a, The Standard of Good Practice for Information Security, 2013)
  • Standards and procedures for security of customer connections should cover protecting the integrity of critical information. (CF.05.03.01b, The Standard of Good Practice for Information Security, 2013)
  • Ensure the integrity of the database records for the SWIFT messaging interface. (6.3 Control Objective, Swift Customer Security Controls Framework (CSCF), v2019)
  • identification and description (e.g. a title, date, author, or reference number); (7.5.2 ¶ 1 Bullet 1, ISO 14004:2016, Environmental management systems — General guidelines on implementation, Third Edition)
  • The record uses will determine the protection levels that are needed to protect against loss or damage. (§ 4.3.7.1 ¶ 5(b), ISO 15489-2: 2001, Information and Documentation: Records management: Part 2: Guidelines)
  • For the control of documented information, the organization shall address the following activities, as applicable — distribution, access, retrieval and use, — storage and preservation, including preservation of legibility, — control of changes, — retention and disposition, — retrieval and … (§ 7.5.3 ¶ 2, ISO 22301: Societal Security - Business Continuity Management Systems - Requirements, Corrected Version)
  • The integrity of publicly available health information should be protected to prevent unauthorized modification. (§ 14.1.3.1 Health-specific controls ¶ 2, ISO 27799:2016 Health informatics — Information security management in health using ISO/IEC 27002, Second Edition)
  • distribution, access, retrieval and use; (§ 7.5.3 ¶ 2 bullet 1, ISO 37301:2021 Compliance management systems — Requirements with guidance for use, First Edition, Edition 1)
  • it is adequately protected (e.g. from loss of confidentiality, improper use, or loss of integrity). (7.5.3.1 ¶ 1(b), ISO 9001 Quality Management systems - Requirements, Fifth edition 2015-09-15)
  • Documented information retained as evidence of conformity shall be protected from unintended alterations. (7.5.3.2 ¶ 3, ISO 9001 Quality Management systems - Requirements, Fifth edition 2015-09-15)
  • A change management process for documented information should ensure that only authorised persons have the right to change and distribute it as needed through appropriate and predefined means. Documented information should be protected to ensure it keeps its validity and authenticity. (§ 7.5.3 Guidance ¶ 3, ISO/IEC 27003:2017, Information technology — Security techniques — Information security management systems — Guidance, Second Edition, 2017-03)
  • Have quality assurance procedures to verify the quality and accuracy of the electronic or micrographic recording process; and (§ 240.17Ad-7(f)(2)(iv), 17 CFR Part 240.17Ad-7 - Record retention)
  • If you use electronic storage media or micrographic media to store your records, you must establish an audit system that accounts for the inputting of and any changes to every record that is stored on electronic storage media or micrographic media. The results of such audit system must: (§ 240.17Ad-7(f)(4), 17 CFR Part 240.17Ad-7 - Record retention)
  • Ensure the security and integrity of the records by means of manual and automated controls that assure the authenticity and quality of the electronic facsimile, detect attempts to alter or remove the records, and provide means to recover altered, damaged, or lost records resulting from any cause; (§ 240.17Ad-7(f)(3)(i), 17 CFR Part 240.17Ad-7 - Record retention)
  • The Records Management Application shall enforce referential integrity, data integrity, and relational integrity. (§ C2.2.3.23, Design Criteria Standard for Electronic Records Management Software Application, DoD 5015.2)
  • Technical Surveillance Countermeasure program information shall have appropriate protection to preserve program and information integrity. (§ 5.7, DoD Instruction 5240.5, DoD Technical Surveillance Countermeasures (TSCM) Survey Program, May 23, 1984)
  • Preferred drug list checks. Automatically check whether a preferred drug list exists for a given patient and medication. (§ 170.315 (a) (10) (ii), 45 CFR Part 170 Health Information Technology Standards, Implementation Specifications, and Certification Criteria and Certification Programs for Health Information Technology, current as of January 2024)
  • Drug formulary checks. Automatically check whether a drug formulary exists for a given patient and medication. (§ 170.315 (a) (10) (i), 45 CFR Part 170 Health Information Technology Standards, Implementation Specifications, and Certification Criteria and Certification Programs for Health Information Technology, current as of January 2024)
  • Preferred drug list checks. Automatically check whether a preferred drug list exists for a given patient and medication. (§ 170.315 (a) (10) (ii), 45 CFR Part 170, Health Information Technology: Initial Set of Standards, Implementation Specifications, and Certification Criteria for Electronic Health Record Technology, current as of July 14, 2020)
  • Drug formulary checks. Automatically check whether a drug formulary exists for a given patient and medication. (§ 170.315 (a) (10) (i), 45 CFR Part 170, Health Information Technology: Initial Set of Standards, Implementation Specifications, and Certification Criteria for Electronic Health Record Technology, current as of July 14, 2020)
  • It is important to have audit trails or other logical, physical, or procedural security measures to ensure the reliability and trustworthiness of records, even if there are no predicate rule requirements for documenting the time, date, or sequencing of events. (§ III.C.2 ¶ 2, Guidance for Industry Part 11, Electronic Records; Electronic Signatures - Scope and Application, August 2003)
  • Part 11 controls should be applied to part 11 records and signatures for systems that have been changed after August 20, 1997, and the changes would prevent the system from meeting predicate rule requirements. (§ III.C.3 ¶ 3, Guidance for Industry Part 11, Electronic Records; Electronic Signatures - Scope and Application, August 2003)
  • § 4.16.4 Bullet 1: Identify and implement procedures to protect ePHI from modification. § 4.16.4 Bullet 2: Identify techniques and tools that support ePHI integrity. § 4.16.6 Bullet 1: Review existing processes to determine if objectives are being addressed. § 4.16.6 Bullet 2: Maintain integrity… (§ 4.16.4 Bullet 1, § 4.16.4 Bullet 2, § 4.16.6 Bullet 1, § 4.16.6 Bullet 2, An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule, NIST SP 800-66, Revision 1)
  • Manage the compilation, cataloging, caching, distribution, and retrieval of data. (T0146, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • The organization must develop and implement a smart grid information System and Information Integrity security policy. (SG.SI-1 Requirement 1.a, NISTIR 7628 Guidelines for Smart Grid Cyber Security: Vol. 1, Smart Grid Cyber Security Strategy, Architecture, and High-Level Requirements, August 2010)
  • The smart grid information System and Information Integrity security policy must include the objectives, roles, and responsibilities of the program. (SG.SI-1 Requirement 1.a.i, NISTIR 7628 Guidelines for Smart Grid Cyber Security: Vol. 1, Smart Grid Cyber Security Strategy, Architecture, and High-Level Requirements, August 2010)
  • The smart grid information System and Information Integrity security policy must include the scope of the program. (SG.SI-1 Requirement 1.a.ii, NISTIR 7628 Guidelines for Smart Grid Cyber Security: Vol. 1, Smart Grid Cyber Security Strategy, Architecture, and High-Level Requirements, August 2010)
  • The organization must develop, disseminate, review, and update, on a predefined frequency, a formal, documented System and Information Integrity policy that addresses purpose, roles, responsibilities, scope, management commitment, compliance, and coordination among entities. (App F § SI-1.a, Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • The organization must develop, disseminate, review, and update, on a predefined frequency, formal, documented procedures for implementing the System and Information Integrity policy and its associated controls. (App F § SI-1.b, Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • Manage the compilation, cataloging, caching, distribution, and retrieval of data. (T0146, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)
  • The organization develops, documents, and disseminates to {organizationally documented personnel} a system and information integrity policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance. (SI-1a.1., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The organization develops, documents, and disseminates to {organizationally documented personnel} procedures to facilitate the implementation of the system and information integrity policy and associated system and information integrity controls. (SI-1a.2., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The organization develops, documents, and disseminates to {organizationally documented personnel} a system and information integrity policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance. (SI-1a.1., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization develops, documents, and disseminates to {organizationally documented personnel} procedures to facilitate the implementation of the system and information integrity policy and associated system and information integrity controls. (SI-1a.2., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization develops, documents, and disseminates to {organizationally documented personnel} a system and information integrity policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance. (SI-1a.1., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Low Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization develops, documents, and disseminates to {organizationally documented personnel} procedures to facilitate the implementation of the system and information integrity policy and associated system and information integrity controls. (SI-1a.2., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Low Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization develops, documents, and disseminates to {organizationally documented personnel} a system and information integrity policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance. (SI-1a.1., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization develops, documents, and disseminates to {organizationally documented personnel} procedures to facilitate the implementation of the system and information integrity policy and associated system and information integrity controls. (SI-1a.2., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Deprecated, Revision 4, Deprecated)