Establish, implement, and maintain records management procedures.


CONTROL ID
11619
CONTROL TYPE
Establish/Maintain Documentation
CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS

This Control directly supports the implied Control(s):
  • Records management, CC ID: 00902

This Control has the following implementation support Control(s):
  • Establish, implement, and maintain source document authorization tracking., CC ID: 01262
  • Review the information that the organization collects, processes, and stores, as necessary., CC ID: 12988
  • Establish, implement, and maintain source document error handling tracking., CC ID: 01263
  • Maintain electronic records in an equivalent manner as printed records, as necessary., CC ID: 11806
  • Establish, implement, and maintain data input and data access authorization tracking., CC ID: 00920
  • Assign ownership for all electronic records., CC ID: 14814
  • Establish, implement, and maintain data accuracy controls., CC ID: 00921
  • Protect records from loss in accordance with applicable requirements., CC ID: 12007
  • Capture the records required by organizational compliance requirements., CC ID: 00912
  • Establish, implement, and maintain data completeness controls., CC ID: 11649
  • Include record integrity techniques in the records management procedures., CC ID: 06418
  • Establish, implement, and maintain data availability controls., CC ID: 15301
  • Control error handling when data is being inputted., CC ID: 00922
  • Establish, implement, and maintain electronic storage media security controls., CC ID: 13204
  • Establish, implement, and maintain data processing integrity controls., CC ID: 00923
  • Establish, implement, and maintain document security requirements for the output of records., CC ID: 11656
  • Establish, implement, and maintain electronic storage media management procedures., CC ID: 00931
  • Establish, implement, and maintain output distribution procedures., CC ID: 00927
  • Establish, implement, and maintain document retention procedures., CC ID: 11660
  • Establish, implement, and maintain electronic media distribution procedures., CC ID: 11650
  • Establish, implement, and maintain output balancing audit trails., CC ID: 00928
  • Establish and maintain reconciliation audit trails., CC ID: 11647
  • Establish, implement, and maintain output review and error handling checks with end users., CC ID: 00929
  • Establish, implement, and maintain paper document integrity requirements for the output of records., CC ID: 00930


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH

  • When the law requires information to be kept or presented in its original form, this requirement shall be met for a data message if the information can be displayed or presented to the person it is being presented to. (§ 7(1)(b), The Electronic Communications and Transactions Act, 2002)
  • AIs should ensure that appropriate up-to-date records are maintained in their premises and kept available for inspection by the HKMA in accordance with §§55 and 56 of the Banking Ordinance and that data retrieved from the service providers are accurate and available in Hong Kong on a timely basis. (2.8.1, Hong Kong Monetary Authority Supervisory Policy Manual SA-2 Outsourcing, V.1-28.12.01)
  • For cases where banking services are provided through chat messages via instant messaging applications, appropriate measures should be taken to ensure that proper records are maintained by AIs and customers are properly authenticated before executing the customers' instructions. If such services inv… (§ 7.2.3, Hong Kong Monetary Authority Supervisory Policy Manual TM-E-1 Risk Management of E-Banking, V.3)
  • Copies of vital records should be stored off-site as soon as possible after creation. Back-up vital records must be readily accessible for emergency retrieval. Access to back-up vital records should be adequately controlled to ensure that they are reliable for business resumption purposes. For certa… (4.6.2, Hong Kong Monetary Authority Supervisory Policy Manual TM-G-2 Business Continuity Planning, V.1 - 02.12.02)
  • App 2-1 Item Number IV.4(4): Data usage must be recorded and reviewed on a periodic basis. This is a control item that constitutes a relatively small risk to financial information. This is an IT application control. App 2-1 Item Number IV.5(7): Output data usage must be recorded and reviewed on a pe… (App 2-1 Item Number IV.4(4), App 2-1 Item Number IV.5(7), App 2-1 Item Number IV.6(3), App 2-1 Item Number IV.7(5), App 2-1 Item Number IV.8(5), Appendix 1 Correspondence of the System Management Standards - Supplementary Edition to other standards)
  • System specifications should be reviewed by external auditors to verify that the system was properly developed by considering if measures are taken to ensure entry information is complete, accurate, and valid and to ensure erroneous data is corrected and reprocessed. (Practice Standard § III.4(2)[2].C.b, On the Setting of the Standards and Practice Standards for Management Assessment and Audit concerning Internal Control Over Financial Reporting, Provisional Translation)
  • The organization shall strengthen the function for detecting and eliminating defective data to prevent defective data from being loaded onto the system. (T32, FISC Security Guidelines on Computer Systems for Banking and Related Financial Institutions, 7th Edition)
  • In cases that the configuration information of network devices such as a router is changed illegally and lost due to troubles and disasters, it is necessary to acquire backup copies of configuration information and define the management method. (P43.1. ¶ 1, FISC Security Guidelines on Computer Systems for Financial Institutions, Ninth Edition, Revised March 2020)
  • In order to prevent unauthorized use, tampering, and loss of documents, it is necessary to manage the documents during system operation according to established procedures. (P44.1. ¶ 1, FISC Security Guidelines on Computer Systems for Financial Institutions, Ninth Edition, Revised March 2020)
  • formulating internal management system and operational procedures; (Article 51 ¶ 1(1), Personal Information Protection Law of the People's Republic of China)
  • control processes and procedures to ensure adequate integrity, security and confidentiality of electronic records or payments; and (§ III.10. ¶ 1(d), India Information Technology Act 2008, 2008)
  • the issue or grant of any license, permit, sanction or approval by whatever name called in a particular manner; (§ III.6 (1)(b), India Information Technology Act 2008, 2008)
  • Robust information is at the heart of risk management processes in a bank. Inadequate data quality is likely to induce errors in decision making. Data quality requires building processes, procedures and disciplines for managing information and ensuring its integrity, accuracy, completeness and timel… (Introduction ¶ 2, Guidelines on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds)
  • Talks about the importance of records management. As part of a business impact analysis, vital records that support business processes will be identified. If these records are damaged, restoring them will require a good records management program. Loss of records can cause an organization serious pr… (Pg 47, Pg 48, Australia Better Practice Guide - Business Continuity Management, January 2000)
  • The system should be able to generate printouts showing what data has been changed since the original entry for records that support batch release. (¶ 8.2, EudraLex, The Rules Governing Medicinal Products in the European Union, Volume 4 Good Manufacturing Practice, Medicinal Products for Human and Veterinary Use Annex 11: Computerised Systems, SANCO/C8/AM/sl/ares(2010)1064599)
  • Data reporting service providers shall, in addition, have in place systems that can effectively check trade reports for completeness, identify omissions and obvious errors, and request re-transmission of those reports (Art. 10.4., Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014, (EU) No 909/2014 and (EU) 2016/1011 (Text with EEA relevance))
  • Security-relevant documentation may contain information requiring protection and must therefore be suitably protected. Along with the protection requirements, the type and the duration of storage and options for the destruction of information must be defined. The process descriptions must describe w… (§ 4.2 Bullet 5 ¶ 3, BSI Standard 200-1, Information Security Management Systems (ISMS), Version 1.0)
  • In addition, checks must be made as to whether information that requires protection is stored in other rooms. Then these rooms must also be recorded. Here, also the rooms where non-electronic information requiring protection is stored, e.g. document files or microfilms, must be acquired. The type of… (§ 8.1.8 ¶ 5, BSI-Standard 200-2 IT-Grundschutz Methodology, Version 1.0)
  • Is the documented information controlled in a way that it is available and adequately protected, distributed, stored, retained and under change control, including documents of external origin required by the organization for the BCMS? (Support ¶ 6, ISO 22301: Self-assessment questionnaire)
  • Based on the risk of a privacy breach and the state of the art and implementation costs, the technical and organization security measures must prevent data from being introduced into the information system without authorization and prevent the unauthorized amendment, knowledge, or deletion of record… (Art 23(c), Law of 2 August 2002 on the Protection of Persons with Regard to the Processing of Personal Data)
  • A firm must conduct ongoing monitoring of its business relationships on a risk-sensitive basis. Ongoing monitoring means scrutinising transactions to ensure that they are consistent with what the firm knows about the customer, and taking steps to ensure that the firm's knowledge about the business r… (3.2.5 ¶ 1, Financial Crime Guide: A Firm’s Guide to Countering Financial Crime Risks, Release 11)
  • Documentation and record-keeping. (Table 4 Column 2 Row 1 Bullet 4, SS2/21 Outsourcing and third party risk management, March 2021)
  • Special procedures should be implemented for critical data entry that requires a second check. (¶ 20.2, Good Practices For Computerized systems In Regulated GXP Environments)
  • System controls and detection measures, along with implemented procedures, exist to identify, quarantine, and report on invalid records or modified records. (¶ 21.10 Bullet 4, Good Practices For Computerized systems In Regulated GXP Environments)
  • The organization should implement information system(s) (electronic and paper) to collect, maintain and analyze information necessary for organizational management that includes a plan for storage, maintenance and destruction. (CORE -13(b), URAC Health Utilization Management Standards, Version 6)
  • Define and implement procedures for effective and efficient data storage, retention and archiving to meet business objectives, the organisation's security policy and regulatory requirements. (DS11.2 Storage and Retention Arrangements, CobiT, Version 4.1)
  • Store offsite all critical backup media, documentation and other IT resources necessary for IT recovery and business continuity plans. Determine the content of backup storage in collaboration between business process owners and IT personnel. Management of the offsite storage facility should respond … (DS4.9 Offsite Backup Storage, CobiT, Version 4.1)
  • Maintain the integrity and validity of data throughout the processing cycle. Detection of erroneous transactions does not disrupt the processing of valid transactions. (AC4 Processing Integrity and Validity, CobiT, Version 4.1)
  • Establish that data input is performed in a timely manner by authorised and qualified staff. Correction and resubmission of data that were erroneously input should be performed without compromising original transaction authorisation levels. Where appropriate for reconstruction, retain original sourc… (AC2 Source Data Collection and Entry, CobiT, Version 4.1)
  • Ensure that source documents are prepared by authorised and qualified personnel following established procedures, taking into account adequate segregation of duties regarding the origination and approval of these documents. Errors and omissions can be minimised through good input form design. Detect… (AC1 Source Data Preparation and Authorisation, CobiT, Version 4.1)
  • Documents should be managed throughout the document lifecycle (i.e., creation, categorization, storage, retrieval, modification, and destruction). (CF.03.02.01, The Standard of Good Practice for Information Security)
  • The management of documents should be supported by a document management process. (CF.03.02.02c, The Standard of Good Practice for Information Security)
  • The document management process should be supported by an automated Document Management System (or equivalent) to improve the management of documents (e.g., by storing documents centrally and prompting users to classify and label them). (CF.03.02.08a, The Standard of Good Practice for Information Security)
  • Records should be subjected to a more rigorous Records Management process to meet business, legal, and regulatory requirements. (CF.03.02.07, The Standard of Good Practice for Information Security)
  • The Digital Rights Management system should reduce the likelihood of users circumventing Digital Rights Management controls by tracking information handled inside the Digital Rights Management system (e.g., using digital watermarking or information hiding techniques). (CF.08.08.08f, The Standard of Good Practice for Information Security)
  • There should be a process in place for managing the organization's documents throughout the complete document lifecycle, including storage (e.g., locally on a business user's computing device or centrally on a network folder). (CF.03.02.06c, The Standard of Good Practice for Information Security)
  • There should be a process in place for managing the organization's documents throughout the complete document lifecycle, including retrieval (by one or more business users). (CF.03.02.06d, The Standard of Good Practice for Information Security)
  • There should be a process in place for managing the organization's documents throughout the complete document lifecycle, including modification (e.g., adding to, changing, or deleting content). (CF.03.02.06e, The Standard of Good Practice for Information Security)
  • Documents should be managed throughout the document lifecycle (i.e., creation, categorization, storage, retrieval, modification, and destruction). (CF.03.02.01, The Standard of Good Practice for Information Security, 2013)
  • The management of documents should be supported by a document management process. (CF.03.02.02c, The Standard of Good Practice for Information Security, 2013)
  • The document management process should be supported by an automated Document Management System (or equivalent) to improve the management of documents (e.g., by storing documents centrally and prompting users to classify and label them). (CF.03.02.08a, The Standard of Good Practice for Information Security, 2013)
  • Records should be subjected to a more rigorous Records Management process to meet business, legal, and regulatory requirements. (CF.03.02.07, The Standard of Good Practice for Information Security, 2013)
  • The Digital Rights Management system should reduce the likelihood of users circumventing Digital Rights Management controls by tracking information handled inside the Digital Rights Management system (e.g., using digital watermarking or information hiding techniques). (CF.08.08.08f, The Standard of Good Practice for Information Security, 2013)
  • There should be a process in place for managing the organization's documents throughout the complete document lifecycle, including storage (e.g., locally on a business user's computing device or centrally on a network folder). (CF.03.02.06c, The Standard of Good Practice for Information Security, 2013)
  • There should be a process in place for managing the organization's documents throughout the complete document lifecycle, including retrieval (by one or more business users). (CF.03.02.06d, The Standard of Good Practice for Information Security, 2013)
  • There should be a process in place for managing the organization's documents throughout the complete document lifecycle, including modification (e.g., adding to, changing, or deleting content). (CF.03.02.06e, The Standard of Good Practice for Information Security, 2013)
  • The organization shall establish and maintain records to provide evidence of the effective operation of the quality management system and the conformity of requirements. The records shall stay readily identifiable, retrievable, and legible. The organization shall establish procedures to define the c… (§ 4.2.4 ¶ 1, ISO 13485:2003 Medical devices -- Quality management systems -- Requirements for regulatory purposes, 2003)
  • format (e.g. language, software version, graphics) and media (e.g. paper, electronic); (7.5.2 ¶ 1 Bullet 2, ISO 14004:2016, Environmental management systems — General guidelines on implementation, Third Edition)
  • Generally tracking systems should identify any actions that need to be taken, enable the retrieval of a record, prevent loss of records, monitor usage for systems maintenance and security and maintain capacity to identify the operational origins of individual records where systems have been amalgama… (§ 9.8, ISO 15489-1:2001, Information and Documentation: Records management: Part 1: General)
  • Tracking should cover the movement of a record and access to it, including whether access rights are appropriate for different users; it should ensure that information about the record is appropriately captured and stored, and access classifications of records should be reviewed to ensure they are accurate and up to date. (§ 4.3.8, ISO 15489-2: 2001, Information and Documentation: Records management: Part 2: Guidelines)
  • The organization should ensure the records management policies are implemented and maintained at all organizational levels. (§ 2.2 ¶ 1, ISO 15489-2: 2001, Information and Documentation: Records management: Part 2: Guidelines)
  • The definition of responsibilities, authorities, and inter-relationships for records management should implement standard practices or business rules that requires employees to create records in accordance with business processes and business needs. (§ 2.3.1 ¶ 2(a), ISO 15489-2: 2001, Information and Documentation: Records management: Part 2: Guidelines)
  • The definition of responsibilities, authorities, and inter-relationships for records management should implement standard practices or business rules that ensures information and processing systems that support business activities create the appropriate records. (§ 2.3.1 ¶ 2(b), ISO 15489-2: 2001, Information and Documentation: Records management: Part 2: Guidelines)
  • The definition of responsibilities, authorities, and inter-relationships for records management should implement standard practices or business rules that ensures the transparency of record processes and the adequacy of records systems. (§ 2.3.1 ¶ 2(c), ISO 15489-2: 2001, Information and Documentation: Records management: Part 2: Guidelines)
  • The definition of responsibilities, authorities, and inter-relationships for records management should implement standard practices or business rules that ensures records are maintained, stored, and preserved for their usefulness period. (§ 2.3.1 ¶ 2(d), ISO 15489-2: 2001, Information and Documentation: Records management: Part 2: Guidelines)
  • The definition of responsibilities, authorities, and inter-relationships for records management should implement standard practices or business rules that ensures records are disposed in accordance with disposal procedures. (§ 2.3.1 ¶ 2(e), ISO 15489-2: 2001, Information and Documentation: Records management: Part 2: Guidelines)
  • The organization should implement the identified strategies to implement the records system plan. (§ 3.2.8, ISO 15489-2: 2001, Information and Documentation: Records management: Part 2: Guidelines)
  • Documented information recommended by the compliance management system and by this International Standard should be controlled to ensure: (§ 7.5.3 ¶ 1, ISO 19600:2014, Compliance Management Systems - Guidelines, 2014-12-15, Reviewed and confirmed in 2018)
  • The organization shall establish documented procedures for the identification, storage, retrieval, protection, retention, and disposal of records. (§ 4.3.3 ¶ 2, ISO 20000-1, Information Technology - Service Management - Part 1: Service Management System Requirements, Second Edition)
  • The organization shall ensure records are readily identifiable, legible, and retrievable. (§ 4.3.3 ¶ 2, ISO 20000-1, Information Technology - Service Management - Part 1: Service Management System Requirements, Second Edition)
  • Documented information required by the BCMS and by this document shall be controlled to ensure: (§ 7.5.3.1, ISO 22301:2019, Security and resilience — Business continuity management systems — Requirements, Second Edition)
  • distribution, access, retrieval and use; (§ 7.5.3.2 a), ISO 22301:2019, Security and resilience — Business continuity management systems — Requirements, Second Edition)
  • Documented information of external origin determined by the organization to be necessary for the planning and operation of the BCMS shall be identified, as appropriate, and controlled. (§ 7.5.3.2 ¶ 1, ISO 22301:2019, Security and resilience — Business continuity management systems — Requirements, Second Edition)
  • update documentation and procedures in a timely manner. (§ 8.6 ¶ 1 e), ISO 22301:2019, Security and resilience — Business continuity management systems — Requirements, Second Edition)
  • shall be capable of merging duplicate or multiple records if it is determined that multiple records for the same subject of care have been created unintentionally or during a medical emergency. (§ 14.1.1.1 Health-specific control ¶ 1(b), ISO 27799:2016 Health informatics — Information security management in health using ISO/IEC 27002, Second Edition)
  • distribution, access, retrieval and use; (§ 7.5.3 ¶ 2 Bullet 1, ISO 45001:2018, Occupational health and safety management systems — Requirements with guidance for use, First Edition)
  • Documented information required by the OH&S management system and by this document shall be controlled to ensure: (§ 7.5.3 ¶ 1, ISO 45001:2018, Occupational health and safety management systems — Requirements with guidance for use, First Edition)
  • Documented information of external origin determined by the organization to be necessary for the planning and operation of the OH&S management system shall be identified, as appropriate, and controlled. (§ 7.5.3 ¶ 3, ISO 45001:2018, Occupational health and safety management systems — Requirements with guidance for use, First Edition)
  • maintaining and retaining documented information as evidence of continual improvement. (§ 10.3 ¶ 1 e), ISO 45001:2018, Occupational health and safety management systems — Requirements with guidance for use, First Edition)
  • determining, maintaining and retaining documented information to the extent necessary: (8.1 ¶ 1(e), ISO 9001 Quality Management systems - Requirements, Fifth edition 2015-09-15)
  • maintain documented information to support the operation of its processes; (4.4.2 ¶ 1(a), ISO 9001 Quality Management systems - Requirements, Fifth edition 2015-09-15)
  • Documented information of external origin determined by the organization to be necessary for the planning and operation of the SMS shall be identified as appropriate and controlled. (§ 7.5.3.2 ¶ 2, ISO/IEC 20000-1:2018, Information technology — Service management —Part 1: Service management system requirements, Third Edition)
  • For services that are to be removed, the planning shall additionally include the date(s) for the removal of the services and the activities for archiving, disposal or transfer of data, documented information and service components. (§ 8.5.2.1 ¶ 2, ISO/IEC 20000-1:2018, Information technology — Service management —Part 1: Service management system requirements, Third Edition)
  • Documented information required by the information security management system and by this document shall be controlled to ensure: (§ 7.5.3 ¶ 1, ISO/IEC 27001:2022, Information security, cybersecurity and privacy protection — Information security management systems — Requirements)
  • Documented information of external origin, determined by the organization to be necessary for the planning and operation of the information security management system, shall be identified as appropriate, and controlled. (§ 7.5.3 ¶ 3, ISO/IEC 27001:2022, Information security, cybersecurity and privacy protection — Information security management systems — Requirements)
  • Duplication of information in documented information should be avoided and cross-references used rather than replicating the same information in different documents. (§ 7.5.2 Guidance ¶ 6, ISO/IEC 27003:2017, Information technology — Security techniques — Information security management systems — Guidance, Second Edition, 2017-03)
  • determining the standard structure of the documented information; (§ 7.5.2 Guidance ¶ 2(b), ISO/IEC 27003:2017, Information technology — Security techniques — Information security management systems — Guidance, Second Edition, 2017-03)
  • The audit team leader should ensure all audit work documents are classified appropriately and handled in accordance with that classification. (§ 6.3.4.2, ISO/IEC 27007:2020, Information security, cybersecurity and privacy protection — Guidelines for information security management systems auditing, Third Edition)
  • The cloud service customer should request information from the cloud service provider about the protection of records gathered and stored by the cloud service provider that are relevant to the use of cloud services by the cloud service customer. (§ 18.1.3 Table: Cloud service customer, ISO/IEC 27017:2015, Information technology — Security techniques — Code of practice for information security controls based on ISO/IEC 27002 for cloud services, First edition 2015-12-15)
  • The cloud service provider should provide information to the cloud service customer about the protection of records that are gathered and stored by the cloud service provider relating to the use of cloud services by the cloud service customer. (§ 18.1.3 Table: Cloud service provider, ISO/IEC 27017:2015, Information technology — Security techniques — Code of practice for information security controls based on ISO/IEC 27002 for cloud services, First edition 2015-12-15)
  • An effective Records and Information Management program should include the establishment of a workable retention schedule for paper and Electronically Stored Information. (Comment 1.b ¶ 2 Bullet 1, The Sedona Principles Addressing Electronic Document Production)
  • An effective Records and Information Management program should include helping business units identify the business records that they need to keep. (Comment 1.b ¶ 2 Bullet 2, The Sedona Principles Addressing Electronic Document Production)
  • An effective Records and Information Management program should address the retention requirements for e-mail, instant messaging, voicemail, and other communications. (Comment 1.b ¶ 2 Bullet 3, The Sedona Principles Addressing Electronic Document Production)
  • An effective Records and Information Management program should address all forms of Electronically Stored Information created during ordinary business times. (Comment 1.b ¶ 2 Bullet 4, The Sedona Principles Addressing Electronic Document Production)
  • An effective Records and Information Management program should include the development of communications policies for the appropriate use of the organization's systems. (Comment 1.b ¶ 2 Bullet 5, The Sedona Principles Addressing Electronic Document Production)
  • An effective Records and Information Management program should train individuals how to keep and manage the business records that are created or received during normal business days. (Comment 1.b ¶ 2 Bullet 6, The Sedona Principles Addressing Electronic Document Production)
  • The records management policy should recognize that the ordinary retention and destruction schedule will have to be suspended sometimes and should include the procedures for these suspensions. (Comment 14.e ¶ 1, The Sedona Principles Addressing Electronic Document Production)
  • The entity implements policies and procedures to store inputs, items in processing, and outputs completely, accurately, and timely in accordance with system specifications to meet the entity's objectives. (PI1.5 ¶ 1, 2017 Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy (with Revised Points of Focus – 2022))
  • Information and records (data) are managed consistent with the organization's risk strategy to protect the confidentiality, integrity, and availability of information. (Data Security (PR.DS), CRI Profile, v1.2)
  • The information system protects the [Selection (one or more): confidentiality; integrity] of [Assignment: organization-defined information at rest]. (SC-28 Control, StateRAMP Security Controls Baseline Summary Category 2, Version 1.1)
  • The information system protects the [Selection (one or more): confidentiality; integrity] of [Assignment: organization-defined information at rest]. (SC-28 Control, StateRAMP Security Controls Baseline Summary Category 3, Version 1.1)
  • The information system protects the [Selection (one or more): confidentiality; integrity] of [Assignment: organization-defined information at rest]. (SC-28 Control, StateRAMP Security Controls Baseline Summary High Sensitivity Level, Version 1.1)
  • The procedures related to completeness, accuracy, timeliness, and authorization of system processing, including Database Management and error correction, are consistent with the system processing integrity policies. (Processing Integrity Prin. and Criteria Table § 3.3, Appendix B: Trust Services Principles and Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy, TSP Section 100 Principles and Criteria)
  • The procedures related to completeness, accuracy, timeliness, and authorization of outputs are consistent with the system processing integrity policies. (Processing Integrity Prin. and Criteria Table § 3.4, Appendix B: Trust Services Principles and Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy, TSP Section 100 Principles and Criteria)
  • The entity implements policies and procedures to store inputs, items in processing, and outputs completely, accurately, and timely in accordance with system specifications to meet the entity's objectives. (PI1.5, Trust Services Criteria)
  • The entity implements policies and procedures to store inputs, items in processing, and outputs completely, accurately, and timely in accordance with system specifications to meet the entity's objectives. (PI1.5 ¶ 1, Trust Services Criteria, (includes March 2020 updates))
  • All records relating to a Member's adoption and implementation of an ISSP and that document a Member's compliance with this Interpretive Notice must be maintained pursuant to NFA Compliance Rule 2-10. (Recordkeeping ¶ 1, 9070 - NFA Compliance Rules 2-9, 2-36 and 2-49: Information Systems Security Programs)
  • Procedure(s) for protecting and securely handling BES Cyber System Information, including storage, transit, and use. (CIP-011-2 Table R1 Part 1.2 Requirements ¶ 1., North American Electric Reliability Corporation Critical Infrastructure Protection Standards Cyber Security - Information Protection CIP-011-2, Version 2)
  • Method(s) to protect and securely handle BCSI to mitigate risks of compromising confidentiality. (CIP-011-2 Table R1 Part 1.2 Requirements ¶ 1., North American Electric Reliability Corporation Critical Infrastructure Protection Standards Cyber Security - Information Protection CIP-011-3, Version 3)
  • Before CMS sensitive input data is released for processing, the organization must conduct a multilevel review of the data. (CSR 7.6.1, Pub 100-17 Medicare Business Partners Systems Security, Transmittal 7, Appendix A: CMS Core Security Requirements CSR, March 17, 2006)
  • The organization must certify that it will not release or otherwise provide access to controlled technology or technical data to foreign workers in the H-1B, H-1B1 (Chile/Singapore), L-1, and O-1A categories until it has received from the U.S. Government the required authorization to do so. (Part 6, Form I-129, Petition for a Nonimmigrant Worker, 11/23/10)
  • The records required by § 240.17Ad-6(a) (2), (3)(ii), (4), (5) or (7) shall be maintained for a period of not less than two years, the first year in an easily accessible place. (§ 240.17Ad-7(b), 17 CFR Part 240.17Ad-7 - Record retention)
  • The records required by § 240.17Ad-6(a) (8), (9) and (10) and (b) shall be maintained in an easily accessible place during the continuance of the transfer agency and shall be maintained for one year after termination of the transfer agency. (§ 240.17Ad-7(c), 17 CFR Part 240.17Ad-7 - Record retention)
  • The records required by § 240.17Ad-6(c) shall be maintained for a period of not less than six years, the first six months in an easily accessible place. (§ 240.17Ad-7(d), 17 CFR Part 240.17Ad-7 - Record retention)
  • All records required pursuant to § 240.17f-2(e). (§ 240.17Ad-7(e)(2), 17 CFR Part 240.17Ad-7 - Record retention)
  • The records required by §§ 240.17Ad-17(d) and 240.17Ad-19(c) shall be maintained for a period of not less than three years, the first year in an easily accessible place. (§ 240.17Ad-7(i), 17 CFR Part 240.17Ad-7 - Record retention)
  • The CSP maintains ownership of all logs and monitoring data created within the CSO related to the Mission Owner's usage and management of the CSO. This includes logs related to customer access and usage used for billing, data used for capacity planning for the CSO, monitoring data related to malicio… (Section 5.2.3 ¶ 3, Department of Defense Cloud Computing Security Requirements Guide, Version 1, Release 3)
  • DoD Mission Owners using an off-Premises Impact Level 2 CSO which by default uses CSP managed commercial IP addresses and URLs must host their .mil DNS records in the DoD .mil NIPRNet DNS servers and use a CNAME to point to the commercial URL or IP address as appropriate. CSP DNS servers will be aut… (Section 5.10.4.2 ¶ 5, Department of Defense Cloud Computing Security Requirements Guide, Version 1, Release 3)
  • DoD Mission Owners using an off-premises Impact Level 4/5 CSO (IaaS and some PaaS) where the Mission Owner does not have control over the IP addressing and therefore is dependent upon CSP managed commercial IP addresses and URLs must host their .mil DNS records in the DoD .mil NIPRNet DNS servers an… (Section 5.10.4.2 ¶ 6, Department of Defense Cloud Computing Security Requirements Guide, Version 1, Release 3)
  • The Records Management Application shall correctly accommodate and process information containing dates for past centuries, current centuries, and future centuries. (§ C2.1.2, Design Criteria Standard for Electronic Records Management Software Application, DoD 5015.2)
  • The date capability of the Records Management Application shall include, but not be limited to, century recognition, logic, and calculations that accommodate the same century and multi-century formulas and date values, and date interface values reflecting the century. (§ C2.1.2, Design Criteria Standard for Electronic Records Management Software Application, DoD 5015.2)
  • The Records Management Application shall store years in a 4-digit format. (§ C2.1.2, Design Criteria Standard for Electronic Records Management Software Application, DoD 5015.2)
  • The Records Management Application shall implement leap-year calculations. (§ C2.1.2, Design Criteria Standard for Electronic Records Management Software Application, DoD 5015.2)
  • The Records Management Application documentation shall include information that describes the features addressing title 36 Code of Federal Regulations 1194.21, title 36 Code of Federal Regulations 1194.31, and title 36 Code of Federal Regulations 1194.22. (§ C2.1.5, Design Criteria Standard for Electronic Records Management Software Application, DoD 5015.2)
  • The Records Management Application shall be able to edit the title, subject, author, originator, addressee(s), and other addressee(s) metadata fields before filing the e-mail and all other fields are not editable. (§ C2.2.4.2, Design Criteria Standard for Electronic Records Management Software Application, DoD 5015.2)
  • The Records Management Application shall be able to sort, view, save, and print lists of records and/or record folders, regardless of the media, based on any of the following combinations: location, disposition action, disposition action date, folder Unique Identifier, record category identifier, tr… (§ C2.2.6.1.1, Design Criteria Standard for Electronic Records Management Software Application, DoD 5015.2)
  • The Records Management Application shall be able to sort, view, print, and save lifecycle information, events, and eligibility dates of user-selected records and record folders. (§ C2.2.6.1.2, Design Criteria Standard for Electronic Records Management Software Application, DoD 5015.2)
  • The organization shall implement procedures to enable calendars and task lists to be managed by the Records Management Application, when the application does not have the capability to extract the calendars and task lists from the software that is generating them. (§ C2.2.10.1, Design Criteria Standard for Electronic Records Management Software Application, DoD 5015.2)
  • The organization shall implement procedures to enable all e-mail system records to be managed by the Records Management Application, when the application does not have the capabilities that are stated in section C2.2.3. (§ C2.2.10.2, Design Criteria Standard for Electronic Records Management Software Application, DoD 5015.2)
  • The organization shall ensure it can view, copy, print, and process any records stored in the Records Management Application for as long as the records are required to be retained. (§ C2.2.10.3, Design Criteria Standard for Electronic Records Management Software Application, DoD 5015.2)
  • The organization shall implement procedures to extract and store e-mail distribution lists as records, when the Records Management Application is unable to access and store them from the e-mail server. (§ C2.2.10.4, Design Criteria Standard for Electronic Records Management Software Application, DoD 5015.2)
  • The Records Management Application should have the capability to view files in a human readable form or in the stored format. (§ C3.2.14, Design Criteria Standard for Electronic Records Management Software Application, DoD 5015.2)
  • The Records Management Application should have the capability for users to interface it through a web browser or other independent platform means. (§ C3.2.15, Design Criteria Standard for Electronic Records Management Software Application, DoD 5015.2)
  • § 820.180: Required records shall be stored at the manufacturing plant or another location that is reasonably accessible to manufacturer officials and Federal Drug Administration (FDA) employees who have been designated to conduct inspections. These records, including ones not stored at the inspect… (§ 820.180, § 820.180(c), 21 CFR Part 820, Subchapter H - Medical Devices, Part 820 Quality System Regulation)
  • Maintain documentation sufficient to meet its burden of proof under §164.414(b). (§ 164.530(j)(1)(iv), 45 CFR Part 164 - Security and Privacy, current as of July 6, 2020)
  • Enable a user to record, change, and access patient demographic and observations data including race, ethnicity, preferred language, sex, sex parameter for clinical use, sexual orientation, gender identity, name to use, pronouns, and date of birth. (§ 170.315 (a) (5) (i), 45 CFR Part 170 Health Information Technology Standards, Implementation Specifications, and Certification Criteria and Certification Programs for Health Information Technology, current as of January 2024)
  • Enable a user to record, change, and access patient demographic data including race, ethnicity, preferred language, sex, sexual orientation, gender identity, and date of birth. (§ 170.315 (a) (5) (i), 45 CFR Part 170, Health Information Technology: Initial Set of Standards, Implementation Specifications, and Certification Criteria for Electronic Health Record Technology, current as of July 14, 2020)
  • Ch 2 (Originators/Creators).b: The organization must keep records in locations where the needed information is unaltered and available to all staff in a usable format, when and where it is needed. Ch 3 (Application): The organization must implement the following when records are created, regardless … (Ch 2 (Originators/Creators).b, Ch 3 (Application), Ch 4 (Records Maintenance), Ch 6 (Basic Records Management Principles), Ch 8 (Records Schedules are to be kept current), Department of Health and Human Services Records Management Procedures Manual, Version 1.0 Final Draft)
  • The organization should allow records to be copied, inspected, and reviewed in human readable format using hardware from the site and the organization's procedures and techniques to access the records. (§ III.C.4 ¶ 3, Guidance for Industry Part 11, Electronic Records; Electronic Signatures - Scope and Application, August 2003)
  • The controls and security measures in this document also apply to CJI in physical (printed documents, printed imagery, etc.) form. Physical media shall be protected at the same level as the information would be protected in electronic form. (§ 5.8.2.2 ¶ 1, Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.8, Version 5.8)
  • Procedures for identifying/controlling duplicate checks. (App A Tier 2 Objectives and Procedures M.3 Bullet 4, FFIEC IT Examination Handbook - Retail Payment Systems, April 2016)
  • Determine whether the financial institution performs any data entry functions (e.g., adjusting dollar amounts), and whether there is an independent review or reconciliation. (App A Tier 2 Objectives and Procedures N.8 Bullet 3, FFIEC IT Examination Handbook - Retail Payment Systems, April 2016)
  • Assess the quality of risk management and support for checks. (App A Tier 1 Objectives and Procedures Objective 10, FFIEC IT Examination Handbook - Retail Payment Systems, April 2016)
  • Assess whether controls are appropriate for the adjustment process, including authorization (e.g., signature verification and callbacks on telephone instructions) and whether the institution maintains adequate records (e.g., logs and taping of telephone calls) of individuals making requests. (Exam Tier II Obj 9.17, FFIEC IT Examination Handbook - Retail Payment Systems, March 2004)
  • If a financial institution has begun to image checks or retrieve imaged checks pursuant to Check 21, determine whether the institution has the following: • Consumer awareness program. • Customer service - training and education process. • Procedures for expedited re-credit. • Procedures to q… (Exam Tier II Obj 13.2, FFIEC IT Examination Handbook - Retail Payment Systems, March 2004)
  • The organization should have policies and procedures in place for creating and maintaining source documents. (Pg 32, FFIEC IT Examination Handbook - Wholesale Payment Systems, July 2004)
  • § 11.1(d): Electronic records may be used instead of paper records, if they meet the requirements of Part 11 of this Act, unless paper records are specifically required. § 11.2: Electronic records may be used instead of paper records or electronic signatures instead of traditional signatures, in w… (§ 11.1(d), § 11.2, § 11.10, § 11.30, 21 CFR Part 11, Electronic Records; Electronic Signatures)
  • The information system protects the [FedRAMP Selection: confidentiality AND integrity] of [Assignment: organization-defined information at rest]. (SC-28 High Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • The information system protects the [FedRAMP Selection: confidentiality AND integrity] of [Assignment: organization-defined information at rest]. (SC-28 Moderate Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Protect the [FedRAMP Assignment: confidentiality AND integrity] of the following information at rest: [Assignment: organization-defined information at rest]. (SC-28 Control, FedRAMP Security Controls High Baseline, Version 5)
  • Protect the [FedRAMP Assignment: confidentiality AND integrity] of the following information at rest: [Assignment: organization-defined information at rest]. (SC-28 Control, FedRAMP Security Controls Low Baseline, Version 5)
  • Protect the [FedRAMP Assignment: confidentiality AND integrity] of the following information at rest: [Assignment: organization-defined information at rest]. (SC-28 Control, FedRAMP Security Controls Moderate Baseline, Version 5)
  • Establishment of a BSA compliance program—(1) Program requirement. Each federally insured credit union shall develop and provide for the continued administration of a program reasonably designed to assure and monitor compliance with the recordkeeping and recording requirements in subchapter II of … (§ 748.2 (b)(1), 12 CFR Part 748, NCUA Guidelines for Safeguarding Member Information, July 1, 2001)
  • Protect the [Selection (one or more): confidentiality; integrity] of the following information at rest: [Assignment: organization-defined information at rest]. (SC-28 Control, Control Baselines for Information Systems and Organizations, NIST SP 800-53B, High Impact Baseline, October 2020)
  • Protect the [Selection (one or more): confidentiality; integrity] of the following information at rest: [Assignment: organization-defined information at rest]. (SC-28 Control, Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Moderate Impact Baseline, October 2020)
  • Protect the [Selection (one or more): confidentiality; integrity] of the following information at rest: [Assignment: organization-defined information at rest]. (SC-28 Control, Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Flow Down Controls)
  • Protect the [Selection (one or more): confidentiality; integrity] of the following information at rest: [Assignment: organization-defined information at rest]. (SC-28 Control, Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 2 Controls)
  • Protect the [Selection (one or more): confidentiality; integrity] of the following information at rest: [Assignment: organization-defined information at rest]. (SC-28 Control, Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 3 Controls)
  • Information and records (data) are managed consistent with the organization's risk strategy to protect the confidentiality, integrity, and availability of information. (PR.DS Data Security, Framework for Improving Critical Infrastructure Cybersecurity, v1.1)
  • Information and records (data) are managed consistent with the organization's risk strategy to protect the confidentiality, integrity, and availability of information. (PR.DS Data Security, Framework for Improving Critical Infrastructure Cybersecurity, v1.1 (Draft))
  • Audit trails should be employed to track records and record use in order to better handle individual accountability, reconstruction of events, intrusion detection and problem identification. (§ 3.13, Generally Accepted Principles and Practices for Securing Information Technology Systems, NIST SP 800-14, September 1996)
  • The information system protects the [Selection (one or more): confidentiality; integrity] of [Assignment: organization-defined information at rest]. (SC-28 Control: Moderate Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • The information system protects the [Selection (one or more): confidentiality; integrity] of [Assignment: organization-defined information at rest]. (SC-28 Control: High Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Manage the compilation, cataloging, caching, distribution, and retrieval of data. (T0146, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • Determine existing collection management webpage databases, libraries and storehouses. (T0646, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • Manage the indexing/cataloguing, storage, and access of explicit organizational knowledge (e.g., hard copy documents, digital files). (T0421, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • Implement data management standards, requirements, and specifications. (T0422, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • Scan, identify and prioritize target graphic (including machine-to-machine communications) and/or voice language material. (T0853, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • Data corrections or deletions can be communicated to individuals or organizations (e.g., data sources) in the data processing ecosystem. (CM.AW-P5, NIST Privacy Framework: A Tool For Improving Privacy Through Enterprise Risk Management, Version 1.0)
  • The information and document management policy must include the procedures for retrieving electronic records, written records, equipment, and other media. (SG.ID-1 Requirement 1.a.iii, NISTIR 7628 Guidelines for Smart Grid Cyber Security: Vol. 1, Smart Grid Cyber Security Strategy, Architecture, and High-Level Requirements, August 2010)
  • Implement data management standards, requirements, and specifications. (T0422, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)
  • Manage the indexing/cataloguing, storage, and access of explicit organizational knowledge (e.g., hard copy documents, digital files). (T0421, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)
  • Manage the compilation, cataloging, caching, distribution, and retrieval of data. (T0146, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)
  • Determine existing collection management webpage databases, libraries and storehouses. (T0646, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)
  • Scan, identify and prioritize target graphic (including machine-to-machine communications) and/or voice language material. (T0853, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)
  • The information system protects the [Selection (one or more): confidentiality; integrity] of [Assignment: organization-defined information at rest]. (SC-28 Control, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Revision 4)
  • The information system protects the [Selection (one or more): confidentiality; integrity] of [Assignment: organization-defined information at rest]. (SC-28 Control, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Revision 4)
  • The information system protects the [Selection (one or more): confidentiality; integrity] of [Assignment: organization-defined information at rest]. (SC-28 Control, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • Protect the [Selection (one or more): confidentiality; integrity] of the following information at rest: [Assignment: organization-defined information at rest]. (SC-28 Control, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Identify the following alternative sources of information for [Assignment: organization-defined essential functions and services]: [Assignment: organization-defined alternative information sources]; and (SI-22a., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Protect the [Selection (one or more): confidentiality; integrity] of the following information at rest: [Assignment: organization-defined information at rest]. (SC-28 Control, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • Identify the following alternative sources of information for [Assignment: organization-defined essential functions and services]: [Assignment: organization-defined alternative information sources]; and (SI-22a., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • The information system protects the [Selection (one or more): confidentiality; integrity] of [Assignment: organization-defined information at rest]. (SC-28 Control, Supply Chain Risk Management Practices for Federal Information Systems and Organizations, NIST Special Publication 800-161, April 2015)
  • The organization must provide assurance that it can prevent or detect unauthorized acquisition, use, and/or disposition of the organization's assets. (§ 240.15d-15(f)(3), 17 CFR Part 240.15d-15, Controls and Procedures)
  • The information system protects the [TX-RAMP Selection (one or more): confidentiality AND integrity] of [Assignment: organization-defined information at rest]. (SC-28 Control, TX-RAMP Security Controls Baseline Level 2)
  • transfer to third parties, provided that the requirements for data processing as provided in this Law are obeyed; or (Art. 16.III, Brazilian Law No. 13709, of August 14, 2018)