Define each system's disposition requirements for records and logs.


CONTROL ID
11651
CONTROL TYPE
Process or Activity
CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS

This Control directly supports the implied Control(s):
  • Establish, implement, and maintain records management policies., CC ID: 00903

This Control has the following implementation support Control(s):
  • Establish, implement, and maintain records disposition procedures., CC ID: 00971


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH

  • App 2-1 Item Number IV.3(5): The organization must develop procedures for input data storage and disposal based on the input management rules. This is a control item that constitutes a relatively small risk to financial information. This is an IT application control. App 2-1 Item Number IV.4(8): The… (App 2-1 Item Number IV.3(5), App 2-1 Item Number IV.4(8), App 2-1 Item Number IV.5(5), App 2-1 Item Number IV.6(6), App 2-1 Item Number IV.7(6), App 2-1 Item Number V.4(5), Appendix 1 Correspondence of the System Management Standards - Supplementary Edition to other standards)
  • Securing back-up and disposal of log files (Critical components of information security 21) iii.c., Guidelines on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds)
  • It is also important that controls are in place to ensure that IT security is not compromised throughout the testing process. This would include access to and the secure destruction of sensitive data/information after the test. (Attachment B ¶ 11, APRA Prudential Practice Guide 234: Management of security risk in information and information technology, May 2013)
  • Policies and instructions with technical and organisational safeguards for the secure handling of meta data (user data) are documented, communicated and provided according to SA-01. The meta data is collected and used only for accounting and billing purposes, for eliminating malfunctions and errors … (Section 5.6 RB-11 Basic requirement ¶ 1, Cloud Computing Compliance Controls Catalogue (C5))
  • Establish a classification scheme that applies throughout the enterprise, based on the criticality and sensitivity (e.g., public, confidential, top secret) of enterprise data. This scheme should include details about data ownership; definition of appropriate security levels and protection controls; … (PO2.3 Data Classification Scheme, CobiT, Version 4.1)
  • Cardholder data storage must be kept to a minimum with the implementation of data retention and disposal policies, procedures, and processes that include specific retention requirements for the cardholder data. (PCI DSS Requirements § 3.1 Bullet 3, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, 3.0)
  • Establish and maintain a data management process. In the process, address data sensitivity, data owner, handling of data, data retention limits, and disposal requirements, based on sensitivity and retention standards for the enterprise. Review and update documentation annually, or when significant e… (CIS Control 3: Safeguard 3.1 Establish and Maintain a Data Management Process, CIS Controls, V8)
  • § 412.52: A hospital that is participating in the prospective payment system must meet the recordkeeping and cost reporting requirements of § 413.20 and § 413.24. § 412.511: A long-term care hospital that is participating in the prospective payment system must meet the requirements of § 412.22… (§ 412.52, § 412.511, § 413.20(c), § 413.198(b), § 422.564(g), 42 CFR Parts 412, 413, 422 et al., Medicare and Medicaid Programs; Electronic Health Record Incentive Program, Final Rule)
  • The Records Management Application shall be able to define multiple phases inside the disposition schedule. (§ C2.2.2.2, Design Criteria Standard for Electronic Records Management Software Application, DoD 5015.2)
  • The Records Management Application shall only allow authorized individuals to define the Cutoff criteria and the disposition action for each lifecycle phase. (§ C2.2.2.3.2, Design Criteria Standard for Electronic Records Management Software Application, DoD 5015.2)
  • The Records Management Application shall allow only authorized individuals the ability to freeze or extend the retention period of records or record folders past their scheduled disposition. (§ C2.2.6.4.1, Design Criteria Standard for Electronic Records Management Software Application, DoD 5015.2)
  • The responsibilities of the authorized individuals referred to in section c2.2.2.3 (defining the Cutoff criteria and disposition components for each lifecycle phase) shall be accomplished by an Application Administrator (ensuring data structure is correctly installed and database links are implement… (Table C2.T5 Requirement C2.2.2.3, Design Criteria Standard for Electronic Records Management Software Application, DoD 5015.2)
  • The responsibilities of the authorized individuals referred to in section C2.2.6.4.1 (extending or freezing the retention period of records or record folders past their scheduled disposition) shall be accomplished by an Application Administrator (setting up the database rules and business rules) or … (Table C2.T5 Requirement C2.2.6.4.1, Design Criteria Standard for Electronic Records Management Software Application, DoD 5015.2)
  • After a classified contract has ended, unneeded information must be disposed of appropriately. The organization may retain needed information for up to 2 years after the contract is completed. NATO classified documents must be returned to the contracting agency when the contract has been completed. (§ 4-103, § 10-716, NISPOM - National Industrial Security Program Operating Manual (DoD 5220.22-M) February 26, 2006, February 28, 2006)
  • Ch 2 (Originators/Creators).c: The originator must ensure the disposition instructions are identified and applied to the information. Ch 3 (Application): After the information has been identified, the record should have the disposition instructions noted on the record and then the record should be p… (Ch 2 (Originators/Creators).c, Ch 3 (Application), Ch 4 (HHS Files and Disposition Plans).c, Department of Health and Human Services Records Management Procedures Manual, Version 1.0 Final Draft)
  • Organizations should develop policies that clearly define mandatory requirements and suggested recommendations for how unneeded log data must or should be disposed of. (§ 4.2 Bullet, Guide to Computer Security Log Management, NIST SP 800-92)
  • Establish and periodically reevaluate a schedule for retention and disposal of nonpublic information and establish a mechanism for the destruction of nonpublic information that is no longer needed. (§ 601.952(1)(c), Wisconsin Statutes, Chapter 601, Subchapter IX, Sections 95-956, Insurance Data Security)