Establish, implement, and maintain document security requirements for the output of records.


CONTROL ID: 11656
CONTROL TYPE: Establish/Maintain Documentation
CLASSIFICATION: Preventive

SUPPORTING AND SUPPORTED CONTROLS




This Control directly supports the implied Control(s):
  • Establish, implement, and maintain records management procedures. (CC ID: 11619)

This Control has the following implementation support Control(s):
  • Establish, implement, and maintain document handling procedures for paper documents. (CC ID: 00926)


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH




  • When taking out backed-up documents, it is necessary to obtain approval from the responsible person in the department and keep the record for a predetermined period. (P45.2. ¶ 3, FISC Security Guidelines on Computer Systems for Financial Institutions, Ninth Edition, Revised March 2020)
  • Additionally, when taking out backed-up data, it is necessary to obtain approval from the person responsible for the department, and to keep the record for a predetermined period. (P39.3. ¶ 4, FISC Security Guidelines on Computer Systems for Financial Institutions, Ninth Edition, Revised March 2020)
  • Regarding the creation, delivery, storage, management, and destruction of important output information, it is necessary to take measures to prevent unauthorized actions such as tampering, theft, and leakage and in order to protect security. (P66.1. ¶ 1, FISC Security Guidelines on Computer Systems for Financial Institutions, Ninth Edition, Revised March 2020)
  • Network documentation provided to a third party, or published in public tender documentation, only contains details necessary for other parties to undertake contractual services. (Control: ISM-1178; Revision: 3, Australian Government Information Security Manual, June 2023)
  • When manually exporting data from systems, the data is checked for unsuitable protective markings. (Control: ISM-1187; Revision: 3, Australian Government Information Security Manual, June 2023)
  • Network documentation provided to a third party, or published in public tender documentation, only contains details necessary for other parties to undertake contractual services. (Control: ISM-1178; Revision: 3, Australian Government Information Security Manual, September 2023)
  • When manually exporting data from systems, the data is checked for unsuitable protective markings. (Control: ISM-1187; Revision: 3, Australian Government Information Security Manual, September 2023)
  • Define and implement policies and procedures to identify and apply security requirements applicable to the receipt, processing, storage and output of data to meet business objectives, the organisation's security policy and regulatory requirements. (DS11.6 Security Requirements for Data Management, CobiT, Version 4.1)
  • Establish procedures and associated responsibilities to ensure that output is handled in an authorised manner, delivered to the appropriate recipient, and protected during transmission; that verification, detection and correction of the accuracy of output occurs; and that information provided in the… (AC5 Output Review, Reconciliation and Error Handling, CobiT, Version 4.1)
  • Records shall be protected from loss, destruction, falsification, unauthorized access and unauthorized release, in accordance with legislatory, regulatory, contractual and business requirements. (A.18.1.3 Control, ISO 27001:2013, Information Technology - Security Techniques - Information Security Management Systems - Requirements, 2013)
  • Records should be protected from loss, destruction, falsification, unauthorized access and unauthorized release, in accordance with legislatory, regulatory, contractual and business requirements. (§ 18.1.3 Control, ISO/IEC 27002:2013(E), Information technology — Security techniques — Code of practice for information security controls, Second Edition)
  • Records should be protected from loss, destruction, falsification, unauthorized access and unauthorized release. (§ 5.33 Control, ISO/IEC 27002:2022, Information security, cybersecurity and privacy protection — Information security controls, Third Edition)
  • The entity implements policies and procedures to make available or deliver output completely, accurately, and timely in accordance with specifications to meet the entity's objectives. (PI1.4 ¶ 1, 2017 Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy (with Revised Points of Focus – 2022))
  • Output is protected when stored or delivered, or both, to prevent theft, destruction, corruption, or deterioration that would prevent output from meeting specifications. (PI1.4 ¶ 2 Bullet 1 Protects Output, 2017 Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy (with Revised Points of Focus – 2022))
  • The entity implements policies and procedures to make available or deliver output completely, accurately, and timely in accordance with specifications to meet the entity's objectives. (PI1.4, Trust Services Criteria)
  • Output is protected when stored or delivered, or both, to prevent theft, destruction, corruption, or deterioration that would prevent output from meeting specifications. (PI1.4 Protects Output, Trust Services Criteria)
  • The entity implements policies and procedures to make available or deliver output completely, accurately, and timely in accordance with specifications to meet the entity's objectives. (PI1.4 ¶ 1, Trust Services Criteria, (includes March 2020 updates))
  • Output is protected when stored or delivered, or both, to prevent theft, destruction, corruption, or deterioration that would prevent output from meeting specifications. (PI1.4 ¶ 2 Bullet 1 Protects Output, Trust Services Criteria, (includes March 2020 updates))
  • Limits access to analytics tools and related outputs. (App A Objective 3:9a, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Security features for substitute checks. (App A Tier 2 Objectives and Procedures M.3 Bullet 2, FFIEC IT Examination Handbook - Retail Payment Systems, April 2016)
  • Controls physical access to output from [Assignment: organization-defined output devices]; and (PE-5(1)(a), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • Ensures that only authorized individuals receive output from the device. (PE-5(1)(b), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)