Establish, implement, and maintain records management systems.


CONTROL ID: 13036
CONTROL TYPE: Records Management
CLASSIFICATION: Preventive

SUPPORTING AND SUPPORTED CONTROLS

This Control directly supports the implied Control(s):
  • Records management, CC ID: 00902

There are no implementation support Controls.


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH

  • It is recommended that the centralized management be adopted to keep documents consistent with the computer systems. (P79.2. ¶ 1, FISC Security Guidelines on Computer Systems for Financial Institutions, Ninth Edition, Revised March 2020)
  • formulating internal management system and operational procedures; (Article 51 ¶ 1(1), Personal Information Protection Law of the People's Republic of China)
  • Is the documented information controlled in a way that it is available and adequately protected, distributed, stored, retained and under change control, including documents of external origin required by the organization for the BCMS? (Support ¶ 6, ISO 22301: Self-assessment questionnaire)
  • An organization shall maintain its information assets in a manner that ensures their timely, efficient, and accurate retrieval. (Principle of Availability, Generally Accepted Recordkeeping Principles®, For the Web)
  • An organization shall maintain its information assets for an appropriate time, taking into account its legal, regulatory, fiscal, operational, and historical requirements. (Principle of Retention, Generally Accepted Recordkeeping Principles®, For the Web)
  • A system should be developed for classifying, storing and retrieving the information. (§ 9.1.5 ¶ 2, ISO 19600:2014, Compliance Management Systems - Guidelines, 2014-12-15, Reviewed and confirmed in 2018)
  • To be useful, information must be available to decision-makers when it is needed. It is also essential that the information be of high quality. If the underlying data is inaccurate or incomplete, management may not be able to make sound judgments, estimates, or decisions. To maintain high-quality in… (Putting Relevant Information to Use ¶ 4, Enterprise Risk Management - Integrating with Strategy and Performance, June 2017)
  • In general and IAW DoDI 8410.01 Mission Owner systems/applications using the .mil domain instantiated in an IaaS/PaaS/SaaS CSO where the Mission Owner has control over the IP addressing and is using DoD NIPRNet IP addresses, must host their .mil DNS records in the DoD .mil NIPRNet authoritative DNS … (Section 5.10.4.2 ¶ 3, Department of Defense Cloud Computing Security Requirements Guide, Version 1, Release 3)
  • Use of data and reporting tools, maintenance of data quality, and promotion of data integrity. (App A Objective 2:9b Bullet 6, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • The organization ensures that security attributes associated with information are reassigned only via re-grading mechanisms validated using [Assignment: organization-defined techniques or procedures]. (AC-16(9) ¶ 1, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • Change security and privacy attributes associated with information only via regrading mechanisms validated using [Assignment: organization-defined techniques or procedures]. (AC-16(9) ¶ 1, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Change security and privacy attributes associated with information only via regrading mechanisms validated using [Assignment: organization-defined techniques or procedures]. (AC-16(9) ¶ 1, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)