
Establish, implement, and maintain data availability controls.


CONTROL ID: 15301
CONTROL TYPE: Data and Information Management
CLASSIFICATION: Preventive

SUPPORTING AND SUPPORTED CONTROLS




This Control directly supports the implied Control(s):
  • Establish, implement, and maintain records management procedures., CC ID: 11619

There are no implementation support Controls.


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH




  • The licensed corporation should maintain an effective governance process for (a) the acquisition, deployment and use of software applications or services which read, write or modify Relevant Information, and (b) ensuring the security, authenticity, reliability, integrity, confidentiality and timely … (13., Circular to Licensed Corporations - Use of external electronic data storage)
  • The licensed corporation should ensure that all of its Regulatory Records which are kept exclusively with an EDSP are fully accessible upon demand by the SFC without undue delay, and can be reproduced in a legible form from premises of the licensed corporation in Hong Kong approved for this purpose … (7.(d), Circular to Licensed Corporations - Use of external electronic data storage)
  • When taking out backed-up program files, it is necessary to obtain approval from the person responsible in the department and keep the record for a predetermined period. (P41.4., FISC Security Guidelines on Computer Systems for Financial Institutions, Ninth Edition, Revised March 2020)
  • There may be statutory or contractual requirements regarding the documentation that must be observed, e.g. storage periods and levels of detail. Documentations only fulfil their purpose if they are drawn up and updated at regular intervals. Furthermore, the documentation must be identified and store… (§ 4.2 Bullet 5 ¶ 2, BSI Standard 200-1, Information Security Management Systems (ISMS), Version 1.0)
  • Availability. Information and systems are available for operation and use to meet the entity's objectives. (¶ 1.48 b., SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
  • Have available at all times for examination by the staffs of the Commission and of your ARA facilities to project or produce immediately easily readable images of such records; (§ 240.17Ad-7(f)(2)(i), 17 CFR Part 240.17Ad-7 - Record retention)
  • Be ready at all times to provide such records that the staffs of the Commission and your ARA or their representatives may request; (§ 240.17Ad-7(f)(2)(ii), 17 CFR Part 240.17Ad-7 - Record retention)
  • Maintain, keep current, and provide promptly upon request by the staffs of the Commission and your ARA all information necessary to access the records and indexes stored on electronic storage media or micrographic media; and (§ 240.17Ad-7(f)(5)(i), 17 CFR Part 240.17Ad-7 - Record retention)