Information Management Policy
Development and approval (at a senior level) of an Information Management Policy covering the Code’s specific requirements for Protective Marking, Approved Storage Media, Data File Formats (there is considerable information in the Code about how documents are to be scanned, including document image quality) and Disposal, as well as the quality system processes needed to govern compliance.
Duty of Care
Development and implementation of an Information Security Policy, an Information Security Management System (ISMS), version control of all information types with date and time stamps as well as Data Retention and Disposal Policies in compliance with the Data Protection Act are required.
As the Standard isn’t a legislative or regulatory requirement, compliance is carried out on a risk-based approach: the threats, impacts and vulnerabilities are identified and mapped against the countermeasures that need to be implemented.
An effective PRINCE2-compliant risk assessment methodology, such as CRAMM, should be used, and the implementation of the recommended countermeasures carried out and monitored as part of the ISMS auditing cycle.
The Code is concerned with the authenticity and integrity of Original Documents and has numerous recommendations surrounding images, macros and paper records and how they enter the electronic storage solution. These requirements must be built into the associated functionality of the solution, which itself should meet the requirements of the Standard for Records Management, BS ISO 1549.
Procedures and Processes
The Code is highly geared around the identification, development, implementation and maintenance of the processes that support the policies, such as data capture and migration requirements, indexing, and authentication of outputs.
These all need to be held in a central repository of policies and procedures, subject to formal change control; they must be easy to read and lend themselves to training staff on how to apply them.
Choosing a reliable and trustworthy electronic storage solution is essential. It must be capable of restricting access to the records on a ‘need to know’ basis to ensure compliance with the Data Protection Act 1998. As such, role segregation and a Role Based Access Control schema should be created, maintained and complied with. Integrity and availability of data are key themes within the Code.
Platform hardening standards should therefore be implemented, audit trails maintained to allow for reconstruction of evidential records, cryptographic requirements appropriately implemented and monitored, and contingency plans developed, implemented and tested.
Audit trails are essential to provide a trustworthy record of the operations that have been performed on data stored within a document record management system. Suspicious activity, every access to any record, and every modification made to any data contained within the electronic storage solution should generate an audit trail entry showing who made the change, at what time, and what the before and after data values are. Audit data should be stored on Write Once Read Many (WORM) systems (optical media is preferable) in an encrypted form (or be the subject of checksums to provide legal assurance of audit data integrity), and it shouldn’t be held on the same system from which the audit data is derived. Compliance with the Code isn’t impossible – but it requires ongoing, demonstrable auditing to prove the integrity of the records contained within it. HM Revenue and Customs use PD0008 as the basis of their requirements for scanned documents to meet their specific requirements for both VAT and Tax records.
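As an added illustration (not from the original article, and not a description of any particular product) of the checksum approach above, the following Python builds an audit trail in which every entry records who, when, and the before/after values, and each entry’s checksum is chained to the previous one, so that a later alteration of any stored entry is detectable when the trail is verified against a copy held elsewhere. The record identifiers and timestamps are constructed sample data.

```python
# Tamper-evident audit trail with chained SHA-256 checksums (added example).
import hashlib
import json
from datetime import datetime, timezone
from typing import Optional

GENESIS = "0" * 64  # chain anchor used before the first entry


def _digest(entry: dict, prev_hash: str) -> str:
    # Canonical JSON (sorted keys, no whitespace) so the checksum is reproducible
    payload = json.dumps(entry, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + payload).encode()).hexdigest()


def append_entry(log: list, user: str, record_id: str, field: str,
                 before, after, when: Optional[str] = None) -> dict:
    """Append one entry; its checksum covers the entry and the previous
    checksum, so editing or removing an earlier entry breaks the chain."""
    prev = log[-1]["checksum"] if log else GENESIS
    entry = {"seq": len(log), "user": user,
             "time": when or datetime.now(timezone.utc).isoformat(),
             "record": record_id, "field": field,
             "before": before, "after": after}
    entry["checksum"] = _digest(entry, prev)
    log.append(entry)
    return entry


def verify_chain(log: list) -> tuple:
    """Recompute every checksum in order. Returns (ok, first_bad_index),
    with index -1 when the whole chain verifies. Truncation of the tail
    is not visible here; that is why a separate WORM copy is still needed."""
    prev = GENESIS
    for i, entry in enumerate(log):
        body = {k: v for k, v in entry.items() if k != "checksum"}
        if body.get("seq") != i or _digest(body, prev) != entry["checksum"]:
            return False, i
        prev = entry["checksum"]
    return True, -1


def demo() -> tuple:
    # Constructed sample operations on a scanned-document record
    log = []
    append_entry(log, "alice", "DOC-0001", "status", "scanned", "verified",
                 "2024-01-05T10:00:00+00:00")
    append_entry(log, "bob", "DOC-0001", "retention", "7y", "10y",
                 "2024-01-06T11:30:00+00:00")
    clean_ok, _ = verify_chain(log)
    log[0]["before"] = "rejected"        # simulate a later alteration
    tampered_ok, _ = verify_chain(log)
    return clean_ok, tampered_ok          # (True, False)
```

In practice the checksum of the latest entry would be written to the separate WORM store at each audit cycle so that truncation of the trail is also detectable.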
The business benefits of moving from a largely paper-based system to an electronic storage system (the paperless office) are clear, but there are a significant number of issues that organizations should consider to ensure that their procurement of an electronic storage solution and its deployment meets their internal business needs and legislative requirements, as well as allowing them to retain the capability to produce evidential records recognized by our Courts of Law.
The accuracy and provenance of the original data must be scrutinized before there is any destruction of original hard copy files. All requirements of PD0008, the Civil Evidence Act 1995 and the Criminal Justice Act 2003 need to be considered in terms of maintaining the evidential probity of the evidence.