Terminology Explained PD0008

Information Management Policy 

Development and approval (at a senior level) of an Information Management Policy covering the Code's specific requirements: a Protective Marking Policy, an Approved Storage Media Policy, a Data File Formats Policy (the Code contains considerable detail on how documents are to be scanned, including document image quality) and a Disposal Policy, together with quality system processes to govern compliance.

Duty of Care

Development and implementation of an Information Security Policy and an Information Security Management System (ISMS), version control of all information types with date and time stamps, and Data Retention and Disposal Policies that comply with the Data Protection Act are all required.

As the Code is not a legislative or regulatory requirement, compliance is approached on a risk basis: identify the threats, vulnerabilities and impacts, and map them against the countermeasures that need to be implemented.

A recognised, PRINCE2-compatible risk assessment methodology such as CRAMM should be used, and the recommended countermeasures implemented and then monitored as part of the ISMS auditing cycle.

The Code is concerned with the authenticity and integrity of original documents and makes numerous recommendations about images, macros and paper records and how they enter the electronic storage solution. These requirements must be built into the functionality of the solution, which itself should meet the records management standard BS ISO 15489.

Procedures and Processes

The Code is strongly oriented around the identification, development, implementation and maintenance of the processes that support the policies: data capture and migration requirements, indexing, and authentication of outputs.

These all need to be held in a central repository of policies and procedures, subject to formal change control, and written so that they are easy to read and lend themselves to training staff in how to apply them.

Enabling Technologies

Choosing a reliable and trustworthy electronic storage solution is essential. It must be capable of restricting access to records on the 'need to know' principle to ensure compliance with the Data Protection Act 1998; role segregation and a Role Based Access Control scheme should therefore be created, maintained and complied with. Integrity and availability of data are key themes within the Code.

Platform hardening standards should therefore be implemented, audit trails maintained to allow evidential records to be reconstructed, cryptographic requirements appropriately implemented and monitored, and contingency plans developed, implemented and tested.

Audit Trails

Audit trails are essential to provide a trustworthy record of the operations performed on data stored within a document record management system. Suspicious activity, every access to any record, and every modification to any data held in the electronic storage solution should generate an audit entry showing who made the change, at what time, and what the data values were before and after. Audit data should be stored on Write Once Read Many (WORM) systems (optical media is preferable), either in encrypted form or protected by checksums that provide legal assurance of its integrity, and it should not be held on the same system from which it is derived. Compliance with the Code is not impossible, but it requires ongoing, demonstrable auditing to prove the integrity of the records held. HM Revenue and Customs use PD0008 as the basis of their requirements for scanned documents to meet their specific requirements for both VAT and tax records.
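The "who, when, before and after" audit entry and the checksum that protects it can be implemented together as a hash-chained, append-only log. The following is an added example in Python, not code from the original post or from any particular records management product; the record identifiers, user names, timestamps and field values are constructed sample data. Each entry carries the SHA-256 of the entry before it, and the hash of the latest entry (the chain head) is the single value a deployment would write to the separate WORM store the Code asks for: comparing the stored head against a recomputed one detects an edited entry, a deleted entry, or a wholesale replacement of the log.

```python
import hashlib
import json
from datetime import datetime, timezone


class AuditLog:
    """Append-only, hash-chained audit trail (illustrative, not a product API).

    Every entry records actor, timestamp, record id, action and the before/after
    values, plus the SHA-256 of the previous entry. Altering any stored entry or
    removing one from the middle breaks the chain; removing the newest entry is
    caught by comparing against a chain head held on separate WORM media.
    """

    GENESIS = "0" * 64  # prev_hash of the very first entry

    def __init__(self):
        self.entries = []

    @staticmethod
    def _digest(entry):
        # Canonical JSON (sorted keys, no whitespace) so the hash does not depend
        # on dict ordering or on how the entry was serialised to disk.
        canonical = json.dumps(entry, sort_keys=True, separators=(",", ":"))
        return hashlib.sha256(canonical.encode("utf-8")).hexdigest()

    @property
    def head_hash(self):
        """Hash of the newest entry: the value to copy to the WORM store."""
        return self.entries[-1]["hash"] if self.entries else self.GENESIS

    def record(self, actor, record_id, action, before, after, when=None):
        when = when or datetime.now(timezone.utc).isoformat()
        entry = {
            "seq": len(self.entries),
            "timestamp": when,
            "actor": actor,
            "record_id": record_id,
            "action": action,
            "before": before,
            "after": after,
            "prev_hash": self.head_hash,
        }
        entry["hash"] = self._digest(entry)
        self.entries.append(entry)
        return entry["hash"]

    def verify(self, expected_head=None):
        """Return (True, None) if intact, else (False, seq of first bad entry).

        If expected_head (the externally stored chain head) is given and the
        recomputed head differs, the log has been truncated or replaced; the
        reported position is then len(entries).
        """
        prev = self.GENESIS
        for i, entry in enumerate(self.entries):
            body = {k: v for k, v in entry.items() if k != "hash"}
            if entry["seq"] != i or entry["prev_hash"] != prev:
                return False, i
            if self._digest(body) != entry["hash"]:
                return False, i
            prev = entry["hash"]
        if expected_head is not None and prev != expected_head:
            return False, len(self.entries)
        return True, None


def build_sample_log():
    """Constructed sample: capture, index and approval of one scanned invoice."""
    log = AuditLog()
    log.record("scanner-svc", "INV-1001", "capture", None,
               {"status": "scanned", "pages": 3},
               when="2023-03-01T09:00:00+00:00")
    log.record("jsmith", "INV-1001", "index",
               {"status": "scanned", "pages": 3},
               {"status": "indexed", "pages": 3, "ref": "PO-77"},
               when="2023-03-01T09:05:00+00:00")
    log.record("rjones", "INV-1001", "approve",
               {"status": "indexed", "pages": 3, "ref": "PO-77"},
               {"status": "approved", "pages": 3, "ref": "PO-77"},
               when="2023-03-01T10:30:00+00:00")
    return log


def tamper_and_verify():
    """Show that a backdated edit and a dropped newest entry are both detected."""
    log = build_sample_log()
    head = log.head_hash                      # value that would sit on WORM media
    intact = log.verify(head)                 # (True, None)

    log.entries[1]["after"]["ref"] = "PO-99"  # silently edit a stored value
    edited = log.verify(head)                 # (False, 1): entry 1 no longer hashes

    log = build_sample_log()
    log.entries.pop()                         # remove the most recent entry
    truncated = log.verify(head)              # (False, 2): chain ok, head mismatch
    return intact, edited, truncated


if __name__ == "__main__":
    print(tamper_and_verify())
```

The chain alone proves internal consistency; only the copy of the head hash kept off the storage system proves that nothing was appended, removed or regenerated after the fact, which is why the Code's insistence on a separate store matters. Encrypting the entries, as the text also allows, protects confidentiality but not integrity and is a separate layer on top of this.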

Summary

The business benefits of moving from a largely paper based system to an electronic storage system (the paperless office) are clear, but there are a significant number of issues that organizations should consider to ensure that their procurement of an electronic storage solution and its deployment meets their internal business needs and legislative requirements, as well as allowing them to retain the capability to produce evidential records recognized by our Courts of Law.

The accuracy and provenance of the original data must be scrutinized before any original hard copy files are destroyed. All requirements of PD0008, the Civil Evidence Act 1995 and the Criminal Justice Act 2003 need to be considered in terms of maintaining the evidential probity of the evidence.

About martin smith

A degree in Engineering Management, who is just trying to make life a bit easier for anyone who wishes to read these articles.
