Data Security - Electronic Records (SS-08-003)
SS-08-003.02 Data Security - Electronic Records
Issue Date: 3/31/2008
Revision Effective Date: 12/15/2014
Review Date: 7/1/2010
Email messages, electronic data interchange, and other forms of electronic materials often document important government transactions and decisions. Like any other type of record, such information is necessary to ensure government accountability. In light of today’s reliance on technology for conducting official business, the Georgia Records Act states that each Agency establish a policy of intent to rely on the electronic data as a form of official record. Official records reflect the information and position that the agency believes is true and complete and will rely upon to conduct its business.
This standard designates digital data as an authorized form of official record within the state, but DOES NOT imply that electronically generated data is the only form of official record recognized or authorized by the state, NOR does it preclude an agency from establishing internal policy regarding the creation and designation of official records. This standard establishes the official record, once designated by the agency, which must be protected with safeguards for creation, modification, storage, and destruction under a records management program.
SCOPE, AUTHORITY, ENFORCEMENT, EXCEPTIONS
See Enterprise Information Security Charter PS-08-005
The State of Georgia recognizes electronically generated materials (such as email, electronic data interchange and other forms of electronic material) as a standard format for official public record.
Each Agency shall formally designate all other formats for official records in the custody of that agency.
As with any forms of official record, digital data shall be safeguarded against loss, unauthorized destruction, modification or disclosure and as such shall be included in data security and records management programs.
No state entity or employee shall dispose of (i.e., destroy or give away) any public record except in accordance with a retention schedule approved by the State Records Committee and the Georgia Archives and set forth by the Georgia Records Act for records retention.
Each state entity shall designate a records management officer who shall establish and maintain a records management program and shall serve as primary contact for the archives. (Georgia Records Act)
RELATED ENTERPRISE POLICIES, STANDARDS, GUIDELINES
Appropriate Use of Information Technology Resources PS-08-003
Appropriate Use and Monitoring SS-08-001
Reliance on Electronic Records PS-08-007
Electronic Communications Accountability SS-08-009
Media Protection and Handling SS-08-043
Georgia Archives http://www.georgiaarchives.org/
Records Retention Schedules
NIST Computer Security Resource Center- http://csrc.nist.gov/
SP 800-53 Security and Privacy Controls for Federal Information
Systems and Organizations
PL 4 Rules of Behavior
SI 12 Information Output handling and Retention
MP 1-5 Media Protection
Georgia Records Act O.C.G.A. 50-18-90 et seq.
TERMS and DEFINITIONS
Records, according to Georgia statute, include “all documents, papers, letters, maps, books (except books in formally organized libraries), microfilm, magnetic tape, or other material, regardless of physical form or characteristics, made or received pursuant to law or ordinance or in performance of functions by any agency” (Georgia Records Act). The International Standards Organization (ISO) states they are “recorded information in any form, including data in computer systems, created or received and maintained by an organization or person in the transaction of business and kept as evidence of such activity” (ISO/DIS 15489).
Electronic Data, Information and/or Record is any form of digitally recorded material generated, transmitted, received and/or stored that is designated a record by data owner or law, based on content and/or subject matter. This includes but is not limited to electronic digital interchange, email, digital/text voice messages, instant messages and text messages.
Records Management is the development and implementation of a life-cycle management process from the creation and receipt of records, through their active life, storage, and to their final disposition. According to Georgia statute “Records management" means the application of management techniques to the creation, utilization, maintenance, retention, preservation, and disposal of records undertaken to reduce costs and improve efficiency of record keeping. "Records management" includes management of filing and microfilming equipment and supplies; filing and information retrieval systems; files, correspondence, reports, and forms management; historical documentation; micrographics; retention programming; and vital records protection.