Data Security - Electronic Records (SS-08-003)
SS-08-003.02 Data Security - Electronic Records
Issue Date: 3/31/2008
Revision Effective Date: 12/15/2014
Review Date: 7/1/2010
PURPOSE
Email messages, electronic data interchange, and other forms of electronic materials often document important government transactions and decisions. Like any other type of record, such information is necessary to ensure government accountability. In light of today’s reliance on technology for conducting official business, the Georgia Records Act states that each Agency establish a policy of intent to rely on the electronic data as a form of official record. Official records reflect the information and position that the agency believes is true and complete and will rely upon to conduct its business.
This standard designates digital data as an authorized form of official record within the state, but DOES NOT imply that electronically generated data is the only form of official record recognized or authorized by the state, NOR does it preclude an agency from establishing internal policy regarding the creation and designation of official records. This standard establishes that the official record, once designated by the agency, must be protected with safeguards for creation, modification, storage, and destruction under a records management program.
SCOPE, AUTHORITY, ENFORCEMENT, EXCEPTIONS
See Enterprise Information Security Charter PS-08-005
STANDARD
The State of Georgia recognizes electronically generated materials (such as email, electronic data interchange and other forms of electronic material) as a standard format for official public record.
Each Agency shall formally designate all other formats for official records in the custody of that agency.
As with any form of official record, digital data shall be safeguarded against loss, unauthorized destruction, modification or disclosure, and as such shall be included in data security and records management programs.
No state entity or employee shall dispose of (i.e., destroy or give away) any public record except in accordance with a retention schedule approved by the State Records Committee and the Georgia Archives and set forth by the Georgia Records Act for records retention.
Each state entity shall designate a records management officer who shall establish and maintain a records management program and shall serve as primary contact for the archives. (Georgia Records Act)
RELATED ENTERPRISE POLICIES, STANDARDS, GUIDELINES
Appropriate Use of Information Technology Resources PS-08-003
Appropriate Use and Monitoring SS-08-001
Reliance on Electronic Records PS-08-007
Electronic Communications Accountability SS-08-009
Media Protection and Handling SS-08-043
REFERENCES
Georgia Archives http://www.georgiaarchives.org/
Records Retention Schedules
NIST Computer Security Resource Center - http://csrc.nist.gov/
SP 800-53 Security and Privacy Controls for Federal Information Systems and Organizations
PL 4 Rules of Behavior
SI 12 Information Output Handling and Retention
MP 1-5 Media Protection
Georgia Records Act O.C.G.A. 50-18-90 et seq.
TERMS and DEFINITIONS
Records, according to Georgia statute, include “all documents, papers, letters, maps, books (except books in formally organized libraries), microfilm, magnetic tape, or other material, regardless of physical form or characteristics, made or received pursuant to law or ordinance or in performance of functions by any agency” (Georgia Records Act). The International Standards Organization (ISO) states they are “recorded information in any form, including data in computer systems, created or received and maintained by an organization or person in the transaction of business and kept as evidence of such activity” (ISO/DIS 15489).
Electronic Data, Information and/or Record is any form of digitally recorded material generated, transmitted, received and/or stored that is designated a record by the data owner or by law, based on content and/or subject matter. This includes but is not limited to electronic digital interchange, email, digital/text voice messages, instant messages and text messages.
Records Management is the development and implementation of a life-cycle management process from the creation and receipt of records, through their active life, storage, and to their final disposition. According to Georgia statute, "'Records management' means the application of management techniques to the creation, utilization, maintenance, retention, preservation, and disposal of records undertaken to reduce costs and improve efficiency of record keeping. 'Records management' includes management of filing and microfilming equipment and supplies; filing and information retrieval systems; files, correspondence, reports, and forms management; historical documentation; micrographics; retention programming; and vital records protection."