Headlines

EMC Future Proof: An Evaluation of EMC Centera Governance Edition, Managing Electronic Records for Compliance and Corporate Governance.

IT Governance: Business in the Driver's Seat. MKS is selected by BNSF as a primary compliance tool; the need for independent detective controls within change and configuration management. full story...

Proving Control of the Infrastructure: Tripwire. full story...

RPOST: learn how lawyers and businesses cut 30% or more in operational costs while meeting the requirements of UETA. full story...

OnGuardOnline.gov provides practical tips from the federal government and the technology industry to help you be on guard against Internet fraud, secure your computer, and protect your personal information. full story...

Application Lifecycle Framework offers 'no problem' for local developers: Serena in New Zealand. full story...

COSO Guidance for Small Businesses: new publication, Guidance for Smaller Public Companies Reporting on Internal Control over Financial Reporting. This guidance, a supplement to COSO's Internal Control — Integrated Framework (originally published in 1992), focuses on the unique needs of smaller public companies with regard to compliance with Sarbanes-Oxley (SOX) Section 404. full story...

How Does Straight Through Reporting Impact You? © 2002-2005 PricewaterhouseCoopers. Contact: Mike Willis, Global Lead Partner.

BPEL and Business Process Language: the path to implementing compliance and SOA. full story...

CobiT® University. full story...

An Introduction to Visible Ops. full story...

ITSM Best Practices Online™. full story...

ChangeMan. full story...

IIA on Change and Patch. full story...

COSO ERM: PowerPoint provided by COSO. full story...

ISACA: Aligning CobiT, ITIL and ISO. You really have to read this!

TickIT.

Detailed guidance from Charles Le Grand, CISA, CIA. We strongly recommend visiting Ounce Labs and taking advantage of this free download.

SDLC Frameworks.

Mercury Interactive products from Spectrum Systems: Mercury IT Governance Center. "Govern IT strategy and execution in real time. Digitize IT's business processes from demand to production. Achieve rapid ROI via a scalable, extensible, and modular architecture. Mercury IT Governance Center provides the first integrated transaction system for IT." Mercury IT Governance Services: "Implement and realize the..." www.spectrum-systems.com/mercury.htm (Nov 14, 2005)

ISACA Journal on Standards Convergence. full story...

ISACA's standards, guidelines and procedures, issued in 2005 by the Standards Board of the Information Systems Audit and Control Association. full story...

Data Retention and Data Integrity: Organizations, Laws, Products

Organizations

KNET

ISACA's KNET has literally hundreds of articles, ICQs (internal control questionnaires), templates and recommendations for both data integrity and information lifecycle management. This section introduces a few more organizations that you may, until now, have overlooked. The resources in the technology areas of the IIA and AICPA websites are also extremely useful, current and comprehensive; since they are mentioned in all other areas of this site, they are not listed again here.

 


SNIA Data Management Forum

The Storage Networking Industry Association’s Data Management Forum (DMF) is a cooperative initiative of IT professionals, integrators and vendors working to define, implement, qualify and teach improved and reliable methods for the protection, retention and lifecycle management of electronic data and information.

Recent news: XAM (eXtensible Access Method) is a SNIA technical project to establish standard interfaces that coordinate information metadata between applications and storage systems. Read about the XAM interface and come participate in developing a very important new standard.

(We have reviewed this standard with particular attention to its Compliance Class as it relates to our contribution to the OASIS TC for Configuration and Standards Framework.)

The Three Initiatives of DMF

The DMF currently operates three initiative-based workgroups. Each initiative is chartered to foster accelerated deployment of best practices for a specific subset of data management functions. The three initiatives are summarized below.

ILMI: The Information Lifecycle Management Initiative's work began with defining a vision for Information Lifecycle Management, a unifying vision of what ILM will become and its impact on the datacenter. Work is now underway on the next elements: a reference architecture for ILM, including data classification, market and product segmentation, and phases of implementation that leverage today's information management and data management services.

DPI: The Data Protection Initiative is defining new approaches and best practices for data protection and recovery. Members are working to organize and unify this emerging marketplace by defining new metrics, implementation guides, and reference models. For example, the DPI is promoting new metrics such as the "Value of Data" and the "Value of Protection". Our goal is to build the knowledge base and training capabilities to become the worldwide authority on data protection and retention, helping all of our constituents (vendors, IT, regulatory agencies, and channel partners) to better understand and implement data protection solutions.

LTACSI: The Long Term Archive and Compliance Storage Initiative is a cooperative effort of end users, IT professionals, vendors, integrators, and service providers with interests in the challenges of long-term archiving and storage compliance with governmental and business regulations. We are the focal point for all such activity within the Storage Networking Industry Association. The goal of LTACSI is to enable end users to make informed choices about long-term archive and regulatory compliance storage solutions and to gather end user needs to guide related SNIA activities.

Excellent and current as of February 16, 2006, is this presentation by Michael Peterson. I got a lot from it.

SNIA: Operating the New Information-Centric Enterprise

 

OASIS Standards

More organizations are listed in the Process, Security and Configuration sections and in the various resource sections. Sometimes less is more, so here are a few, but not all, of the laws affecting information management.

Information Technology Association of America

AKA: ITAA, IT Association of America. © Information Technology Association of America.

Founded: 1961

Summary, quoted from <http://www.itaa.org/business/government/> (the property of ITAA):

"The ITAA Enterprise Solutions division is the first name in business development for any IT contractor building or expanding a presence in the government marketplace. A leading promoter of using IT commercial products, services, and systems for the federal, state, and local government markets, the Enterprise Solutions division is both a "who's who" of leading firms and a place to discover "who's new" and "what's new" in business and government. Business development opportunities include monthly dinner meetings with agency CIOs, program managers, and other key decision makers; committee and task force meetings that shape industry views on critical issues and create working relationships among industry competitors; an annual CIO survey measuring opinions and attitudes of senior government IT managers; plus events and conferences on major topics that add context and business contacts."

Applicable To: quoted from <http://www.itaa.org/welcome/join/>:

"ITAA membership is open to any company with operations situated in the U.S. and offering commercial IT products and services. Companies eligible for full IT membership include firms with headquarters, division offices, or branch offices located in the U.S. as well as foreign firms with subsidiary operations in the U.S. In addition, ITAA offers affiliate membership to firms that sell business products and services to IT companies.

ITAA member companies pay annual dues for membership in the association. By paying dues, ITAA member company employees receive the opportunity to participate in ITAA programs, attend committee meetings, shape policy positions, contribute to industry white papers, join ITAA-sponsored Congressional visits and volunteer in related lobbying activities. ITAA members receive a variety of electronic publications and discounted opportunities to attend ITAA-sponsored events and purchase business services."

Laws: Data Retention and Information Lifecycle Source Information

National Archives and Records Administration (AKA: National Archives or NARA)
Type: United States Code (U.S. Code)
Law Reference: 44 U.S.C. §§ 2101-2118 (Title 44, Chapter 21)
Laws enforced by or aligned to this source:
Established: 1934, by act of Congress
URL: National Archives and Records Administration
URL: DoD 5015.2-STD, "Design Criteria Standard for Electronic Records Management Software Applications"
URL: United States Research Team Legislation Data
URL: User and System-Based Quality Criteria

Summary of Standard
If you seek understanding in the area of data retention and records management, look no further than NARA, the United States National Archives and Records Administration.

Their mission: "NARA ensures, for the citizen and the public servant, for the President and for the Congress and the Courts, ready access to essential evidence."

As explained by NARA itself, a high-level summary of its statutes follows.

NARA's authority is set out in Title 44 of the U.S. Code, and its records management model governs how all federal records are archived. The text of Title 44 is available through Thomas.gov and other Library of Congress portals.

The Information Security Oversight Office (ISOO) is a component of NARA and receives policy and program guidance from the National Security Council (NSC). ISOO is responsible to the President for policy and oversight of the Government-wide security classification system and the National Industrial Security Program. ISOO acts under authority from Executive Order 12958, "Classified National Security Information" <http://www.archives.gov/isoo/policy-documents/eo-12958-amendment.html> [PDF], and Executive Order 12829, "National Industrial Security Program" [PDF], both as amended.

ISOO states its goals and mission as follows (http://www.archives.gov/isoo/about/): "An open society in which an American public is informed by a free flow of information and holds our government accountable is a defining factor of our democracy. Similarly, our ability to share and leverage information is the source of power and might in the 21st century. This must be balanced by the imperative to hold certain information in confidence in order to protect from harm our citizens, our democratic institutions, and our participation in the community of nations."

Applicable To: sample list of statutes affecting our National Archives (NARA statutes):

E-Government Act of 2002, Section 207 [...]

Congressional Printing and Binding (Title 44, Chapter 7)
Copies of Acts furnished to Public Printer (§710)
Printing Acts, joint resolutions, and treaties (§711)
United States Statutes at Large: references in margins (§729)

Federal Register and Code of Federal Regulations (Title 44, Chapter 15)
Definitions (§1501)
Custody and printing of Federal documents; appointment of Director (§1502)
Filing documents with Office; notation of time; public inspection; transmission for printing (§1503)
"Federal Register"; printing; contents; distribution; price (§1504)
Documents to be published in Federal Register (§1505)
Administrative Committee of the Federal Register; establishment and composition; powers and duties (§1506)
Filing document as constructive notice; publication of validity; judicial notice; citation (§1507)
Publication in Federal Register as notice of hearing (§1508)
Costs of publication, etc. (§1509)
Code of Federal Regulations (§1510)
International agreements excluded from provision of Chapter (§1511)
Publications for use of National Archives and Records Administration (44 U.S.C. §1714)

National Archives and Records Administration (Title 44, Chapter 21)
Definitions (§2101) [...]

Presidential Records (Title 44, Chapter 22)
Definitions (§2201)
Ownership of Presidential records (§2202)
Management and custody of Presidential records (§2203)
Restrictions on access to Presidential records (§2204)
Exceptions to restricted access (§2205)
Regulations (§2206)
Vice-Presidential records (§2207) [...]

Records Management by the Archivist of the United States and by the Administrator of General Services (Title 44, Chapter 29)
Definitions (§2901)
Objectives of records management (§2902)
Custody and control of property (§2903)
General responsibilities for records management (§2904)
Establishment of standards for selective retention of records; security measures (§2905)
Inspection of agency records (§2906)
Records centers and centralized microfilming services (§2907)
Regulations (§2908)
Retention of records (§2909)

Records Management by Federal Agencies (Title 44, Chapter 31)
Records management by agency heads; general duties (§3101)
Establishment of program of management (§3102)
Transfer of records to records centers (§3103)
Certifications and determinations on transferred records (§3104)
Safeguards (§3105)
Unlawful removal, destruction of records (§3106)
Authority of Comptroller General (§3107)

Disposal of Records (Title 44, Chapter 33)
Definition of records (§3301)
Regulations covering lists of records for disposal, procedure for disposal, and standards for reproduction (§3302)
Lists and schedules of records to be submitted to the Archivist by head of each Government agency (§3303)
[...]

E-Government Act of 2002 (§207, 116 Stat. 2916)

ISOO describes its role under these authorities as follows: "Promote and enhance concepts that facilitate the sharing of information in the fulfillment of mission critical functions related to national security. Under Executive Order 12958, as amended, and Executive Order 12829, as amended, ISOO oversees the security classification programs in both Government and industry and reports annually to the President on their status. We monitor approximately 65 executive branch departments, independent agencies and offices, and their major components."

Federal Records Act, Title 44
AKA: United States Code Title 44
URL: http://www.access.gpo.gov/aboutgpo/title44/chap33.html
URL: http://www.ed.gov/policy/gen/leg/fra.html
URL: http://www.archives.gov/records-mgmt/policy/documenting-your-public-service.html
Summary and DISCLAIMER: directly quoted as summarized by the Department of Education: "The Federal Records Act of 1950, as amended, establishes the framework for records management programs in Federal Agencies. As the primary agency for records management oversight, the National Archives and Records Administration (NARA) is responsible for assisting Federal agencies in maintaining adequate and proper documentation of policies and transactions of the Federal Government. This is done by appraising records (determining record value and final disposition of temporary or permanent records), regulating and approving the disposition of Federal records, operating Federal Records Centers and preserving permanent records.
Federal records may not be destroyed, except in accordance with the procedures described in Chapter 33 of Title 44, United States Code. These procedures allow for records destruction only under the authority of a records disposition schedule approved by the Archivist of the United States. NARA issues a General Records Schedule (GRS) that gives record descriptions of records that are common to most Federal agencies and authorizes record disposals for temporary records. The Department is responsible for developing agency record schedules, with the approval of the Archivist of the United States, that are tailored to our own agency-specific records that are not provided for in the GRS.
Record schedules are mandatory instructions of what to do with records (and non-record materials) no longer needed for current Government business. The records schedules indicate how long a document must be kept before it is transferred to a Federal Records Center, destroyed or transferred to NARA for permanent preservation. The Department's Records Management Program is responsible for ensuring that the legal, financial, evidentiary and historical transactions are recorded accurately and completely. We must document and preserve the historical and nationally important events that have taken place as a result of the Department's educational leadership and support.
As the Department transitions from paper to e-government, we must capture and protect all forms of documentation in accordance with Federal laws and regulations relating to records management. We must provide and implement safeguards against the unlawful removal or loss of the Department's information. This is accomplished by using the GRS and the agency's NARA-approved records disposition schedules for records unique to this agency. Such a schedule ensures the systematic disposal of inactive records and the transfer of permanent records to the National Archives for permanent retention."

SEC Rule 17a-4; Final Rule: Applicability of CFTC and SEC Customer Protection, Recordkeeping, Reporting, and Bankruptcy Rules

Type: United States federal law and regulation
Law Reference: Securities Exchange Act of 1934, Section 17 (15 U.S.C. § 78q); Rule 17a-4 (17 CFR 240.17a-4). Related: NASD Rules 3010/3110
Laws enforced by or associated with this ruling: 15 U.S.C. § 78, NASD 3010/3110, P.L. 107-347, 21 CFR Part 11; see also P.L. 94-29 (Securities Acts Amendments of 1975)
Publisher: Commodity Futures Trading Commission (CFTC) and Securities and Exchange Commission (SEC); Exchange Act of 1934, rule revised September 2004
Primary URL: Final Rule: Applicability of CFTC and SEC Customer Protection, Recordkeeping, Reporting, and Bankruptcy Rules
URL: SEC 17a-4; NASD 3010/3110
URL: Rule 17a-4 -- Records to Be Preserved by Certain

Summary:
I found this on a site owned by ZipLip, and I quote them in support of their efforts to create a great review of this area of law. Please visit the ZipLip Consultancy online: www.ZipLip.com

"SEC 17a-4 is a subsection of the Securities Exchange Act of 1934. In 1934, in a move designed to protect investors from deceitful or misleading claims in the securities industry, the SEC passed the Securities Exchange Act, a group of laws requiring the creation and retention of records with the objective of reviewing and auditing securities transactions. The SEC amended the main rule, 17a-4, in 1997 to allow brokers and dealers to store their transaction records electronically, including voice and data communications. Brokers, dealers, and individuals who trade securities or act as brokers on behalf of traders are subject to the regulations; enterprises include securities firms, banks, brokerage firms, and any financial institution dealing in securities trading of any type governed by the SEC or the National Association of Securities Dealers (NASD).

SEC 17a-4; NASD 3010/3110. In 1934, in an effort to protect investors from fraudulent or misleading claims in the securities industry, the SEC enacted the Securities Exchange Act, a set of laws that required records be made and kept for the purposes of review and auditing of securities transactions. In 1997, the Commission amended the primary rule 17a-4 to allow broker-dealers to store records electronically, including electronic communications and messaging such as email and instant messages.

For brokerage firms, SEC 17a-3, the requirement to make records, and SEC 17a-4, the requirement to keep records, are most relevant. Specific rules surrounding retention, non-rewritable storage, and ease of retrieval and viewing are highlighted by 17a-4. NASD 3010 and 3110 refer to and inherit the same requirements of 17a-3 and 17a-4 as applied to the NASD, demanding the creation of policies and retention of reviewable customer records and transaction data. All updated aspects of SEC 17a-4 and NASD 3010/3110 are active as of May 12, 2003.

On December 31, 1997, the Securities and Exchange Commission (SEC) approved amendments to National Association of Securities Dealers, Inc. (NASD) Rules 3010 (Supervision) and 3110 (Books and Records). The amendments were made effective on February 15, 1998. Rule 3010(d)(1), as amended, provides that procedures for review of correspondence with the public relating to a member's investment banking or securities business be designed to provide reasonable supervision for each registered representative, be described in an organization's written supervisory procedures, and be evidenced in an appropriate manner. New Rule 3010(d)(2) requires each member to develop written policies and procedures for review of correspondence with the public relating to its investment banking or business, tailored to its structure and the nature and size of its business and customers.
Rule 3010(d)(2) had previously required that a registered principal review all incoming and outgoing correspondence of registered representatives. This is described as 'pre-send' or 'pre-use' review. The amendments allow for 'post-send' review of correspondence if the member follows specific supervisory procedures. The retention requirements of 3010(d)(3) refer to Rule 3110, which states that records must be retained in a format or medium that complies with Rule 17a-4 under the Securities Exchange Act of 1934." (Thanks to ZipLip, and for the record, this was an unsolicited plug.)

SEC Final Rule: Applicability of CFTC and SEC Customer Protection, Recordkeeping, Reporting, and Bankruptcy Rules and the Securities Investor Protection Act of 1970 to Accounts Holding Security Futures Products (Commodity Futures Trading Commission; Code of Federal Regulations 17 CFR Parts 1, 41 and 190; RIN 3038-AB76)

Exact text. Disclaimer: please use the source authority when quoting. Our text is copied and therefore may be out of date or inaccurate.

K. Exchange Act Recordkeeping Rules

1. Amendment to Paragraph 17a-4(b)(9)
The SEC amended Rule 17a-4(b)(9) to provide that the records broker-dealers are required to create or obtain pursuant to new paragraph 15c3-3(o) must be maintained for at least three years, the first two in an easily accessible place.

Present Rule 17a-4(b)(4) requires that a broker-dealer maintain "originals of all communications received and copies of all communications sent . . . relating to his business as such." Thus, the paragraph 15c3-3(o) requirements that a broker-dealer must furnish the customer with certain disclosures, and provide each customer with notice of the effective date of a change of account type, are covered under the present rule.

2. New Paragraph 17a-4(k)
New paragraph (k) to Exchange Act Rule 17a-4 parallels CFTC Rule 1.35(a-2)(1). This paragraph requires a broker-dealer that engages in an SFP business, upon request of the SEC or of any self-regulatory organization of which it is a member, to obtain from its customers and provide to the SEC or the applicable self-regulatory organization documentation of cash transactions underlying exchanges of SFPs for the underlying security(ies). This type of transaction is also called an exchange of futures for physical (or an "EFP"). The production of this documentation is necessary, among other things, to allow regulators to investigate claims of market manipulation.

In the futures markets, an EFP is a transaction between two parties in which the first party buys a physical commodity from the second party and simultaneously sells (or gives up a long) a futures contract on that physical commodity to the second party. The CEA authorizes EFPs only to the extent that they are conducted in accordance with the rules of a contract market. EFPs traditionally served an important function by providing a means of pricing a cash transaction, or of making or taking delivery on their futures commitments outside the normal exchange delivery system, allowing parties to offset exchange positions through a privately negotiated transaction. EFPs are commonly used in the futures markets to enter or exit positions in the futures market after normal trading hours. Industry representatives have informed SEC staff that EFPs may be used with relation to SFPs. In the SFP market, an EFP would be a two-party transaction in which the first party sells an SFP (or gives up a long) to the second party, while simultaneously buying or taking delivery on the underlying securities from the same second party. After the transaction, the first party will have the securities and the second party will be long, or own, the SFP. If the second party was short an SFP to hedge its long securities position, it may use its newly acquired SFP to offset that short position in the SFP. The two parties must then notify the firm or firms that hold their securities and SFPs of the EFP so that records as to the ownership of the transferred securities and SFPs can be amended, and the clearing agency or organization can be notified of the change.

The SEC revised the proposed language of paragraph (k) of Rule 17a-4 to account for the fact that Exchange Act Rules 17a-3 and 17a-4 already require that certain records regarding securities transactions be created, maintained, and made available to the SEC and self-regulatory organizations upon request. Accordingly, paragraph (k) does not require a broker-dealer [...]

Applicable To: This rule affects broker-dealers; individuals who trade securities or act as brokers for traders are subject to the regulations. Organizations affected include banks, securities firms, stock brokerage firms, any financial institutions that deal in the trading of securities of any type governed by the SEC, and any entities under the jurisdiction of the National Association of Securities Dealers (NASD).

Firms must enact policies or implement technologies to enable:

Failure in the area of 17a-4 would jeopardize compliance with many federal laws and guidelines. Failure in this area can bring fines and, for willful violations, criminal penalties including imprisonment.

Title 21 Code of Federal Regulations (21 CFR Part 11): Electronic Records; Electronic Signatures
Type: Code of Federal Regulations          AKA: Title 21, Part 11
Law Reference (most common): 21 CFR Part 11
Laws enforced by or aligned to this CFR:
21 U.S.C. 321-393
42 U.S.C. 262
P.L. 106-102
P.L. 107-347, Title III
Publisher: Food and Drug Administration, Department of Health and Human Services, 5600 Fishers Lane, Rockville, Maryland 20857
Edition: CFR revised as of April 1, 2005; guidance published August 2003

21 CFR Part 11: Electronic Records; Electronic Signatures
FDA > CDRH > CFR Title 21 Database Search
Federal Register / Vol. 68, No. 37 / Tuesday, February 25, 2003 / Notices
Summary
Guidance for Industry, as explained by Margaret M. Dotzel, Acting Associate Commissioner for Policy, July 1, 1999

Part 11, Electronic Records; Electronic Signatures - Scope and Application
U.S. Department of Health and Human Services, Food and Drug Administration

"This guidance represents the Food and Drug Administration's (FDA's) current thinking on this topic. It does not create or confer any rights for or on any person and does not operate to bind FDA or the public. You can use an alternative approach if the approach satisfies the requirements of the applicable statutes and regulations. If you want to discuss an alternative approach, contact the FDA staff responsible for implementing this guidance. If you cannot identify the appropriate FDA staff, call the appropriate number listed on the title page of this guidance.

I. INTRODUCTION

This guidance is intended to describe the Food and Drug Administration's (FDA's) current thinking regarding the scope and application of part 11 of Title 21 of the Code of Federal Regulations; Electronic Records; Electronic Signatures (21 CFR Part 11).

This document provides guidance to persons who, in fulfillment of a requirement in a statute or another part of FDA's regulations to maintain records or submit information to FDA, have chosen to maintain the records or submit designated information electronically and, as a result, have become subject to part 11. Part 11 applies to records in electronic form that are created, modified, maintained, archived, retrieved, or transmitted under any records requirements set forth in Agency regulations. Part 11 also applies to electronic records submitted to the Agency under the Federal Food, Drug, and Cosmetic Act (the Act) and the Public Health Service Act (the PHS Act), even if such records are not specifically identified in Agency regulations (§ 11.1). The underlying requirements set forth in the Act, PHS Act, and FDA regulations (other than part 11) are referred to in this guidance document as predicate rules.

As an outgrowth of its current good manufacturing practice (CGMP) initiative for human and animal drugs and biologics, FDA is re-examining part 11 as it applies to all FDA regulated products. We anticipate initiating rulemaking to change part 11 as a result of that re-examination. This guidance explains that we will narrowly interpret the scope of part 11. While the re-examination of part 11 is under way, we intend to exercise enforcement discretion with respect to certain part 11 requirements. That is, we do not intend to take enforcement action to enforce compliance with the validation, audit trail, record retention, and record copying requirements of part 11 as explained in this guidance. However, records must still be maintained or submitted in accordance with the underlying predicate rules, and the Agency can take regulatory action for noncompliance with such predicate rules.

In addition, we intend to exercise enforcement discretion and do not intend to take (or recommend) action to enforce any part 11 requirements with regard to systems that were operational before August 20, 1997, the effective date of part 11 (commonly known as legacy systems) under the circumstances described in section III.C.3 of this guidance. Note that part 11 remains in effect and that this exercise of enforcement discretion applies only as identified in this guidance.

FDA's guidance documents, including this guidance, do not establish legally enforceable responsibilities. Instead, guidances describe the Agency's current thinking on a topic and should be viewed only as recommendations, unless specific regulatory or statutory requirements are cited. The use of the word should in Agency guidance means that something is suggested or recommended, but not required." [...]

Applicable To:
Part 11 text: Sec. 11.1 Scope.
(a) The regulations in this part set forth the criteria under which the agency considers electronic records, electronic signatures, and handwritten signatures executed to electronic records to be trustworthy, reliable, and generally equivalent to paper records and handwritten signatures executed on paper.
(b) This part applies to records in electronic form that are created, modified, maintained, archived, retrieved, or transmitted, under any records requirements set forth in agency regulations. This part also applies to electronic records submitted to the agency under requirements of the Federal Food, Drug, and Cosmetic Act and the Public Health Service Act, even if such records are not specifically identified in agency regulations. However, this part does not apply to paper records that are, or have been, transmitted by electronic means.
(c) Where electronic signatures and their associated electronic records meet the requirements of this part, the agency will consider the electronic signatures to be equivalent to full handwritten signatures, initials, and other general signings as required by agency regulations, unless specifically excepted by regulation(s) effective on or after August 20, 1997.
(d) Electronic records that meet the requirements of this part may be used in lieu of paper records, in accordance with 11.2, unless paper records are specifically required.
(e) Computer systems (including hardware and software), controls, and attendant documentation maintained under this part shall be readily available for, and subject to, FDA inspection.
(f) This part does not apply to records required to be established or maintained by 1.326 through 1.368 of this chapter. Records that satisfy the requirements of part 1, subpart J of this chapter, but that also are required under other applicable statutory provisions or regulations, remain subject to this part.

[62 FR 13464, Mar. 20, 1997, as amended at 69 FR 71655, Dec. 9, 2004]
Sec. 11.2 Implementation. 
(a) For records required to be maintained but not submitted to the agency, persons may use electronic records in lieu of paper records or electronic signatures in lieu of traditional signatures, in whole or in part, provided that the requirements of this part are met.
(b) For records submitted to the agency, persons may use electronic records in lieu of paper records or electronic signatures in lieu of traditional signatures, in whole or in part, provided that:
(1) The requirements of this part are met; and
(2) The document or parts of a document to be submitted have been identified in public docket No. 92S-0251 as being the type of submission the agency accepts in electronic form. This docket will identify specifically what types of documents or parts of documents are acceptable for submission in electronic form without paper records and the agency receiving unit(s) (e.g., specific center, office, division, branch) to which such submissions may be made. Documents to agency receiving unit(s) not specified in the public docket will not be considered as official if they are submitted in electronic form; paper forms of such documents will be considered as official and must accompany any electronic records. Persons are expected to consult with the intended agency receiving unit for details on how (e.g., method of transmission, media, file formats, and technical protocols) and whether to proceed with the electronic submission.  
Sec. 11.3 Definitions. 
(a) The definitions and interpretations of terms contained in section 201 of the act apply to those terms when used in this part.
(b) The following definitions of terms also apply to this part:
(1) Act means the Federal Food, Drug, and Cosmetic Act (secs. 201-903 (21 U.S.C. 321-393)).
(2) Agency means the Food and Drug Administration.
(3) Biometrics means a method of verifying an individual's identity based on measurement of the individual's physical feature(s) or repeatable action(s) where those features and/or actions are both unique to that individual and measurable.
(4) Closed system means an environment in which system access is controlled by persons who are responsible for the content of electronic records that are on the system.
(5) Digital signature means an electronic signature based upon cryptographic methods of originator authentication, computed by using a set of rules and a set of parameters such that the identity of the signer and the integrity of the data can be verified.
(6) Electronic record means any combination of text, graphics, data, audio, pictorial, or other information representation in digital form that is created, modified, maintained, archived, retrieved, or distributed by a computer system.
(7) Electronic signature means a computer data compilation of any symbol or series of symbols executed, adopted, or authorized by an individual to be the legally binding equivalent of the individual's handwritten signature.
(8) Handwritten signature means the scripted name or legal mark of an individual handwritten by that individual and executed or adopted with the present intention to authenticate a writing in a permanent form. The act of signing with a writing or marking instrument such as a pen or stylus is preserved. The scripted name or legal mark, while conventionally applied to paper, may also be applied to other devices that capture the name or mark.
(9) Open system means an environment in which system access is not controlled by persons who are responsible for the content of electronic records that are on the system. 
Subpart B--Electronic Records
Sec. 11.10 Controls for closed systems.
Persons who use closed systems to create, modify, maintain, or transmit electronic records shall employ procedures and controls designed to ensure the authenticity, integrity, and, when appropriate, the confidentiality of electronic records, and to ensure that the signer cannot readily repudiate the signed record as not genuine. Such procedures and controls shall include the following:
(a) Validation of systems to ensure accuracy, reliability, consistent intended performance, and the ability to discern invalid or altered records.
(b) The ability to generate accurate and complete copies of records in both human readable and electronic form suitable for inspection, review, and copying by the agency. Persons should contact the agency if there are any questions regarding the ability of the agency to perform such review and copying of the electronic records.
(c) Protection of records to enable their accurate and ready retrieval throughout the records retention period.
(d) Limiting system access to authorized individuals.
(e) Use of secure, computer-generated, time-stamped audit trails to independently record the date and time of operator entries and actions that create, modify, or delete electronic records. Record changes shall not obscure previously recorded information. Such audit trail documentation shall be retained for a period at least as long as that required for the subject electronic records and shall be available for agency review and copying.
(f) Use of operational system checks to enforce permitted sequencing of steps and events, as appropriate.
(g) Use of authority checks to ensure that only authorized individuals can use the system, electronically sign a record,  access the operation or computer system input or output device, alter a record, or perform the operation at hand.
(h) Use of device (e.g., terminal) checks to determine, as appropriate, the validity of the source of data input or operational instruction.
(i) Determination that persons who develop, maintain, or use electronic record/electronic signature systems have the education, training, and experience to perform their assigned tasks.
(j) The establishment of, and adherence to, written policies that hold individuals accountable and responsible for actions initiated under their electronic signatures, in order to deter record and signature falsification.
(k) Use of appropriate controls over systems documentation including:
(1) Adequate controls over the distribution of, access to, and use of documentation for system operation and maintenance.
(2) Revision and change control procedures to maintain an audit trail that documents time-sequenced development and modification of systems documentation.
Sec. 11.30 Controls for open systems.  Persons who use open systems to create, modify, maintain, or transmit electronic records shall employ procedures and controls designed to ensure the authenticity, integrity, and, as appropriate, the confidentiality of electronic records from the point of their creation to the point of their receipt. Such procedures and controls shall include those identified in 11.10, as appropriate, and additional measures such as document encryption and use of appropriate digital signature standards to ensure, as necessary under the circumstances, record authenticity, integrity, and confidentiality. 
Sec. 11.50 Signature manifestations.
(a) Signed electronic records shall contain information associated with the signing that clearly indicates all of the following:
(1) The printed name of the signer;
(2) The date and time when the signature was executed; and
(3) The meaning (such as review, approval, responsibility, or authorship) associated with the signature.
(b) The items identified in paragraphs (a)(1), (a)(2), and (a)(3) of this section shall be subject to the same controls as for electronic records and shall be included as part of any human readable form of the electronic record (such as electronic display or printout).
Sec. 11.70 Signature/record linking.  Electronic signatures and handwritten signatures executed to electronic records shall be linked to their respective electronic records to ensure that the signatures cannot be excised, copied, or otherwise transferred to falsify an electronic record by ordinary means.  
Subpart C--Electronic Signatures 
Sec. 11.100 General requirements.
(a) Each electronic signature shall be unique to one individual and shall not be reused by, or reassigned to, anyone else.
(b) Before an organization establishes, assigns, certifies, or otherwise sanctions an individual's electronic signature, or any element of such electronic signature, the organization shall verify the identity of the individual.
(c) Persons using electronic signatures shall, prior to or at the time of such use, certify to the agency that the electronic signatures in their system, used on or after August 20, 1997, are intended to be the legally binding equivalent of traditional handwritten signatures.
(1) The certification shall be submitted in paper form and signed with a traditional handwritten signature, to the Office of Regional Operations (HFC-100), 5600 Fishers Lane, Rockville, MD 20857.
(2) Persons using electronic signatures shall, upon agency request, provide additional certification or testimony that a specific electronic signature is the legally binding equivalent of the signer's handwritten signature.  
Sec. 11.200 Electronic signature components and controls. 
(a) Electronic signatures that are not based upon biometrics shall:
(1) Employ at least two distinct identification components such as an identification code and password.
(i) When an individual executes a series of signings during a single, continuous period of controlled system access, the first signing shall be executed using all electronic signature components; subsequent signings shall be executed using at least one electronic signature component that is only executable by, and designed to be used only by, the individual.
(ii) When an individual executes one or more signings not performed during a single, continuous period of controlled system access, each signing shall be executed using all of the electronic signature components.
(2) Be used only by their genuine owners; and
(3) Be administered and executed to ensure that attempted use of an individual's electronic signature by anyone other than its genuine owner requires collaboration of two or more individuals.
(b) Electronic signatures based upon biometrics shall be designed to ensure that they cannot be used by anyone other than their genuine owners.
Sec. 11.300 Controls for identification codes/passwords.
Persons who use electronic signatures based upon use of identification codes in combination with passwords shall employ controls to ensure their security and integrity. Such controls shall include:
(a) Maintaining the uniqueness of each combined identification code and password, such that no two individuals have the same combination of identification code and password.
(b) Ensuring that identification code and password issuances are periodically checked, recalled, or revised (e.g., to cover such events as password aging).
(c) Following loss management procedures to electronically de-authorize lost, stolen, missing, or otherwise potentially compromised tokens, cards, and other devices that bear or generate identification code or password information, and to issue temporary or permanent replacements using suitable, rigorous controls.
(d) Use of transaction safeguards to prevent unauthorized use of passwords and/or identification codes, and to detect and report in an immediate and urgent manner any attempts at their unauthorized use to the system security unit, and, as appropriate, to organizational management.
(e) Initial and periodic testing of devices, such as tokens or cards, that bear or generate identification code or password information to ensure that they function properly and have not been altered in an unauthorized manner. 
Authority: 21 U.S.C. 321-393; 42 U.S.C. 262.
Source: 62 FR 13464, Mar. 20, 1997, unless otherwise noted.
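As an added example (not part of the FDA guidance or the CFR text above), the following Python sketch shows one way a closed system can give the controls in 11.10(e), 11.50 and 11.70 concrete form: a hash-chained, append-only audit trail; signatures that store printed name, date/time and meaning; and an HMAC link that binds each signature to one record version, so the signature fails to verify if it is copied onto another record or if the signed content is altered. The MAC key, record identifiers, names and data are constructed assumptions.

```python
"""Added example, not FDA or CFR text: a toy closed-system record store with the
shape of 21 CFR 11.10(e) (time-stamped, append-only audit trail), 11.50 (printed
name, date/time and meaning stored with each signature) and 11.70 (a signature
bound to one record version: it fails if moved or if the content is altered)."""
import hashlib
import hmac
import json
from datetime import datetime, timezone

GENESIS = "0" * 64  # previous-hash value for the first audit entry


def canonical(obj) -> bytes:
    """Deterministic JSON so digests do not depend on dict ordering."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


class AuditTrail:
    """11.10(e): entries are only appended, and each commits to the previous
    entry's hash, so an edit, deletion or reordering makes verify() fail."""

    def __init__(self):
        self.entries = []

    def append(self, operator, action, record_id, details, when=None):
        entry = {"seq": len(self.entries),
                 "timestamp": when or datetime.now(timezone.utc).isoformat(),
                 "operator": operator, "action": action, "record_id": record_id,
                 "details": details,
                 "prev": self.entries[-1]["hash"] if self.entries else GENESIS}
        entry["hash"] = sha256_hex(canonical(entry))  # hash covers every other field
        self.entries.append(entry)
        return entry

    def verify(self) -> bool:
        prev = GENESIS
        for entry in self.entries:
            body = {k: v for k, v in entry.items() if k != "hash"}
            if entry["prev"] != prev or sha256_hex(canonical(body)) != entry["hash"]:
                return False
            prev = entry["hash"]
        return True


class RecordSystem:
    """Every record version is kept (a change never obscures earlier content). The
    MAC key, names and data here are constructed; real key management is assumed."""

    def __init__(self, mac_key: bytes):
        self.mac_key = mac_key
        self.records = {}  # record_id -> {"versions": [...], "signatures": [...]}
        self.audit = AuditTrail()

    def create(self, operator, record_id, content, when=None):
        self.records[record_id] = {"versions": [content], "signatures": []}
        self.audit.append(operator, "create", record_id, sha256_hex(canonical(content)), when)

    def modify(self, operator, record_id, new_content, when=None):
        rec = self.records[record_id]
        old = sha256_hex(canonical(rec["versions"][-1]))
        rec["versions"].append(new_content)  # the old version stays retrievable
        self.audit.append(operator, "modify", record_id,
                          {"from": old, "to": sha256_hex(canonical(new_content))}, when)

    def _link_tag(self, record_id, version, manifestation) -> str:
        # 11.70: the tag covers the record id, the exact version's content digest
        # and the manifestation, so it verifies only for that record and content.
        content = self.records[record_id]["versions"][version]
        binding = {"record_id": record_id, "version": version,
                   "content_digest": sha256_hex(canonical(content)), **manifestation}
        return hmac.new(self.mac_key, canonical(binding), hashlib.sha256).hexdigest()

    def sign(self, printed_name, record_id, meaning, when=None):
        # 11.50(a): all three manifestation items are stored with the signature.
        manifestation = {"printed_name": printed_name, "meaning": meaning,
                         "signed_at": when or datetime.now(timezone.utc).isoformat()}
        version = len(self.records[record_id]["versions"]) - 1
        signature = {"record_id": record_id, "version": version, **manifestation,
                     "link": self._link_tag(record_id, version, manifestation)}
        self.records[record_id]["signatures"].append(signature)
        self.audit.append(printed_name, "sign", record_id, meaning, manifestation["signed_at"])
        return signature

    def verify_signature(self, record_id, signature, require_current=False) -> bool:
        """False if moved to another record, version missing/superseded, or content altered."""
        rec = self.records.get(record_id)
        if rec is None or signature.get("record_id") != record_id:
            return False
        version, latest = signature.get("version"), len(rec["versions"]) - 1
        if (not isinstance(version, int) or not 0 <= version <= latest
                or (require_current and version != latest)):
            return False
        manifestation = {k: signature[k] for k in ("printed_name", "meaning", "signed_at")}
        expected = self._link_tag(record_id, version, manifestation)
        return hmac.compare_digest(expected, signature["link"])
```

A human-readable printout for 11.50(b) would simply render each stored signature's printed_name, signed_at and meaning next to the record content, with the result of verify_signature beside it.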

How Used:
As explained by Margaret M. Dotzel, Acting Associate Commissioner for Policy, in the July 1, 1999 Regulatory Action Guidance: Program monitors and center compliance offices should be consulted prior to recommending regulatory action. FDA will consider regulatory action with respect to Part 11 when the electronic records or electronic signatures are unacceptable substitutes for paper records or handwritten signatures, and that therefore, requirements of the applicable regulations (e.g., CGMP and GLP regulations) are not met. Regulatory citations should reference such predicate regulations in addition to Part 11. The following is an example of a regulatory citation for a violation of the device quality system regulations.

Failure to establish and maintain procedures to control all documents that are required by 21 CFR 820.40, and failure to use authority checks to ensure that only authorized individuals can use the system and alter records, as required by 21 CFR 11.10(g). For example, engineering drawings for manufacturing equipment and devices are stored in AutoCAD form on a desktop computer. The storage device was not protected from unauthorized access and modification of the drawings.

Federal Financial Institutions Examination Council
AKA:      FFIEC Examination Handbook
Sometimes searched       Information Security IT Examination Handbook
URL Source Data
Federal Financial Institutions Examination Council
FFIEC Information Technology Examination Handbook
FFIEC IT Handbook InfoBase Main Page
Information Security IT Examination Handbook
http://www.ffiec.gov/ffiecinfobase/booklets/information_security/Info_sec_workprogram.doc
Summary:
The Federal Financial Institutions Examination Council is the interagency body that sets examination standards for financial institutions. This site provides field examiners in financial institution regulatory agencies an InfoBase of new regulations and standards.

The structure of the online Information Security "Booklet" surpasses any other form of presentation I have seen. Writing is clear, and sources are comprehensive. Covering the Federal Reserve Board (FRB), Federal Deposit Insurance Corporation (FDIC), National Credit Union Administration (NCUA), Office of the Comptroller of the Currency (OCC), and Office of Thrift Supervision (OTS), it is hard to imagine that the guidelines used to create the FFIEC framework lack consideration for laws in any industry, public, private or international.

OVERVIEW
Information is one of a financial institution’s most important assets. Protection of information assets is necessary to establish and maintain trust between the financial institution and its customers. Timely and reliable information is necessary to process transactions and support financial institution and customer decisions. A financial institution’s earnings and capital can be adversely affected if information becomes known to unauthorized parties, is altered, or is not available when it is needed.

Information security is the process by which an organization protects and secures systems, media, and facilities that process and maintain information vital to its operations. On a broad scale, the financial institution industry has a primary role in protecting the nation’s financial services infrastructure. The security of the industry’s systems and information is essential to its safety and soundness and to the privacy of customer financial information. Individual financial institutions and their service providers must maintain effective security programs adequate for their operational complexity. These security programs must have strong board and senior management level support, integration of security responsibilities and controls throughout the organization’s business processes, and clear accountability for carrying out security responsibilities. This booklet provides guidance to examiners and organizations on determining the level of security risks to the organization and evaluating the adequacy of the organization’s risk management.

Organizations often inaccurately perceive information security as the state or condition of controls at a point in time. Security is an ongoing process, whereby the condition of a financial institution’s controls is just one indicator of its overall security posture. Other indicators include the ability of the institution to continually assess its posture and react appropriately in the face of rapidly changing threats, technologies, and business conditions. A financial institution establishes and maintains truly effective information security when it continuously integrates processes, people, and technology to mitigate risk in accordance with risk assessment and acceptable risk tolerance levels. Financial institutions protect their information by instituting a security process that identifies risks, forms a strategy to manage the risks, implements the strategy, tests the implementation, and monitors the environment to control the risks.

Member agencies of the Federal Financial Institutions Examination Council (FFIEC) defined such a process-based approach to security in the “Guidelines Establishing Standards to Safeguard Customer Information” to implement section 501(b) of the Gramm–Leach–Bliley Act of 1999 (GLBA). The guidelines afford the FFIEC agencies enforcement options if financial institutions do not establish and maintain adequate information security programs. This booklet follows the same process-based approach, applies it to various aspects of the financial institution’s operations, and serves as a supplement to agency GLBA 501(b) expectations.

Financial institutions may outsource some or all of their information processing. Examiners may use this booklet when evaluating the financial institution’s risk management process, including the duties, obligations, and responsibilities of the service provider for information security and the oversight exercised by the financial institution.

This booklet is one of a series of updates to the 1996 FFIEC Information Systems Examination Handbook. It updates and rescinds the security-related guidance in that handbook, including Chapters 14-16.

SECURITY OBJECTIVES
Information security enables a financial institution to meet its business objectives by implementing business systems with due consideration of information technology (IT)-related risks to the organization, business and trading partners, technology service providers, and customers. Organizations meet this goal by striving to accomplish the following objectives.

Availability—The ongoing availability of systems addresses the processes, policies, and controls used to ensure authorized users have prompt access to information. This objective protects against intentional or accidental attempts to deny legitimate users access to information and/or systems.
Integrity of Data or Systems—System and data integrity relate to the processes, policies, and controls used to ensure information has not been altered in an unauthorized manner and that systems are free from unauthorized manipulation that will compromise accuracy, completeness, and reliability.  

REGULATORY GUIDANCE, RESOURCES, AND STANDARDS
Financial institutions developing or reviewing their information security controls, policies, procedures, or processes have a variety of sources to draw upon. First, federal laws and regulations address security, and regulators have issued numerous security related guidance documents. Institutions also have a number of third-party or security industry resources to draw upon for guidance, including outside auditors, consulting firms, insurance companies, and information security professional organizations. In addition, many national and international standard-setting organizations are working to define information security standards and best practices for electronic commerce. While no formal industry accepted security standards exist, these various standards provide benchmarks that both financial institutions and their regulators can draw upon for the development of industry expectations and security practices. Some standard-setting groups include the following organizations

 The National Institute of Standards and Technology (NIST) at www.nist.gov; 
 The International Organization for Standardization (ISO) Information technology at www.iso.ch with specific standards such as


Gramm-Leach-Bliley Act
Data Privacy and Records Management
Type: United States Federal Law
Codification: 15 U.S.C. § 6801
Law Reference - Most Used: P.L. 106-102
Laws enforced by or aligned to this:
           15 U.S.C. §§ 41-58
           Directive 95/46/EC
           15 U.S.C. § 6801
           15 U.S.C. §§ 44-58, Section 5
Supersedes (association): Glass Steagall Act of 1933
Author(s): Representatives James Leach, Phil Gramm and …
Publisher / Committees: House Banking and Financial Services, 106th Congress
Date: 11/12/1999
Sometimes searched as: Financial Services Modernization Act of 1999
URL Source Data:
Gramm-Leach Bliley Act
FDIC: Important Banking Legislation
Summary of Standard (mainly quoting the FDIC, which is where you should go to confirm correct information and get up-to-the-minute information)
[Content found at http://www.epic.org/privacy/glba/] Information that many would consider private--including bank balances and account numbers--is regularly bought and sold by banks, credit card companies, and other financial institutions. The Gramm-Leach-Bliley Act (GLBA), which is also known as the Financial Services Modernization Act of 1999, provides limited privacy protections against the sale of your private financial information. Additionally, the GLBA codifies protections against pretexting, the practice of obtaining personal information through false pretenses. The GLBA primarily sought to "modernize" financial services--that is, end regulations that prevented the merger of banks, stock brokerage companies, and insurance companies. The removal of these regulations, however, raised significant risks that these new financial institutions would have access to an incredible amount of personal information, with no restrictions upon its use. Prior to GLBA, the insurance company that maintained your health records was distinct from the bank that mortgaged your house and the stockbroker that traded your stocks. Once these companies merge, however, they would have the ability to consolidate, analyze and sell the personal details of their customers' lives. Because of these risks, the GLBA included three simple requirements to protect the personal data of individuals: First, banks, brokerage companies, and insurance companies must securely store personal financial information. Second, they must advise you of their policies on sharing of personal financial information. Third, they must give consumers the option to opt-out of some sharing of personal financial information.

Gramm-Leach-Bliley Act (GLBA).
Title V of the GLBA (sections with financial privacy and pretexting protections).
Applicable To:
As explained by FDIC:
Repeals last vestiges of the Glass Steagall Act of 1933. Modifies portions of the Bank Holding Company Act to allow affiliations between banks and insurance underwriters. While preserving authority of states to regulate insurance, the act prohibits state actions that have the effect of preventing bank-affiliated firms from selling insurance on an equal basis with other insurance agents. Law creates a new financial holding company under section 4 of the BHCA, authorized to engage in: underwriting and selling insurance and securities, conducting both commercial and merchant banking, investing in and developing real estate and other "complementary activities." There are limits on the kinds of non-financial activities these new entities may engage in. Allows national banks to underwrite municipal bonds.

Restricts the disclosure of nonpublic customer information by financial institutions. All financial institutions must provide customers the opportunity to "opt-out" of the sharing of the customers' nonpublic information with unaffiliated third parties. The Act imposes criminal penalties on anyone who obtains customer information from a financial institution under false pretenses.

Amends the Community Reinvestment Act to require that financial holding companies can not be formed before their insured depository institutions receive and maintain a satisfactory CRA rating. Also requires public disclosure of bank-community CRA-related agreements. Grants some regulatory relief to small institutions in the shape of reducing the frequency of their CRA examinations if they have received outstanding or satisfactory ratings. Prohibits affiliations and acquisitions between commercial firms and unitary thrift institutions.

Makes significant changes in the operation of the Federal Home Loan Bank System, easing membership requirements and loosening restrictions on the use of FHLB funds.

How Used: Also found within the Safe Harbor Enforcement Overview, "Federal and State 'Unfair and Deceptive Practices' Authority and Privacy" (http://www.export.gov/safeharbor/ENFORCEMENTOVERVIEWFINAL.htm):
[…]
 "On November 12, 1999, President Clinton signed the Gramm-Leach-Bliley Act (Pub. L. 106-102, codified at 15 U.S.C. § 6801 et seq.) into law. The Act limits the disclosure by financial institutions of personal information about their customers. The Act requires financial institutions to, inter alia, notify all customers of their privacy policies and practices with respect to the sharing of personal information with affiliates and non-affiliates. The Act authorizes the FTC, the Federal banking authorities and other authorities to promulgate regulations to implement the privacy protections required by the statute. The agencies have issued proposed regulations for this purpose."

 


http://www.eff.org/
http://www.cdt.org/legislation/
http://www.privacy.org/


Products:

RPOST Registered Mail. HIGHLIGHTS: RPost Registered e-Mail, when used with electronic transaction and signature statutes:

Electronic Law: The Uniform Electronic Transaction Act ("UETA") and the Electronic Signatures in Global and National Commerce Act ("ESIGN") define, in similar language, "that a record or signature may not be denied legal effect or enforceability solely because it is in electronic form." UETA goes further, affirmatively stating that "if a law requires a record to be in writing, an electronic record satisfies the law," and both statutes state that "if a law requires a signature, an electronic signature satisfies the law." These pieces of legislation guarantee e-mail messages the same legal weight and value as paper records. Indeed, courts have recently ruled that proposals tendered by e-mail can have the same force as written contracts; and that documents can be legally served by e-mail. To be enforceable under U.S. law, E-SIGN and UETA require that an electronic signature possess three elements:

  1. A sound, symbol, or process,
  2. attached to or logically associated with an electronic record, and
  3. made with the intent to sign the electronic record.

Registered e-Mail: RPost (www.rpost.com) invented Registered e-Mail, which, among other things, is a deal-closing tool that cuts closing time by 70%, closing cost by 99%, and paper storage by 100% when executing transactions involving: shareholder consent, director consent, waivers, required notifications, SEC required shareholder notifications, and consents and agreements to business transactions.

...read more from RPOST

EMC. We can't talk about data integrity and regulations for retention and not bring your attention to EMC. Some shops may be small and some may not be ready. Where there is risk around your data, we start with compliance products from EMC.

Can your business afford to wait days/weeks/months to get your audited records back? ...

SEC Rule 17a-4 Compliance Media Requirements:
17a-4(f)(2)(ii)(A)—Preserves the records exclusively in a non-rewritable, non-erasable format
17a-4(f)(2)(ii)(B)—Verifies automatically the quality and accuracy of the storage media recording process
17a-4(f)(2)(ii)(C)—Serializes the original, and, if applicable, duplicate units of storage media and time-date for the required period of retention the information placed on such electronic media
17a-4(f)(2)(ii)(D)—Has the capacity to readily download indexes and records preserved on the electronic storage media to any medium acceptable

Controls go far beyond the requirements of the Sarbanes-Oxley Act, and they are no longer just an "auditor's problem." The days of fighting for budget to optimize IT are long gone, and everyone has one single mission: "Compliance".

EMC E-mail Archiving Solutions: Meet compliance challenges—and increase efficiencies—with a customized archiving solution.
EMC Records Management Solutions: Centralize online document and records management—and automate processes for regulatory compliance.
EMC eDiscovery Solutions: Easily locate records for electronic discovery requests—at lower costs, and while minimizing liability risk.

EMC Corporation is the world leader in products, services, and solutions for information storage and its management. We are the information storage standard for every major computing platform and, through our solutions, serve as caretaker for more than two-thirds of the world’s most essential information.

What they do: EMC helps enterprises of all sizes manage their growing volumes of information—from creation to disposal—according to its changing value to the business through information lifecycle management (ILM) strategies. EMC information infrastructure solutions are at the heart of this mission, helping organizations manage, use, protect, and share their information assets more efficiently and cost-effectively. Our world-class solutions integrate networked storage technologies, storage systems, software, and services.

Their vision: creating the ultimate information lifecycle management company—to help our customers manage and use more information, more easily and effectively. The result? Information with greater business value and at lower management cost.

EMC. Where information lives.

What is compliance?

Compliance is a universe of constraints enforcing business and technology practice aligned to minimally acceptable product, service and financial benchmarks, consumer and citizen safety, and continuous availability of critical resources as mandated by US and world governments. Considerations for HIPAA, the USA Patriot Act, Gramm-Leach-Bliley, FISMA/eGovernment, OMB Circulars (various, such as A-119 and A-130), Executive Directives and DCIDs can't be limited to government, federal and financial programs. Businesses work in tandem, weaving regulatory issues together via ecommerce, outsourcing and third-party services, such that any law has implications across multiple industries and business classifications. Laws like the Clinger-Cohen Act, the Paperwork Reduction Act, Basel I and II, European Union privacy laws and Safe Harbor Principles, the California Security Breach Notice Law as well as emerging bills with similar guidelines, SEC Rule 17a-4, NARA regulations for federal records management, SEC CFR 17 Rule no. 16900 affecting Clearing Corporations, the National Strategy to Secure Cyberspace and many associated Public Laws and Government guidelines (especially those affecting security programs and implementation of appropriate standards such as the various FIPS) are all a part of our audit universe. The PB&SP toolbox is a list of applications and industry tools, with special attention to the better companies and materials, as found most successfully implemented among our clients.

EuclidIntegrityLogic

About Euclid™

Euclid Product Sheet

Think About Data Integrity

Platforms

Operating systems
• Windows 2003, 2000, XP
• Linux (most recent distributions)
• IBM AIX
• Sun Solaris
• HP/UX

Browsers
• Microsoft IE 4 and above
• Netscape 4 and above
• Phoenix/Mozilla
• Opera

Data sources
• Oracle 8 and above
• IBM DB2/UDB 7.x and above
• Microsoft SQL Server 2000 and above
• MySQL 3.20 and above
• Sybase ASE 11.x and above
• CSV and similar flat files
Additional JDBC-compliant data sources can often be supported out of the box, or with minimal work. Non-JDBC data sources can also be supported through an open Java API.

CobiT® Online from ISACA and ITGI, and CobiT Advisor 3rd Ed

CobiT® components include:

• Executive Summary
• Framework
• Control Objectives
• Control Practices
• Audit Guidelines
• Implementation Tool Set
• Management Guidelines

Other works based on the CobiT® framework include:

• CobiT® Quickstart™
• CobiT® Online®
• CobiT® in Academia™
• CobiT® Security Baseline™

Data in CobiT 4.0 (coming soon)

Logos belonging to affiliated organizations indicate PB&SP support and are not meant to imply ownership, creation or collaboration in any product. We stand behind experience and consensus among our clients in suggesting that these highlighted products and organizations are the best audit and compliance resources in the world. We have not, and will never, use this as a means for revenue. We are not paid to say these are great products. We believe they are great because we witness their results.