Minnesota State Archives

Handbook for Trustworthy Information Systems: Section 9

Criteria Group 1: System administrators should maintain complete and current documentation of the entire system.

QUESTIONS TO ASK:
  • What is the system's unique identifier and/or common name?
  • What is the agency and department responsible for the system?
  • What is the agency and department responsible for applications?
  • What is the name and contact information of the person(s) responsible for system administration?
  • What is the name and contact information of the person(s) responsible for system security?
  • Has a formal 1. A component of risk management that evaluates risks (the possibility of incurring loss or injury), examining the probability of loss or injury occurring, then determining the amount of risk that is acceptable for a given situation or event; a prioritization of risks. risk assessment of the system been completed? Date? Performed by? Methodology? Findings?
  • Were design reviews and system tests run prior to placing the system in production? Were the tests documented?
  • Is application software properly licensed for the number of copies in use?
  • If connected to external systems lacking commensurate security measures, what mitigation procedures are in place?
  • What other systems might records be 1. The process of moving computer files from one information system or medium to another. migrated to?

1A. System documentation should include, but is not limited to:

  1. hardware (procurement, installation, modifications, and maintenance)
  2. software (procurement, installation, modifications, and maintenance)
  3. communication networks (procurement, installation, modifications, and maintenance)
  4. interconnected systems
    1. list of interconnected systems (including the 1. A decentralized global network connecting millions of computers. Internet)
    2. names of systems and unique identifiers
    3. owners
    4. names and titles of authorizing personnel
    5. dates of authorization
    6. types of interconnection
    7. indication of system of record
    8. sensitivity levels
    9. security mechanisms, security concerns, and personnel rules of behavior

Did you know?

Did You Know icon "Agencies shall take reasonable measures to ensure that only agency authorized computer equipment is installed on or connected to state systems and that only approved software is installed or executed on state computer resources." (Minnesota Department of Administration, Office of Technology, Computerized Information Resources Security Standards for State Agencies. IRM Standard 16, Version 1. June 1998.) Refer to Bibliography.

Consider This:

Consider This icon System documentation, including specifications, program manuals, and user guides, should be covered in 1. A plan for the management of records including a list of record series, coverage dates, locations, formats, volume, data practices classifications, and retention periods. retention schedules, and retained for the longest retention time applicable to the records produced in accordance with the documents.

Consider This icon Unique names and identifiers should remain the same over the lifetime of the units to allow tracking.

Consider This icon When a system is installed at more than one site, steps should be taken to ensure that each site is running an appropriate, documented, up-to-date version of the authorized configuration.

Consider This icon Audit trails of hardware and software changes should be maintained such that earlier versions of the system can be reproduced on-demand.

Consider This icon A process should be implemented to ensure that no individual can make changes to the system without proper review and authorization.

1B. Policy and procedure documentation should include, but is not limited to:

  1. programming conventions and procedures
  2. development and testing activities, including tools
    1. Consider This:
    2. Consider This icon Periodic functional tests should include anomalous as well as routine conditions, and be documented such that they can be repeated by any knowledgeable programmer.
  3. applications and associated procedures such as methods of entering/accessing data, data modification, data duplication, data deletion, indexing techniques, and outputs
  4. identification of when records become official
  5. record formats and codes
  6. routine performance of system 1. "To copy files to a second medium . . . as a precaution in case the first medium fails." (b) back-ups. Each back-up should be documented with back-ups being appropriately labeled, stored in a secure, off-line, off-site location, and subjected to periodic integrity tests.
  7. routine performance of quality assurance and control checks, as well as performance and reliability testing of hardware and software on a schedule established through consultation with the manufacturers
    1. Consider This:
    2. Consider This icon Identification devices (e.g., security cards) should be included in periodic testing runs to ensure proper functioning and to verify the correctness of identifying information and system privilege levels.
    3. Consider This icon Each type of storage medium used should undergo regular statistical sampling following established procedures outlining sampling methods, identification of data loss and corresponding causes, and the correction of identified problems.
  8. migration of records to new systems and media as necessary. All record components should be managed as a unit throughout the transfer.
  9. standard training for all users and personnel with access to equipment

Did you know?

Did You Know icon "The agency head shall ensure that agency employees understand the importance of security measures and their role in sharing the responsibility for the security and integrity of state computerized information resources." (Minnesota Department of Administration, Office of Technology, Computerized Information Resources Security Standards for State Agencies. IRM Standard 16, Version 1. June 1998.) Refer to Bibliography.

Did You Know icon "Agencies shall make a copy of the state Security Policy available to each agency employee and shall make all employees, contractors, and information users aware of their responsibilities under the state Security Policy and the agency security plan." (Minnesota Department of Administration, Office of Technology, Computerized Information Resources Security Standards for State Agencies. IRM Standard 16, Version 1. June 1998.) Refer to Bibliography.

Did You Know icon "The agency head shall ensure that each agency employee is aware that violation of the principles of the state Security Policy or the agency security plan could be cause for disciplinary action or termination from employment." (Minnesota Department of Administration, Office of Technology, Computerized Information Resources Security Standards for State Agencies. IRM Standard 16, Version 1. June 1998.) Refer to Bibliography.

Consider This:

Consider This icon Users should sign statements agreeing to terms of use. Such a document should include guidelines for: user responsibilities and expected behavior, consequences of inconsistent behavior or non-compliance, remote-access use, Internet use, use of copyrighted works, unofficial use of resources, assignment and limitations of system privileges, and individual accountability.

go to Criteria › ›:  1  2  3  4  5

Go to Table of Contents

‹ ‹back: Section 9

TIS Handbook last updated July 2002, Version 4.

State Archives Home Research Services Government Record Services Records Retention Schedules Electronic Records Management Trustworthy Information Systems Recent Acquisitions Recordkeeping Metadata Standard Special Projects Contact Us


Powered by Meta Data