Trustworthy Information Systems Handbook: Section 7
How important is your information?
Records:
1. "Information that is inscribed on a tangible medium or that is stored in an electronic or other medium and is retrievable in perceivable form." (e)
2. Information created or received during the course of government business that becomes part of an official transaction.
3. "All cards, correspondence, discs, maps, memoranda, microfilms, papers, photographs, recordings, reports, tapes, writings and other data, information or documentary material, regardless of physical form or characteristics, storage media or conditions of use, made or received by an officer or agency of the state and an officer or agency of a county, city, town, school district, municipal subdivision or corporation or other public authority or political entity within the state pursuant to state law or in connection with the transaction of public business by an officer or agency." Excluding "data and information that does not become part of an official transaction, library and museum material made or acquired and kept solely for reference or exhibit purposes, extra copies of documents kept only for convenience of reference and stock of publications and processed documents, and bonds, and coupons, or other obligations or evidence of indebtedness, the destruction or other disposition of which is governed by other laws." (g)
Data:
1. "Symbols, or representations, of facts or ideas that can be communicated, interpreted, or processed by manual or automated means." (i)
2. Minnesota "government data" is defined, by statute, to mean "all data collected, created, received, maintained or disseminated by any state agency, political subdivision, or statewide system regardless of its physical form, storage media or conditions of use." (k)
Information:
1. Data, text, images, sounds, codes, computer programs, software, databases, etc. (e)
Records and data are not all equally valuable. Therefore, not all information systems containing records will require the same security measures and levels of trustworthiness. In determining the importance of your information, you may want to consider such things as:
- What laws and regulations apply to your data?
- What are your industry's standards for system security, data security, and records retention? (Retention: "The period of time, usually based on an estimate of the frequency of current and future use, and taking into account statutory and regulatory provisions, that records need to be retained before their final disposal." (l))
- What areas and records might lawyers and auditors target?
- What data is of permanent and/or historical value to you and to others?
Certain policy mandates, such as the Minnesota Data Practices Act and others concerned with records management (refer to Appendix D), determine the precise value and security level of some information. These laws are written without respect to media or format. At present, however, there are no widely applicable models available for managing electronic records as there are for paper. The ever-increasing use of electronic records forces us to look at new ways to actually answer policy demands while efficiently using government resources.
Electronic records:
1. "A record created, generated, sent, communicated, received, or stored by electronic means." (e)
Agencies should have some leeway to decide the significance of their records, their functional priorities, and the resources available to them as a basis for making informed choices about the appropriate practices to apply. The criteria set will help government agencies manage the risks associated with their information systems. While comprehensive in scope, the set will not apply to all systems equally. A system holding purchase orders, for example, will not have as high a legal profile and need for security and trustworthiness as one containing confidential medical information.
Information systems:
1. "An electronic system for creating, generating, sending, receiving, storing, displaying, or otherwise processing information." (e)
2. "The organized collection, processing, transmission, and dissemination of information in accordance with defined procedures, whether automated or manual. . . . Most often refers to a system containing electronic records, which involves input or source documents, records on electronic media, and output records, along with related documentation and any indexes." (i)
Trustworthiness:
1. An information system that produces reliable and authentic records.
You must show that you have made informed choices that are appropriate for your records and that you have appropriate policies and procedures in place that are followed during the routine course of business—you are accountable for your actions. Lawyers and auditors, for instance, may examine your information systems in minute detail, looking for things like undocumented delays, variances from established procedures, and holes in your security in terms of access to your system and your records (refer to Appendix E for case law regarding electronic records and to the Legal Risk Analysis Tool in Appendix G for additional assistance). These inquiries can be answered with documentation showing that you have examined your systems and have made informed decisions concerning the handling of your records.
Accountable:
1. The quality of being responsible, answerable; the obligation to report, explain, or justify an event or situation.
Documentation:
1. "The act or process of substantiating by recording actions and/or decisions." (i)
2. "Records required to plan, develop, operate, maintain, and use electronic records. Included are systems specifications, file specifications, codebooks, file layouts, user guides, and output specifications." (i)
So, you see, the criteria set is really a tool for risk management!
How do you use the Trustworthy Information System criteria?
TIS Handbook last updated July 2002, Version 4.




