RECMGMT-L Archives

Records Management

RECMGMT-L@LISTSERV.IGGURU.US

From: Pilar McAdam
Reply To: Records Management Program
Date: Thu, 2 Jan 2014 20:47:07 +0000

Deb Martin asked:

"I have a customer that would like to query the experts to find out how
others are protecting PII, OUO, and other sensitive records (excluding
classified records) in electronic records systems.  This is for a large
organization with several thousand staff that are creating electronic
records.  For instance:

- How are permissions managed on who can add/modify/delete/view sensitive
records?

- How are permissions kept up-to-date?

- How are permission changes documented when employees terminate or change
organizations?

- How is permission managed for IT and RIM support employees that may have a
need to access the records area, e.g., to develop programs, file plans, etc.
but shouldn't generally have a need to see the data?"


Deb,

For access to sensitive records by organizational staff, permission should
be role-based (e.g., all HR coordinators should have access to personnel
files, all medical staff should have access to medical records, only
law-enforcement/Security staff should have access to arrest records), and
managed through the organization's Active Directory (all employees should
be in Active Directory, with organizational affiliations and job titles).

There should be organizational procedures in place for managing the
information in Active Directory, including the processes for keeping the
information current. This should include review/deactivation of access
rights when an employee departs or changes organizations, and periodic
revalidation of access rights for all employees with access to sensitive
information.

There should also be an organizational procedure for how
records/information for departing employees are handled (e.g., manager
reassigns to another employee).

IT employees who create/maintain databases and applications usually have
full access to any sensitive information contained within them because
it's not possible for them to perform ongoing activities without such
access.

Classified records are usually maintained within security walls so that
only cleared personnel, whether IT or departmental, have access.

Organizational policies and procedures should also address how individuals
with a need-to-know can be granted specific access rights over and above
those assigned based on their roles.


Pilar C. McAdam, CRM, ERMm
Los Angeles, CA
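A worked example of the revalidation and offboarding checks described in the reply above (role-based groups in Active Directory, deactivation of access when an employee departs or changes organizations, and periodic revalidation with a written record of each cycle). This is an added illustration, not code from the original message or from its author. The group names, the department values in the role map, and the 90-day staleness threshold are assumptions made for the example; the cmdlets are the standard RSAT ActiveDirectory module ones.

```powershell
# Added example (not from the original message): periodic revalidation of
# role-based access to sensitive-records groups in Active Directory.
# Assumption (hypothetical, not from the page): each sensitive record set is
# guarded by one AD security group, and each group maps to the department(s)
# whose role justifies membership. Group and department names are placeholders.
#Requires -Modules ActiveDirectory

# Role map: group that grants access -> departments whose role justifies it.
$RoleMap = @{
    'RM-PersonnelFiles-Access' = @('Human Resources')
    'RM-MedicalRecords-Access' = @('Medical Services')
    'RM-ArrestRecords-Access'  = @('Security', 'Law Enforcement')
}

# Members with no sign-in for this many days are flagged for review (assumed threshold).
$StaleAfterDays = 90

function Get-SensitiveAccessFindings {
    param(
        [hashtable]$RoleMap,
        [int]$StaleAfterDays = 90
    )

    $cutoff = (Get-Date).AddDays(-$StaleAfterDays)
    $findings = foreach ($group in $RoleMap.Keys) {
        $allowedDepts = $RoleMap[$group]
        # -Recursive resolves nested groups so indirectly granted access is reviewed too.
        $members = Get-ADGroupMember -Identity $group -Recursive |
            Where-Object { $_.objectClass -eq 'user' }

        foreach ($m in $members) {
            $u = Get-ADUser -Identity $m.distinguishedName `
                -Properties Enabled, LastLogonDate, Department, Title, Manager

            $reasons = @()
            # Departed employee: account disabled but never removed from the group.
            if (-not $u.Enabled) { $reasons += 'account disabled' }
            # Employee moved to another organization: role no longer justifies access.
            if ($u.Department -notin $allowedDepts) { $reasons += "department '$($u.Department)' outside role" }
            # Access that is never exercised is a candidate for removal.
            if (-not $u.LastLogonDate -or $u.LastLogonDate -lt $cutoff) { $reasons += "no logon in $StaleAfterDays days" }
            # Without a manager there is nobody to attest the need-to-know.
            if (-not $u.Manager) { $reasons += 'no manager to attest' }

            if ($reasons.Count -gt 0) {
                [pscustomobject]@{
                    Group          = $group
                    SamAccountName = $u.SamAccountName
                    Department     = $u.Department
                    Title          = $u.Title
                    Enabled        = $u.Enabled
                    LastLogon      = $u.LastLogonDate
                    Reasons        = ($reasons -join '; ')
                }
            }
        }
    }
    return $findings
}

# Produce the review report. The dated CSV is the documentation of each
# revalidation cycle that the original question asks about.
$findings = Get-SensitiveAccessFindings -RoleMap $RoleMap -StaleAfterDays $StaleAfterDays
$stamp = Get-Date -Format 'yyyy-MM-dd'
$findings | Export-Csv -Path "sensitive-access-review-$stamp.csv" -NoTypeInformation
$findings | Format-Table Group, SamAccountName, Department, Reasons -AutoSize

# Revocation is a separate, explicit step: disabled (departed) accounts are
# removed from the group; the other findings go to the data owner for attestation.
# -WhatIf keeps this run report-only.
$findings | Where-Object { -not $_.Enabled } | ForEach-Object {
    Remove-ADGroupMember -Identity $_.Group -Members $_.SamAccountName -Confirm:$false -WhatIf
}
```

Run it from an account that can read group membership and user attributes; as written it only reports, because the removal step carries -WhatIf. Dropping -WhatIf after the data owner has signed off on the report turns the disabled-account findings into actual removals, while department mismatches and stale logons remain a human decision, since a mismatch can also mean the role map itself is out of date.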

List archives at http://lists.ufl.edu/archives/recmgmt-l.html