Ohio Trustworthy Information Systems Handbook: Section 9

Criteria Group 1:
System administrators should maintain complete and current documentation of the entire system.

QUESTIONS TO ASK

What is the system’s unique identifier and/or common name?

What is the agency and department responsible for the system?

What is the agency and department responsible for applications?

What agency is responsible for the information/data?

What is the name and contact information of the person(s) responsible for system administration?

What is the name and contact information of the person(s) responsible for system security?

Has a formal risk assessment of the system been completed? Date? Performed by? Methodology? Findings?

Were design reviews and system tests run prior to placing the system in production?

Were the tests documented?

Is application software properly licensed for the number of copies in use?

If connected to external systems lacking commensurate security measures, what mitigation procedures are in place?

What other systems might records be migrated to?

1A. System documentation should include, but is not limited to:

  1. hardware (procurement, installation, modifications, and maintenance)

  2. software (procurement, installation, modifications, and maintenance)

    Did You Know:

    DAS Policy No. ITP A.26, effective July 1, 2001: Each state agency/organization will develop a Software Copyright Compliance Plan, or submit other such procedures accompanied by a certification of the Director of a State Agency that necessary and reasonable controls are in place to assure compliance with applicable manufacturers' license agreements.

    DAS Directive No. 01-25, effective December 27, 1999, "Internet, electronic mail and online services use and abuse," item 5: State employees shall not use the Internet, electronic mail and online services to provide access to confidential information. State employees shall not use these services to provide access to public information without following the existing rules and procedures of the custodial agency for dissemination.

  3. communication networks (procurement, installation, modifications, and maintenance)

  4. interconnected systems
    a. list of interconnected systems (including the Internet)
    b. names of systems and unique identifiers
    c. owners
    d. names and titles of authorizing personnel
    e. dates of authorization
    f. types of interconnection
    g. indication of system of record
    h. sensitivity levels
    i. security mechanisms, security concerns, and personnel rules of behavior

    Did You Know:

    Rule 123:3-1-01 of the Administrative Code, "Use of Electronic Signatures and Records," (H) Required Policies: State agencies must establish documented policies and procedures that provide reasonable assurances of the authenticity of signatures, the nonrepudiation of the records by the signatories, and the integrity of the signed records. This includes but is not limited to policies and procedures on access, control, monitoring, maintenance, and any other actions necessary for physical, network, and computer security.

Consider This:

System documentation, including specifications, program manuals, and user guides, should be covered in retention schedules, and retained for the longest retention time applicable to the records produced in accordance with the documents.

Unique names and identifiers should remain the same over the lifetime of the units to allow tracking.

When a system is installed at more than one site, steps should be taken to ensure that each site is running an appropriate, documented, up-to-date version of the authorized configuration.

Complete audit trails of hardware and software changes should be maintained. This documentation should be extensive enough to identify the individual components of the system at any given point in time.

A process should be implemented to ensure that no individual can make changes to the system without proper review and authorization.
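As an added illustration of the two points above (a change record detailed enough to reconstruct the set of system components at any point in time, and no change without review by someone other than the person making it), the following Python is example code written for this page; it is not part of the handbook or of any state system. It assumes a hypothetical hash-chained change log in which each entry names a requester and a distinct approver, and the component names, version strings, people and dates are constructed sample values.

```python
import hashlib
import json
from dataclasses import dataclass
from typing import Dict, List, Optional

# Hypothetical change-log structure (an assumption for this example); every
# entry carries the facts the handbook asks for: what changed, to which
# version, who requested it, who authorized it, and when.
@dataclass
class ChangeRecord:
    seq: int
    timestamp: str          # ISO 8601 string; entries are appended in time order
    component: str          # e.g. "app-server-01/os" (constructed naming scheme)
    action: str             # "install", "modify" or "remove"
    version: Optional[str]  # None for removals
    requested_by: str
    approved_by: str
    prev_hash: str          # SHA-256 of the previous entry (chain link)
    entry_hash: str = ""    # SHA-256 of this entry's other fields


class ChangeLog:
    GENESIS = "0" * 64
    ACTIONS = ("install", "modify", "remove")

    def __init__(self) -> None:
        self.entries: List[ChangeRecord] = []

    @staticmethod
    def _digest(rec: ChangeRecord) -> str:
        # Hash every field except entry_hash itself, in a canonical encoding.
        body = {k: v for k, v in rec.__dict__.items() if k != "entry_hash"}
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def record(self, timestamp: str, component: str, action: str,
               version: Optional[str], requested_by: str, approved_by: str) -> ChangeRecord:
        # Separation of duties: the person who requests a change cannot
        # also be the person who authorizes it.
        if requested_by == approved_by:
            raise PermissionError("change must be reviewed by someone other than the requester")
        if action not in self.ACTIONS:
            raise ValueError(f"unknown action {action!r}")
        if self.entries and timestamp < self.entries[-1].timestamp:
            raise ValueError("entries must be appended in chronological order")
        prev = self.entries[-1].entry_hash if self.entries else self.GENESIS
        rec = ChangeRecord(len(self.entries), timestamp, component, action,
                           version, requested_by, approved_by, prev)
        rec.entry_hash = self._digest(rec)
        self.entries.append(rec)
        return rec

    def verify(self) -> bool:
        # Recompute every digest and chain link; an edited, dropped or
        # reordered entry breaks the chain.
        prev = self.GENESIS
        for i, rec in enumerate(self.entries):
            if rec.seq != i or rec.prev_hash != prev or self._digest(rec) != rec.entry_hash:
                return False
            prev = rec.entry_hash
        return True

    def inventory_at(self, timestamp: str) -> Dict[str, Optional[str]]:
        # Replay the log up to the requested time to get the component set then.
        state: Dict[str, Optional[str]] = {}
        for rec in self.entries:
            if rec.timestamp > timestamp:
                break
            if rec.action == "remove":
                state.pop(rec.component, None)
            else:
                state[rec.component] = rec.version
        return state


def build_sample_log() -> ChangeLog:
    # Constructed sample history for one hypothetical agency server.
    log = ChangeLog()
    log.record("2001-03-01T09:00:00", "app-server-01/os", "install", "os-build-1.0", "alice", "bob")
    log.record("2001-04-15T10:30:00", "app-server-01/records-app", "install", "2.1", "alice", "carol")
    log.record("2001-04-15T10:45:00", "app-server-01/fax-gateway", "install", "1.0", "dave", "bob")
    log.record("2001-06-20T14:00:00", "app-server-01/records-app", "modify", "2.2", "dave", "bob")
    log.record("2001-09-01T08:00:00", "app-server-01/fax-gateway", "remove", None, "alice", "carol")
    return log


def self_approval_rejected() -> bool:
    # Returns True when the log refuses a change approved by its own requester.
    try:
        ChangeLog().record("2001-01-01T00:00:00", "x", "install", "1", "alice", "alice")
    except PermissionError:
        return True
    return False


if __name__ == "__main__":
    log = build_sample_log()
    print("chain intact:", log.verify())
    print("components on 2001-05-01:", log.inventory_at("2001-05-01T00:00:00"))
    print("components on 2001-10-01:", log.inventory_at("2001-10-01T00:00:00"))
```

Replaying the log answers "what was installed on this system on a given date" without a separate snapshot per date, and the hash chain lets a later audit detect an entry that was altered or removed after the fact; the two-person check in `record` is the enforcement point for the authorization requirement.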

1B. Policy and procedure documentation should include, but is not limited to:

  1. programming conventions and procedures
  2. development and testing activities, including tools

    Consider This:

    Periodic functional tests should include anomalous as well as routine conditions, and be documented such that they can be repeated by any knowledgeable programmer.

  3. applications and associated procedures such as methods of entering/accessing data, data modification, data duplication, data deletion, indexing techniques, and outputs

  4. identification of when records become official

  5. record formats and codes

  6. routine performance of system back-ups. Each back-up should be documented, with backups appropriately labeled, stored in a secure, off-line, off-site location, and subjected to periodic integrity tests

  7. routine performance of quality assurance and control checks, as well as performance and reliability testing of hardware and software on a schedule established through consultation with the manufacturers

    Consider This:

    Identification devices (e.g., security cards) should be included in periodic testing runs to ensure proper functioning and to verify the correctness of identifying information and system privilege levels.

    Each type of storage medium used should undergo regular statistical sampling following established procedures outlining sampling methods, identification of data loss and corresponding causes, and the correction of identified problems.

  8. migration of records to new systems and media as necessary. All record components, i.e., every field or informational element of a record, should be migrated to the new system as a single unit.

  9. standard training for all users and personnel with access to equipment

    Did You Know:

    Ohio Revised Code § 1306.23, Exemptions to disclosure of records: Records that would disclose or may lead to the disclosure of records or information that would jeopardize the state's continued use or security of any computer or telecommunications devices or services associated with electronic signatures, electronic records, or electronic transactions are not public records for purposes of section 149.43 of the Revised Code.

    DAS Policy No. ITP-E.030, effective May 1, 1999: Electronic records should be created and maintained in reliable and secure systems. Agencies should identify systems that create and maintain records. The development, modification, operation, and use of these systems should be documented and measures should be taken to ensure reliability and security of records over time.

    Consider This:

    Users should sign statements agreeing to terms of use. Such a document should include guidelines for: user responsibilities and expected behavior, consequences of inconsistent behavior or non-compliance, remote-access use, Internet use, use of copyrighted works, unofficial use of resources, assignment and limitations of system privileges, and individual accountability.
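Items 6 and 7 of 1B above call for each backup to be documented and subjected to periodic integrity tests, and for storage media to be checked on a schedule. The following Python is an added example written for this page, not the handbook's or any agency's code: it documents a backup set with a manifest of SHA-256 file digests and later re-checks the set against that manifest, reporting files that are intact, corrupt or missing. The directory layout, file contents, label and date are constructed sample values, and the manifest filename `MANIFEST.json` is an assumption.

```python
import hashlib
import json
import tempfile
from pathlib import Path
from typing import Dict, List

CHUNK = 1 << 16  # read files in 64 KiB pieces so large backup files are not loaded whole


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def write_manifest(backup_dir: Path, label: str, backup_date: str) -> Path:
    """Document a backup set: its label, date and a SHA-256 digest of every file.
    The manifest is what every later integrity test is checked against."""
    files = sorted(p for p in backup_dir.rglob("*")
                   if p.is_file() and p.name != "MANIFEST.json")
    manifest = {
        "label": label,
        "backup_date": backup_date,
        "files": {p.relative_to(backup_dir).as_posix(): sha256_file(p) for p in files},
    }
    out = backup_dir / "MANIFEST.json"
    out.write_text(json.dumps(manifest, indent=2, sort_keys=True))
    return out


def verify_backup(backup_dir: Path) -> Dict[str, List[str]]:
    """Periodic integrity test: re-hash every file named in the manifest and
    classify it as ok, corrupt (digest differs) or missing."""
    manifest = json.loads((backup_dir / "MANIFEST.json").read_text())
    result: Dict[str, List[str]] = {"ok": [], "corrupt": [], "missing": []}
    for rel, expected in sorted(manifest["files"].items()):
        path = backup_dir / rel
        if not path.exists():
            result["missing"].append(rel)
        elif sha256_file(path) != expected:
            result["corrupt"].append(rel)
        else:
            result["ok"].append(rel)
    return result


def demo() -> Dict[str, List[str]]:
    """Build a constructed backup set in a temporary directory, document it,
    then simulate media degradation and run the integrity test."""
    with tempfile.TemporaryDirectory() as tmp:
        bdir = Path(tmp) / "backup-2001-11-05"
        (bdir / "records").mkdir(parents=True)
        (bdir / "records" / "case-0001.dat").write_bytes(b"constructed record payload 1")
        (bdir / "records" / "case-0002.dat").write_bytes(b"constructed record payload 2")
        (bdir / "index.db").write_bytes(b"constructed index")
        write_manifest(bdir, "WEEKLY-FULL-2001-11-05", "2001-11-05")
        clean = verify_backup(bdir)
        assert not clean["corrupt"] and not clean["missing"]  # a fresh set passes

        # Simulate a single flipped bit in one file and the loss of another.
        target = bdir / "records" / "case-0002.dat"
        data = bytearray(target.read_bytes())
        data[0] ^= 0x01
        target.write_bytes(bytes(data))
        (bdir / "index.db").unlink()
        return verify_backup(bdir)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The manifest is written once at backup time and kept with the set's label and date, so the periodic test needs no access to the live system; a one-bit change is enough to fail the digest comparison, which is what makes this a usable media-sampling check rather than a spot read of a few files.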

     


Ohio TIS Handbook last updated November 2001, Version 1.
Ohio Electronic Records Committee