Manual for the Design and Implementation of Recordkeeping Systems (dirks)


Ensuring that your recordkeeping systems support access and security

Doing Steps A-C of DIRKS helps you to understand your department/office's requirements relating to access and security. Steps D-G of the DIRKS methodology can help you to apply this knowledge. These steps of the methodology can help you to:
  • determine whether your existing systems enable your access and security requirements to be met
  • employ a range of strategies to identify how you can better meet your access and security requirements
  • undertake system design work where necessary, to help you meet your access and security requirements, and 
  • implement access and security requirements effectively.

Step D: Assessment of existing systems

In Step D you examine your existing systems to determine whether they are able to meet the access and security requirements you want to establish. 

In your Step D assessments you could determine whether systems:
  • employ appropriate metadata that clearly labels records that require restriction
  • capture audit trails that document when, how and by whom records have been accessed
  • have the capacity to restrict access to certain records
  • have security policies and procedures that explain how particular records need to be managed
  • are supported by training programs which educate staff about security management
  • have documented business rules which specify which records, or classes of records, need to be protected, and
  • are regularly updated to reflect changes in staff and their responsibilities.

This assessment will enable you to determine whether systems need to be designed or redesigned to enable you to implement your access and security requirements. 

Tip: Don't forget the security of systems that are managed by contractors on your behalf

If some of your organizational functions have been outsourced, be aware of the security or confidentiality requirements that affect the records of these functions. It is important to build these requirements into the contracts you establish with your service providers. In your contract you could require that: 
  • appropriate physical and technical security is exercised over your records
  • personal information contained within your records is managed appropriately
  • employees of the contracted service provider and their subcontractors are aware of the requirements of the privacy and security controls you have specified, and
  • personal information is destroyed by the service provider in accordance with appropriate and authorised retention and disposal schedules.

In Step D, you should assess whether the systems your service provider is using meet your security requirements. 

You should include in your contract a range of penalties that a contractor will be subject to if they breach the access and security requirements you have included in your contract. 

Step E: Identification of strategies for recordkeeping

In Step E you decide how to rectify any business information systems that are not adequately managing your access and security needs. In this step you come up with broad ideas for what you want to achieve and how you want to do it. Step E recommends four strategies for turning business information systems into recordkeeping systems:
  • policy
  • design
  • standards, and 
  • implementation

You can use these strategies individually or in combination to help ensure the effective implementation of your access and security program. The most effective solution is likely to come from a combination of strategies.

Example:

In Step E you may decide that, for your high risk records, you will design a technical component of your system that prevents staff members from seeing both the records they do not have authority to access and the file titles of those records (a design tactic). You may also decide to introduce an access policy (policy tactic) and a briefing session on responsibilities and rights of access (implementation tactic) to clearly explain security requirements to staff. In combination, you are satisfied that this range of tactics will enable your security requirements to be addressed.

If you are seeking to introduce access and security classification schemes across a range of organizational systems, you may have to decide upon slightly different approaches in each system, depending on the records they administer and their: 
  • size 
  • role 
  • technical infrastructure, and 
  • user requirements.  

Step F: Design of a recordkeeping system

In Step F you design solutions, based on the strategies you developed in Step E: Identification of strategies for recordkeeping, that will enable you to meet your access and security requirements. That is, in Step F you:
  • draft policies
  • develop technical components of systems to enable you to control access
  • develop training programs, and
  • draft business rules etc.

Example:

If you have adopted the policy tactic, you draft a policy that specifies the different levels of security that operate across the business areas in your department/office. You also draft business rules that specify how and by whom security is to be managed across the range of your organizational business systems. You then implement procedures that require IT staff to update system user permissions as soon as staff leave or arrive in the organization. 

Example: 

If you have adopted the design tactic, in Step F you could develop an application which enables your records management software to inherit the logins, and the consequent security controls, that govern access to your IT systems. This will ensure that consistent control is exercised across systems and will save significant duplication of effort.

Example:

If you have adopted the design tactic, you could develop a means to issue a message to all staff at login, that reminds them of their obligations in relation to information security.

Example:

If you have decided to adopt the implementation tactic, you will focus on improving the way systems operate in order to improve record security. You may therefore decide to put a lock on the file room door, or move records staff so that they are adjacent to records storage areas to better monitor the security of these areas. Alternatively you could restrict access to the technical components of systems to the staff that have a requirement to use this system as a part of their business activities. 

Example:

If you have decided to adopt the implementation tactic, in Step F you will develop training programs to educate your staff about security issues. You may decide to develop an induction training program that informs new staff about privacy and other considerations they need to remember in their day-to-day business activities. 

Step G: Implementation of a recordkeeping system

In Step G you implement the range of access and security solutions you have developed. When implementing this step you:
  • provide staff with the policy and business rules you've developed
  • present training courses and answer staff questions about security issues, and
  • train staff in system use, if the security controls you've implemented have made a significant difference to system operations.

Example:

Further examples of the implementation tactic include:
  • requiring all new staff to sign a form acknowledging their understanding of obligations concerning the disclosure of information and protection of private information
  • providing an update of security issues at monthly staff meetings
  • conducting an annual refresher course on security issues and responsibilities. 

Be aware that if the implementation of your access and security requirements is poor, staff and others may gain access to restricted records, which could breach UN rules about privacy and security. Breaches could result in high financial costs and public embarrassment for the United Nations.

Therefore, be sure to devote adequate resources that enable your access and security requirements to be met.