COMPUTER GENERATED & STORED RECORDS CONTROLS
Presented by COSCAP-SA


BACKGROUND.
The material in this presentation is intended to provide guidance to Aviation Inspectors concerning controls for managing information systems that generate and store records used in the maintenance of aircraft and aircraft components.

APPLICABLE RELATED REQUIREMENTS & INFORMATION.
Chapter 11 (Maintenance Records) of the Inspectors manual and ICAO Annex 6, 8.8.

DEFINITIONS.
For the purpose of this Document, the following definitions apply:
a. Authorizations. Permission granted by management to individuals authorizing full or partial admission to restricted access information management systems.
b. Data. A set of alphanumeric and/or graphic characters organized to represent facts or instructions suitable for communicating, interpreting, or processing by a computer.
c. Field. An element of a computer file that may contain data and whose size is controlled by the program.
d. Information Systems. A computer system which is designed to automate a specific function such as records management.
e. Privacy Keys. A password or procedure that allows full or partial access to a restricted information management system.
f. Privacy Locks. A procedure that restricts access to a portion of an information system.
g. Read Only Capability. The authority given to an individual which allows that person to access or read data in a field without being able to change or enter data.
i. Record. A history of the maintenance of a particular aircraft, aircraft component or item. As used in this document, a record is not a group of associated data fields or files within an information management system.
j. Write Capability. The authority given to a user which allows that person to enter or change data in a field.

DISCUSSION.
Maintenance organizations are required to maintain records.
- ICAO Annex 6 and various states' regulations contain requirements regarding the content of those records.
- Computer based systems have been acquired to generate and store maintenance records.
- This document will not discuss what maintenance and quality records should contain, but rather control mechanisms that should be used.

A record system will detect and deter unauthorized disclosure, modification, or use of records. Record systems require protection to ensure that an accurate history of the maintenance of an aircraft, aircraft component or item exists. An information management system should be protected from intruders.

The system should also be protected from employees with authorized access privileges who attempt to perform unauthorized actions. Protection is achieved not only by technical, physical, and personnel safeguards, but also by clearly advising all employees of the organizational procedures regarding authorized system use.

SECURITY PRINCIPLES
Security attributes should be present in all systems. The system should include:
(1) User Identification. Each user should be uniquely identified by an identification code to identify who has logged onto the system and to verify access.
(2) Authentication of User. There should be a means of verifying that the person entering the user identification code is the authorized individual, normally done by the use of a password.
(3) Principle of Least Possible Privilege.
- Each person is limited to the information and transaction authority that is required by their job responsibilities.
- Based upon the design of the system, privacy locks and keys may control varying combinations of data elements. Levels of protection may include the following:
(i) Data items,
(ii) Data aggregates,
(iii) Sets,
(iv) Fields,
(v) Files, or
(vi) The complete system.
(4) Relation to Quality Data Responsibilities. The system should ensure that authorization privileges coincide with the responsibilities outlined in the organization's quality control program. The system should be capable of assigning each user the specific access authority needed. These may include:
(i) Read Only Access.
(ii) Insert or Write Access Authorizations.
(iii) Change Access Authorizations.
(iv) Delete Access Authorizations.
(v) Security Access Authorizations.

AUDITING MECHANISMS.
- The system should include devices that detect security breaches.
- Security breaches should alert the security manager.
- Security breach logs should be available only to select individuals.
- Serious events may generate alarms.
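The access authorizations and auditing mechanisms described above can be combined in one authorization check. The following is an added example, not part of the original presentation: the role names, file and field names, and the rule for what counts as a "serious event" are assumptions, and the user ID is assumed to have been authenticated already.

```python
from dataclasses import dataclass, field
from enum import Flag, auto

class Priv(Flag):                # the five access authorizations listed above
    NONE = 0
    READ = auto()
    WRITE = auto()               # insert new data
    CHANGE = auto()
    DELETE = auto()
    SECURITY = auto()            # may read the breach log

# Constructed grants: role -> {(file, field): privileges}; "*" is a wildcard.
GRANTS = {
    "mechanic": {("task_cards", "*"): Priv.READ | Priv.WRITE,
                 ("task_cards", "release_signoff"): Priv.READ},  # privacy lock
    "inspector": {("task_cards", "*"): Priv.READ,
                  ("task_cards", "release_signoff"):
                      Priv.READ | Priv.WRITE | Priv.CHANGE},
    "security_manager": {("*", "*"): Priv.READ | Priv.SECURITY},
}

@dataclass
class RecordSystem:
    users: dict                                  # unique user ID -> role
    breach_log: list = field(default_factory=list)
    alarms: list = field(default_factory=list)   # stands in for alerting

    def _granted(self, user_id, file, fld):
        grants = GRANTS.get(self.users.get(user_id), {})
        # The most specific level wins: field, then file, then complete system.
        for key in ((file, fld), (file, "*"), ("*", "*")):
            if key in grants:
                return grants[key]
        return Priv.NONE                         # least privilege: default deny

    def authorize(self, user_id, file, fld, wanted):
        if wanted in self._granted(user_id, file, fld):
            return True
        event = (user_id, file, fld, wanted.name)
        self.breach_log.append(event)            # every denial is recorded
        # Assumed rule: unknown IDs and denied deletes are serious events.
        if wanted is Priv.DELETE or user_id not in self.users:
            self.alarms.append(event)
        return False

    def read_breach_log(self, user_id):
        # The breach log itself is restricted to holders of SECURITY access.
        if not self.authorize(user_id, "*", "breach_log", Priv.SECURITY):
            raise PermissionError("breach log is restricted")
        return list(self.breach_log)
```

A mechanic's attempt to change the locked sign-off field is refused and logged, while the same request from an inspector succeeds; an attempt by a non-security user to read the breach log is itself recorded as a breach.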

AUDITING MECHANISMS
Protection Against Software and Hardware Destruction.

System records should be protected from computer viruses. Systems should include virus detection programs.

Inventories. Inventories of all software and hardware configurations and locations should be used to ensure unauthorized hardware/software does not enter the computer environment.

Portable Equipment. Portable computer equipment such as laptops represents special risks from virus contamination, and thus its use in the system must be strictly controlled.

Network Security.
- Procedures should address additional protection necessary to control a network.
- The degree of protection should be based upon the complexity of the system.
- Additional protection may be required.

System Backup.
- Backup provisions should be developed for loss of data resulting from system failure.
- Backup periods need to be established.

MEDIA CONTROL.
Media is the material on which data is stored and must:
- be carefully controlled and protected.
- be stored in secure locations.
- come from authorized sources.

MEDIA TYPES
FLOPPY DISKS AND HARD DRIVES
- Not for long term storage.
- Data for long term storage should be transferred to other media.
- Data must be able to be retrieved.

MEDIA TYPES
MAGNETIC TAPES
- Should be tested within six months.
- Tapes should be stored in a cool dry environment.
- Storage criteria:
(i) temperature degrees F.
(ii) Relative humidity 35%-45%.
(iii) Rewind under controlled tension every 3 ½ years.
(iv) Before 10 years data should be transferred to new tapes.
(v) Annual sample of tapes should be tested to identify any loss of data.
(vi) No smoking, eating, or drinking.

MEDIA TYPES
OPTICAL DISKS
Optical disks are not highly sensitive to physical abuse, environmental conditions, or magnetic force fields. Optical disks need only be protected from loss.

MEDIA TYPES
METAL PARTICLE TAPES
- Chromium dioxide tapes should be handled like magnetic tapes except for periodic rewinding and cleaning.
- New types of metal particle tapes will become available but may be subject to oxidation.
- Prior to use of any metal particle tapes for long term storage, it must be ensured that the tapes can maintain integrity of the data.

DOCUMENTATION
The information management system should be properly documented.
(1) All software programs within the system, including program changes, should be fully documented.
(2) Procedures should be developed that control all data entered into the system. The procedures should address all information management system/human interface activities. The procedures should be kept current.

Availability.
The computer industry is extremely dynamic concerning the systems that are available for record keeping. If the organisation changes from one system to another, the records that were produced by the old system must remain accessible to the CAA in a usable format. The organization's documented quality control system should indicate how this accessibility is accomplished.

Information Management System Facility Management.
The main system facilities that house the equipment must be protected from physical threats and hazards. Areas to be considered include:
a. Physical Security. Survey for potential hazards such as fire and water to minimize damage possibilities.
b. Environmental Conditions. Consider the environmental conditions of the equipment and media storage areas.
c. Disaster Recovery. Provide a contingency plan to allow recovery of critical system information in case of a disaster.

TRAINING.
- Organizations should train each employee who is involved with any portion of the system. The subject matter varies with the employee's level within the organization and job responsibilities.
- Training should include security awareness, organizational policy, system operation and record storage requirements.
- Training should be documented.
