monitoring of such systems. The Department of Defense Records Management Program under directive 5015.2 regulates automated record management systems used by the Department of Defense [24]. Food and Drug Administration 21 CFR Part 11 [27] places controls over records of trials of potential medicines. The Family Educational Rights and Privacy Act [25] requires long-term trustworthy storage of student records from elementary school through the university level. The Occupational Safety and Health Administration requires that records on employee exposure to dangerous substances be kept for 30 years [37].
The European Parliament has issued several directives regarding the security and mandatory retention of electronic records. For example, Directive 2006/24/EC of the European Parliament regulates the retention of data generated or processed in connection with the provision of publicly available electronic communications services or public communications networks [33]. The Markets in Financial Instruments Directive (MiFID) regulates financial markets across Europe, and introduces strict requirements on electronic record-keeping [10]. In addition, there are country-specific laws that mandate secure records retention for businesses. For example, in the United Kingdom, the Companies (Audit, Investigations and Community Enterprise) Act of 2004 requires companies to adopt strict security measures to ensure the accuracy and integrity of financial records [28].
In Japan, the Financial Instruments and Exchange Law, nicknamed J-SOX, was promulgated in 2006 to regulate financial reporting [4]. It requires companies to automate their financial report audit process, and is applicable to Japanese companies as well as their foreign subsidiaries.
Many other countries have similar regulations in place. For example, in Australia, the Corporate Law Economic Reform Program Act of 2004 regulates auditing and corporate financial reporting [39]. In Canada, Bill 198 of 2002 (An Act to Implement Budget Measures and Other Initiatives of the Government, nicknamed C-SOX) regulates financial reporting [26]. In addition, the Ontario Securities Commission rule Multilateral Instrument 52-111 mandates management responsibility for reporting on internal control over financial reporting [40].
While each of the regulations mentioned above is designed for a particular application area and has its own unique features, a number of assurance criteria are common to many of the directives:

Guaranteed retention. Organizations must store records in a manner that prevents deletion of the records or tampering with their contents, even by insiders, for a regulation-mandated lifespan.

Long-term retention. The mandated retention periods are measured in years or even decades. For example, national intelligence information, educational records, and certain health records must be retained for over 20 years. Many mandated retention periods exceed the expected lifetime of today's storage devices.