Review legal requirements and responsibilities relating to the development and use of resources

Learning Outcomes

1. Understand the purpose and use of resources in own specialist area

1.1. Explain the purpose of resources in teaching and learning.

1.2. Evaluate the effectiveness of specific resources from own specialist area in meeting individual learning needs.

2. Be able to develop and use inclusive resources in own specialist area

2.1. Analyse principles of resource design.

2.2. Evaluate sources that inform resource development in own specialist area.

2.3. Analyse how theories, principles and models of inclusive curriculum design can be used to inform resource development in own specialist area.

2.4. Analyse ways in which resources can be adapted to enable an inclusive approach in own specialist area.

2.5. Design resources, including those that involve new and emerging technologies, to engage and meet the individual needs of learners in own specialist area.

2.6. Employ resources to engage and meet the individual needs of learners in own specialist area

3. Understand how to organise and enable access to resources

3.1. Explain ways in which resources can be classified and stored.

3.2. Review ways of sharing resources with other learning professionals.

4. Understand legal requirements and responsibilities relating to the development and use of resources

4.1. Review legal requirements and responsibilities relating to the development and use of resources.

4.2. Analyse the implications of intellectual property rights and copyright for the development and use of resources.

5. Be able to evaluate own practice in relation to development and use of resources in own specialist area

5.1. Evaluate the effectiveness of own design and use of resources to engage and meet the individual needs of learners in own specialist area.

5.2. Identify own strengths and areas for improvement in relation to development and use of resources in own specialist area.

5.3. Plan opportunities to improve own skills in development and use of resources in own specialist area.

Third-Party Risk Management

Timothy Virtue, Justin Rainey, in HCISPP Study Guide, 2015

Risk assessment

While legal requirements will vary based on local and regional regulations, generally risk assessments are triggered when a third party will process, store, and/or transmit personal health information or by contractual requirements. However, in order to conduct these assessments, a covered entity will need an agreement in place with a third party that addresses:

Assessment scope (what information is required to complete the assessment, will an on-site inspection of controls be required, etc.);

Notification requirements (will the third party receive 30/60/90 days’ advance notice of an assessment);

Roles and responsibilities for conducting an assessment (will the assessment be performed by the covered entity or an independent third party);

Frequency assessments will be performed (annually, biannually, on request, etc.); and

Remediation of findings (how will remediation be handled, will findings trigger a right to terminate agreement for cause if not remediated, etc.).

URL: https://www.sciencedirect.com/science/article/pii/B9780128020432000070

Generic Archiving Methodology

Jack E. Olson, in Database Archiving, 2009

Organizational policy

In addition to legal requirements, there could exist policies in the enterprise that dictate what gets saved beyond its operational life. The organizational policy might require a retention period for more than or less than the legal requirements.

An example is your credit card company that tells you that you can expect to get detailed transaction information for up to six months after the transaction occurs. After that, you are out of luck. How long does a bank promise you access to detailed information? How long can you expect an insurance company to keep records on your claims? These questions are answered through policies established by the company and available to you on request.

Consider educational institutions. How long do they keep data on students, courses taken, and grades received? The policy of most schools is to retain this data forever, even though no law says they must. Forever is a long time. This is an example of a retention period that I call indefinite, which has special implications on the rest of the archiving decisions that will be made later.

URL: https://www.sciencedirect.com/science/article/pii/B9780123747204000030

Globalization

Jennifer DeCamp, in Encyclopedia of Information Systems, 2003

Some countries have legal requirements that if a company is going to market products in that country, the software and/or documentation must be in certain languages. For instance, Belgium has a requirement that all software and documentation be provided in French, English, German, and Dutch. Canada has a similar requirement for French and English. Moreover, international organizations such as the North Atlantic Treaty Organization (NATO) and the United Nations (UN) have mandatory requirements for specified sets of languages. These markets are closed to companies that do not meet the localization requirements.

URL: https://www.sciencedirect.com/science/article/pii/B0122272404000800

IT Audit Drivers

Stephen D. Gantz, in The Basics of IT Audit, 2014

Operational effectiveness

In contrast to legal and regulatory requirements and certification of compliance with standards, operational effectiveness objectives represent primarily internal drivers for organizations. Operational effectiveness is a core objective of enterprise and IT governance where organizations seek to maximize the efficient use of resources in their business operations and to improve quality, productivity, or competitive positioning in markets in which they participate. Many well-accepted organizational management theories consider an organization’s ability to effectively use resources to be a source of competitive advantage, particularly where operational effectiveness includes capabilities enabling an organization to rapidly adapt to changing customer requirements or environmental factors [32,33]. These and other motivations lead organizations to establish formal governance, quality management, and process improvement functions, each of which relies to some extent on effective internal IT auditing. Organizations often pursue operational effectiveness by following governance frameworks such as COBIT or quality management approaches such as Six Sigma, Total Quality Management, or activities described in standards such as ISO 9004 [34] and ISO 15504 [35].

URL: https://www.sciencedirect.com/science/article/pii/B9780124171596000079

Property Management

Lawrence J. Fennelly CPOI, CSSI, CHL-III, CSSP-1, Marianna A. Perry M.S., CPP, CSSP-1, in Physical Security: 150 Things You Should Know (Second Edition), 2017

64 Data Center and Server Security

Data center and server security is a critical operation for any organization because of the need for effective storage of confidential and valuable information. A data breach can be devastating to organizations, regardless of their size. Business partners and customers may lose their confidence that the organization can keep confidential information confidential, and this in turn may result in financial losses.

When determining the level of security for a new or existing data center or server room, a risk assessment must be conducted to assess both the data stored and the equipment in the facility using an impact versus likelihood approach. The assessment will be the basis for adequate security against potential threats. Part of the data center or server security process also involves quickly identifying a breach and then containing it as soon as possible.

The following are industry standards and legal requirements for organizations that safeguard sensitive or confidential data:54

SSAE 16: Statement on Standards for Attestation Engagements (SSAE) No. 16 replaces the previous Statement on Auditing Standards (SAS) No. 70. The SSAE 16 is widely recognized as an auditing standard developed by the American Institute of Certified Public Accountants. Adequate controls and safeguards are required when hosting or processing data belonging to customers. These controls may include physical security requirements such as two levels of authentication for electronic access, “man traps” on the data center floor, and a process for individuals requesting access.

Section 404 of the Sarbanes-Oxley Act of 2002 makes SSAE 16 more important for reporting the effectiveness of internal controls over financial reporting.

ANSI/TIA-942: This standard is recognized throughout the industry for data center infrastructure requirements to provide information to planners regarding the protection of data center/server assets by utilizing physical security as well as fire prevention. It recognizes the importance of providing manageable access control to data center facilities and monitoring of people and their actions. Using the Uptime Institute Tier framework as a basis, the ANSI/TIA-942 Standard makes recommendations on the facilities specifications and improving the physical security of the data/server center. These include criteria such as video surveillance recording frame rates, access control levels, and hardware and site selection. There are recommended specifications by tier as a uniform way to rate aspects of a data center design utilizing qualified architects and engineers.

The Health Information Security Rule Safeguard Standards and Payment Card Industry Data Security Standard mandate that certain access restrictions be in place for data/server center facilities and also require the reporting and auditing of access be provided. There are also directives from the Department of Homeland Security if the data are deemed vital to national and economic security.

The following are some basic principles for data center and server security:55

Do not identify the building as the “Data Center” or the room as the “Server room.” Identify by number and/or address only.

There should be four sources for utilities—electricity, water, voice, and data. Trace electricity sources back to two separate substations and water back to two main lines. The lines should be underground and come into different areas of the building. Utilize the anticipated power usage as leverage for accommodating the building’s special needs.

Use concrete walls to secure generators located outside the building.

The walls should be constructed of 1-ft-thick concrete to be effective barriers against the elements and explosive devices.

Avoid windows completely or only have them in the break room or administrative area and ensure that they are double glazed or shatter resistant.

Control access to the parking lot with permanent security officers and a guard house. The gated entry can be opened remotely or through the use of retractable bollards. A winding entry route will limit the speed of vehicles approaching the facility.

To protect from vehicles, install bollards or planters around the perimeter of the building.

Limit access points to the building—one main entrance in front and a rear entrance with a loading dock in the rear.

Utilize anti–pass-back and mantraps. Tailgating (following someone through a door before it closes) is one of the ways that an unauthorized visitor can gain access into a data center. By implementing mantraps that only allow one person through at a time, you force visitors to be identified before allowing access.

Fire doors should be exit only and equipped with intrusion detection, a propped door alarm, forced door alarm, as well as open/close alarms.

The perimeter of the building and the entry/exit points should be monitored by video surveillance. Access points throughout the building interior should also be monitored.

All contractors, vendors, and repair personnel should be escorted and accompanied at all times while on the property.

Ensure that the HVAC system has the capability to recirculate air rather than drawing it in from the outside, if necessary. This will protect building occupants and equipment should a biological, chemical, or radiological agent be introduced. You may also want to consider monitoring the air in the building.

In the secure areas of the data center, ensure that the walls run from the slab ceiling to the subflooring where wiring is typically housed. Ensure that drop-down ceilings do not provide hidden access points.

Use two-factor authentication. Biometrics is becoming the standard for access to sensitive areas of data centers. Hand geometry or fingerprint scanners are considered less invasive than retinal scanners.

Ensure you are utilizing layered security. For example, at the front door, use a card reader and entry code panel. At the inner door, ensure that the visitor area is separated from the general employee area. At the “data” location, use strict controls, such as a floor-to-ceiling turnstile to prevent piggybacking or a “mantrap” consisting of two separate doors with an airlock in between so only one door can be opened at a time.

The door to the computer processing room, where servers or mainframes are located, is usually the layer that has the strongest “positive controls.” Control and track access.

At the door to an individual server cabinet, racks should have lockable front and rear doors that use a three-digit combination lock as a minimum. This is a final check, once someone has access to the data floor, to ensure they only access authorized equipment.

Do not allow food or drinks in the computer rooms, so ensure there is a common break area.

Install visitor rest rooms so that visitors, contractors, or repair persons do not have access to the secure areas in the building.

URL: https://www.sciencedirect.com/science/article/pii/B9780128094877000012

Design for a Global Audience

Whitney Quesenbery, Daniel Szuc, in Global UX, 2012

Language: A First Step in Localization

Getting the basic language right, with the correct spelling and vocabulary, and correct currency, date, and time formats is just a first step in localization. “You can’t worry about the subtlety and persuasion of the text unless you have the text translated into the correct language in the first place,” Chris Rourke reminded us. Errors in language can be subtle, such as a slight change in emphasis or an unusual word choice, but they can also create a complete change in the meaning, in the way date format errors do: 7/1/2011 might mean January 7th or July 1st, and the real meaning often cannot be inferred from the context.

There are also political nuances to how language is used in an interface. When she worked on a multinational project to test predictive text entry on mobile phones, Silvia La Hong says they found that on the Arabic language prototypes, typing the letter “I” caused the system to suggest the word “Israel,” not the best choice in the current political environment of the Middle East.

Choosing the languages for localization can be a legal requirement in countries with more than one official language, such as Switzerland, New Zealand, or Canada. It can also make a statement about your commitment to a language or cultural group. The US version of PayPal, for example, has English, Spanish, French, and Chinese versions. It can be a powerful statement for countries or cultural groups that are small and do not often get localized versions.

Figure 9.5. Viki Teinaki shared this screenshot on Twitter. She says that it is unusual to see a language option for New Zealand, especially when the only other options for English are US and UK. She guessed that this was an app from a company in her own country.

There are also variations within a language: French is spoken differently in Canada, France, and Haiti, for example. In the United States, there are many variations of Spanish, so sites either have to appeal to one of the Latino language groups or have to find a neutral language that is not biased toward one group over the other. For the National Cancer Institute, for example, this is not just a matter of voice and tone—there are different words for key medical terms that are important on that site.

URL: https://www.sciencedirect.com/science/article/pii/B9780123785916000096

Health and Safety Procedures

David Watson, Andrew Jones, in Digital Forensics Processing and Procedures, 2013

It is essential that the Forensic Laboratory identifies all relevant legal and regulatory requirements for OH&S within the jurisdiction and that these are all taken into consideration when the OH&S Management System is being implemented and operated. This is defined in Chapter 12, Section 12.3.13.1. The Forensic Laboratory ensures that they at least meet the minimum requirements and they aim to exceed them wherever possible and continuously improve their OH&S Management System.

Within many jurisdictions there are different legislative and regulatory OH&S requirements that may affect the Forensic Laboratory. They may have different requirements in performing tasks such as risk assessments or to provide protection for different people (e.g., employees, members of the public, etc.). Top Management must ensure that they are aware of such differences, and it is imperative that a competent external resource is used to provide specialist advice.

Top Management must also ensure that they maintain the list of applicable legislation and regulations and that their OH&S Management System is updated to ensure compliance with any relevant changes, as defined in Chapter 12, Section 12.3.13.1.

Some examples of drivers for OH&S are given in Appendix 4.

All the Forensic Laboratory employees must be made aware of these requirements, as must anyone else who may be affected by the work that the Forensic Laboratory carries out.

URL: https://www.sciencedirect.com/science/article/pii/B9781597497428000170

30th European Symposium on Computer Aided Process Engineering

Patrick D. Schiermoch, ... Sebastian Engell, in Computer Aided Chemical Engineering, 2020

1 Introduction

The European industrial landscape is faced with challenging changes in legal requirements and ambitious goals regarding emissions and the consumption of resources. Furthermore, the European market is driven by high pressure induced by the strong competition due to the imports from the Middle East and North America and a soft demand. To survive in a competitive market the industry is constantly developing methods to uncover improvement potentials and increase the cost and resource efficiency. However, due to high costs that are bound to retrofitting of mature processes or investments into new processes, the industry in Europe pursues alternative methods of process improvements. One commonly used tool to improve the performance of processes is advanced process control (APC). However, APC solutions are usually bound to high investments. Another approach that is commonly found to improve processes is the development of first principle models. The development of these requires expert knowledge of the processes and is time intensive. A less cost intensive approach is the use of resource monitoring and energy dashboards which have been reported by Sučić et al. (2015) for building complexes and by Rahimi-Adli et al. (2019) for chemical processes. They use historical data that is prevalent in the process industry to develop baseline models for resource efficient plant operation under the given circumstances. These models are incorporated into dashboards that indicate target values for the resource efficiency to the plant operators. However, the reasons for deviations of the current plant operation from these baseline values are not always straightforward and the performance improvement depends on the experience and the training of the operators.

In this paper a concept is developed that uses historical data and statistical methods to gain insight into the process and reasons for deviations from the baseline to facilitate the transition to more resource efficient process operation.

This concept is applied to an industrial case at INEOS in Cologne, where dashboards are used to monitor the resource efficiency of the production plants of the site. The approach is used as a decision support tool to return reference values for the degrees of freedom of a process that can be used by plant operators to increase the resource efficiency significantly.

URL: https://www.sciencedirect.com/science/article/pii/B978012823377150313X

Secure Working Practices

David Watson, Andrew Jones, in Digital Forensics Processing and Procedures, 2013

The Forensic Laboratory information systems must comply with all required legal and regulatory requirements by implementing the following processes and procedures:

identifying applicable legislation and regulation within the jurisdiction;

protecting intellectual property rights within the jurisdiction;

safeguarding the Forensic Laboratory forensic case processing and general business records;

information protection and privacy of personal information;

preventing misuse of information systems;

collecting evidence for compliance;

regulation of cryptographic controls within the jurisdiction.

12.3.13.1.1 Identifying Applicable Legislation

All relevant statutory, regulatory, and contractual requirements are defined in various Forensic Laboratory documentation in the IMS including policies, standards, procedures, contracts, and project documentation.

A list of these is maintained by the Information Security Manager in the SoA document, as given in Appendix 1 and by the General Counsel for all contractual obligations that need to be met, specifically in the areas of information security and Service Level Agreements (SLAs).

Changes to this list are maintained by the Information Security Committee, where the General Counsel is a member.

12.3.13.1.2 Protecting Intellectual Property Rights

The Forensic Laboratory must ensure that it meets all legislative and licensing requirements for all intellectual property rights for any third party suppliers (e.g., Software Developers as well as publishers of printed or electronic documents). In this context, “Software” means computer instructions or information that is stored electronically. The Forensic Laboratory will have contracts and licenses with software vendors, which enable the use of their software by specific groups of computer users or for specified applications. These contracts acknowledge the ownership of the copyright in the software. The use of such software outside the terms of the contracts is prohibited.

As well as respecting the rights of third parties whose copyright material the Forensic Laboratory uses, it must ensure that any third party that uses its copyright material also respects those rights.

The following controls shall be in place for the Forensic Laboratory using third-party copyright material:

all software and other intellectual products are only purchased from reputable sources;

unless authorized by the Copyright Owner, software cannot be copied to another location;

software cannot be loaned for use outside the department for which it is licensed, where appropriate;

software manuals and other documentation may only be copied in accordance with the provisions of the license agreement;

books and journals are usually subject to copyright legislation and this must also be met. The requirements vary by jurisdiction, and the Forensic Laboratory must ensure that it meets the relevant requirements;

Forensic Laboratory funds cannot be used to purchase software that has been copied without approval of the Copyright Owner (i.e., pirated software);

illegally copied software from any source cannot be run on the Forensic Laboratory computers;

“shareware” must also be used only in compliance with the shareware agreement accompanying the software.

A software register shall be maintained by the Forensic Laboratory IT Department to ensure that the Forensic Laboratory complies with its legal requirements in relation to its Intellectual Property Rights obligations. The register should include details of site-licensed software, Original Equipment Manufacturer software, and software acquired from authorized sources. Software license management software shall also be used to audit software installation throughout the Forensic Laboratory.

The minimum level of information required for each software application is given in Appendix 3.

The Forensic Laboratory must regularly perform audits on software to ensure that no unauthorized software is installed and used on its information processing systems. The process for this is:

1. Each year the IT Manager authorizes a software audit on a randomly selected sample of information processing devices or all devices, as appropriate.

2. The Information Security Manager performs the audit and compares the results with the asset register.

3. The IT Manager and the Information Security Manager investigate any discrepancies.

4. Discrepancies are raised as incidents.

5. Where discrepancies are found, discussion with the relevant individuals and/or Line Managers is undertaken; where a justifiable business requirement is identified, the Finance Department is authorized to purchase additional licenses to ensure compliance.

6. If there is no business justification identified, disciplinary action may be considered against the employee who has installed the software.

7. Software found on information processing equipment for which no evidence of purchase can be found must be removed immediately, unless it is validated through purchase of new license(s).

12.3.13.1.3 Safeguarding the Forensic Laboratory Records

The Forensic Laboratory will need a number of controls and processes in place to protect physical and electronic records from loss, destruction, and falsification.

The following controls should be considered:

record retention periods are determined by the legislative, regulatory, and contractual requirements;

all Forensic Laboratory records are categorized into specific record types, with each type having its own retention period;

storage and handling procedures are managed using the ERMS;

original physical records are all stored in the document registry, with scanned copies being placed in the relevant virtual case or business file held in the ERMS. The ERMS is regularly backed up to prevent information loss;

all electronic records are subject to the in-house file naming convention implemented in the Forensic Laboratory, as given in Chapter 4, Appendix 39;

record disposition should take place according to the procedures in Section 12.3.14.10.3.2.

12.3.13.1.4 Data Protection and Privacy of Personal Data

The Forensic Laboratory must ensure compliance with all legislative, regulatory, and contractual requirements relating to information protection and the privacy of personal information.

Personal information is any kind of information that can be used to identify a specific individual. Personal information includes information such as Client contact details, forensic case records, and employment records—in fact, all types of personal information that needs to be collected, processed, and retained during the normal course of the Forensic Laboratory business.

Personal information can be found in electronic format, such as voice and number information stored on a phone or information on mobile computing devices and desktop computers (including e-mail). It may also be retained in physical records, such as filing systems, diaries, card indexes, and even photographs.

Different jurisdictions have different requirements for information protection and the privacy of personal information, and the Forensic Laboratory must ensure that these are met.

12.3.13.1.5 Preventing Misuse of Information Systems

The Forensic Laboratory’s information processing facilities are for business use only. Limited personal use of Internet facilities may be permitted, but not from forensic case processing equipment. The use of any Forensic Laboratory information processing systems for non-business purposes is minimal. Excessive activity and specific activity are regularly monitored to detect and prevent abuse of the privilege. The following controls shall be in place:

all Forensic Laboratory employees are provided with business specific accounts related solely to their role in the Forensic Laboratory;

when an employee logs in, a message is displayed on the screen, stating that this is a Forensic Laboratory owned system and unauthorized access is not permitted—the employee must accept the message on the screen in order to continue with the log-on process. The Forensic Laboratory log-on banner is given in Appendix 5;

usage monitoring is performed on all the Forensic Laboratory information processing systems, including Internet and e-mail facilities.

12.3.13.1.6 Collecting Evidence for Compliance

The Forensic Laboratory has a number of controls in place for collecting evidence of compliance if a problem arises with legal implications. Evidence is collected to ensure that any action taken against a Forensic Laboratory employee or any third party follows the appropriate procedures.

Note

The responsibility for defining the evidence gathering processes lies with the following:

Information Security Manager;

Human Resources Manager;

General Counsel;

IT Manager;

Other Managers whose operations may be affected by the evidence collection process.

The Human Resources Department will be the lead department for employee disciplinary matters.

In general terms, the incident response procedures used by the Forensic Laboratory should be followed, as defined in Chapter 7, Section 7.4.1, and Chapter 8.

The following controls are in place:

all evidence collection must conform to the rules for evidence laid down in the relevant law or in the rules of the specific court in the jurisdiction;

all evidence collected must comply with the following rules:

admissibility of evidence—the Forensic Laboratory information processing systems must comply with all published standards and codes of practice for the production of admissible evidence so that it can be used in Court;

weight of evidence—the Forensic Laboratory information processing systems will be designed so that a trail of evidence can be followed for both physical and electronic records independent of the media on which it is held;

adequate evidence—the Forensic Laboratory information processing systems must have controls so that storage and processing of information is consistent throughout the period that evidence can be recovered.

12.3.13.1.7 Regulation of Cryptographic Controls

The Forensic Laboratory must ensure that the use of cryptographic controls complies with all legal requirements for the jurisdiction. All cryptographic controls must be purchased and licensed from reputable sources.

URL: https://www.sciencedirect.com/science/article/pii/B9781597497428000121

The archive

Hans Hofman, in Archives, 2005

Record-creating entity and records management policies

Organizations should define, document and maintain a records management policy. It is important that the highest level of management endorses such a policy. This is not new. Bureaucracies have long had organizational policies to keep control of administrative rules and procedures and the records that will be received and produced.

How strict these policies are depends not only on business and legal requirements and on risk assessment, but also on cultural aspects and traditions. In Germany, for instance, they will be different from those in Australia. The long-standing Prussian administration consists of solid rules for creating, registering, and organizing records, which fit with Prussian tradition and are in line with the existing conventions for communication and the view on government.17 In general, government organizations will have recordkeeping policies that are different from companies; small businesses will have policies, if they have any at all, that are different from those of big multinational companies; pharmaceutical companies will have different policies from those of the automotive industry; organizations in general will differ from private persons; and so on. Government organizations are much more open to outside control, laws and regulations. Accountability is an issue and the public demand for openness of governments is, increasingly, a factor. The way recordkeeping is carried out will differ between democracies and dictatorial states. So societal, cultural, and/or legal context exerts great influence on recordkeeping practices and, subsequently, on the archives. Business companies generally only preserve their records if needed for legal reasons or for conducting their business.

In general, an organization deals with records in two ways: it may determine what records should be made and kept, and also what should be done with the records and how they should be managed, e.g. access and appraisal. The practice of including decisions about what records should be made in policy considerations reflects a shift in thinking based upon the impact of information technology on record creation and recordkeeping. The nature of digital records requires a much more pro-active attitude to avoid the risk of losing information and records. Measures, therefore, have to be taken in the design stage of information systems.

The objectives of a recordkeeping policy are to ensure that authentic, reliable and usable records are created in line with business needs. Those records also need to be kept and managed as long as required. Recordkeeping policies should be translated into recordkeeping programs that include rules, criteria, methods, comprehensiveness, systematic procedures, and requirements about capturing, appraising, organizing, maintaining, preserving, and accessing the records received and created. In order to understand an archive and what it purports to be, it is necessary that this recordkeeping program or ‘regime’ is properly documented.

In the real world, however, recordkeeping practices have their ‘own life’. The human factor and the inherent cultural context influence the application of rules and requirements, so it is necessary to monitor implementation, a role sometimes undertaken by auditors or inspectors. At each operation there may be mistakes or failures, or even deliberate action to subvert the rules. This applies to the creation, the capture, the selection and the management of records. Will all records that should be created, be created? Will all records that are created, be captured? And, finally, will all captured records be properly managed, selected, and if necessary, disposed of, or, alternatively, preserved as long as required? Evidence about these actions is, indeed, found in the ‘archive’. In an electronic environment rules, criteria and requirements may be more easily incorporated into systems, either business or records systems, but, even there, human behaviour may not be restricted by these rules and their implementation in system constraints. There will always be a gap between the ideal and the real situation. It is up to an organization, that is the responsible person(s) and its records managers, to keep that gap as small as possible.

It is, therefore, important to assign the right responsibilities to appropriate people, and, subsequently, to keep them accountable. This does not apply only to records managers, but to all employees of an organization. Initially, somebody with appropriate authority should be given overall responsibility. This person takes care of matching the internal organizational and business needs with external requirements, that is the legal context or co-ordination with related institutions, or the market, and of translating the results of this analysis into a recordkeeping policy. In this sense, the archive is positioned at the crossroads of internal and external needs. The extent to which this is relevant depends on the nature of the business in which the record-creating entity is involved. This activity will be ongoing, because the organization and the organizational context will change. Therefore the recordkeeping policy and subsequent documents need to be regularly revised and updated. It is important that this is done in a policy cycle consisting of four main activities: defining and establishing; implementing; auditing; and reviewing.

One element of the recordkeeping regime is to identify the information systems that enable business processes and to assess to what extent they have or should have a role in recordkeeping. Decisions involve determining whether or not recordkeeping functionality has to be integrated in a business system or kept separate in recordkeeping systems. Relationships between these systems have to be identified and if necessary established. To what extent, for instance, can, and should, recordkeeping metadata about the business process or workflow be extracted from other systems?

Another element is the need to assess how long records should be kept, not simply for a single business process, but also for the organization as a whole. The needs of a single business process will be different from those of the organization. Here the concept of an organizational or internal corporate memory is relevant. Recently there has been a tendency to see records or the archive as an important information source that should be part of knowledge management policies. One aspect of recordkeeping policies at the organizational level may include the issue of unlocking this information asset. Integration of the archive into the other domains of information is then necessary, so it becomes part of a wider view. Multinational companies or government organizations, for instance, have intranet environments with huge amounts of information, of which records could and will be part as well. The rather vague notion of ‘content management’ is often seen as a possible approach to manage and make the information sources accessible. It makes us aware of other possible approaches that may have a relationship with recordkeeping, such as knowledge management, information management, document management, and so on. These may not be well-defined domains, but they tell us about how other disciplines are looking at information resources and their management. It is therefore important to position recordkeeping in relation to them.


URL: https://www.sciencedirect.com/science/article/pii/B9781876938840500068

More Definitions of Legal Requirement

Legal Requirement means any treaty, convention, statute, law, regulation, ordinance, license, permit, governmental approval, injunction, judgment, order, consent decree or other requirement of any governmental authority, whether federal, state, or local.

What are the sources of informing resource development?

Evaluate sources that inform resource development: Characteristics of individual learners/target group, learning needs and preferences, media, subject specialist requirements and developments (e.g. trade shows, best practice seminars, exhibitions, networking), evaluation theory (e.g. Brookfield's lenses).

How can we use resources effectively in the classroom?

Effective educational resources:

1. have a clear instructional purpose.
2. make positive connections with learners' knowledge, experience, and identity.
3. build knowledge about what is required for achieving particular tasks.
4. are engaging.
5. support the use of assessment to enhance learning.

What is the relevance of using resources within the learners' environment for teaching?

The role of resources is to provide a source of learning experience for our learners, assisting the process of interaction between students and teachers during the teaching/learning process. At the same time, they help students to learn and increase their experience, meeting different learning needs.