Victorian Electronic Records Strategy


VERS STORY	STANDARD	ASSESSMENT	PROJECTS	DIGITAL ARCHIVE	TRAINING	TOOLKIT	PUBLICATIONS

Introduction

Standard
(Version 1)
  Specification 1
  Specification 2
  Specification 3

Standard
(Version 2)
  Specification 1
  Specification 2
  Specification 3
  Specification 4
  Specification 5
  Advice 9
  Advice 10
  Advice 11
  Advice 12
  Advice 13
  Advice 14

Home > Standard > Standard (Version 2) > Advice 10 > Documenting the history of records and folders (Specification 1, section 2.6)

3.6 Documenting the history of records and folders (Specification 1, section 2.6)

The system must be capable of recording all events that affect records and folders.

Events that must be capable of being recorded include:

creation (registration) of records
import of records into the system
any modifications that affect the content of records (for example addition, deletion or modification of content)
any modifications that affect the metadata of a record (for example changing the description of a record)
changes in the classification of a folder or refiling of a record
sentencing and disposal/destruction of folders or records
export (transfer) of records from the system.

Events that are optional but should be capable of being recorded include:

any preservation actions on a record, such as migration, conversion to another format, or refreshing
any changes in policies that affect records or folders (e.g. changes in disposal or access control policies)
any decisions taken about records or folders, even if they do not result in a change (e.g. the result of a disposal review even if the decision is to keep the records or folders).

An audit trail must be maintained even if the records are protected by a digital signature, as the signature only protects the integrity of the record, while the audit log provides evidence if the record is destroyed. In systems where the records are not protected by a digital signature the audit log also provides the evidence of integrity.

The audit trail may be destroyed once the record has been disposed of (by destruction or transfer), but the fate of the record must be documented. This documentation will include the officer authorising the disposal, when the record was disposed of, and details of its fate (e.g. where the record was transferred to). This may be done at a summary level; for example, the fate of all the records in a folder may be documented in the folder history. When a recordkeeping system is decommissioned, the fate of all the records and folders held by it may be documented in a report held as a record in another recordkeeping system.

Conformance to this point is achieved by the recordkeeping system vendor demonstrating that it is possible to record the mandatory events listed above.

All accesses to records or folders must be capable of being logged.

The log will include what records or folders were retrieved, the identity of the user retrieving the records or folders, and the time of retrieval. This allows unauthorised access to records or folders to be detected.

Conformance to this point is achieved by the recordkeeping system vendor demonstrating that it is possible to log accesses.

It must not be possible for any users, records managers, or system administrators to modify the audit log without a record being made of the modification.

If an audit log can be modified without a record being kept of this modification, no trust could be placed in the audit trail. Modifications include complete or partial deletion of the audit log.

Conformance to this point is discussed in section 3.2.

printer friendly