ISACA Journal
Volume 3, 2014

Features 

Electronic Documents Information Security Compliance 

Haris Hamidovic, Ph.D., CIA, ISMS IA, and Amra Hamidovic 

The increased use of technologies that allow electronic document storage and electronic communication with clients by governments and enterprises has led lawmakers and courts in many jurisdictions around the world to consider the legal status of such information and the legal effect of that communication. Legislators across the globe recognized the need for new laws to permit and ensure the admissibility of electronic information as evidence and, more so, to enable contracts to be concluded and administrative submissions and requests to be made in electronic form. Perhaps the most important of these is the United Nations Commission on International Trade Law (UNCITRAL) Model Law on Electronic Commerce.1 In one form or another, this law has been enacted in at least 31 countries.2 Other countries have adopted digital signature legislation, generally modeled on the UNCITRAL Model Law on Electronic Signatures, which also affects the use of electronic documents to establish business relationships and to interact with other entities and individuals.3

Certain legal requirements and obligations of institutions and legal entities need to be fulfilled to ensure the admissibility and reliability of electronic documents. According to the UNCITRAL Model Law on Electronic Commerce, “in assessing the evidential weight of an electronic document regard shall be had to the reliability of the manner in which the electronic document was generated, stored or communicated, to the reliability of the manner in which the integrity of the information was maintained, to the manner in which its originator was identified, and to any other relevant factor.”4

Failure to take appropriate information security measures regarding electronic documents might constitute a violation of legal obligations in some countries and result in fines. So, for example, under the Bosnia and Herzegovina Law on Electronic Documents,5 breaches, subject to fines of up to €7,500, include:6

  • Preventing verification of the authenticity and integrity of electronic documents
  • Archiving electronic documents in a form, and with technologies and procedures, that do not provide a reasonable guarantee of their authenticity and integrity for the entire storage period
  • Operating information systems whose protection of personal data is inadequate under the provisions of the law governing the protection of personal data

Compliance

To demonstrate compliance with legal requirements relating to the preservation of the authenticity and integrity of electronic documents throughout the entire electronic document life cycle, organizations should establish a documented risk-based information security management system (ISMS) and maintain records to confirm compliance. To ensure good record-keeping practices are followed to avoid problems with records acceptance in the event of litigation, an organization should periodically assess its practices and procedures.7

“Consistent use of a risk management strategy and assessment process will show outside assessors (and courts of law) that due diligence was completed and justification for any specific direction in technology implementation was documented. Will it resolve all liability and risk? No, of course not. Will it show due diligence and risk analysis? Absolutely.”8

Protection of Vital Electronic Records
Each organization must analyze its own operations and records to determine what information is vital to its continued existence. Once vital electronic records have been identified, the remaining records can then be classified as important or useful. Identified vital records and information require special protection from potential loss. Typically, only 3-7 percent of an organization’s electronic records would be classified as vital.9

The record types listed in figure 1 are examples of what might be considered in each classification. It is the responsibility of each organization to determine the classification of the records and information for that organization.10

Figure 1

Audit Trail
When preparing electronic records for use as evidence, it is often necessary to detail the storage date of the information, the movement of the information from one medium to another and the evidence of the controlled operation of the records management system (RMS). These details are known as audit trail information. The audit trail is a historical record of all significant events associated with the RMS.11

Procedures for audit trails and any changes to the accepted procedures must be documented in an RMS procedures manual.

Audit trails must contain sufficient and necessary information to provide evidence of the authenticity of stored records. The audit trail of an RMS shall consist of system-generated and operator-generated logs containing data about changes to the stored records. If the authenticity of stored records is questioned, the integrity of the audit trail may be fundamental in establishing the authenticity and, therefore, the evidentiary weight of the stored records.
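The following is an added illustration, not code from the article or from any RMS product, of how an RMS can keep the audit trail described above tamper-evident: each entry records an event the text names (storage date, migration to another medium, the operator) together with a digest of the record content, and is hash-chained to the previous entry so that later alteration of either a stored record or the trail itself is detectable. Record identifiers, operators and content are constructed sample values.

```python
import hashlib
import json

# Hypothetical hash-chained audit trail for a records management system (RMS).
# Each entry carries a SHA-256 digest of the record content plus the previous
# entry's hash, so a verifier can detect edits to records or to the log.

def record_digest(content: bytes) -> str:
    return hashlib.sha256(content).hexdigest()

def entry_hash(prev_hash: str, entry: dict) -> str:
    # Canonical JSON so the hash does not depend on dict ordering
    payload = json.dumps(entry, sort_keys=True).encode()
    return hashlib.sha256(prev_hash.encode() + payload).hexdigest()

def append_event(trail: list, record_id: str, event: str, content: bytes,
                 operator: str, medium: str, ts: str) -> dict:
    prev_hash = trail[-1]["hash"] if trail else "0" * 64  # genesis value
    entry = {"record_id": record_id, "event": event, "operator": operator,
             "medium": medium, "timestamp": ts, "digest": record_digest(content)}
    entry["hash"] = entry_hash(prev_hash, entry)
    trail.append(entry)
    return entry

def verify_trail(trail: list, store: dict) -> list:
    """Return a list of problems; an empty list means trail and records agree."""
    problems = []
    prev_hash = "0" * 64
    for i, entry in enumerate(trail):
        body = {k: v for k, v in entry.items() if k != "hash"}
        if entry_hash(prev_hash, body) != entry["hash"]:
            problems.append(f"entry {i}: chain broken (log entry altered)")
        prev_hash = entry["hash"]
    # The most recent event for each record must match the record as stored now
    latest = {e["record_id"]: e for e in trail}
    for rid, e in latest.items():
        if rid in store and record_digest(store[rid]) != e["digest"]:
            problems.append(f"record {rid}: content differs from last logged digest")
    return problems

def demo() -> tuple:
    # Constructed sample: one record stored, then migrated to tape, then altered
    store = {"CONTRACT-001": b"Loan agreement, signed copy (constructed sample)"}
    trail = []
    append_event(trail, "CONTRACT-001", "stored", store["CONTRACT-001"],
                 "alice", "disk", "2014-03-01T09:00:00Z")
    append_event(trail, "CONTRACT-001", "migrated", store["CONTRACT-001"],
                 "system", "tape", "2014-04-01T02:00:00Z")
    clean = verify_trail(trail, store)
    store["CONTRACT-001"] = b"Loan agreement, signed copy (altered after storage)"
    return clean, verify_trail(trail, store)
```

In a real RMS the trail would be written to append-only storage and the chain head periodically signed or time-stamped by a party independent of the operators, since a hash chain alone only proves consistency, not who wrote it.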

Conclusion

The laws pertaining to electronic documents in most countries are not sector-specific. The enactment of these laws means that all organizations will have to take appropriate measures to protect document integrity while using electronic documents in their ordinary course of business. Failure to take these measures is no longer just lack of due professional care, but constitutes a violation of legal obligations and can result in fines.

Application of such laws requires knowledge from various fields, including familiarity with a number of regulations that are directly or indirectly related to their provisions. Additionally, sound management of IT and information security is a prerequisite for their proper application.

Electronic records processing systems designed and implemented so that records cannot be altered or modified without audit trails and/or history logging can produce accurate results. Such systems must follow a well-documented business process demonstrating that the process used to create, store and access the records is reliable and contains appropriate levels of security for users and system administrators, preventing unauthorized access and/or deletion or modification of records.

No matter how strong its data security policies and controls are, an organization will not really know the adequacy of its defenses unless it continually verifies that its defenses are sound, uncompromised and applied in a consistent manner. To achieve such assurance, internal audit has to play a far more substantial role in evaluating information security practices or implementation than is often the case today.

Endnotes

1 The United Nations Commission on International Trade Law (UNCITRAL), Model Law on Electronic Commerce, 1996
2 Montana, John C.; John R. Kain; Kathleen Nolan, Legal Obstacles to E-Mail Message Destruction, ARMA International Educational Foundation, 19 October 2003
3 The United Nations Commission on International Trade Law (UNCITRAL), Model Law on Electronic Signatures, 2001
4 Op cit, UNCITRAL, 1996
5 This act established a legal basis for administrative bodies, local authorities, business enterprises and individuals to accept and use electronic documents in their work and daily operations. The act is fully harmonized with related European Union (EU) legislation and current global best practice. Its adoption is in line with the directives of the European Union, under which Bosnia and Herzegovina must create all preconditions for electronic access to information and e-commerce.
6 Official Gazette of the Federation of Bosnia and Herzegovina, “Law on Electronic Documents,” no. 55, 17 July 2013
7 AIIM International, AIIM TR31-2004, Legal Acceptance of Records Produced by Information Technology Systems, 2004
8 Tester, Darlene; “Is the TJ Hooper Case Relevant for Today’s Information Security Environment?,” ISACA Journal, vol. 2, 2013
9 Hilliard, Mary; “Vital Records,” ARMA Austin RIM 101, 15 June 2010, http://austin.arma.org/docs/publications/2011/08/09/20100616_Vital_Records_Workshop.pdf
10 ARMA International, ANSI/ARMA 5-2010, Vital Records Programs: Identifying, Managing, and Recovering Business-Critical Records, 2010
11 Canadian General Standards Board, CAN/CGSB-72.34-2005, Electronic Records as Documentary Evidence, 2005

Haris Hamidovic, Ph.D., CIA, ISMS IA, is chief information security officer at Microcredit Foundation EKI, Sarajevo, Bosnia and Herzegovina. Prior to his current assignment, Hamidovic served as IT specialist in the North American Treaty Organization (NATO)-led Stabilization Force in Bosnia and Herzegovina. Hamidovic is a certified IT expert appointed by the Federal Ministry of Justice of Bosnia and Herzegovina and the Federal Ministry of Physical Planning of Bosnia and Herzegovina.

Amra Hamidovic is a legal advisor with extensive experience in the Organization for Security and Co-operation in Europe (OSCE). She closely follows the developments of jurisprudence before the domestic courts on the protection of private data and use of electronic document legislation in Bosnia and Herzegovina.
