Literary Warrant for Functional Requirement #9a
This requirement derives from the law, customs, standards and
professional best practices accepted by society and codified in the literature of different professions concerned with records and
recordkeeping. The warrant is as follows:
Citation 36 CFR PART 1234 -- ELECTRONIC RECORDS MANAGEMENT. Subpart C -- Standards for
the Creation, Use, Preservation, and Disposition of Electronic Records
Pages 1234.24
Extract Electronic records may be admitted in evidence to Federal courts for use in court proceedings
(Federal Rules of Evidence 803(8)) if trustworthiness is established by thoroughly documenting the
recordkeeping system's operation and the controls imposed upon it. Agencies should implement the
following procedures to enhance the legal admissibility of electronic records. (b) Substantiate that
security procedures prevent unauthorized addition, modification or deletion of a record and ensure
system protection against such problems as power interruptions.
Citation American Institute of Certified Public Accountants. Statements on Auditing Standards.
Communication of Internal Control Structure Related Matters Noted in an Audit. Appendix
Pages .2.
Extract Failures in the operation of the internal control structure [includes] ... Evidence of manipulation,
falsification, or alteration of accounting records or supporting documents.
Citation The Institute of Internal Auditors Research Foundation; Systems Auditability and Control, Module
8, Telecommunications, 1991
Pages 8-67
Extract One key risk to a network is unauthorized users gaining access to the network and trying to
execute applications or authorized users gaining access to applications for which they are not authorized.
The general risks posed to a network by an unauthorized user include unauthorized use of network
resources to transport data, modification or deletion of data, disclosure of data, and use of network
resources to deny legitimate use of services.
Citation Accredited Standard Committee; ASC X12 Standards: Draft Version 3 Release 3; published 12/92.
Volume 1: Control Standards, Transaction Set Tables, and Segment Directory; Document No. ASC
X12S/92-707
Pages 5
Extract 4 CONCEPTS OF AUTHENTICATION AND ENCRYPTION 4.2 THE AUTHENTICATION
PROCESS Authentication is a technique used to: * Verify the integrity of the message by detecting
changes (modifications) in a message (including transmission errors) introduced between the security
originator and the security recipient.
Citation Accredited Standard Committee; ASC X12 Standards: Draft Version 3 Release 3; published 12/92.
Volume 1: Control Standards, Transaction Set Tables, and Segment Directory; Document No. ASC
X12S/92-707
Pages 6
Extract Basic requirements for a secured business interchange include the need to detect attempts at
insertion, deletion, and replay of messages.
Citation Ian B. Gilhooley Information Systems Management, Control and Audit (Altamonte Springs, Fla.:
The Institute of Internal Auditors 1991)
Pages 94
Extract Information systems security is concerned with ensuring that data is protected against unauthorized
disclosure, modification or destruction, whether accidental or intentional.
Citation Ian B. Gilhooley Information Systems Management, Control and Audit (Altamonte Springs, Fla.:
The Institute of Internal Auditors 1991)
Pages 106
Extract ERRONEOUS RECORD KEEPING Given that the financial accounting record keeping for many
organizations is one of the key business applications run on the computer, any loss of data, distortion of
data, outdated information and human error would almost certainly result in erroneous record
keeping.
Citation Ian B. Gilhooley Information Systems Management, Control and Audit (Altamonte Springs, Fla.:
The Institute of Internal Auditors 1991)
Pages 296
Extract The data security audit in terms of the controls in place to protect the data processed by the
application system from unauthorized disclosure, modification or destruction, whether accidental or
intentional. The data security audit will have determined the adequacy of the control structure over data
files in general. The question is "are these controls in place and functioning for the application system
under review?"
Citation "Guideline for the Analysis of Local Area Network Security" Category: Computer Security;
Subcategory: Risk Analysis and Contingency Planning. Federal Information Processing Standards
Publication 191 (U.S. Department of Commerce/Technology Administration and National Institute of
Standards and Technology, 9 November 1994)
Pages 5
Extract Electronic mail (email), a major application provided by most LANs, replaces much of the
interoffice and even interorganizational mail that is written on paper and placed in an envelope. This
envelope provides some confidentiality between the sender and receiver, and it can even be argued that
the integrity of the paper envelope provides the receiver with some degree of assurance that the message
was not altered. Using electronic mail does not provide these assurances. Simple transfers on
unprotected LANs of inadequately protected electronic mail messages can be captured and read or
perhaps even altered. For some LANs, there can be no assurance that the message actually was sent
from the named sender. Fortunately tools such as encryption, digital signatures, and message
authentication codes help solve these problems and can help provide some assurance.
Citation "Guideline for the Analysis of Local Area Network Security" Category: Computer Security;
Subcategory: Risk Analysis and Contingency Planning. Federal Information Processing Standards
Publication 191 (U.S. Department of Commerce/Technology Administration and National Institute of
Standards and Technology, 9 November 1994)
Pages 13
Extract Because LAN users share data and applications, changes to those resources must be controlled.
Unauthorized modification of data or software occurs when unauthorized changes (additions, deletions
or modifications) are made to a file or program.
Citation "Guideline for the Analysis of Local Area Network Security" Category: Computer Security;
Subcategory: Risk Analysis and Contingency Planning. Federal Information Processing Standards
Publication 191 (U.S. Department of Commerce/Technology Administration and National Institute of
Standards and Technology, 9 November 1994)
Pages 22
Extract The data and message integrity service helps to protect data and software on workstations, file
servers, and other LAN components from unauthorized modification. The unauthorized modification can
be intentional or accidental. This service can be provided by the use of cryptographic checksums, and
very granular access control and privilege mechanisms. The more granular the access control or
privilege mechanism, the less likely an unauthorized or accidental modification can occur.
Citation "Guideline for the Analysis of Local Area Network Security" Category: Computer Security;
Subcategory: Risk Analysis and Contingency Planning. Federal Information Processing Standards
Publication 191 (U.S. Department of Commerce/Technology Administration and National Institute of
Standards and Technology, 9 November 1994)
Pages 23
Extract The use of electronic signatures can also be used to detect the modification of data or messages.
An electronic signature can be generated using public key or private key cryptography. Using a public
key system, documents in a computer system are electronically signed by applying the originator's
private key to the document. The resulting digital signature and document can then be stored or
transmitted. The signature can be verified using the public key of the originator. If the signature verifies
properly, the receiver has confidence that the document was signed using the private key of the
originator and that the message had not been altered after it was signed.
Citation "Procedures and General Requirements" 'NVLAP' National Voluntary Laboratory Accreditation
Program (U.S. Department of Commerce/Technology Administration and National Institute of Standards
and Technology, NIST Handbook 150)
Pages 26,27
Extract Where computers or automated equipment are used for the capture, processing, manipulation,
recording, reporting, storage or retrieval of calibration or test data, the laboratory shall ensure that: ...(iii)
procedures are established and implemented for protecting the integrity of data; such procedures shall
include, but not be limited to, integrity of data entry or capture, data storage, data transmission and data
processing;
Citation "Procedures and General Requirements" 'NVLAP' National Voluntary Laboratory Accreditation
Program (U.S. Department of Commerce/Technology Administration and National Institute of Standards
and Technology, NIST Handbook 150)
Pages 26,27
Extract Where computers or automated equipment are used for the capture, processing, manipulation,
recording, reporting, storage or retrieval of calibration or test data, the laboratory shall ensure that:... (v)
it establishes and implements appropriate procedures for the maintenance of security of data including
the prevention of unauthorized access to, and the unauthorized amendment of, computer records.
Citation "Computer Data Authentication" Category: ADP Operations; Subcategory: Computer Security.
Federal Information Processing Standards Publication 113 (U.S. Department of Commerce/National
Bureau of Standards, 30 May 1985)
Pages 3
Extract It is therefore desirable to have an automated means of detecting both intentional and unintentional
modifications to data. Ordinary error detecting codes are not adequate because, if the algorithm for
generating the code is known, an adversary could generate the correct code after modifying the data.
Intentional modification is undetectable with such codes. However, a cryptographic Data Authentication
Algorithm (DAA) can protect against both accidental and intentional, but unauthorized, data
modification.
Citation Cross-Industry Working Team. Electronic Commerce in the NII
Pages 5.1.2
Extract For electronic commerce, existing communications mechanisms (e.g., virtual circuits, routing and
addressing, datagram, mail, file transfer, hypertext transport, and image and other multimedia extensions) must be extended to incorporate *
reliable, unalterable message delivery that is not subject to repudiation
Citation Marcella, A.J. & Chan, S. EDI security, control, and audit. 1993.
Pages 98-99
Extract To demonstrate to a court that a computer-originated document is admissible evidence, taxpayers
(or their representatives) must fulfill four requirements. They must prove ... 4. That the system was
reliable enough to ensure accurate and complete recall of finalized documents and, in particular, that
there was no possibility that the document could be tampered with after their finalization.
Citation Johnson, P.L. ISO 9000: meeting the new international standards. 1993.
Pages 65-66
Extract The standard [ISO 9000] outlines a few guidelines for the facility's document control scheme: ... *
Quality records and documentation should be stored in a way to prevent damage, loss and
deterioration.
Citation Wright, B. The Law of electronic commerce. 1991.
Pages 105-106
Extract In simple form, the data controls in an electronic messaging system might be analyzed as follows:
... 4. Security features throughout the system to preclude intentional tampering with messages and
records.
Citation Federal Rules of Evidence Article IX. Authentication and Identification Rule 901
Extract Requirement of Authentication or Identification (8) Ancient documents or data compilation.
Evidence that a document or data compilation, in any form, (A) is in such condition as to create no
suspicion concerning its authenticity, (B) was in a place where it, if authentic, would likely be, and (C)
has been in existence 20 years or more at the time it is offered.