Three requirements for authenticity
The requirements for authenticity of electromagnetic records in the so-called “ER/ES Guidelines,” which came into effect on April 1, 2005, are as follows
3.1.1. Authenticity of electromagnetic records
The electromagnetic record must be complete, accurate, and reliable, and the responsibility for its creation, modification, and deletion must be clear.
To ensure authenticity, the following requirements must be met.
（１）The rules and procedures for maintaining the security of the system are documented and properly implemented Security is to be maintained.
（２）The creator of the saved information must be clearly identifiable. In addition, when the once saved information is changed, the information before the change is also saved and the person who made the change can be clearly identified. It is desirable that audit trails are automatically recorded and that the recorded audit trails can be checked using a predefined procedure. The recorded audit trail should be verifiable by a predefined procedure.
（３）Electromagnetic records backup procedures are documented and properly implemented.
In other words, the three requirements for authenticity are as follows
- audit trail
There are two types of security: physical and logical.
Physical security refers to locking controls in rooms, cabinets, etc. It is.
Records of entry and exit are important. Not only the time of entry, but also the time of exit must be recorded each time. This includes even if the person leaves the room temporarily for a break or other reason.
Logical security would be the management of user IDs, passwords.
Incidentally, at least two types of information are required to authenticate a person: publicly available information and non-public information.
For example, the keyhole of a house is visible to everyone, but only the residents have the key that fits that keyhole. Also, the account number of a bank account is visible to everyone, but only the resident should know the password to the cash card.
Thus, for information that is publicly available, only those who have knowledge of non-public information are the person in question.
Now, we assume that the reader understands the importance of security.
So what is security necessary for?
The answer is “spoofing(the act of creating, altering, deleting, or approving electronic records on behalf of another person) and “tampering” is prevented. Without security, there is no way to prevent identity theft or tampering with electronic records.
The Audit Trail is the system’s automatic record of the following events
- Who created which record and when. Also its value.
- Who changed the record from what to what and when. Who changed what record from what and when, and why.
- Who deleted which records and when. Who deleted which records, when, and why?
- Who approved the record (electronically) and when.
So what is the audit trail needed for?
The answer is to detect tampering. Without an audit trail, it is impossible to detect tampering with electronic records.
I wonder if you have noticed here. “spoofing” can never be detected .
Even if a person creates, modifies, deletes, or approves an electronic record using an ID and password on behalf of that person, it cannot be detected by an audit or other means.
This is why any system is only as good as the morals of those who use it.
password management on the importance of Education and training is important because.
The third requirement for authenticity is backup. Backup is the process by which data can be restored in the event of a catastrophic disaster or fire that destroys the system.
In other words, it is a disaster recovery measure.
So, why would backup be a requirement for authenticity?
The solution is protecting the audit trail.
If no backup was made, the audit trail cannot be restored.
Regardless of the reason, electronic records for which the audit trail has been lost cannot be checked for tampering. In other words, authenticity cannot be guaranteed.
related product[blogcard url= https://xn--2lwu4a.jp/qms-csv/ title=”QMS（手順書）ひな形 CSV関連” ]