Arkib Negara ELECTRONIC RECORDS MANAGEMENT and archive mgmt guideline_eng
e-SPARK
5.2.4 Key management
As a general rule, keys and other material required to decrypt data should be accessible for
the life of that data.
Where encryption is only used for confidentiality during transmission, there should be no
need for a key management plan. Continued access to the encryption keys is unnecessary if
the sending agency retains a record of the unencrypted transaction and the receiving agency
retains the decrypted record of the transaction. However, both agencies should ensure that
the records are captured with recordkeeping metadata relating to the encryption process.
If an agency decides to retain records in their encrypted form, then an ongoing key
management plan is essential for enabling future access.
Records created or received using online security processes, such as PKI, should be
disposed of according to the business activity to which they pertain. It is important to note
that unauthorized alteration of a record, as evidenced by an unverifiable digital signature, or
inability to decrypt an encrypted record, may constitute de facto destruction of a record.
5.2.5 Recordkeeping, security and information management framework
Authentication and encryption issues need to be addressed early and considered as part of
an agency’s overall recordkeeping, security and information management framework.
Developing such a framework involves:
• Developing a policy and strategy for information management.
• Assessing and implementing recordkeeping and information systems to maintain
required records.
• Identifying recordkeeping requirements.
• Assigning responsibilities.
5.2.6 Policy and strategy
To ensure the success of an online security program, especially when it involves the use of
digital signatures and encryption, a strategy and companion policy for information resource
management (including recordkeeping) should be developed.
Preferably, the strategy should be developed as part of the online security program, and be
in place before implementation of the program occurs. Recordkeeping related to online
security technology should be part of an agency’s overall information management or
recordkeeping policies.
Copyright Arkib Negara Malaysia Page 59 of 86