Procedure for Safeguarding Organizational Records
Details
Date | Version | Status | Information Classification | Document Template ID | Document No |
---|---|---|---|---|---|
06-11-2019 | 1.0 | Approved | Internal | AMS DOC | AMS-SP-31 |
Revision History
Date | Version | Description | Author | Reviewed by | Approved by | Approved date |
---|---|---|---|---|---|---|
29-10-2019 | 1.0 | Initial Version | Shaila, Usha | AMF | Suresh Kumar | 06-11-2019 |
Acronym Used
Acronym | Expanded Form |
---|---|
Introduction
Organizational records are vital for the functioning of the business. This procedure defines the process for identifying organizational records and the appropriate controls implemented to safeguard them.
Scope
Organizational records are defined as those required primarily for statutory and regulatory requirements. In addition, this procedure is applicable for all accounting records, payroll files and personnel files.
ISO27001 Control Reference
A.18.1.3 Protection of records
A.18.1.4 Privacy and protection of personally identifiable information
Key Practices & Responsibility
The key practices and responsibilities are as follows:
Srl. | Key Practice | Responsibility |
---|---|---|
1 | Identify Organizational Records | Asset Owner, Head – Function |
2 | Controls for Safeguarding Organizational Records | Asset Owner, Head – Function |
Key Practice Details
Identify Organizational Records
The asset owner in consultation with Head - Function will identify and document all the organizational records of the department. The details to be obtained for each record include:
Name of Record
Type of Record (Electronic/Paper)
Record/Asset Owner
Location of Record
All Organizational records will be classified as "Confidential" and receive the level of protection defined in the Procedure for Information Classification and Handling.
The Inventory of Information Assets will detail the organizational records and the appropriate retention period.
Controls for Safeguarding Organizational Records
All organizational records in hard copy format will be locked and the list of users requiring access to the record will be documented.
Organizational records that cannot be easily replaced will be stored in fireproof cabinets and a copy will be maintained in an offsite location.
Employee personnel files will be safeguarded from unauthorized access as they contain personal information about the employee.
Electronic records will be shared only on a need-to-know basis with identified individuals, and read-only access will be provided.
Wherever employee records are required to be shared with or furnished to an external agency, this shall be done on the basis of a proper agreement that restricts their use to the intended purposes and binds the agency to adequate confidentiality safeguards. This shall not apply to information furnished to government agencies and other professional organizations that are bound by confidentiality requirements laid down by law or professional bodies.
The retention period will be defined for all organizational records and the destruction/disposal of the records will be commensurate with the classification of the record. The table below indicates the sample record types and their retention periods, which are applicable to ASL's information assets:
Record Type | Retention Period |
---|---|
ACCOUNTING AND FINANCE | |
Accounts Payable ledgers and schedules | 7 years |
Accounts Receivable ledgers and schedules | 7 years |
Annual Audit Reports and Financial Statements | Permanent |
Annual Plans and Budgets | 2 years |
Bank Statements and Canceled Checks | 7 years |
General Ledgers | Permanent |
Bills invoices and other transactional records | 7 years |
CONTRACTS | |
Contracts and Related Correspondence (including any proposal that resulted in the contract and all other supporting documentation) | 7 years after expiration or termination |
CORPORATE RECORDS | |
Corporate Records (minute books, signed minutes of the Board and all committees, corporate seals, articles of incorporation, bylaws, annual corporate reports) | Permanent |
Licenses and Permits | Permanent |
ELECTRONIC DOCUMENTS | |
Electronic Mail | 1 Year |
Electronic Documents | 6 years |
Critical Logs (all authentication access logs, change management, firewall changes, network configuration changes such as VLAN, security policy changes such as AD group policy) | 1 Year |
Web Page Files: Internet Cookies | 1 month |
INSURANCE RECORDS | |
Certificates Issued | Duration of the policy and subsequent claim period allowed |
Claims Files (including correspondence, medical records, injury documentation, etc.) | 2 years after final settlement |
Group Insurance Plans – Active Employees | Until Plan is amended or terminated |
Group Insurance Plans – Retirees | Permanent or until 6 years after death of last eligible participant |
Records of Inspections of records by Statutory agencies | 3 years |
Insurance Policies (including expired policies) | Duration of the policy and subsequent claim period allowed |
LEGAL FILES AND PAPERS | |
Legal Memoranda and Opinions | 7 years after close of matter |
Litigation Files | 1 year after expiration of time allowed for appeals or time for filing appeals |
Court Orders | Permanent |
Statutory Records (EPF, ESI, Gratuity, etc.) | 7 years |
PAYROLL DOCUMENTS | |
Labor Distribution Cost Records | 7 years |
Payroll Registers | 7 years |
PERSONNEL RECORDS | |
Commissions/Bonuses/Incentives/Awards | 7 years |
Employee Personnel Records (including individual attendance records, application forms, job or status change records, performance evaluations, termination papers, withholding information, garnishments, test results, training and qualification records) | 6 years after separation |
Employment Records- Correspondence with Employment Agencies and Advertisements for Job Openings | 3 years from date of hiring decision |
TAX RECORDS | |
Tax-Exemption Documents and Related Correspondence | Permanent |
Payroll Tax Records | 7 years |
Tax Bills, Receipts, Statements | 7 years |
Tax Returns Income, Franchise, Property | Permanent |
MISCELLANEOUS | |
Policy and Procedures Manuals – Original | Current version with revision history |
Policy and Procedures Manuals Copies | Retain current version only |
Annual Reports | Permanent |
Internal Audit Records | 7 Years |
Project Records | Till project completion |
Audits and Training
Evidence of safeguarding organizational records, such as adherence to the defined record retention periods, will be verified by periodic internal audits.
If significant changes are made to the procedure for Safeguarding Organizational Records, the Quality Group, along with the function heads and in coordination with the Training Function, will conduct training sessions for the affected groups or send communications to the affected groups, depending on the criticality of the changes.
References
Srl. | Document/Section Name |
---|---|
1 | Procedure for Information Classification and Handling |