- Established: Information systems established as needed based on: operational requirements assessment, cost-benefit analysis, security requirements, and technical feasibility. Establishment requires: needs assessment, system design, security review, budget approval, and implementation plan. Establishment authority: Department Heads (for department-specific systems under $100,000), Executive Directorate (for institutional systems or systems over $100,000), SCC (for strategic systems over $1,000,000).
- Maintained: Ongoing maintenance of all information systems including: preventive maintenance (weekly system health checks, monthly performance reviews), corrective maintenance (immediate response to system failures), and enhancement maintenance (quarterly feature updates). Maintenance conducted by Technical Department with department coordination. Maintenance documented in system maintenance logs.
- Secured: Information systems secured with appropriate security measures including: access controls (MFA, RBAC), encryption (AES-256 for data at rest, TLS 1.3 for data in transit), network security (firewalls, IDS/IPS), and monitoring (SIEM, log analysis). Security measures must comply with Title X Security, CSP-1113, and NIST 800-53. Security reviewed quarterly and audited annually.
- Updated: Information systems updated as required for: security patches (applied within 30 days of release, critical patches within 7 days), feature enhancements (quarterly updates), performance improvements (as needed), and compliance requirements (as regulations change). Updates require: testing, approval, scheduled deployment, and validation. Updates documented with change logs and version control.
- Collection: Data collection conducted as authorized by: data collection authorization (from appropriate authority), data collection plan (specifying purpose, scope, methods), and legal compliance (privacy laws, data protection regulations). Collection authority: Department Heads (for operational data), Executive Directorate (for institutional data), SCC (for sensitive or strategic data). All collection documented with purpose, scope, and authorization.
- Storage: Secure storage of all data in: encrypted databases (AES-256 encryption), secure cloud storage (with encryption and access controls), or secure physical storage (for physical records). Storage locations must comply with: data residency requirements, security standards (Title X Security), and backup requirements (daily backups, off-site storage). Storage access controlled through RBAC and audit-logged.
- Processing: Data processing conducted as needed for: operational purposes (transaction processing, reporting), analytical purposes (business intelligence, forecasting), and compliance purposes (regulatory reporting, audits). Processing must comply with: data protection regulations, privacy requirements, and security standards. Processing documented with purpose, methods, and results.
- Protection: Data protected with appropriate measures including: encryption (at rest and in transit), access controls (RBAC, MFA), backup and recovery (daily backups, tested recovery procedures), and monitoring (data access logging, anomaly detection). Protection measures must comply with Title X Security and applicable data protection regulations. Protection reviewed quarterly and audited annually.
- Creation: Records properly created for all transactions, decisions, communications, and activities. Records must include: date, time, parties, purpose, content, and authorization. Records created in approved record-keeping systems with proper classification and metadata. Record creation standards established in Records Management Policy.
- Maintenance: Ongoing maintenance of records including: regular updates (as information changes), integrity verification (quarterly checks for tampering or corruption), migration (as systems change), and preservation (for long-term retention). Maintenance conducted by Records Management Department with department coordination. Maintenance documented in maintenance logs.
- Retention: Records retained as required by: legal requirements (minimum retention periods per record type), operational requirements (business need), and policy requirements (Records Management Policy). Retention periods: financial records (10 years), personnel records (7 years after termination), legal records (perpetual), operational records (5 years). Retention schedules maintained and reviewed annually.
- Disposition: Records disposed of as authorized by: Records Management Policy, legal requirements, and authorization from Records Management Department. Disposition methods: secure deletion (for electronic records, using NIST 800-88 standards), secure destruction (for physical records, using certified destruction services), or transfer (to archives for permanent retention). Disposition documented with disposition date, method, and authorization.
- Channels: Established channels for internal communications including: email (for standard communications), secure messaging (for sensitive communications), intranet (for announcements and resources), video conferencing (for meetings), and official memos (for formal communications). Channels established by Communications Department with Technical Department support. Channel usage guidelines published and updated annually.
- Protocols: Communication protocols established in Communications Policy, including: communication standards (format, tone, language), approval requirements (for external-facing communications), response time requirements (24 hours for standard, 4 hours for urgent), and escalation procedures (for critical communications). Protocols reviewed and updated annually.
- Security: Internal communications secured with appropriate security measures including: encryption (TLS 1.3 for email, end-to-end encryption for sensitive messaging), access controls (authentication, authorization), and monitoring (for security threats, policy compliance). Security measures must comply with Title X Security and CSP-1113. Security reviewed quarterly.
- Documentation: Internal communications documented as required by: Communications Policy (for formal communications), Records Management Policy (for record-keeping requirements), and operational needs. Documentation includes: communication content, parties, date/time, and classification. Critical communications (decisions, approvals, policy changes) must be documented and retained per Records Management Policy.