InfoSec Req DAT3 Guidance

DAT3 Records management review guidance (formerly DAT1.2.1)

The Ohio State University Information Security Standard (ISS) and Information Security Control Requirements (ISCR) were developed to provide a definitive set of risk management objectives and security controls for all university information systems and assets under the university's control and for the people who access these systems. Use of the standard enables Ohio State to protect its information assets; satisfy legal, regulatory, and contractual requirements; and apply best practices for information security and risk management.

Ohio State's Records Management policy intersects the Security Standard in ISCR section DAT3:

  • DAT3.1: Records retention: Records should be kept in accordance with the university’s records retention schedule.
  • DAT3.2: Document destruction: Organizations must properly dispose of documents containing institutional data.

    Note: Documents include paper documents, paper output, and photographic media. For additional details regarding storage media disposal, please reference IT15.2.1 Storage media disposal and IT15.2.2 Restricted storage media disposal.

The DAT3 standard is backed by a detailed security control requirement that campus units must satisfy to establish compliance. It requires campus units to demonstrate annually that they are working, or have worked, with University Records Management to comply with the university's Records Management Policy. Proof of compliance might include:

  • A statement of having adopted the University's General Records Retention Schedule.
  • A current (less than five years old) unit-specific records retention schedule, if applicable.
  • Current Certificates of Records Destruction on file with University Records Management.
  • Documentation of regular communication to unit staff instructing or reminding them to follow the University's General Records Retention Schedule and/or the unit-specific retention schedule, and to destroy records appropriately and in a timely fashion in accordance with those schedules.

The annual records management review must be approved by unit senior management and the university records manager. Part I of the Information Security Control Requirement and Records Management Assessment form can be completed as the annual review and submitted to lib-records@osu.edu.

Information Security Standard: DAT1, DAT2 and DAT3

To ensure proper classification, labeling, and handling of institutional data.

DAT1: Institutional Data-related Risk
DAT2: Information Access Control-related Risk
DAT3: University Records Retention-related Risk

Note: Data may be in digital or physical form. 

Information Security Control Requirements: DAT3 Records management review

This control requirement applies to all S1, S2, S3 and S4 data (as classified under Ohio State's Institutional Data Policy).

DAT3.1.1 Records management review

Organizations must review records management requirements and practices to ensure university records are being managed properly. The records management review must:

  1. review the applicable university records retention schedules to determine if there have been any changes;
  2. assess if there have been any organizational, technology, or regulatory changes that would change the organization's record retention requirements;
  3. verify that records are not being discarded or destroyed before the authorized disposition date;
  4. ensure the routine destruction of records once the retention period, authorized via retention schedules, has passed;
    1. verify that certificates of records destruction are submitted to University Records Management prior to records destruction; and/or
    2. work with University Records Management to ensure the system captures and can report on appropriate destruction metadata; and
  5. assess whether the organization needs to take action to be in compliance with all applicable record retention requirements.

The records management review must be performed annually or after organizational, technology, or regulatory changes.

The results of the records management review must be approved by senior management and University Records Management.
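Steps 3 and 4 of the review, and the expectation in step 4.2 that the system can report on destruction metadata, are the parts of the requirement a unit can check mechanically from a records inventory and a destruction log. The following is an added example, not code from the university or from this guidance: it assumes a hypothetical retention schedule keyed by series code (the codes and retention periods are constructed, not the university's General Records Retention Schedule), assumes that the retention period runs from the record's creation date, and uses a constructed inventory to flag records destroyed before their authorized disposition date, records destroyed without a certificate of destruction on file, and records past their disposition date that have not been destroyed.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

# Hypothetical retention schedule: series code -> retention period in years.
# Constructed for illustration; not the university's actual schedule.
RETENTION_YEARS: Dict[str, int] = {
    "FIN-01": 7,   # financial records (assumed)
    "HR-03": 5,    # personnel records (assumed)
    "ADM-02": 3,   # routine administrative correspondence (assumed)
}


@dataclass
class Record:
    record_id: str
    series: str
    created: date                       # date created or received
    destroyed: Optional[date] = None    # None if still retained
    certificate_id: Optional[str] = None  # Certificate of Records Destruction, if filed


def disposition_date(rec: Record) -> date:
    """Authorized disposition date, assuming retention runs from creation."""
    years = RETENTION_YEARS[rec.series]
    try:
        return rec.created.replace(year=rec.created.year + years)
    except ValueError:
        # created on 29 February and target year is not a leap year
        return rec.created.replace(year=rec.created.year + years, day=28)


def review(records: List[Record], today: date) -> Dict[str, List[str]]:
    """Return record IDs grouped by the review finding they trigger."""
    findings: Dict[str, List[str]] = {
        "premature_destruction": [],  # step 3: destroyed before disposition date
        "missing_certificate": [],    # step 4.1: destroyed with no certificate on file
        "overdue": [],                # step 4: retention passed, not yet destroyed
        "unknown_series": [],         # step 1/2: no schedule entry, needs follow-up
    }
    for rec in records:
        if rec.series not in RETENTION_YEARS:
            findings["unknown_series"].append(rec.record_id)
            continue
        due = disposition_date(rec)
        if rec.destroyed is not None:
            if rec.destroyed < due:
                findings["premature_destruction"].append(rec.record_id)
            if rec.certificate_id is None:
                findings["missing_certificate"].append(rec.record_id)
        elif today >= due:
            findings["overdue"].append(rec.record_id)
    return findings


# Constructed sample inventory for a hypothetical unit.
SAMPLE_RECORDS: List[Record] = [
    Record("R1", "FIN-01", date(2015, 3, 1), date(2023, 6, 15), "CRD-2023-017"),
    Record("R2", "HR-03", date(2020, 1, 10), date(2023, 2, 1), "CRD-2023-004"),
    Record("R3", "ADM-02", date(2019, 5, 20)),
    Record("R4", "FIN-01", date(2016, 8, 30), date(2024, 1, 15)),
    Record("R5", "XYZ-99", date(2021, 4, 2)),
    Record("R6", "HR-03", date(2022, 11, 1)),
]
REVIEW_DATE = date(2024, 9, 1)


def sample_findings() -> Dict[str, List[str]]:
    return review(SAMPLE_RECORDS, REVIEW_DATE)


def report(findings: Dict[str, List[str]]) -> List[str]:
    """Plain-text lines suitable for attaching to the annual review."""
    lines = []
    for finding, ids in findings.items():
        lines.append(f"{finding}: {', '.join(ids) if ids else 'none'}")
    return lines


if __name__ == "__main__":
    for line in report(sample_findings()):
        print(line)
```

In the constructed inventory, R2 was destroyed before its disposition date, R4 was destroyed without a certificate on file, R3 is past its retention period and still held, and R5 carries a series code the schedule does not recognize; R1 and R6 raise no finding. A real run would read the unit's own inventory and the unit-specific or General Records Retention Schedule in place of the constructed data.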

Note: The Ohio Revised Code (ORC) 149.011(G) defines a record as "...any document, device, or item, regardless of physical form or characteristic, including an electronic record as defined in section 1306.01 of the Revised Code, created or received by or coming under the jurisdiction of any public office of the state or its political subdivisions, which serves to document the organization, functions, policies, decisions, procedures, operations, or other activities of the office."

Note: A record is a document, data, or set of data that is created or received in the course of an organization's business that has content, structure, fixity, context, and is maintained as evidence of an organization's activity. Institutional data may reside in university records, be used to produce university records, or may of itself be a university record.


DAT3.2.1 Document disposal

Organizations must properly dispose of documents containing S3 (private) and S4 (restricted) institutional data. Documents must be disposed of by physical destruction (e.g., shredding). Organizations must shred documents using:

A. an organizationally-owned shredder which must be able to perform cross-cut shredding; or

B. a university-approved shredding service.

  • Note: Shredding services must provide documentation as evidence of document destruction for S4 (restricted) institutional data.

The size of the shredded material should be small enough to provide reasonable assurance that the data cannot be reconstructed.

Note: For additional details regarding storage media disposal, please reference IT15.2.1 Storage media disposal and IT15.2.2 Restricted storage media disposal.