...
Technical controls for document integrity and audit trails also contribute to binding the transaction to the entity and non-repudiation, but those controls are more appropriately discussed in the next section.
Providing Chain of Custody Audit Trails
NMFS policy directive 32-110 specifies "...audit trails that ensure the chain of custody for the transaction. These audit trails should identify the sending location, sending individual or entity, date and time stamp of receipt, and other measures that will ensure the integrity of the document. These audit trails must validate the integrity of the transaction and prove: (1) that the connection between the submitter and NMFS has not been tampered with; and (2) how the document was controlled upon receipt by NMFS."
The proposed design implements the following audit trail controls:
- the NMFS employee who received the portal media will return to the office, login, and run a data import process
- the data import process will record where and when the portable media was delivered, who delivered it and who received it. The NMFS data import program will record this information, the time that the data import was run, and the raw uninterpreted contents of the submitted e-logbook file(s) into a NMFS database.
- These audit trail data items should be written to audit trail tables by the data import application using a database account which has insert privileges to the database but does not have update or delete privileges. (And update and delete privileges on the audit trail tables should be carefully controlled by the database administrator.)
- after the this audit trail information is recorded the import program can proceed to interpret the e-logbook data stream and insert the data into NMFS operational database(s).