Electronic Chattel Paper Technical Control Requirements March 17, 2005

1
Electronic Chattel Paper Technical Control
RequirementsMarch 17, 2005
2
Technical Requirements Objective

• 9-105. Control Of Electronic Chattel Paper
• A secured party has control of electronic chattel
  paper if the record or records comprising the
  chattel paper are created, stored, and assigned
  in such a manner that
• (1) a single authoritative copy of the record or
  records exists which is unique, identifiable and,
  except as otherwise provided in paragraphs (4),
  (5), and (6), unalterable
• (2) the authoritative copy identifies the secured
  party as the assignee of the record or records
• (3) the authoritative copy is communicated to and
  maintained by the secured party or its designated
  custodian
• (4) copies or revisions that add or change an
  identified assignee of the authoritative copy can
  be made only with the participation of the
  secured party
• (5) each copy of the authoritative copy and any
  copy of a copy is readily identifiable as a copy
  that is not the authoritative copy and
• (6) any revision of the authoritative copy is
  readily identifiable as an authorized or
  unauthorized revision.

3
What is a system?People, Processes, Technology

• All systems are characterized by five
  specifications
• Input
• Output
• Relationship between Input and Output called
  the transfer function
• Environment in which the system operates
• Environmental specs
• Includes the qualities that pervade across the
  entire system
• Assurance
• Audit appraisal
• Attestation
• Manageability
• Security
• Usability
• Etc.
• Performance

Performance
Transfer Function
Input
Output
Environment
4
Command vs. Control

• Command
• Input
• Output
• One Way Command Function
• Expectation that the command is carried out
• Control
• Input
• Output
• Command function
• Verification that the command is carried out
• Action taken if it isnt
• Assurance that the overall environment supports
  control

Performance
Transfer Function
Input
Output
Environment
5
Technical Control

• Control is centered in the transfer function
• Action Part
• Monitor Part
• To have control you need
• The desired relationship between input and output
• A comparator to measure the difference between
  output and input
• The action or feed-forward function
• The monitor or feed-back function
• Assurance
• Audit Appraisal
• Data level
• Process/System level
• Management Level

Performance
Transfer Function

Action
Input
Output
-
Monitor
Comparison Function
Environment
Without a monitor, there is no control
6
Requirements to Demonstrate Control
7
Control System for ECP
Control Environment
Input
Action
Secured Party Designated Custodian Added Secured
Party Electronic Record(s)
Create Store Revise Assign Secured Party (add,
change) Communicate (transfer for
maintenance) Identify Single Authoritative
Copy Make Un-authoritative Copy Restore
Integrity Maintain
Output
Action
Single Authoritative Copy Un-Authoritative Copy
Make/Send Un-authoritative Copy
Un-authoritative Copy
Monitor
Log Secured Party Participation Verify
Authoritative Copy Integrity Maintained by the
Secured Party Create Assurance Audit Trail
Output
Un-authoritative Copy
8
Next Steps

• Legal requirements to technical requirements map
  based upon this framework
• Apply the framework to other components of the
  entire system. What parts of people, process and
  technology still need controls?
• Consider the control requirements on Operations
  (change management, circumvention of controls)
• Consider the control requirements on system
  integrity and assurance
• Auditability required for attestation
• Good witnesses need good records

If you cant control it, you dont own it
9
Lastly

• Thank you to all who worked to get us this far
• Richard Keck
• Mattias Hallendorff
• Linda Rusch
• David Whitaker
• Ian Dobson
• Nick Mansfield
• Steve Mathews