31 March 2012 Literature Review #4 Jewel H. Ward
CITATION

Ward, J.H. (2012). Managing Data: Preservation Standards & Audit & Certification Mechanisms (i.e., "policies"). Unpublished Manuscript, University of North Carolina at Chapel Hill.

Creative Commons License: Attribution-NoDerivatives 4.0 International (CC BY-ND 4.0)

Managing Data: Preservation Standards & Audit & Certification Mechanisms (i.e., "policies"), v. final

ABSTRACT

Computer scientists who work with digital data that has long-term preservation value, archivists and librarians whose responsibilities include preserving digital materials, and other stakeholders in digital preservation have long called for the development and adoption of open standards in support of long-term digital preservation. Over the past fifteen years, preservation experts have defined "trust" and a "trustworthy" digital repository; defined the attributes and responsibilities of a trustworthy digital repository; defined the criteria and created a checklist for the audit and certification of a trustworthy digital repository; evolved these criteria into a standard; and defined a standard for bodies that wish to provide audit and certification to candidate trustworthy digital repositories. This literature review discusses the development of standards for the audit and certification of a trustworthy digital repository.

TABLE OF CONTENTS

ABSTRACT
INTRODUCTION
TRUST
THE TYPES OF AUDIT AND CERTIFICATION
TRUSTED DIGITAL REPOSITORIES: ATTRIBUTES AND RESPONSIBILITIES
  Trusted Digital Repositories
  Attributes of a Trusted Digital Repository
  Responsibilities of a Trusted Digital Repository
  Certification of a Trusted Digital Repository
  Summary
TRUSTED DIGITAL REPOSITORIES: AUDIT AND CERTIFICATION
  Trustworthy Repositories Audit & Certification: Criteria and Checklist
    I. Organizational Infrastructure
    II. Digital Object Management
    III. Technologies, Technical Infrastructure, and Security
  Audit and Certification of Trustworthy Digital Repositories Recommended Practice
TRUSTED DIGITAL REPOSITORIES: REQUIREMENTS FOR CERTIFIERS
  ISO/IEC Conformity Assessment Requirements for Bodies Providing Audit and Certification of Candidate Trustworthy Digital Repositories Recommended Practice
TRUSTED DIGITAL REPOSITORIES: CRITICISMS
SUMMARY
REFERENCES

TABLE OF FIGURES

Figure 1 - TRAC, A1.1 (OCLC & CRL, 2007)
Figure 2 - Audit and Certification of Trustworthy Digital Repositories Recommended Practice, (CCSDS, 2011)

INTRODUCTION

Computer scientists who work with digital data that has long-term preservation value, archivists and librarians whose responsibilities include preserving digital materials, and other stakeholders in digital preservation have long called for the development and adoption of open standards in support of long-term digital preservation (Lee, 2010; Science and Technology Council, 2007; Waters & Garrett, 1996). However, Hedstrom (1995) cautions that only "if" standards provide the conditions for the archive to conform to standard archival practices, software and hardware designers comply with the standards, and producers and users select and use the standards, will they then provide a high-level solution to some of the obstacles that may prevent the preservation of digital materials. The development of standards for the audit and certification of digital repositories as "trustworthy" is a major development towards ensuring that digital data will be curated and preserved for the indefinite long-term, as they provide the conditions so that all three of Hedstrom's criteria may be met.

In 1996, the Commission on Preservation and Access and the Research Libraries Group released the now-seminal report, "Preserving Digital Information" (Waters & Garrett, 1996). The Research Libraries Group (RLG) (2002) noted three key points that led to the interest in developing standards for the "attributes and responsibilities" of a "trusted digital repository": the requirement for 'a deep infrastructure capable of supporting a distributed system of digital archives'; 'the existence of a sufficient number of trusted organizations capable of storing, migrating, and providing access to digital collections'; and, 'a process of certification is needed to create an
overall climate of trust about the prospects of preserving digital information'. A few years later, the Consultative Committee on Space Data Systems (CCSDS) released the "Reference Model for an Open Archival Information System (OAIS)" (CCSDS, 2002). This document defined a set of common terms, components, and concepts for a digital archive. It provided not just a technical reference, but outlined the organization of people and systems required to preserve information for the indefinite long-term and make it accessible (RLG, 2002).

However, experts and other stakeholders with an interest in preserving information for the long-term recognized that as part of defining an archival system, they also needed to form a consensus on the responsibilities and characteristics of a sustainable digital repository. In other words, they needed a method to "prove" (i.e., "trust") that an organization's systems were, in fact, OAIS-compliant. First, they would have to define the attributes and responsibilities of a "trusted" digital repository. Next, they would have to develop a method to audit and certify that a repository may be "trusted". And, finally, they would have to create an infrastructure to certify and train the auditors.

The essay "Managing Data: the Emergence & Development of Digital Curation & Digital Preservation Standards" contains sections that provide the motivations for the development of standards, and an overview and example applications of the "Audit and Certification of the Trustworthy Digital Repositories Recommended Practice" (CCSDS, 2011). That essay also covers the definitions of "reliable", "authentic", "integrity", and "trustworthy", et al. A very short discussion of this Recommended Practice and a
detailed discussion of the OAIS Reference Model are available in the essay, "Managing Data: Preservation Repository Design (the OAIS Reference Model)".

This essay on "preservation standards and audit and certification mechanisms" is an overview of "trust"; the types of audit and certification available generally; the development of standards for the audit and certification of a repository as "trustworthy"; a brief overview of the standards themselves; and a very brief overview of the requirements for the certification of bodies that certify the auditors of said trusted digital repositories. Thus, the scope of this particular literature review is deliberately narrow to avoid the duplication of previously discussed topics.

TRUST

Jøsang and Knapskog (1998) discussed "trust" as a "subjective belief" when they described a metric for a "trusted system", while Lynch (2000) described "trust" as an elusive and subjective probability. Both the former and the latter wrote that a user trusts the evaluation of the certifier, not the actual system component. Jøsang and Knapskog drew attention to the fact that an evaluator only certifies that a system has been checked against a particular set of criteria; whether or not a user should or will trust those criteria is another matter. The two researchers pointed out that most end users of a certified system do not have the necessary expertise to evaluate the appropriateness and quality of the criteria used to audit the system. They must trust that the people who established the criteria chose relevant components, and that the evaluator had the skill and knowledge to assess the system.
This is similar to Lynch (2001), who wrote that users tend to assume digital system designers and content creators have users' best interests at heart, which is not always the case; yet the idea of creating a formal system of trust "is complex and alien to most people". Ross & McHugh (2006) posit that "trust" may be established with the various stakeholders affiliated with a repository by providing quantifiable "evidence" such as annual financial reports, business plans, policy documents, procedure manuals, mission statements, etc., so that a system's "trustworthiness" is believable. Jøsang & Knapskog (1998) and Ross & McHugh's (2006) research goal was to provide a methodical evaluation of system components to define "trust" in a system that in and of itself was trustworthy (RLG, 2002). Finally, Merriam-Webster (Trust, 2011) defines "trust" as "one in which confidence is placed"; "a charge or duty imposed in faith or confidence or as a condition of some relationship"; and "something committed or entrusted to one to be used or cared for in the interest of another".

THE TYPES OF AUDIT AND CERTIFICATION

Jøsang and Knapskog (1998) described four types of roles generally assigned to "government driven evaluation schemes": accreditor, certifier, evaluator, and sponsor. They defined the accreditor as the body that accredits the evaluator, the certifier, and, sometimes, evaluates the system itself. They noted that the certifier is accredited based on "documented competence level, skill, and resources". They stipulated that the certifier might also be a "government body issuing certificates based on the evaluation
reports from the evaluators". They defined the evaluator as "yet another government agency" that is "accredited by the accreditor", and "the quality of the evaluator's work will be supervised by the certifier". They described the sponsor as the party interested in having their system evaluated (Jøsang & Knapskog, 1998). In other words, the authors wrote that someone who would like their system audited and certified by a particular set of evaluation criteria ("the sponsor") hires an auditor ("the evaluator") who has been certified ("the certifier") by an accredited agency ("the accreditor").

RLG (2002) defined four approaches to certification: individual, program, process, and data. They described "individual" as personnel certification. This is also called professional certification or accreditation, and it is often given to an individual when they meet some combination of work experience, education, and professional competencies. RLG noted that at the time of writing, there were no professional certifications for digital repository management or electronic archiving. They cited "program" as a type of certification for an institution or a program achieved through a combination of site visits and "self-evaluation using standardized checklists and criteria". RLG explained that the assessment areas included access, outreach, collection preservation and development, staff, facilities, governing and legal authority, and financial resources. They provided examples of this type of certification that included museums, schools and programs within a university, etc. They defined "process" as "quantitative or qualitative guidelines to internal and external requirements" that use various methods and procedures, such as the ISO 9000 family of standards (RLG, 2002).
Finally, the authors designated the "data" approach to certification as addressing "the persistence or reliability of data over time and data security". They wrote that this certification requires adherence to procedures manuals and international standards, such as ISO, that ensure both external and internal quality control. They note that certification will require the managers of a repository to document migration processes, to maintain and create metadata, authenticate new copies, as well as update the data or files (RLG, 2002).

TRUSTED DIGITAL REPOSITORIES: ATTRIBUTES AND RESPONSIBILITIES

RLG (2002) defined a "trusted digital repository" as "one whose mission is to provide reliable, long-term access to managed digital resources to its designated community, now and in the future". They described the "critical component" as "the ability to prove reliability and trustworthiness over time". The authors' stated goal for the report was to create a framework for large and small institutions that could cover different responsibilities, architectures, materials, and situations yet still provide a foundation with which to build a sustainable "trusted repository" (RLG, 2002).

Trusted Digital Repositories

The authors of the RLG document noted that repositories may be contracted to a third party or locally designed and maintained; regardless, the expectations for trust require that a digital repository must:

"Accept responsibility for the long-term maintenance of digital resources on behalf of its depositors and for the benefit of current and future users;
Have an organizational system that supports not only long-term viability of the repository, but also the digital information for which it has responsibility;
Demonstrate fiscal responsibility and sustainability;
Design its system(s) in accordance with commonly accepted conventions and standards to ensure the ongoing management, access, and security of materials deposited within it;
Establish methodologies for system evaluation that meet community expectations of trustworthiness;
Be depended upon to carry out its long-term responsibilities to depositors and users openly and explicitly;
Have policies, practices, and performance that can be audited and measured; and
Meet the responsibilities detailed in Section 3 [sic] of this paper" (RLG, 2002).

Per the OAIS Reference Model (CCSDS, 2002), they noted that the repository's "designated community" will be the primary determining factor in how the content is accessed and disseminated; managed and preserved; and what, including content and format, is deposited.

The authors of the report discussed and defined "trust", noting, "most cultural institutions are already trusted". Regardless, they outlined three levels of trust that administrators of a repository must consider in order to be a "trusted repository": the trust a cultural institution must earn from their designated community; the trust cultural institutions must have in third-party providers; and the trust users of the repository must have in the digital objects provided to them by the repository owner via the repository software. The report authors wrote that archives, libraries, and museums must simply keep doing what they have been doing for centuries in order to maintain the trust of their user community; they do not need to develop that trust; as institutions, they have already earned it.
RLG (2002) explained that while librarians, archivists, etc., are loath to use
third-party providers who have not proven their reliability, the establishment of a certification program with periodic re-audits may overcome their reluctance. Finally, the authors stated that users must be able to trust that the digital items they receive from a repository are both authentic and reliable. In other words, the objects the users access must be unaltered and they must be what they purport to be (Bearman & Trant, 1998). They established that this can be accomplished by the use of checksums and other forms of validation that are common in the Computer Science and digital security communities, although security does not equal integrity (Lynch, 1994). Waters & Garrett (1996) put forth that the "central goal" of an archival repository must be "to preserve information integrity"; this includes content, fixity, reference, provenance, and context.

For a discussion on "reliable", "authentic", "integrity", and "trustworthy", please see the essay, "Managing Data: the Emergence & Development of Digital Curation & Digital Preservation Standards".

Attributes of a Trusted Digital Repository

RLG (2002) identified seven primary attributes of a trusted digital repository. They were and are: compliance with the OAIS Reference Model; administrative responsibility; organizational viability; financial sustainability; technological and procedural suitability; system security; and procedural accountability.

The authors defined "compliance with the OAIS" as the repository owners/administrators ensuring that the "overall repository system conforms" to the OAIS Reference Model. They described "administrative responsibility" as the repository administrators adhering to "community-agreed" best practices and standards,
particularly with regards to sustainability and long-term viability. RLG (2002) explained "organizational viability" as creating and maintaining an organization and structure that is capable of curating the objects in the repository and providing access to them for the indefinite long-term. As part of this, they included maintaining trained staff, legal status, transparent business practices, succession plans, and maintaining relevant policies and procedures.

RLG (2002) designated "financial sustainability" as maintaining financial fitness, engaging in financial planning, etc., with an ongoing commitment to remain financially viable over the long-term. The authors outlined "technological and procedural suitability" as the repository owners/administrators keeping the archive's software and hardware up to date, as well as complying with applicable best practices and standards for technical digital preservation. They traced an outline for "system security" by describing the minimal requirements a repository must follow regarding best practices for risk management, including written policies and procedures for disaster preparedness, redundancy, firewalls, backup, authentication, data loss and corruption, etc.

Finally, RLG (2002) defined "procedural accountability" as the repository owners/administrators being accountable for all of the above. That is, the authors wrote that maintaining a trusted digital repository is a complex set of "interrelated tasks and functions"; the maintainer of the repository is responsible for ensuring that all required functions, tasks, and components are carried out (RLG, 2002).

Responsibilities of a Trusted Digital Repository

RLG (2002) described two primary responsibilities for the owners and administrators of a trusted digital repository: high-level organizational and curatorial responsibilities, and operational responsibilities. They subdivided organizational and curatorial responsibilities into three levels. The authors noted that organizations must understand their local requirements, which other organizations may have similar requirements, and how these responsibilities may be shared. The authors of the report summarized five primary areas in support of those three levels: the scope of the collections, preservation and lifecycle management, the wide range of stakeholders, the ownership of material and other legal issues, and cost implications (RLG, 2002).

(1) The scope of the collections: the repository owners and administrators must know exactly what they have in their digital collection, and how to adequately preserve the integrity and authenticity of the properties and characteristics of the individual items.
(2) Preservation and lifecycle management: the repository owners and administrators must commit to proactive planning with regards to preserving and curating the items in the repository.
(3) The wide range of stakeholders: the repository owners and administrators must take into account the interests of all stakeholders when planning for long-term access to the materials. In some instances, they will have to act in spite of their stakeholders' wishes, as some stakeholders tend to have short-term views, and they will not care about the long-term preservation of, and access to, the materials. Other stakeholders will have a differing point of view, and they will want the material preserved in the long-term. The repository owners and administrators will have to balance these competing interests.
(4) The ownership of material and other legal issues: digital librarians and archivists will have to take a proactive role with content producers. They must seek to preserve materials by curating the data early in its life cycle, while
being cognizant of the copyright and intellectual property concerns of the content producers and owners.
(5) Cost implications: repository owners and administrators must commit financial resources to maintaining the content over the indefinite long-term, while bearing in mind that the true costs of doing so are variable.

In sum, RLG (2002) recommended incorporating preservation planning into the everyday management of the preservation repository.

Next, the authors of this RLG report defined operational responsibilities in more detail than the organizational and curatorial responsibilities, above. They wrote the operational responsibilities based on the OAIS Reference Model, and added to that the "critical role" of a repository in the "promotion of standards" (RLG, 2002). They defined these areas as:

(1) Negotiates for and accepts appropriate information from information producers and rights holders: this responsibility covers the submission agreement between a content Producer and the OAIS Archive. These responsibilities include preservation metadata, record keeping, authenticity checks, and legal issues. As part of fulfilling this role, a repository will have policies and procedures in place to cover collection development, copyright and intellectual property rights concerns, metadata standards, provenance and authenticity, appropriate archival assessment, and records of all transactions with the Producer.
(2) Obtains sufficient control of the information provided to support long-term preservation: this responsibility refers to the "staging" process, where ingested content is stored after submission from a Producer and before the material is ingested into the archive.
The responsibilities of a repository administrator at this point encompass best practices for the ingest of materials, which includes an analysis of the digital content itself, including its "significant properties"; what requirements must be fulfilled to provide access to the material continuously; a metadata check against the repository's standards (including adding metadata to bring the current metadata up to par); the assignment of a persistent and unique identifier; integrity/fixity/authentication checks; the creation of an OAIS Archival Storage Package (AIP); and storage into the OAIS Archive.
(3) Determines, either by itself of [sic] with others, the users that make up its designated community, which should be able to understand the information provided: the repository administrators and owners must determine who their user base is so that they may understand how best to serve their Designated Community.
(4) Ensures that the information to be preserved is independently understandable to the designated community; that is, the community can understand the information without needing the assistance of experts: the repository owner and administrator must make the information available using generic tools that are available to the Designated Community. For example, documents might be made available via .pdf or .rtf because the software to render these documents is available for free to most users. A repository owner and/or administrator may not wish to preserve documents in the .pages file format, as this Apple file format is not commonly used and the software to render it is not free beyond a limited day trial period.
(5) Follows documented policies and procedures that ensure the information is preserved against all reasonable contingencies and enables the information to be disseminated as authenticated copies of the original or as traceable to the original: the repository owners and administrators will document any unwritten policies and procedures, and follow best practice recommendations and standards where possible. These policies must include policies to define the Designated Community and its knowledge base; policies for material storage, including service-level agreements; policies for authentication and access control; a collection development policy, including preservation planning; a policy to keep policies updated with current recommendations, standards, and best practices; and, finally, links between procedures and policies, to ensure compliance across all collections in the repository.
(6) Makes the preserved information available to the designated community: the repository owners and administrators must comply with legal responsibilities such as licensing, copyright, and intellectual property regarding access to the content in the repository. Within that framework, however, they should plan to provide user support, record keeping, pricing (where applicable), authentication, and, most importantly, a method for resource discovery.
(7) Works closely with the repository's designated community to advocate the use of good and (where possible) standard practice in the creation of digital resources; this may include an outreach program for potential depositors: the repository owners and administrators should work with all stakeholders to advocate the use of standards and
recommended best practices (RLG, 2002). As the Science and Technology Council (2007) noted, using standards will reduce costs for all parties involved and better ensure the longevity of the material.

In conclusion, the OAIS Reference Model has provided a useful framework "for identifying the responsibilities of a trusted digital repository" (RLG, 2002).

Certification of a Trusted Digital Repository

As part of the certification framework, the authors of the RLG report intended to support Waters & Garrett's (1996) assertion that archival repositories "must be able to prove that they are who they say they are by meeting or exceeding the standards and criteria of an independently-administered program for archival certification". RLG (2002) described two types of certification then in use within the libraries and archives community: the standards model and the audit model.

The "standards" model is an informal process. They stated that standards are created when best practices and guidelines are established by the consensus of the expert community and then "certified" by other practitioners' acceptance and/or use of the "standard". In other words, librarians, archivists, and computer scientists who work with libraries decide what constitutes a "standard"; only rarely does a standard become formalized via ISO or another international organization.

The authors described the audit model as an output of legislation or policies and procedures established by national agencies, such as the U.S. Department of Defense. That is, a governing body passes laws or policies, and the information repository's policies must conform to the governing body's requirements (RLG, 2002).
For a discussion of other approaches to certification, please see an earlier section, "Types of Audit and Certifications".

Summary

RLG (2002) described a framework for a trusted digital repository's responsibilities and attributes. They noted that these apply to repositories both large and small that hold a wide variety of content. The authors summarized their work above with several recommendations.

Recommendation 1: Develop a framework and process to support the certification of digital repositories.
Recommendation 2: Research and create tools to identify the attributes of digital materials that must be preserved.
Recommendation 3: Research and develop models for cooperative repository networks and services.
Recommendation 4: Design and develop systems for the unique, persistent identification of digital objects that expressly support long-term preservation.
Recommendation 5: Investigate and disseminate information about the complex relationship between digital preservation and intellectual property rights.
Recommendation 6: Investigate and determine which technical strategies best provide for continuing access to digital resources.
Recommendation 7: Investigate and define the minimal-level metadata required to manage digital information for the long term. Develop tools to automatically generate and/or extract as much of the required metadata as possible (RLG, 2002).

The remainder of this essay focuses on the results of Recommendation 1, above, regarding the development of certification standards for digital repositories.

TRUSTED DIGITAL REPOSITORIES: AUDIT AND CERTIFICATION

Several researchers have addressed the problem of audit and certification. For example, Ross & McHugh (2006) created the Digital Repository Audit Method Based On
Risk Assessment (DRAMBORA) to provide a self-audit method for repository administrators that provided quantifiable results (Digital Curation Centre, 2011). Dobratz, Schoger, and Strathmann (2006) created nestor, the Network of Expertise in Long-Term Storage of Digital Resources. Other lesser-known researchers such as Becker, et al. (2009) described a decision-making procedure for preservation planning that provides a means for repository administrators to consider various alternatives.

This section will examine the audit and certification method known as the "Trustworthy Repositories Audit & Certification (TRAC): Criteria and Checklist" and its follow-up document, the "Audit and Certification of Trustworthy Repositories Recommended Practice". Researchers and practitioners across the globe -- including Ross, McHugh, Dobratz, et al. -- combined their efforts and contributed their expertise into developing TRAC from a draft into a final version (Research Libraries Group, 2005; Dale, 2007). Their efforts have led to the development and refinement of TRAC into a CCSDS "Recommended Practice"; this may eventually become an ISO standard.

The essay, "Managing Data: the Emergence & Development of Digital Curation & Digital Preservation Standards" describes some of the related work in this area not covered below.

Trustworthy Repositories Audit & Certification: Criteria and Checklist

The authors of TRAC created it as part of a larger international effort to define an audit and certification process to ensure the longevity of digital objects. They defined a checklist that any repository manager could use to assess the trustworthiness of the repository. The checklist provided examples of the required evidence, but the list is
considered "prescriptive"; the authors did not try to list every possible type of example. It contained three sections: "organizational infrastructure", "digital object management", and, "technologies, technical infrastructure, and security".

The authors provided a spreadsheet-style "audit checklist" called "Criteria for Measuring Trustworthiness of Digital Repositories and Archives". They noted that the criteria measured are applicable to any kind of repository, using documentation (evidence), transparency (both internal and external), adequacy (individual context), and, measurability (i.e., objective controls). The authors stated that a full certification process must include not just an external audit, but tools to allow for self-examination and planning prior to an audit (OCLC & CRL, 2007).

The terminology in the audit checklist conformed to the OAIS Reference Model. A typical policy in TRAC followed the model of statement, explanation, and evidence (see Figure 1, below).

Figure 1 - TRAC, A1.1 (OCLC & CRL, 2007).

I. Organizational Infrastructure

The authors of TRAC considered the organizational infrastructure to be as critical a component as the technical infrastructure (OCLC & CRL, 2007). This reflected the view of the authors of the OAIS Reference Model, who consider an OAIS to be "an
archive, consisting of an organization of people and systems, that has accepted the responsibility to preserve information and make it available for a Designated Community" (CCSDS, 2002). OCLC & CRL (2007) considered "organizational attributes" to be a characteristic of a trusted digital repository, and these characteristics are reflected in RLG's (2002) grouping of financial sustainability, organizational viability, procedural accountability, and administrative responsibility as four of the seven attributes of a trusted digital repository.

The authors of TRAC considered the following ten elements to be part of organizational infrastructure, but they did not limit it to only these elements.

(1) Governance
(2) Organizational structure
(3) Mandate or purpose
(4) Scope
(5) Roles and responsibilities
(6) Policy framework
(7) Funding system
(8) Financial issues, including assets
(9) Contracts, licenses, and liabilities
(10) Transparency (OCLC & CRL, 2007).

In addition, they grouped the above elements into five areas:

(1) Governance and organizational viability: the owners and managers of a repository must commit to established best practices and standards for the long term. This includes mission statements, and succession/contingency plans.
(2) Organizational structure and staffing: the repository owners and managers must commit to hiring an appropriate number of qualified staff that receives regular ongoing professional development.
(3) Procedural accountability and policy framework: the repository owners and managers must provide transparency with regards to documentation related to the long-term preservation and access of the archival data. This requirement provides evidence to stakeholders of the repository's trustworthiness. This
documentation may define the Designated Community, what policies and procedures are in place, legal requirements and obligations, reviews, feedback, self-assessment, provenance and integrity, and operations and management.
(4) Financial sustainability: the repository owners and administrators must follow solid business practices that provide for the long-term sustainability of the organization and the digital archive. This includes business plans, annual reviews, financial audits, risk management, and possible funding gaps.
(5) Contracts, licenses, and liabilities: the repository owners and administrators must make contracts and licenses "available for audits so that liabilities and risks may be evaluated". This requirement includes deposit agreements, licenses, preservation rights, collection maintenance agreements, intellectual property and copyright, and, ingest (OCLC & CRL, 2007).

II. Digital Object Management

The authors described this section as a combination of technical and organizational aspects. They organized the requirements for this section to align with six of the seven OAIS Functional Entities: Ingest, Archival Storage, Preservation Planning, Data Management, Administration, and Access (OCLC & CRL, 2007; CCSDS, 2002). The authors of the TRAC audit & checklist defined these six sections as follows.

(1) The initial phase of ingest that addresses acquisition of digital content.
(2) The final phase of ingest that places the acquired digital content into the forms, often referred to as Archival Information Packages (AIPs), used by the repository for long-term preservation.
(3) Current, sound, and documented preservation strategies along with mechanisms to keep them up to date in the face of changing technical environments.
(4) Minimal conditions for performing long-term preservation of AIPs.
(5) Minimal-level metadata to allow digital objects to be located and managed within the system.
(6) The repository's ability to produce and disseminate accurate, authentic versions of the digital objects (OCLC & CRL, 2007).

The authors further elucidated the above areas as follows.

(1) Ingest: acquisition of content
This section covered the process required to acquire content; this generally falls under the realm of a Submission Agreement between the Producer and the repository. The Producer may be external or internal to the repository's governing organization. The authors recommended considering the object's properties, any information that needs to be associated with the submitted object(s), mechanisms to authenticate the materials, verify each ingested object for integrity, maintaining control of the bits so that none may be altered at any time, regular contact with the Producer as appropriate, a formal acceptance process with the Producer for all content, and, an audit trail of the Ingest process.

(2) Ingest: creation of the archival package
The actions in this section covered the creation of an AIP. These actions involved documentation: of each AIP preserved by the repository; that each AIP created is actually adequate for preservation purposes; of the process of constructing an AIP from a SIP; of the actions performed on each SIP (deletion or creation as an AIP); of the use of persistent and unique naming schemas/identifiers, else, of the preservation of the existing unique naming schema; of the context for each AIP; of an audit trail of the metadata records ingested; of associated preservation metadata; of testing the ability of current tools to render the information content; of the verification of completeness of each AIP; of an integrity audit mechanism for the content; and, of any actions and process related to AIP creation.

(3) Preservation planning
The authors recommended four simple actions a repository administrator may take regarding keeping the archive current. The administrator must document their current preservation strategies; monitor format, etc., obsolescence; adjust the preservation plan if or when conditions change; and, provide evidence that the preservation plan used is actually effective.

(4) Archival storage & preservation/maintenance of AIPs
The actions in this section covered what is required to ensure that an AIP is actually being preserved. This involved examining multiple aspects of object maintenance, including, but not limited to, storage, tracking, checksums, migration, transformations, and copies/replicas. The repository administrator must be able to demonstrate the use of standard preservation strategies; that the repository actually implements these strategies; that the Content Information is preserved; that the integrity of the AIP is audited; and that there is an audit trail of any actions performed on an AIP.

(5) Information management
This section addressed the requirements related to descriptive metadata. The repository owner must identify the minimal metadata required for retrieval by the Designated Community; create a minimal amount of descriptive metadata and
attach it to the described object; and, prove there is referential integrity between each AIP and its associated metadata (both creation and maintenance of).

(6) Access management
The authors designed this section to address methods for providing access to the content (i.e., DIPs) in the repository to the Designated Community; they wrote that the degree of sophistication of this would vary based on the context of the repository itself and the requirements of the Designated Community. They further subdivided this section into four areas: access conditions and actions, access security, access functionality, and, provenance. In order to fulfill the requirements presented in this section, a repository owner must: provide information to the Designated Community as to what access and delivery options are actually available; require an audit of all access actions; only provide access to particular Designated Community members as agreed to with the Producer; ensure access policies are documented and comply with deposit agreements; fully implement the stated access policy; log all access failures; demonstrate the DIP generated is what the user requested; prove that access success or failure is made known to the user within a reasonable length of time; and, ensure all DIPs generated may be traced to an authentic original and are themselves authentic (OCLC & CRL, 2007).

In summary, OCLC & CRL (2007) designed this section to make it mandatory for a trustworthy digital repository to be able to produce a DIP, "however primitive".

III. Technologies, Technical Infrastructure, and Security

The authors of TRAC did not want to make specific software and hardware requirements, as many of these would fall under standard computer science best practices and they are covered by other standards. Therefore, they addressed general information technology areas as related to digital preservation.
These areas fall under one of three categories: system infrastructure, appropriate technologies, and security (OCLC & CRL, 2007).

(1) System infrastructure
This section addressed the basic infrastructure required to ensure the trustworthiness of any actions performed on an AIP. This meant that the repository administrator must be able to demonstrate that the operating systems
and other core software are maintained and updated; the software and hardware are adequate to provide backups; the number and location of all digital objects, including duplicates, are managed; all known copies are synched; audit mechanisms are in place to discover bit-level changes; any such bit-level changes are reported to management, including the steps taken to prevent further loss and replace/repair the current corruption and loss; processes are in place for hardware and software changes (e.g., migration); a change management process is in place to mitigate changes to critical processes; there is a process for testing the effect of critical changes prior to an actual implementation; and, software security updates are implemented with an awareness of the risks versus benefits of doing so.

(2) Appropriate technologies
The authors recommended that a repository administrator should look to the Designated Community for relevant standards and strategies. They proposed that the hardware and software technologies in place are appropriate for the Designated Community, and that appropriate monitoring is in place to update hardware and software as appropriate.

(3) Security
This section addressed non-IT security, as well as IT security. The authors recommended that a repository administrator conducts a regular risk assessment of internal and external threats; ensures controls are in place to address any assessed threats; decides which staff members are authorized to do what and when; and, has an appropriate disaster preparedness plan in place, including offsite recovery plan copies (OCLC & CRL, 2007).

In conclusion, the archivists, librarians, computer scientists, and other experts who contributed to the development of TRAC created a document that encompassed the minimum requirements for an OAIS Archive to be considered "trustworthy".

Audit and Certification of Trustworthy Digital Repositories Recommended Practice

The CCSDS released the "Audit and Certification of Trustworthy Digital Repositories Recommended Practice" (v. CCSDS M-1, the "Magenta Book") in September 2011 (CCSDS, 2011). This section will discuss the Recommended Practice only with regards to major differences with TRAC (OCLC & CRL, 2007), above. This is
because the two documents are similar enough that to repeat a description of each of the sections would be gratuitous.

The CCSDS described the purpose of the Recommended Practice as that of providing the documentation "on which to base an audit and certification process for assessing the trustworthiness of digital repositories" (CCSDS, 2011). The essay "Managing Data: the Emergence & Development of Digital Curation & Digital Preservation Standards" contains an overview of this Recommended Practice. This section will cover areas not covered by the overview in that essay or earlier in this document.

The three major sections of the Recommended Practice are the same as for TRAC, except that the last section has been re-named. Therefore, instead of "organizational infrastructure", "digital object management", and, "technologies, technical infrastructure, & security", the authors of the Recommended Practice renamed the last section, "infrastructure and security risk management". Within that technology section, the sections were reduced from three to two. Therefore, instead of, "system infrastructure", "appropriate technologies", and "security", the Recommended Practice contains sub-sections on "technical infrastructure risk management" and "security risk management". The subsections for "organizational infrastructure" and "digital object management" remained the same.

The CCSDS re-worded, re-organized, and expanded the content of the sub-sections, but the general ideas behind each section stayed in place. So for example, Figure 2, below, is the Recommended Practice version of the same content in the same section in TRAC from Figure 1, above.

Figure 2 - Audit and Certification of Trustworthy Digital Repositories Recommended Practice, (CCSDS, 2011).

In short, the members of the CCSDS evolved and expanded the original TRAC checklist to create the Recommended Practice, but overall, the ideas in the original version have held up well during the four-year transition to a Recommended Standard.

TRUSTED DIGITAL REPOSITORIES: REQUIREMENTS FOR CERTIFIERS

Both Waters & Garrett (1996) and RLG (2002) recommended the creation of a certification program for trusted digital repositories. As a result, librarians, archivists, computer scientists and other experts and stakeholders in digital preservation created
the "Trustworthy repositories audit & certification: criteria and checklist" in order to create a common set of standards and terminology by which a repository may be certified. These experts and others then took TRAC, via the CCSDS, and created the "Audit and Certification of Trustworthy Digital Repositories (CCSDS M-1) Recommended Practice".

As part of the process of creating this Recommended Practice, these experts also determined the requirements for bodies that will provide the audit and certification of "candidate" trustworthy digital repositories. They created a second Recommended Practice, "Requirements for bodies providing audit and certification of candidate trustworthy digital repositories CCSDS M-1". This Recommended Practice for bodies providing audit and certification is a supplement to an existing ISO Standard that outlines the requirements for a body performing audit and certification, "Conformity assessment -- Requirements for bodies providing audit and certification of management systems" (ISO/IEC 17021, 2011).

ISO/IEC Conformity Assessment

The authors of this standard covered seven primary areas: principles, general requirements, structural requirements, resource requirements, information requirements, process requirements, and, management of system requirements for certification bodies. They defined "principles" as covering impartiality, competence, responsibility, openness, confidentiality, and responsiveness to complaints. They described "general requirements" as covering legal and contractual matters, management of impartiality, and liability and financing. They kept "structural requirements" simple -- this is about the
organizational structure and top management, and a committee for safeguarding impartiality. The authors detailed "resource requirements" as covering the competence of management and personnel, the personnel involved in the certification activities, the use of individual auditors and external technical experts, personnel records, and outsourcing. They outlined "information requirements" as publicly accessible information, certification documents, directory of certified clients, reference to certification and use of marks, confidentiality, and the information exchange between a certification body and its clients.

The authors delineated "process requirements" as covering general requirements, audit and certification, surveillance activities, recertification, special audits, suspending, withdrawing or reducing the scope of certification, appeals, complaints, and, the records of applicants and clients. Finally, the authors provided three options for "management systems requirements for certification bodies" that include general management requirements and management system requirements that are in accordance with ISO In document appendices, the authors discussed the required knowledge and skills to be an auditor, the possible types of evaluation methods, provided an example of a process flow for determining and maintaining competence, desired personal behaviors, the requirements for a third-party audit and certification process, and, considerations for the audit programme, scope or plan (ISO/IEC 17021, 2011).

Requirements for Bodies Providing Audit and Certification of Candidate Trustworthy Digital Repositories Recommended Practice
More informationPTSPAS Product Assessment HAPAS Equivalent in accordance with MCHW SHW Volume 1 Clause and
1. Policy It is the policy of Pavement Testing Services Ltd (hereafter PTS) to operate its certification/ assessment services in a non-discriminatory manner. PTS shall not use procedures / processes to
More informationDEVELOPING, ENABLING, AND SUPPORTING DATA AND REPOSITORY CERTIFICATION
DEVELOPING, ENABLING, AND SUPPORTING DATA AND REPOSITORY CERTIFICATION Plato Smith, Ph.D., Data Management Librarian DataONE Member Node Special Topics Discussion June 8, 2017, 2pm - 2:30 pm ASSESSING
More informationEXAM PREPARATION GUIDE
EXAM PREPARATION GUIDE PECB Certified ISO 50001 Lead Auditor The objective of the PECB Certified ISO 50001 Lead Auditor examination is to ensure that the candidate has the knowledge and skills to plan
More informationPolicy Document. PomSec-AllSitesBinder\Policy Docs, CompanyWide\Policy
Policy Title: Binder Association: Author: Review Date: Pomeroy Security Principles PomSec-AllSitesBinder\Policy Docs, CompanyWide\Policy Joseph Shreve September of each year or as required Purpose:...
More informationISSMP is in compliance with the stringent requirements of ANSI/ISO/IEC Standard
Certification Exam Outline Effective Date: April 2013 About CISSP-ISSMP The Information Systems Security Management Professional (ISSMP) is a CISSP who specializes in establishing, presenting, and governing
More informationSession Two: OAIS Model & Digital Curation Lifecycle Model
From the SelectedWorks of Group 4 SundbergVernonDhaliwal Winter January 19, 2016 Session Two: OAIS Model & Digital Curation Lifecycle Model Dr. Eun G Park Available at: https://works.bepress.com/group4-sundbergvernondhaliwal/10/
More informationEXAM PREPARATION GUIDE
EXAM PREPARATION GUIDE PECB Certified ISO/IEC 17025 Lead Auditor The objective of the PECB Certified ISO/IEC 17025 Lead Auditor examination is to ensure that the candidate possesses the needed expertise
More information"Energy and Ecological Transition for the Climate" Label Control and Monitoring Plan Guidelines
MINISTRY OF ENVIRONMENT, ENERGY AND THE SEA "Energy and Ecological Transition for the Climate" Label Control and Monitoring Plan Guidelines Contents FOREWORD... 3 INTRODUCTION... 4 I. INITIAL CERTIFICATION
More informationEuropean digital repository certification: the way forward
Data Archiving and Networked Services European digital repository certification: the way forward Ingrid Dillo (DANS) EUDAT 3 rd User Forum Prague, 24 April 2014 DANS is an institute of KNAW en NWO Content
More informationEA-7/05 - EA Guidance on the Application of ISO/IEC 17021:2006 for Combined Audits
Publication Reference EA-7/05 EA Guidance on the Application of ISO/IEC 17021:2006 for Combined Audits PURPOSE This document has been prepared by a task force under the direction of the European Cooperation
More informationVOLUNTARY CERTIFICATION SCHEME FOR MEDICINAL PLANT PRODUCE
VOLUNTARY CERTIFICATION SCHEME FOR MEDICINAL PLANT PRODUCE - REQUIREMENTS FOR CERTIFICATION BODIES 1. INTRODUCTION 1.1 The Certification Bodies (CBs) are expected to meet the process for their approval
More informationProfessional Evaluation and Certification Board Frequently Asked Questions
Professional Evaluation and Certification Board Frequently Asked Questions 1. About PECB... 2 2. General... 2 3. PECB Official Training Courses... 4 4. Course Registration... 5 5. Certification... 5 6.
More informationAmerican Association for Laboratory Accreditation
R311 - Specific Requirements: Federal Risk and Authorization Management Program Page 1 of 10 R311 - Specific Requirements: Federal Risk and Authorization Management Program 2017 by A2LA. All rights reserved.
More informationDigital Preservation with Special Reference to the Open Archival Information System (OAIS) Reference Model: An Overview
University of Kalyani, India From the SelectedWorks of Sibsankar Jana February 27, 2009 Digital Preservation with Special Reference to the Open Archival Information System (OAIS) Reference Model: An Overview
More informationAn Audit Checklist for the Certification of Trusted Digital Repositories DRAFT FOR PUBLIC COMMENT
An Audit Checklist for the Certification of Trusted Digital Repositories DRAFT FOR PUBLIC COMMENT RLG Mountain View, CA August 2005 Copyright 2005 RLG and NARA National Archives and Records Administration
More informationSolutions Technology, Inc. (STI) Corporate Capability Brief
Solutions Technology, Inc. (STI) Corporate Capability Brief STI CORPORATE OVERVIEW Located in the metropolitan area of Washington, District of Columbia (D.C.), Solutions Technology Inc. (STI), women owned
More informationDefining OAIS requirements by Deconstructing the OAIS Reference Model Date last revised: August 28, 2005
Defining OAIS requirements by Deconstructing the OAIS Reference Model Date last revised: August 28, 2005 This table includes text extracted directly from the OAIS reference model (Blue Book, 2002 version)
More informationAn Overview of ISO/IEC family of Information Security Management System Standards
What is ISO/IEC 27001? The ISO/IEC 27001 standard, published by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC), is known as Information
More informationDeveloping a Research Data Policy
Developing a Research Data Policy Core Elements of the Content of a Research Data Management Policy This document may be useful for defining research data, explaining what RDM is, illustrating workflows,
More informationSession 609 Tuesday, October 22, 2:45 PM - 3:45 PM Track: IT Governance and Security
Session 609 Tuesday, October 22, 2:45 PM - 3:45 PM Track: IT Governance and Security An Overview of Recent Changes to ISO 20000 Ron Lester Enterprise Service Management Consultant, Information Technology
More informationDigital Preservation Policy. Principles of digital preservation at the Data Archive for the Social Sciences
Digital Preservation Policy Principles of digital preservation at the Data Archive for the Social Sciences 1 Document created by N. Schumann Document translated by A. Recker, L. Horton Date created 18.06.2013
More informationUNIVERSITY OF NOTTINGHAM LIBRARIES, RESEARCH AND LEARNING RESOURCES
UNIVERSITY OF NOTTINGHAM LIBRARIES, RESEARCH AND LEARNING RESOURCES Digital Preservation and Access Policy 2015 Contents 1.0 Document Control... 3 2.0 Aim... 5 2.1 Purpose... 5 2.2 Digital Preservation
More informationPRODUCT SAFETY PROFESSIONAL CERTIFICATION PROGRAM DETAILS. Overview
Overview PRODUCT SAFETY PROFESSIONAL CERTIFICATION PROGRAM DETAILS The Product Safety Professional Certification Program at the Richard A. Chaifetz School of Business focuses on the theoretical as well
More informationTexas Reliability Entity, Inc. Strategic Plan for 2017 TEXAS RE STRATEGIC PLAN FOR 2017 PAGE 1 OF 13
Texas Reliability Entity, Inc. Strategic Plan for 2017 TEXAS RE STRATEGIC PLAN FOR 2017 PAGE 1 OF 13 I. Vision A highly reliable and secure bulk power system in the Electric Reliability Council of Texas
More informationReference Framework for the FERMA Certification Programme
Brussels, 23/07/2015 Dear Sir/Madam, Subject: Invitation to Tender Reference Framework for the FERMA Certification Programme Background The Federation of European Risk Management Associations (FERMA) brings
More informationSecurity and Privacy Governance Program Guidelines
Security and Privacy Governance Program Guidelines Effective Security and Privacy Programs start with attention to Governance. Governance refers to the roles and responsibilities that are established by
More informationTrust Service Provider Technical Best Practices Considering the EU eidas Regulation (910/2014)
Trust Service Provider Technical Best Practices Considering the EU eidas Regulation (910/2014) This document has been developed by representatives of Apple, Google, Microsoft, and Mozilla. Document History
More informationQMS/EMS CB Accreditation Criteria
QMS/EMS CB Accreditation Criteria 2015-04-15 Korea Accreditation Board (KAB) QMS/EMS CB ACCREDITATION CRITERIA ( 1 /92 ) Introduction 1. This document set outs criteria for bodies operating assessment
More informationSTRATEGIC PLAN. USF Emergency Management
2016-2020 STRATEGIC PLAN USF Emergency Management This page intentionally left blank. Organization Overview The Department of Emergency Management (EM) is a USF System-wide function based out of the Tampa
More informationWhen Recognition Matters WHITEPAPER ISO SUPPLY CHAIN SECURITY MANAGEMENT SYSTEMS.
When Recognition Matters WHITEPAPER ISO 28000 SUPPLY CHAIN SECURITY MANAGEMENT SYSTEMS www.pecb.com CONTENT 3 4 4 4 4 5 6 6 7 7 7 8 9 10 11 12 Introduction An overview of ISO 28000:2007 Key clauses of
More informationRegulation for the accreditation of product Certification Bodies
Title Reference Regulation for the accreditation of product Certification Bodies RG-01-03 Revision 00 Date 2014-04-14 Preparation Approval Authorization of issue Application date Director of the Dept.
More informationIS Audit and Assurance Guideline 2001 Audit Charter
IS Audit and Assurance Guideline 2001 Audit Charter The specialised nature of information systems (IS) audit and assurance and the skills necessary to perform such engagements require standards that apply
More informationEXAM PREPARATION GUIDE
When Recognition Matters EXAM PREPARATION GUIDE PECB Certified ISO/IEC 27001 Lead Auditor www.pecb.com The objective of the Certified ISO/IEC 27001 Lead Auditor examination is to ensure that the candidate
More informationASBO International. SFO Recertification Guide One-Step Process. Updated February 1, 2018 Tel: x
SM ASBO International SFO Recertification Guide One-Step Process Updated February 1, 2018 Tel: 866.682.2729 x7079 Email: certification@asbointl.org Contents Recertification Guide One-Step Process.... 3
More informationCRITERIA FOR CERTIFICATION BODY ACCREDITATION IN THE FIELD OF RISK BASED INSPECTION MANAGEMENT SYSTEMS
CRITERIA FOR CERTIFICATION BODY ACCREDITATION IN THE FIELD OF RISK BASED INSPECTION MANAGEMENT SYSTEMS Approved By: Executive: Accreditation: Mpho Phaloane Revised By: RBI STC Working Group Members Date
More informationEXAM PREPARATION GUIDE
When Recognition Matters EXAM PREPARATION GUIDE PECB Certified ISO 14001 Lead Implementer www.pecb.com The objective of the PECB Certified ISO 14001 Lead Implementer examination is to ensure that the candidate
More informationEXAM PREPARATION GUIDE
When Recognition Matters EXAM PREPARATION GUIDE PECB Certified ISO 37001 Lead Auditor www.pecb.com The objective of the Certified ISO 37001 Lead Auditor examination is to ensure that the candidate possesses
More informationPEFC Certification System Netherlands - Certification Procedures
PCSN SCHEME DOCUMENT PCSN IV Issue 2 10-03-2017 PEFC Certification System Netherlands - Certification Procedures PEFC Netherlands Kokermolen 11 3994 DG Houten The Netherlands Tel: +31 30 693 0040 Fax:
More informationEXAM PREPARATION GUIDE
EXAM PREPARATION GUIDE PECB Certified ISO 39001 Lead Auditor The objective of the PECB Certified ISO 39001 Lead Auditor examination is to ensure that the candidate has the knowledge and skills to plan
More informationStandards for Accrediting Forensic Specialty Certification Boards
FORENSIC SPECIALTIES ACCREDITATION BOARD, Inc. 410 North 21 st Street, Colorado Springs, CO 80904 Standards for Accrediting Forensic Specialty Certification Boards 1. Scope This document outlines the standards
More informationAdministrative Directive No. 4: 2011 Continuing Professional Education Requirements for All Certification Programs
Administrative Directive No. 4: 2011 Continuing Professional Education Requirements for All Certification Programs Purpose This document contains the mandatory Continuing Professional Education (CPE) requirements
More informationFSC STANDARD. Standard for Multi-site Certification of Chain of Custody Operations. FSC-STD (Version 1-0) EN
FOREST STEWARDSHIP COUNCIL INTERNATIONAL CENTER FSC STANDARD Standard for Multi-site Certification of Chain of Custody Operations FSC-STD-40-003 (Version 1-0) EN 2007 Forest Stewardship Council A.C. All
More informationBuilding a Digital Repository on a Shoestring Budget
Building a Digital Repository on a Shoestring Budget Christinger Tomer University of Pittsburgh! PALA September 30, 2014 A version this presentation is available at http://www.pitt.edu/~ctomer/shoestring/
More informationThe International Journal of Digital Curation Issue 1, Volume
92 Digital Archive Policies Issue 1, Volume 2 2007 Digital Archive Policies and Trusted Digital Repositories MacKenzie Smith, MIT Libraries Reagan W. Moore, San Diego Supercomputer Center June 2007 Abstract
More informationWorkshop Item 1 - ISO 9001: 2008 migration
Workshop Item 1 - ISO 9001: 2008 migration Joint IAF-ISO Communiqué on migration to ISO 9001: 2008 ISO 9001: 2008 does not contain any new requirements Accredited Certification to ISO 9001:2008 shall not
More informationSystems and software engineering Requirements for managers of information for users of systems, software, and services
This is a preview - click here to buy the full publication INTERNATIONAL STANDARD ISO/IEC/ IEEE 26511 Second edition 2018-12 Systems and software engineering Requirements for managers of information for
More informationILNAS/PSCQ/Pr004 Qualification of technical assessors
Version 1.1 21.6.2016 Page 1 of 6 ILNAS/PSCQ/Pr004 Qualification of technical assessors Modifications: review of the document 1, avenue du Swing L-4367 Belvaux Tél.: (+352) 247 743-53 Fax: (+352) 247 943-50
More informationOAIS: What is it and Where is it Going?
OAIS: What is it and Where is it Going? Presentation on the Reference Model for an Open Archival System (OAIS) Don Sawyer/NASA/GSFC Lou Reich/NASA/CSC FAFLRT/ALA FAFLRT/ALA 1 Organizational Background
More information1.1 Levels of qualification
1 The ITIL Qualification Scheme ITIL (formerly known as the Information Technology Infrastructure Library) is best-practice guidance for IT Service Management, which is used by many hundreds of organizations
More informationACCAB. Accreditation Commission For Conformity Assessment Bodies
ACCAB Accreditation Commission For Conformity Assessment Bodies ACCAB Platinum Plus Accreditation For Certification Bodies, Inspection Bodies, Testing & Calibration Laboratories and Medical Laboratories
More information