Agenda. Bibliography

Similar documents
UNT Libraries TRAC Audit Checklist

Trusted Digital Repositories. A systems approach to determining trustworthiness using DRAMBORA

31 March 2012 Literature Review #4 Jewel H. Ward

Conducting a Self-Assessment of a Long-Term Archive for Interdisciplinary Scientific Data as a Trustworthy Digital Repository

MAPPING STANDARDS! FOR RICHER ASSESSMENTS. Bertram Lyons AVPreserve Digital Preservation 2014 Washington, DC

University of British Columbia Library. Persistent Digital Collections Implementation Plan. Final project report Summary version

Data Curation Handbook Steps

Certification Efforts at Nestor Working Group and cooperation with Certification Efforts at RLG/OCLC to become an international ISO standard

MetaArchive Cooperative TRAC Audit Checklist

Improving a Trustworthy Data Repository with ISO 16363

Certification. F. Genova (thanks to I. Dillo and Hervé L Hours)

Trust and Certification: the case for Trustworthy Digital Repositories. RDA Europe webinar, 14 February 2017 Ingrid Dillo, DANS, The Netherlands

DRS Policy Guide. Management of DRS operations is the responsibility of staff in Library Technology Services (LTS).

Report on compliance validation

An Audit Checklist for the Certification of Trusted Digital Repositories DRAFT FOR PUBLIC COMMENT

University of Maryland Libraries: Digital Preservation Policy

IT Governance ISO/IEC 27001:2013 ISMS Implementation. Service description. Protect Comply Thrive

TARGET2-SECURITIES INFORMATION SECURITY REQUIREMENTS

The OAIS Reference Model: current implementations

An overview of the OAIS and Representation Information

ISO Self-Assessment at the British Library. Caylin Smith Repository

Emory Libraries Digital Collections Steering Committee Policy Suite

Information Security Policy

ISO / IEC 27001:2005. A brief introduction. Dimitris Petropoulos Managing Director ENCODE Middle East September 2006

The International Journal of Digital Curation Issue 1, Volume

Digital Preservation with Special Reference to the Open Archival Information System (OAIS) Reference Model: An Overview

GEOSS Data Management Principles: Importance and Implementation

DRI: Preservation Planning Case Study Getting Started in Digital Preservation Digital Preservation Coalition November 2013 Dublin, Ireland

Information Technology General Control Review

Digital Preservation Policy. Principles of digital preservation at the Data Archive for the Social Sciences

PROTERRA CERTIFICATION PROTOCOL V2.2

An Overview of ISO/IEC family of Information Security Management System Standards

Building a Digital Repository on a Shoestring Budget

Session Two: OAIS Model & Digital Curation Lifecycle Model

Applying Archival Science to Digital Curation: Advocacy for the Archivist s Role in Implementing and Managing Trusted Digital Repositories

Advent IM Ltd ISO/IEC 27001:2013 vs

GETTING STARTED WITH DIGITAL COMMONWEALTH

From production to preservation to access to use: OAIS, TDR, and the FDLP OAIS TRAC / TDR

ISO Information and documentation Digital records conversion and migration process

Ensuring Proper Storage for Earth Science Data: The USGS Process to Certify Trusted Digital Repositories

Security Management Models And Practices Feb 5, 2008

DIRECTIVE ON RECORDS AND INFORMATION MANAGEMENT (RIM) January 12, 2018

DCH-RP Trust-Building Report

<goals> 10/15/11% From production to preservation to access to use: OAIS, TDR, and the FDLP

Security and Privacy Governance Program Guidelines

Developing a Research Data Policy

TEL2813/IS2820 Security Management

CERTIFICATION BODY (CB) APPROVAL REQUIREMENTS FOR THE IFFO RESPONSIBLE SUPPLY (IFFO RS) AUDITS AND CERTIFICATION

Google Cloud & the General Data Protection Regulation (GDPR)

"Charting the Course... Certified Information Systems Auditor (CISA) Course Summary

New York Department of Financial Services Cybersecurity Regulation Compliance and Certification Deadlines

Document Title Ingest Guide for University Electronic Records

Version 1/2018. GDPR Processor Security Controls

Checklist According to ISO IEC 17024:2012 for Certification Bodies for person

Information Technology Security Plan Policies, Controls, and Procedures Identify Governance ID.GV

CCISO Blueprint v1. EC-Council

Protecting your data. EY s approach to data privacy and information security

Woodson Research Center Digital Preservation Policy

John Snare Chair Standards Australia Committee IT/12/4

When Recognition Matters WHITEPAPER ISO SUPPLY CHAIN SECURITY MANAGEMENT SYSTEMS.

ISO 9001 Auditing Practices Group Guidance on:

STAFF REPORT. January 26, Audit Committee. Information Security Framework. Purpose:

ADIENT VENDOR SECURITY STANDARD

International Audit and Certification of Digital Repositories

VOLUNTARY CERTIFICATION SCHEME FOR MEDICINAL PLANT PRODUCE REQUIREMENTS FOR CERTIFICATION BODIES

OAIS: What is it and Where is it Going?

Information Technology Branch Organization of Cyber Security Technical Standard

DRS Update. HL Digital Preservation Services & Library Technology Services Created 2/2017, Updated 4/2017

J. Welles Henderson Archives & Library Digital Preservation Policy Approved: October 26, 2016

Information technology Security techniques Information security controls for the energy utility industry

Minimum Requirements For The Operation of Management System Certification Bodies

Digital Preservation DMFUG 2017

Continuous protection to reduce risk and maintain production availability

Canada Life Cyber Security Statement 2018

Establishing Trust in Data Curation: OAIS and TRAC applied to a Data Staging Repository (DataStaR)

OpenChain Specification Version 1.3 (DRAFT)

Audit Report. The Prince s Trust. 27 September 2017

RSB Standard for participating operators

ROLE DESCRIPTION IT SPECIALIST

Workshop Item 1 - ISO 9001: 2008 migration

Digital Archiving at the Archaeology Data Service: A Quest for OAIS Compliance

Digital Preservation at NARA

GDPR Processor Security Controls. GDPR Toolkit Version 1 Datagator Ltd

ISO/IEC Information technology Security techniques Code of practice for information security management

IT Information Security Manager Job Description

April Appendix 3. IA System Security. Sida 1 (8)

Digital Preservation Standards Using ISO for assessment

ISO27001 Preparing your business with Snare

Chain of Preservation Model Diagrams and Definitions

Checklist According to ISO IEC 17065:2012 for bodies certifying products, process and services

UNIVERSITY OF NOTTINGHAM LIBRARIES, RESEARCH AND LEARNING RESOURCES

Grid Security Policy

Introduction to Digital Preservation. Danielle Mericle University of Oregon

Managing SaaS risks for cloud customers

Digital Preservation Capability Maturity Model (DPCMM) BACKGROUND AND PERFORMANCE METRICS

Checklist and guidance for a Data Management Plan, v1.0

Checklist: Credit Union Information Security and Privacy Policies

ISO/IEC INTERNATIONAL STANDARD. Information technology Security techniques Code of practice for information security management

Scheme Document SD 003

Guidance Solvency II data quality management by insurers

Transcription:

Humor 2 1

Agenda 3 Trusted Digital Repositories (TDR) definition Open Archival Information System (OAIS) its relevance to TDRs Requirements for a TDR Trustworthy Repositories Audit & Certification: Criteria and Checklist (TRAC) Bibliography 4 Consultative Committee for Space Data Systems. Reference Model for an Open Archival Information System (OAIS). http://public.ccsds.org/publications/archive/650x0b 1.pdf The basis of TDRs OCLC, CRL, NARA. Trustworthy Repositories Audit & Certification: Criteria and Checklist. http://www.crl.edu/pdf/trac.pdf Trusted Digital Repositories: Attributes and Responsibilities: An RLG-OCLC Report. http://www.rlg.org/legacy/longterm/repositories.pdf Dated but still relevant 2

TDR Definition 5 A trusted digital repository is one whose mission is to provide reliable, long-term access to managed digital resources to its designated community, now and in the future. Trusted digital repositories may take different forms: some institutions may choose to build local repositories while others may choose to manage the logical and intellectual aspects of a repository while contracting with a third-party provider for its storage and maintenance. Requirements 6 Accept responsibility for the long-term maintenance of digital resources on behalf of its depositors and for the benefit of current and future users; Have an organizational system that supports not only long-term viability of the repository, but also the digital information for which it has responsibility; 3

Requirements 7 Demonstrate fiscal responsibility and sustainability; Design its system(s) in accordance with commonly accepted conventions and standards to ensure the ongoing management, access, and security of materials deposited within it; Establish methodologies for system evaluation that meet community expectations of trustworthiness; Requirements 8 Be depended upon to carry out its longterm responsibilities to depositors and users openly and explicitly; Have policies, practices, and performance that can be audited and measured; High-level organizational and curatorial responsibilities 4

High-level organizational and curatorial responsibilities 9 Understand your local requirements Identify organizations that might share responsibilities for providing access and preservation services Identify which responsibilities can be shared Attributes of a Trusted Digital Repository 10 Compliance with the Reference Model for an Open Archiavl Information System (OAIS) Administrative responsibility Organizational Viability Financial sustainability Technological and procedural suitability System Security Procedural accountability 5

OAIS Information Model Parts of the OAIS 12 Submission Information Package (SIP) Package sent to OAIS by producer Form and content negotiated Archival Information Package (AIP) All of the qualities needed for permanent long term preservation of an Information Object Preservation Description Information (PDI)s 6

Dissemination Information Package 13 The version of the resource sent to the user. May be one or more AIPs May be all or parts of AIPs 14 7

OAIS, TDR & TRAC 15 TDR and TRAC use OAIS as a model for understanding the processes of ingest, storage and preservation, and dissemination. TRAC 16 Full name: Trustworthy Repositories Audit and Certification: Criteria and Checklist (TRAC) Product of the RLG-NARA Task Force on Digital Repository Certification 8

Uses of TRAC 17 Repository planning guidance Planning and development of a certified repository Periodic internal assessment of a repository Analysis of institutional repository services Objective, third party evaluation of archiving and repository services Mission of a TDR 18 "Provide reliable, long-term access to managed digital resources to its designated community, now and into the future" (TDR 2002) 9

Determining Trustworthiness 19 Evaluate entire system in which digital information is managed Threats and risks within systems Transparency Proofs of Certification 20 Documentation (evidence) workflows, procedures, logs Regularly reviewed and updated Transparency "Only a repository that exposes its design, specifications, practices, policies and procedures for risk analysis can be trusted" (TRAC p. 6) 10

Proofs of Certification 21 Adequacy can the repository meet its stated commitments? Is it doing what it says it's doing? Measurability objective controls against which repositories can be evaluated. If no measurable criteria, then evaluation must note indicators of the degree of trustworthiness Audit & Certification Criteria 22 Organizational infrastructure Digital Object management Technologies, technical infrastructure, and security 11

A. Organizational infrastructure 23 A1. Governance and organizational viability A2. Organizational structure & staffing A3. Procedural accountability & policy framework A4. Financial sustainability A5. Contracts, licenses, & liabilities A1 Governance & Organizational Viability Sample 24 A1.1 Repository has a mission statement that reflects a commitment to the long-term retention of, management of, and access to digital information. The mission statement of the repository must be clearly identified and accessible to depositors and other stakeholders and contain an explicit long-term commitment. Evidence: Mission statement for the repository; mission statement for the organizational context in which the repository sits; legal or legislative mandate; regulatory requirements. 12

A2 Organizational structure & staffing Sample A2.1 Repository has identified and established the duties that it needs to perform and has appointed staff with adequate skills and experience to fulfill these duties. The repository must identify the competencies and skill sets required to operate the repository over time and demonstrate that the staff and consultants have the range of requisite skills e.g., archival training, technical skills, and legal expertise. Evidence: A staffing plan; competency definitions; job description; development plans; plus evidence that the repository review and maintains these documents as requirements evolve. 25 A3. Procedural accountability & policy framework--sample 26 A3.4 Repository is committed to formal, periodic review and assessment to ensure responsiveness to technological developments and evolving requirements. Long-term preservation is a shared and complex responsibility. A trusted digital repository contributes to and benefits from the breadth and depth of community-based standards and practice. Regular review is a requisite for ongoing and healthy development of the repository. The organizational context of the repository should determine the frequency of, extent of, and process for self-assessment. The repository must also be able to provide a specific set of requirements it has defined, is maintaining, and is striving to meet. (See also A3.9.) Evidence: A self-assessment schedule, timetables for review and certification; results of self-assessment; evidence of implementation of review outcomes. 13

A4. Financial sustainability Sample 27 A4.3 Repository s financial practices and procedures are transparent, compliant with relevant accounting standards and practices, and audited by third parties in accordance with territorial legal requirements. The repository cannot just claim transparency, it must show that it adjusts its business practices to keep them transparent, compliant, and auditable. Confidentiality requirements may prohibit making information about the repository s finances public, but the repository should be able to demonstrate that it is as transparent as it needs to be and can be within the scope of its community. Evidence: Demonstrated dissemination requirements for business planning and practices; citations to and/or examples of accounting and audit requirements, standards, and practice; evidence of financial audits already taking place. A5. Contracts, licenses, & liabilities Sample 28 A5.4 Repository tracks and manages intellectual property rights and restrictions on use of repository content as required by deposit agreement, contract, or license. The repository should have a mechanism for tracking licenses and contracts to which it is obligated. Whatever the format of the tracking system, it must be sufficient for the institution to track, act on, and verify rights and restrictions related to the use of the digital objects within the repository. Evidence: A policy statement that defines and specifies the repository s requirements and process for managing intellectual property rights; depositor agreements; samples of agreements and other documents that specify and address intellectual property rights; demonstrable way to monitor intellectual property; results from monitoring. 14

B. Digital Object Management 29 B1. The initial phase of ingest that addresses acquisition of digital content B2. The final phase of ingest that places the acquired digital content into the forms, often referred to as Archival Information Packages (AIPs) used by the repository for long-term preservation B3. Current, sound and documented preservation strategies along with mechanisms to keep them up to date in the face of changing technical environments. B. Digital Object Management 30 B4. Minimal conditions for performing longterm preservation of AIPs B5. Minimal-level metadata to allow digital objects to be located and managed within the system B6. The repository's ability to produce and disseminate accurate, authentic, versions of the digital objects. 15

B1: Ingest Sample B1.3 Repository has mechanisms to authenticate the source of all materials. The repository s written standard operating procedures and actual practices must ensure the digital objects are obtained from the expected source, that the appropriate provenance has been maintained, and that the objects are the expected objects. Confirmation can use various means including, but not limited to, digital processing and data verification and validation, and through exchange of appropriate instrument of ownership (e.g., submission agreements/deposit agreement/deed of gift). Evidence: Submission agreements/deposit agreements/deeds of gift; workflow documents; evidence of appropriate technological measures; logs from procedures and authentications. 31 B2: AIPs Sample B2.4 Repository can demonstrate that all submitted objects (i.e., SIPs) are either accepted as whole or part of an eventual archival object (i.e., AIP), or otherwise disposed of in a recorded fashion. The timescale of this process will vary between repositories from seconds to many months, but SIPs must not remain in a limbo-like state forever. The accessioning procedures and the internal processing and audit logs should maintain records of all internal transformations of SIPs to demonstrate that they either become AIPs (or part of AIPs) or are disposed of. Appropriate descriptive information should also document the provenance of all digital objects. Evidence: System processing files; disposal records; donor or depositor agreements/deeds of gift; provenance tracking system; system log files. 32 16

B3: Preservation Strategies Sample 33 B3.1 Repository has documented preservation strategies. A repository or archiving system must have current, sound, and documented preservation strategies. These will typically address the degradation of storage media, the obsolescence of media drives, and the obsolescence of Representation Information (including formats), safeguards against accidental or intentional digital corruption. For example, if migration is the chosen approach to some of these issues, there also needs to be policy on what triggers a migration and what types of migration are expected for the solution of each preservation issue identified. Evidence: Documentation identifying each preservation issue and the strategy for dealing with that issue. B4: Long-Term Preservation Sample 34 B4.3 Repository preserves the Content Information of archival objects (i.e., AIPs). The repository must be able to demonstrate that the AIPs faithfully reflect what was captured during ingest and that any subsequent or future planned transformations will continue to preserve that aspect of the repository s holdings. This requirement assumes that the repository has a policy specifying that AIPs cannot be deleted at any time. This particularly simple and robust implementation preserves links between what was originally ingested, as well as new versions that have been transformed or changed in any way. Depending upon implementation, these newer objects may be completely new AIPs or merely updated AIPs. Either way, persistent links between the ingested object and the AIP should be maintained. Evidence: Policy documents specifying treatment of AIPs and whether they may ever be deleted; ability to demonstrate the chain of AIPs for any particular digital object or group of objects ingested; workflow procedure documentation. 17

B5: Metadata 35 B5.2 Repository captures or creates minimum descriptive metadata and ensures that it is associated with the archived object (i.e., AIP). The repository has to show how it gets its required metadata. Does it require the producers to provide it (refusing a deposit that lacks it) or does it supply some metadata itself during ingest? Associating the metadata with the object is important, though it does not require a one-to-one correspondence, and metadata need not necessarily be stored with the AIP. Hierarchical schemes of description allow some descriptive elements to be associated with many items. The association should be unbreakable it must never be lost even if other associations are created. Evidence: Descriptive metadata; persistent identifier/locator associated with AIP; system documentation and technical architecture; depositor agreements; metadata policy documentation, incorporating details of metadata requirements and a statement describing where responsibility for its procurement falls; process workflow documentation. B6: Access Management Sample 36 B6.1 Repository documents and communicates to its designated community(ies) what access and delivery options are available. Repository policies should document the various aspects of access to and delivery of the preserved information. Generally, the designated community(ies) should know the policies or at least the consequences of them. The users should know what they can ask for, when, and how, and what it costs, among other things. See Appendix 6: Understanding Digital Repositories & Access Functionality for an in-depth review of digital repository access requirements. Repositories might have to deal with a single, homogeneous community or with multiple or disparate communities. Different policies might be needed for different communities as well as for different collection types. Evidence: Public versions of access policies; delivery policies; fee policies. 18

Technologies Technical Infrastructure & Security 37 C1. General system infrastructure requirements C2. Appropriate technologies, building on the system infrastructure requirements, with additional criteria specifying the use technologies and strategies appropriate to the repository s designated community(ies). C3. Security from IT systems, such as servers, firewalls, or routers to fire protection systems and flood detection to systems that involve actions by people. C1. General system infrastructure requirements Sample 38 C1.1 Repository functions on well-supported operating systems and other core infrastructural software. The requirement specifies well-supported as opposed to manufacturersupported or other similar phrases. The level of support for these elements of the infrastructure must be appropriate to their uses; the repository must show that it understands where the risks lie. The degree of support required relates to the criticality of the subsystem involved. A repository may deliberately have an old system using out-of-date software to support some aspects of its ingest function. If this system fails, it may take some time to replace it, if it can be replaced at all. As long as its failure does not affect mission-critical functions, this is acceptable. Systems used for internal development may not be protected or supported to the same level as those for end-user service. Evidence: Software inventory; system documentation; support contracts; use of strongly community supported software (i.e., Apache). 19

C2: Appropriate technologies Sample 39 C2.1 Repository has hardware technologies appropriate to the services it provides to its designated community(ies) and has procedures in place to receive and monitor notifications, and evaluate when hardware technology changes are needed. The repository needs to be aware of the types of access services expected by its designated community(ies), including, where applicable, the types of media to be delivered, and needs to make sure its hardware capabilities can support these services. For example, it may need to improve its networking bandwidth over time to meet growing access data volumes and expectations. Evidence: Technology watch; documentation of procedures; designated community profiles; user needs evaluation; hardware inventory. C3: Security Sample 40 C3.1 Repository maintains a systematic analysis of such factors as data, systems, personnel, physical plant, and security needs. Regular risk assessment should address external threats and denial of service attacks. These analyses are likely to be documented in several different places, and need not be comprehensively contained in a single document Evidence: ISO 17799 certification; documentation describing analysis and risk assessments undertaken and their outputs; logs from environmental recorders; confirmation of successful staff vetting. 20

Sample TDR Checklist Page 41 What Does this Mean for My Institution? 42 You need assurances Are my digital assets accessible and authentic? Will they be accessible and authentic in the future? What threats to my assets must I address? 21

Your Institution and TDRs 43 You may wish to create a TDR Assumes organizational viability, funding and adequate technological viability TRAC as a self-evaluation tool Your institution joins a consortial TDR Members expect repository to meet TRAC certification TRAC as a tool for establishing trust Repository must be transparent in its practices to its members Your Institution and TDRs 44 Your institution uses a vendor to provide repository services TRAC as a criterion for choosing repository services Repository must be transparent in its practices to its customers Requirements are flexible make sure vendor follows TRAC in a way that meets your needs. 22

TDRS Not a Silver Bullet 45 TDRs do not represent the complete solution for digital preservation No one has the complete solution TDRs deal with two issues Organization management Near-term preservation measures 23

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback