Notes from MM 20 June 2007

4pm UK time using MegaMeeting at RAC


MarkConrad NARA
RobertDowns CIESIN, Columbia University
JohnGarrett NASA GSFC
SimonLambert STFC
DonaldSawyer NASA's Goddard Space Flight Center


The discussion continued from the previous meeting and subsequent emails, and began with the question of whether an unbroken chain of custody can be a requirement. Some archives will certainly need to be concerned with this, that is, with the extent to which an archive is required to validate what it receives from the producer. At the moment TRAC just says to let the producer know; there is no verification between producer and archive. One of the issues is understanding what the "original" is in terms of the archive. In some cases, such as archiving Web content, there will not be a "producer". MarkConrad argued for non-repudiation both ways, to take account of the risk of spoofing, for example.

This leads to a more general question: what is the intended scope of the certification, and which organisations will want their repository certified? Making the requirements too rigorous might be unacceptable to some. MarkConrad proposed using a risk assessment approach rather than mandatory requirements.

MarkConrad - 27 Jun 2007 I did not propose using the risk assessment approach. I pointed out that that was what was proposed at the original BOF meeting.

Requirements for the standard

Proposed requirements for the standard

* support accreditation and certification processes
* provide guidance/hints to help production of "best practice" guides
* provide ability for "self-certification"
* provide the basis for tools - e.g. expert assistant
* proposed standard should use a continuous quality improvement model or maturity model
* the quality improvement model should be based on the PDCA approach used in ISO 27001 and 9001, which themselves base the approach on the OECD document OECD Guidelines for the Security of Information Systems and Networks
* the proposed standard should use a risk assessment approach rather than a fully mandated approach
* should be explicitly "aligned" with a number of other ISO standards such as ISO9000

DonaldSawyer argued that the standard cannot require all producers to publish what they submit, for example in the case of dark archives.

Working with the TRAC document on the wiki, it was agreed to delete B2.6 and incorporate it as an example in B1.1.

It was agreed to make edits directly on the wiki but to use formatting (e.g. underline) to show where text has been added. It will also need to be made clear that the document is now an edited version of TRAC rather than the original.

It was agreed to flag any non-OAIS terms encountered, keeping the original but tagging it with a possible OAIS equivalent.

ACTION: on SimonLambert to add the full text of the TRAC document to the wiki.

ACTION: on DonaldSawyer to continue looking at NSSDC (ongoing from previous meeting).

ACTION: on MarkConrad to examine section B1 from the perspective of chain of custody.

ACTION: on all to continue annotation of the working document using the approach agreed above.

-- SimonLambert - 21 Jun 2007

