Notes from Megameeting 12th October 2009
Attendees
Summary
Section 7.2.1.1 of the "Requirements for Bodies ..." document was discussed. The implications of the requirement for training were clarified (see transcript below for details).
It was agreed:
- to drop point (d) from the list as it is covered by 7.2.1.1.1
- to drop point (h) as it does not add anything (I think this was agreed)
To look at next time:
- Continue from section 7.2.1.1
Transcript of chat
BruceAmbacher >> (All): John, Thanks for the version that incorporates the
standard into it. It is helpful
BruceAmbacher >> (All): Are there enough of us to accomplish anything?
JOhnGarrett >> (All): Good, I was hoping it would be. It certainly helps me see
what the requirements really are.
SimonLambert >> (All): Yes, agreed, it gives essential context
BruceAmbacher >> (All): This will be very helpful for Terry
JOhnGarrett >> (All): Since our group is normally small so far for this, I think
we could do something if we feel like it.
SimonLambert >> (All): We said last time we'd look at Section 7.2.1.1 d, g and h
SimonLambert >> (All): and 9.2
JOhnGarrett >> (All): We can either work on the areas that Simon identified and
we started on last time. Or march through sections where we just picked up
17021 requirements and agree we don't need other stuff.
JOhnGarrett >> (All): OK with me if we start as we said last week.
SimonLambert >> (All): though what John said should be checked some time to
make sure nothing important is missed
RobertDowns >> (All): For 7.2.1.1d, it looks like the word "activity" needs
clarification.
SimonLambert >> (All): Yes - does it really mean "repository"? Or area of
concern of the repository?
RobertDowns >> (All): It could either refer to the repository or the type of
data.
BruceAmbacher >> (All): Could we substitute something like designated community
discipline or the repository's main areas of collecting responsibility?
BruceAmbacher >> (All): It also could relate to the repository's technical
systems that support its activities - ingest, storage, description, preservation
access.
SimonLambert >> (All): This brings us to last week's discussion: how much the
auditor can be expected to know of this particular repository in advance.
BruceAmbacher >> (All): So by rephrasing "activity" we get to clarify and
specify what we want to do.
RobertDowns >> (All): would "capabilities and responsibilities" cover all of
these activities?
BruceAmbacher >> (All): That seems just as vague.
RobertDowns >> (All): How about something like "infrastructure and services for
repository collections"?
BruceAmbacher >> (All): What do we want the audit to accomplish? I think we are
focusing on the repository's ability to keep information accessible and
understandable over time so we need to focus on which aspects of its activities
allow that to happen - mission statement, ingest policy/procedures, storage,
description, technology watch, etc.
BruceAmbacher >> (All): infrastructure could be the IT systems; it also could be
the staff organization/hierarchy (which I don't think we care about except as it
relates to long-term access and preservation).
JOhnGarrett >> (All): I think that we are asking for technical knowledge of
repository functions in general (i.e. not the specific tools used within an
individual archives). Also notice that d) abilities are shared among the whole
team and all the others need to be for each auditor.
BruceAmbacher >> (All): John, How did you arrive at that distinction?
JOhnGarrett >> (All): Looking at this now, I think I would be in favor of
dropping d) since this seems to duplicate what is being asked for in 7.2.1.1.1
BruceAmbacher >> (All): Ah, I had not scrolled down the page far enough
BruceAmbacher >> (All): Simon, is d something we added or is it in the standard
we are following?
SimonLambert >> (All): It must have been in the standard, and I just flagged it
as needing clarification
BruceAmbacher >> (All): Does that mean we can extend it but cannot delete it?
SimonLambert >> (All): I think we're free to delete if we wish
SimonLambert >> (All): The "additional" text comes entirely from ISO 27006 on
info security, minimally edited for our purposes
SimonLambert >> (All): So I don't think we're under any obligation to keep any
of it - it was just a useful starting point
JOhnGarrett >> (All): I think we can delete anything here. We picked up a
standard on information security systems as our basis and my first pass, I
mostly just did a global replace on to insert Digital Preservation. Then Simon
took it and did more intelligent editing.
RobertDowns >> (All): Section 7.2.1.1.1 might be more appropriate for describing
technical knowledge requirements of the group.
JOhnGarrett >> (All): So I think we can get rid of anything we want. They were
really added for another domain, but we probably want to try to keep all the
boxed material since all audits normally use that as the base.
JOhnGarrett >> (All): Do others think we can drop d) and use 7.2.1.1.1 to
describe the technical knowledge of the group?
BruceAmbacher >> (All): If you look at the list, d is the only one that
addresses knowledge of the content and/or how it is maintained. So we can
restrict it to domain content and leave the technical side to 7.2.1.1.1
JOhnGarrett >> (All): Seemed a bit strange to have a section where everything
applied to everyone except this one item.
BruceAmbacher >> (All): So, should we make that recommendation to be approved
next week or vote it now?
SimonLambert >> (All): I'm in favour of dropping (d).
BruceAmbacher >> (All): ok with me.
RobertDowns >> (All): ok with me, too.
JOhnGarrett >> (All): Either way works for me. I would tend to vote it now and
reopen the issue if anyone objects next week or anytime before we finish.
JOhnGarrett >> (All): Sounds like it is dropped.
BruceAmbacher >> (All): Welcome Terry. Did you see the new version John worked
up with the standard text added in?
BruceAmbacher >> (All): It is the first item at: http://wiki.digitalrepositoryauditandcertification.org/bin/view/Main/ReqtsForAuditors
Terry Longstreth >> (All): Yes, and I'm catching up with your conversation.
I've naught to add at the moment...
BruceAmbacher >> (All): Does dropping d make any change to g and h moot or
should we look at rephrasing them?
SimonLambert >> (All): Not sure what (h) really means ...
Terry Longstreth >> (All): I was confused about the respective roles of 17021
and 27006. We probably should list the latter as an informative reference.
JOhnGarrett >> (All): I don't think we need to list 27006. Once we create our
standard, we are completely divorced from it. We really just picked it up as a
template for the format and as an indication of what they thought the base
standard missed. We could have picked up any of a dozen other similar
standards. We only picked 27006 because some people had already seen it in
their other duties.
Terry Longstreth >> (All): Ok - I'll drop that subject.
RobertDowns >> (All): h does seem a bit ambiguous
JOhnGarrett >> (All): I'll have to agree, I don't think h) adds much to my
understanding of what an auditor needs to know.
BruceAmbacher >> (All): Is it just saying the team should know the standard and
any base measures the audit body has established?
BruceAmbacher >> (All): Should we drop it?
SimonLambert >> (All): I think so.
Terry Longstreth >> (All): On g and h -- in fact the whole list --shouldn't it
be in lock step with audit requirements themselves? Everything in the list might
apply to audits themselves.
RobertDowns >> (All): One thought is to refer to the procedure to be used for
auditing a TDR.
RobertDowns >> (All): Of course, that implies that the team has established a
procedure for conducting audits.
BruceAmbacher >> (All): Based on the language before a (The certification body
shall have criteria for the training of audit teams that ensures) I think this
is more a list that the audit body must develop to guide an audit team in the
following areas.
BruceAmbacher >> (All): This section is: 7.2.1.1 Training of audit teams. So
isn't this where the audit body develops the scope of training in each
enumerated point?
JOhnGarrett >> (All): Yes, there should be requirements both that the team
understands the standard they are using for the audit (our TDR checklist in this
case) and that they have a process. I think those are both inherited from the
17021 text in the boxes (but I'll have to look). I think we also need to
mention the particular standard we are using the TDR checklist somewhere. But I
think we do.
Terry Longstreth >> (All): Why do we insist on training? Can't the auditors know
this stuff some other way?
JOhnGarrett >> (All): I think the current wording allows them to have outside
training. "The certification body shall have CRITERIA ... that ENSURES ..."
BruceAmbacher >> (All): Terry, I agree but standardizing how to apply their
knowledge and to equalize their assessments, exactly what areas to explore, what
areas can be determined from documents and what from actual testing is what the
training should focus on (imho)
Terry Longstreth >> (All): So we're not asking the auditing body to have a
training program?
JOhnGarrett >> (All): Right now it looks like each Auditing Body can set their
own training criteria.
BruceAmbacher >> (All): Yes but we do specify a 5 day training program for TDR
auditors.
JOhnGarrett >> (All): I think, but need to check, that for general knowledge
that Auditing Bodies need to set criteria, but there may be some small area of
the Auditing Bodies' own processes that need training.
JOhnGarrett >> (All): I think that the 5 day training would be desirable in the
future to "equalize" auditing across Auditing Bodies, but I don't think we will
have training set up immediately, so I would expect we might drop it until such
programs exist and then we add it in an update when standard comes up for its 5
year review.
Terry Longstreth >> (All): They need auditors with the appropriate skills, but
training may not be the best or only way to ensure that level of auditor
competence.
JOhnGarrett >> (All): But I think it would be a great business opportunity for
some Universities, etc.
JOhnGarrett >> (All): In the same line of thinking, I don't think it is
reasonable to expect auditors to have 5 audits and 20 days of TDR under their
belt at the start.
BruceAmbacher >> (All): I have to sign off now to make other commitments. Next
week at 30 minutes after the hour.
JOhnGarrett >> (All): OK, see you then
JOhnGarrett >> (All): Actually, it's time for me to run off also. Thanks all! I
think there was good progress today.
RobertDowns >> (All): Bye
SimonLambert >> (All): OK - I'll put notes on wiki
--
SimonLambert - 12 Oct 2009