Notes from Megameeting 22nd February 2010

Attendees

DavidGiaretta STFC
JohnGarrett GSFC
MarkConrad NARA
RobertDowns CIESIN, Columbia University
SimonLambert STFC
TerryLongstreth

Summary

Discussion continued on the "Requirements for Bodies ..." document, starting from section 8. There was particular discussion of 9.2.1 and of how many of the additional requirements need to be retained. It was agreed that having a single auditor should not be an acceptable option. David also noted that there may be some whole sections copied from 27006 that we may want to remove.

Actions

  • David/Simon to put new baseline document on wiki, without boxed text, but including changes from meeting on 1st February
  • All to review the baseline document and put comments on the wiki

Transcript of chat

TerryLongstreth >> (All): Have we an agenda for today?
David Giaretta >> (All): I think the plan is to plough through the rest of the doc - from section 8
David Giaretta >> (All): People were to have marked up the Wiki for contentious points but I don't see anything there
David Giaretta >> (All): The wiki page is http://wiki.digitalrepositoryauditandcertification.org/bin/view/Main/AuditorGuidelinesIssues
David Giaretta >> (All): Otherwise there were some points which Simon marked up a long time ago which we should just check.
RobertDowns >> (All): Hi
David Giaretta >> (All): Hi Robert
David Giaretta >> (All): Just waiting for a few more to join
David Giaretta >> (All): Terry asked about the agenda - you should be able to see the chat above
David Giaretta >> (All): Should we wait a few more minutes?
David Giaretta >> (All): Maybe we should start
RobertDowns >> (All): I believe that Bruce sent around a message stating that he was expecting to have a conflict, today.
TerryLongstreth >> (All): Ambacher sent a note about a schedule conflict. Any word from John Garrett?
David Giaretta >> (All): Yes that's right
David Giaretta >> (All): Nothing from John
David Giaretta >> (All): I suggest, few as we are, we take a quick run through the Wiki page to pick up anything obvious
David Giaretta >> (All): Hi Mark
Mark Conrad >> (All): Hello.
David Giaretta >> (All): No naysayers - so let's look at section 8 in http://wiki.digitalrepositoryauditandcertification.org/bin/view/Main/AuditorGuidelinesIssues
David Giaretta >> (All): In 8.1.1 there were some words added which were along the lines of providing flexibility as before through the initial audit committee
JohnGarrett >> (All): Hi, I've made it
RobertDowns >> (All): There seems to be a missing word in the first sentence of 8.1.1, after "conforms to".
David Giaretta >> (All): Robert - well spotted. What have we deleted by mistake?
SimonLambert >> (All): I suspect a doc title in <>
SimonLambert >> (All): probably the main metrics doc
David Giaretta >> (All): Sounds right
SimonLambert >> (All): Indeed looking at raw view "<ISO XXXXX - RAC Document>"
Mark Conrad >> (All): Last time we met weren't we working from a different document? I remember making comments on the wiki, but I don't think it was to this document.
JohnGarrett >> (All): Yes, I think we were discussing the RIDs to the actual metrics document
David Giaretta >> (All): Yes, and we have finished with that - the Metrics document is in ISO somewhere
RobertDowns >> (All): That's good to see.
David Giaretta >> (All): Yes, although I'd like to see some evidence of progress in ISO. I'll keep asking
RobertDowns >> (All): The rest of 8.1.1 seems consistent with our discussions, unless I am missing something.
David Giaretta >> (All): The wiki editing is waking up - so I cannot edit just yet - let's put an ACTION - fix 1st sentence 8.1.1
TerryLongstreth >> (All): Is there to be an 8.2? If not, we should rebalance the text under 8
SimonLambert >> (All): Remember that this page is not the full doc
SimonLambert >> (All): it is only some areas that I pulled out as I thought they needed revision for the TDR context
TerryLongstreth >> (All): sorry
SimonLambert >> (All): so there probably is an 8.2 but I thought it was fine as is
David Giaretta >> (All): I think a version with "boxes" is in http://wiki.digitalrepositoryauditandcertification.org/pub/Main/ReqtsForAuditors/AuditorGuidelines-rev2009Sep09w17021InBoxes.doc
Mark Conrad >> (All): Looking at the notes from two meetings ago it looks like we were looking at the full document and that we stopped at 9.2.1.
David Giaretta >> (All): actually http://wiki.digitalrepositoryauditandcertification.org/pub/Main/ReqtsForAuditors/AuditorGuidelines-CCSDS-format-1.doc
David Giaretta >> (All): Mark - yes we did get into 9 I think now you mention it
David Giaretta >> (All): 9.2.1 is all pretty high level
David Giaretta >> (All): I guess we put in TDR and preservation at various points
David Giaretta >> (All): One that looks odd is (5) identifying the vulnerabilities of the client organization and understanding the likelihood of their exploitation, their impact and their mitigation and control,
David Giaretta >> (All): Obviously based on security concerns
David Giaretta >> (All): How about: identifying the vulnerabilities of the client organization to loss of understandability of its holdings and understanding the likelihood of their occurrence, their impact and their mitigation and control,
David Giaretta >> (All): or just: identifying the threats to the organisation's preserved content and understanding the likelihood of their occurrence, their impact and their mitigation and control,
TerryLongstreth >> (All): perhaps to include tracking semantic and technology drift that would make the holdings unusable
TerryLongstreth >> (All): c/tracking/projecting
David Giaretta >> (All): I'd definitely include those as threats but I don't think we have to be that detailed here since there are lots of other threats
TerryLongstreth >> (All): They are distinguished from security threats
Mark Conrad >> (All): Why do we need any of this additional text? The text from 9.2.1. in ISO 17021 appears adequate?
David Giaretta >> (All): Mark - fine by me - just throwing out a few possibilities
David Giaretta >> (All): What do others think? Shall we stick with the current wording?
Mark Conrad >> (All): Just to be clear, I am talking about the text in the box for 9.2.1. I don't think we need anything other than what is in the box for 9.2.1.
TerryLongstreth >> (All): I'm lost. 9.2.1 in the format-1-doc is about initial audit application. In the wiki it's about audit team competence. Are either of those synched with 17021?
JohnGarrett >> (All): It's OK with me to drop extra text. Remember extra text mostly came from redoing the Security version of the standard and they would have had extra emphasis on security matters.
TerryLongstreth >> (All): I sure would like to emphasize some long-view concerns; security is so bound to immediate threats
David Giaretta >> (All): Looks as if our numbering went a little funny
SimonLambert >> (All): Terry - this is confusing - I think the boxed text adopts an independent numbering system???
TerryLongstreth >> (All): I'm just trying to find my ass with my elbow
David Giaretta >> (All): As far as I can see this has been added in the security doc - and is the only place "audit team competence" is mentioned
TerryLongstreth >> (All): We still have to either accept or reject it (and our policy is acceptance is the default?)
David Giaretta >> (All): In 7.2.1 we have details of "Competence of certification body personnel" - maybe this was added to complete the logic
JohnGarrett >> (All): Section 7.1 has discussion of competence
David Giaretta >> (All): I think I'd go with Mark and delete this part - it is covered elsewhere
David Giaretta >> (All): ... and 7.2.1.1.1 talks about the selection of the team
JohnGarrett >> (All): I think I agree, but what are we proposing to drop now?
David Giaretta >> (All): the list below "The following requirements apply to the audit team as a whole."
David Giaretta >> (All): ... a) then 1-12
David Giaretta >> (All): Is that right?
Mark Conrad >> (All): I was actually suggesting everything under 9.2.1.
JohnGarrett >> (All): Yes, that's OK with me. Looks like it is mostly just restating 7.1 and 7.2 from 17021 which I think is saying the team needs competence in these things.
David Giaretta >> (All): So we would just have "9.2 Initial audit and certification / The requirements from ISO/IEC 17021:2006, Clause 9.2 apply"
Mark Conrad >> (All): I would say 9.2.1. Some of the stuff under 9.2.1.1. and below we may want to retain.
Mark Conrad >> (All): For example I think we would want to retain some of the text under 9.2.3.
David Giaretta >> (All): OK - that makes sense - I was too hasty - so things under "9.2.1 TDR 9.2.1 Audit team competence" down to and including item (12)
David Giaretta >> (All): ... would be deleted
Mark Conrad >> (All): Down through c. would be deleted.
JohnGarrett >> (All): I would like to retain 9.2.1 c) and the fact that Audit Team can be 1 person if they have competence in all areas. I need to look if that is covered other places.
Mark Conrad >> (All): I believe a 1 person team contradicts 17021.
David Giaretta >> (All): Yes, it does sound a bit odd
JohnGarrett >> (All): I think that is true for initial audit, but maybe not for updates, but I may be wrong.
Mark Conrad >> (All): I believe that it is the case for all audits.
David Giaretta >> (All): Yes, I would be unhappy with an audit team of 1 person
David Giaretta >> (All): ...although it would be cheap!!
TerryLongstreth >> (All): Does our certification include 17021 credentialing? If not, then we can have a 1 person team
JohnGarrett >> (All): Yes, so far, we are still 17021 compliant I think. But that could still change.
TerryLongstreth >> (All): It's a recurring question. How tightly do we expect our auditors to cleave to 17021?
TerryLongstreth >> (All): If the TDRs expect to be credentialed for 17021 compliance, then we can't take any liberties
Mark Conrad >> (All): We have already agreed on text that says we will not be totally compliant with 17021. See the discussion from earlier meetings.
TerryLongstreth >> (All): expect to gain 17021 credentials by our process...
RobertDowns >> (All): I also recall that we provided some exceptions to 17021, but I do not recall exactly what they were.
TerryLongstreth >> (All): and as I said in earlier meetings, I think we must identify any place where we won't be 17021 compliant. It completely changes the scope of our audit
David Giaretta >> (All): I thought 17021 was a more abstract standard to which we should adhere - but we are making additions and changes as we require. So we could I guess make a 1 person team OK but would we want to?
David Giaretta >> (All): Oops - So I guess we could make a 1 person team OK but would we want to?
TerryLongstreth >> (All): Sure we want to: let the security inspection have a n>1 team
JohnGarrett >> (All): For initial reviews I think more than one person is necessary. I could go either way on annual reinspections.
TerryLongstreth >> (All): the 17021 inspectors can review the TDR results and keep our lone auditor honest
David Giaretta >> (All): How about keeping at least two and then we review the situation when the standard is updated
TerryLongstreth >> (All): We might even suggest a joint audit team
David Giaretta >> (All): Not sure how that would work
David Giaretta >> (All): I assume the "team of 1" comes from the security doc we based our doc on
Mark Conrad >> (All): Terry, Are you saying that the repositories would have to have a TDR audit and a 17021 audit to be certified?
TerryLongstreth >> (All): For organizations with near term security threat concerns, 17021 would be paramount. For organizations with long term preservation and utility concerns TDR audit would be paramount.
JohnGarrett >> (All): 17021 is not a security standard. 17021 is a standard for auditors.
TerryLongstreth >> (All): Some places would only do 17021, others, conceivably, only TDR
David Giaretta >> (All): John - that's right. The security standard on which we based our doc is....something else
TerryLongstreth >> (All): 17021 is a standard for auditing security of management systems, not digital repositories
David Giaretta >> (All): It was 27006
David Giaretta >> (All): The security standard on which we based our doc is ISO 27006 - that is the one that added "An audit team may consist of one person provided that the person meets all the criteria set out in a) above."
TerryLongstreth >> (All): Damn. I always get that wrong
David Giaretta >> (All): ...which does seem very odd for something about security!!
TerryLongstreth >> (All): From the security perspective, the larger team mitigates against subornation
David Giaretta >> (All): So it looks as if 27006 9.2.1 list of competences is all about being able to put that sentence in. Maybe they were worried about costs.
TerryLongstreth >> (All): If you're not too worried about bribery, you can do it all with one person (time permitting)
David Giaretta >> (All): So if we don't like it then we can remove the list as Mark was suggesting.
David Giaretta >> (All): We can probably remove bullets (b) and (c) also
David Giaretta >> (All): 9.2.1.1 could also be removed
David Giaretta >> (All): That would take us straight into what is currently 9.2.2
TerryLongstreth >> (All): There are other ways to mitigate: review of results by a higher echelon, performance / security bonding
JohnGarrett >> (All): But the number of individuals who are competent in all areas of archiving is somewhat small and hiring someone like that to spend all the time needed to do a complete audit is probably more costly than having a several member team.
TerryLongstreth >> (All): We can't really project how the audit competencies will evolve, can we?
TerryLongstreth >> (All): the more people involved, the greater the total labor required
David Giaretta >> (All): I'd suggest eliminating the option of a single auditor; we can always revisit it when we update the standard in a few years time
Mark Conrad >> (All): At one point we talked about taking a look at the document without the boxes and seeing if it still made sense. I think we should do that for next week.
TerryLongstreth >> (All): I'll drink to that!
RobertDowns >> (All): That makes sense. The document should stand on its own.
David Giaretta >> (All): This discussion has flagged up in my mind that there may be some whole sections from 27006 we may want to remove
JohnGarrett >> (All): I'm all for looking at it without the boxes, but the requirements in the boxes are still requirements.
David Giaretta >> (All): The only thing is that we know that it will not stand on its own - too many references to 17021
RobertDowns >> (All): Yes, but it should be clear where the references are needed.
Mark Conrad >> (All): David, This document is based on 17021 - not 27006.
David Giaretta >> (All): We copied lots of text from 27006
JohnGarrett >> (All): So are we talking about dropping 17021, which ISO uses as basis for all auditing?
David Giaretta >> (All): No no
Mark Conrad >> (All): No!
RobertDowns >> (All): No
TerryLongstreth >> (All): we could adopt a citation formula; perhaps something like "Section xxx.y of 17021, dealing with use of hard candies, is amended as follows:"
David Giaretta >> (All): I'm saying we may have copied things that we may not need - as shown in this discussion
David Giaretta >> (All): ..copied things from 27006
David Giaretta >> (All): We have not copied anything from 17021 - we just refer to it
JohnGarrett >> (All): Sure, I'm in favor of dropping anything we don't want that was carried over from 27006.
Mark Conrad >> (All): 17021 and 27006 look very similar.
David Giaretta >> (All): We are very near the end of the Wiki stuff - can we take a look at that and see if there is anything we need to deal with and then we look at the whole thing as Mark suggests
JohnGarrett >> (All): 27006 is also based on 17021.
David Giaretta >> (All): ... and it keeps saying "The requirements from ISO/IEC 17021..." - which we copied
Mark Conrad >> (All): Do we have a version of the document without the boxes that reflects the changes we made 2 meetings ago?
David Giaretta >> (All): Not sure it's on the Wiki
Mark Conrad >> (All): That would be a useful starting point for further discussions.
TerryLongstreth >> (All): What is our next deadline?
Mark Conrad >> (All): The version of the Word doc without boxes on the wiki does not reflect the changes made two meetings ago.
Mark Conrad >> (All): Action items?
Mark Conrad >> (All): Is anyone there?
RobertDowns >> (All): Yes
David Giaretta >> (All): on the phone
Terry Longstreth >> (All): yes
JohnGarrett >> (All): Yes. I'm just not sure where to go from here. We keep skipping to new directions.
Terry Longstreth >> (All): AI #1: new baseline document, without boxes, but with changes as of 1 Feb
Terry Longstreth >> (All): Who'll accept the assignment?
Mark Conrad >> (All): Action Item #2 everyone read the document and send in comments before our next meeting.
David Giaretta >> (All): I guess Simon and I will
Mark Conrad >> (All): Are we done for today?
Terry Longstreth >> (All): for AI 2, could we put our comments on the wiki?
David Giaretta >> (All): Yes I think so
Mark Conrad >> (All): Terry, Assuming the document is posted in wiki form.
Terry Longstreth >> (All): Yes we're done or put comments on the wiki? if latter, where
David Giaretta >> (All): I think I have to go in a few minutes so bye bye
Mark Conrad >> (All): Terry, I guess we will have to wait and see what David and Simon post.
Mark Conrad >> (All): See you all next week.
Terry Longstreth >> (All): Hokay. Over and out
RobertDowns >> (All): Bye
JohnGarrett >> (All): Bye

-- SimonLambert - 22 Feb 2010

Topic revision: r1 - 2010-02-22 - SimonLambert