Notes from Megameeting 8th March 2010
Attendees
Summary
The group started examining Mark's comments on the "Requirements for Bodies ..." document. It was agreed to use the word "candidate" to describe a repository that has not yet been certified; that section 1.1 should include the wording "and provides recommendations regarding appropriate certification". There was debate about whether to mention "improvement plan" as an output of the audit certification activity.
NB Next week the US will be on Daylight Saving Time.
Actions
- David to insert Terry's table of comments on the Wiki
- David to put Mark's doc as PDF on the Wiki so we can see the reference number for the comments
- All to check Terry's and Mark's comments and say yes/no to them where applicable or add answer to any question. Submit by email before Monday.
Transcript of chat
David Giaretta >> (All): Just got your doc Mark
TerryLongstreth >> (All): Did everyone get mine?
Mark Conrad >> (All): No.
BarbaraSierman >> (All): hallo, I did not receive a doc?
David Giaretta >> (All): No, and there is nothing to indicate the mail exploder
blocked anything as far as I can see
TerryLongstreth >> (All): I tried to attach the word doc. It may have been
stripped by email filters. I'll resend the email text and try to post the doc to
twiki
David Giaretta >> (All): OK
TerryLongstreth >> (All): Changed my mind. Just sent the whole magilla to David
BruceAmbacher >> (All): a reminder that next week the US will be on Daylight
Savings Time (Summer Time)
David Giaretta >> (All): Terry - just got something from you
Mark Conrad >> (All): I will not be here next week.
BruceAmbacher >> (All): I also probably will not be here next week. I will be
away and not have easy web access.
David Giaretta >> (All): Did everyone else get Terry's doc?
BarbaraSierman >> (All): no
Mark Conrad >> (All): I am uploading my document to the wiki as we "speak".
RobertDowns >> (All): I received Mark's doc, but did not receive Terry's doc.
David Giaretta >> (All): I'll upload both docs to the Wiki
Mark Conrad >> (All): David, Mine is in process of uploading.
David Giaretta >> (All): We were just uploading Mark's and Terry's mark-up to
the Wiki - should be available shortly
Helen Tibbo >> (All): I have not received a doc from Terry
David Giaretta >> (All): I got it but not others
David Giaretta >> (All): ...so I'm uploading what I received
David Giaretta >> (All): I assume you got Mark's
TerryLongstreth >> (All): I resent the full entry only to David, but everyone
should have gotten my resend of the email without attachment
TerryLongstreth >> (All): I may have to complain to Comcast
Helen Tibbo >> (All): I have read through most of the doc (not quite all) and
found a couple of grammatical things but for the most part it seems in order. I
do agree that the re-certification schedule of every three years will be
overwhelming for most repositories.
David Giaretta >> (All): I'm looking at Mark's mark-up - and also Terry's
David Giaretta >> (All): The upload seems slow. Maybe we should look at Mark's
to start with
Mark Conrad >> (All): My document allegedly finished loading to the wiki, but I
do not find it on the wiki.
David Giaretta >> (All): But people got yours by email
Mark Conrad >> (All): Ok. So shall we start?
David Giaretta >> (All): You want to lead?
David Giaretta >> (All): Terry's is there at http://wiki.digitalrepositoryauditandcertification.org/pub/Main/ReqtsForAuditors/AuditorGuidelines-CCSDS-format-2-without-boxes-longstreth.doc
Mark Conrad >> (All): So now how would you like to proceed?
David Giaretta >> (All): Mark's doc is at http://wiki.digitalrepositoryauditandcertification.org/pub/Main/ReqtsForAuditors/AuditorGuidelines-CCSDS-format-2-without-boxesmc.doc
David Giaretta >> (All): Mark - how about most important first
David Giaretta >> (All): ...I saw there were several points about names etc
which we could decide without much discussion.
Mark Conrad >> (All): 1.1. is about scope and applicability. The questions about
names there were to establish the scope of this document.
BruceAmbacher >> (All): Can we globally accept (with a little caution) the
substitute for TDR where it is not yet certified?
JohnGarrett >> (All): Hi, all. Sorry, I lost track of time looking through
Mark's document. I did not get Terry's.
BarbaraSierman >> (All): bruce, yes agree
David Giaretta >> (All): Terry's is at http://wiki.digitalrepositoryauditandcertification.org/pub/Main/ReqtsForAuditors/AuditorGuidelines-CCSDS-format-2-without-boxes-longstreth.doc
Helen Tibbo >> (All): The "T" in TDR is "Trustworthy" as Mark points out.
David Giaretta >> (All): Bruce - I think we did discuss this and we forgot to
correct things in the doc
David Giaretta >> (All): Helen - yes - another typo change we missed
David Giaretta >> (All): Mark in MC1 what title could you propose?
David Giaretta >> (All): ...sorry "would"
Helen Tibbo >> (All): this "some additional requirements and guidance to ISO/IEC
17021 are necessary." needs to move the "additional" after guidance, i.e.,
"some requirements and guidance that is additional to ISO/IEC 17021 are
necessary."
David Giaretta >> (All): OK
Mark Conrad >> (All): Sorry, I can't remember why I was suggesting renaming this
document.
David Giaretta >> (All): It might come back to you later
BruceAmbacher >> (All): The title, as written, applies only to repositories that
have already been certified.
Mark Conrad >> (All): It had something to do with the scope of this document
from our discussions last week.
BarbaraSierman >> (All): bruce is right I think
BruceAmbacher >> (All): Title could be: REQUIREMENTS FOR BODIES PROVIDING AUDIT
AND CERTIFICATION OF potential TRUSTWORTHY DIGITAL REPOSITORIES
Mark Conrad >> (All): Yes. That was it! Thank you.
Helen Tibbo >> (All): Don't mean to be picky... In 1.1 "organization(s) which
performs " should be "organizations THAT perform.." Use "that" when the clause
to follow is essential and not just modifying.
Helen Tibbo >> (All): I like Mark and Bruce's title.
TerryLongstreth >> (All): requirements for Candidate bodies?
RobertDowns >> (All): The title proposed by Bruce, above, looks fine to me.
Mark Conrad >> (All): The same would apply to the RAC document.
JohnGarrett >> (All): Earlier we had a long discussion to ensure TDR was in the
title
David Giaretta >> (All): OK
TerryLongstreth >> (All): For 1.1, I proposed adding a terminal phrase: upon
successful audit completion
BruceAmbacher >> (All): John, Yes. That establishes the lineage to TRAC and
keeps the TDR concept that has been around for 10+ years.
TerryLongstreth >> (All): I prefer candidate over potential
David Giaretta >> (All): I think those changes - i.e. making it clear that
things are not TDRs until they are certified as such is fine by me
JohnGarrett >> (All): Also OK with me
BruceAmbacher >> (All): I can accept candidate
Mark Conrad >> (All): Terry, Upon completion of which successful audit?
RobertDowns >> (All): Candidate is fine with me
Mark Conrad >> (All): Candidate is fine with me.
Helen Tibbo >> (All): candidate is fine with me too
BarbaraSierman >> (All): fine with me too
TerryLongstreth >> (All): My version of full 1.1: The main purpose of this
document is to define a CCSDS Recommended Practice on which to base the
operations of the organization which performs audits for assessing the
trustworthiness of digital repositories using [1] and provides the appropriate
certification upon successful audit completion.
BruceAmbacher >> (All): "Candidate TDR" should become a global change
David Giaretta >> (All): ...so I'd go with then en-bloc and we can produce a doc
with merged updates in that area
Mark Conrad >> (All): Terry, which audit. Initial, surveillance, recert?
RobertDowns >> (All): I agree with Bruce, the global change to candidate TDR
would be consistent with the title change.
TerryLongstreth >> (All): all of the above, but they may each produce a
different class of certification
Mark Conrad >> (All): Terry, actually the certification decision is a separate
decision - made by a separate body.
TerryLongstreth >> (All): Ok. But the audit should produce some tangible
evidence of success
BruceAmbacher >> (All): Isn't that tangible result the audit report and its
recommendations?
TerryLongstreth >> (All): unless you mean the audit only to produce negative
findings?
David Giaretta >> (All): Of course we don't expect a yes/no certification
BruceAmbacher >> (All): Another question in 1.1: Once this is an ISO standard,
is it still only a CCSDS Recommended Practice ?
David Giaretta >> (All): .....but something with an improvement plan
TerryLongstreth >> (All): Going back to 1.1 - It implies the practice results in
Certification. That was the itch I was trying to scratch.
David Giaretta >> (All): Bruce - it will be a CCSDS Recommended Practice but an
ISO standard
Mark Conrad >> (All): I can live with the addition, I just am not sure what it
adds.
David Giaretta >> (All): Terry - OK by me
BruceAmbacher >> (All): and the improvement plan sets part of the stage for
ongoing surveillance
JohnGarrett >> (All): I think we provide something with an improvement plan, but
I think there is also a decision about whether to grant certification or not.
RobertDowns >> (All): Should 1.1 contain "provides recommendations regarding
appropriate certification ..."
David Giaretta >> (All): Bruce - yes I think that's it
TerryLongstreth >> (All): I could go with Robert's
JohnGarrett >> (All): Yes, Bruce.
David Giaretta >> (All): John - yes they get a certificate but its not just a
yes/no - that's all I was trying to say
JohnGarrett >> (All): Sure I agree
Mark Conrad >> (All): So are we accepting Terry's suggested text or are you
proposing a modification?
David Giaretta >> (All): Mark - who are you asking?
Mark Conrad >> (All): Everybody. Lots of folks appeared to be offering changes.
BruceAmbacher >> (All): We have put a few concepts and phrasing out and I sense
a consensus on them
Mark Conrad >> (All): What is that consensus?
RobertDowns >> (All): How about the following: "provides recommendations
regarding the appropriate certification upon successful audit completion."
TerryLongstreth >> (All): Replace my suggested text with Robert's:...[1] and
provides recommendations regarding appropriate certification."
David Giaretta >> (All): Ah-ha - OK
RobertDowns >> (All): Terry's last suggestion, above, is better, yet
BruceAmbacher >> (All): To me, they are 1) candidate TDR, 2) recommendations on
certificate and improvement plan
Mark Conrad >> (All): Doesn't the body actually provide the certification as
well?
JohnGarrett >> (All): What are type of certification. I think we are only
providing one certification and that is to the RAC checklist
BruceAmbacher >> (All): Mark, to me yes but the audit team is not the "body"
TerryLongstreth >> (All): David says no. That's a separate group
JohnGarrett >> (All): I like Bruce's suggestion
Mark Conrad >> (All): What do you mean by an improvement plan? 17021 says you
can't offer specific suggestions for fixing problems.
David Giaretta >> (All): Good point Mark - this doc applies to the whole body
not just the audit team
JohnGarrett >> (All): The audit team is an entity set up by the body
Mark Conrad >> (All): Right but the body also provides certification.
BruceAmbacher >> (All): Mark, is your reference to the part of 17021 that
discusses the conflicts of interest?
BruceAmbacher >> (All): Mark, if so, those pre-audit actions are one thing and
the audit, recommendation on certification, and improvement plan are another.
Mark Conrad >> (All): Bruce, There are references to this throughout 17021.
Under audit reports, conducting the audit, etc.
David Giaretta >> (All): I think what Mark means is that the improvement plan
can say - needs a better backup system - but without specifying what that system
is
BruceAmbacher >> (All): agreed.
JohnGarrett >> (All): rather than improvement plan can we say something like
identification of areas that could use improvement
BruceAmbacher >> (All): Isn't it just "great" that after all these months we are
still "discussing" 1.1!
David Giaretta >> (All): I think we can just say "appropriate certification" and
leave it at that since we will have a separate internal doc to define what the
certificate says - we don't have to spell it out here.
JohnGarrett >> (All): I don't sense much disagreement though. Mostly just
wording issues that resound with everyone.
BruceAmbacher >> (All): David, but do we need to state to candidate TDRs that
they can expect an improvement plan?
David Giaretta >> (All): Bruce - I think it exemplifies my concern that whatever
we look at we can discuss for several months!!
TerryLongstreth >> (All): improvement plan or findings?
David Giaretta >> (All): Bruce - the candidate TDRs should be able to see what to
expect from the body's docs - they will not be expected to read THIS doc
JohnGarrett >> (All): As Mark said, I don't think we can provide an improvement
"plan", but we can note areas for improvement. And I don't think we need to
call it out here unless we want to.
Mark Conrad >> (All): 9.1.10 The certification body shall provide a written
report for each audit. The report shall be based on relevant guidance provided in
ISO 19011. The audit team may identify opportunities for improvement but
shall not recommend specific solutions.
BruceAmbacher >> (All): Will the plan or findings be followed up with an action
plan that sets "deadlines" for when the changes must be made to retain the
certificate?
Mark Conrad >> (All): Sorry, The above is from 17021
Mark Conrad >> (All): Bruce, That is covered in 17021
BruceAmbacher >> (All): ok
David Giaretta >> (All): Bruce - not sure we have to specify that here - apart
from the things about the re-certification
BruceAmbacher >> (All): yes
Mark Conrad >> (All): yes
RobertDowns >> (All): yes
TerryLongstreth >> (All): Bruce/Robert - Can you hear David?
Helen Tibbo >> (All): I would not call it an improvement plan - they need to
come up with that on their own for a new attempt at certification. We would have
findings or note places for improvement, but not an improvement plan.
RobertDowns >> (All): yes
TerryLongstreth >> (All): David. I put a table in my email listing my changes.
Can we put the body of my email on the wiki?
BruceAmbacher >> (All): Mark,
BruceAmbacher >> (All): Are there any big/controversial issues in your document
comments?
Mark Conrad >> (All): Yes.
BruceAmbacher >> (All): Mark, lead us to them.
Helen Tibbo >> (All): I can't hear bruce
BruceAmbacher >> (All): That was Terry.
TerryLongstreth >> (All): If we mean 17021, say that, but what do we use to
refer to the document we're looking at?
RobertDowns >> (All): I agree to deleting everything after the comma in the
second paragraph of 1.2
Mark Conrad >> (All): Ok with me to delete from the comma.
BarbaraSierman >> (All): ok
BruceAmbacher >> (All): ok
TerryLongstreth >> (All): I added some words to 1.4
RobertDowns >> (All): I cannot hear Terry
BarbaraSierman >> (All): nor can I
BruceAmbacher >> (All): But 1.4 says we label each section as TDR
BruceAmbacher >> (All): Isn't the issue how we align with 17021 without
requiring others to buy that standard?
BruceAmbacher >> (All): But candidate TDRs would be shortsighted to not read
this doc to understand what the audit will do
TerryLongstreth >> (All): I intended that the summaries would help others
understand what they're missing if they haven't got 17021 handy
BruceAmbacher >> (All): "How to prepare for a TDR Audit and Certification"
TerryLongstreth >> (All): In my email, I volunteered to write the "teasers"
BruceAmbacher >> (All): Some of us may be trying to put too much into this
document.
Mark Conrad >> (All): I believe this document should be a minimalist document.
David Giaretta >> (All): Yes
RobertDowns >> (All): yes
JohnGarrett >> (All): Yes, I agree with Mark
Helen Tibbo >> (All): Well, I read through most of the document but was not
clear on what could actually be changed.
Helen Tibbo >> (All): What about the major issue of the number of years in
between audits?
Helen Tibbo >> (All): I wasn't reading with the goal of changes much.
BarbaraSierman >> (All): I'll have a look but need to go now. It would be
helpful if we agree on whether this should be a minimalist document or not. It
might be helpful for the discussion to have a separate document with some
starting points, like this is not meant for the repositories, etc.
Helen Tibbo >> (All): So there's a ton of stuff in this for which we have no
plan, etc. like training the auditors and testing auditors.
Helen Tibbo >> (All): This document says we (or someone) has a plan for all this
Helen Tibbo >> (All): So it seems to me that we can't micro edit this present
document that is so global when we don't have the rest spelled out yet.
Helen Tibbo >> (All): That's why I pretty much thought most of this document is
OK
BruceAmbacher >> (All): But if we develop the table of contents/issues that will
be in that document we will be able to develop this minimalist document
Helen Tibbo >> (All): So, who will be the legal body?? ISO or us???
Helen Tibbo >> (All): whoever "us" is
Helen Tibbo >> (All): So, we are the ones who can be sued
Helen Tibbo >> (All): That's right!!!
Helen Tibbo >> (All): The US is pretty letigious
Helen Tibbo >> (All): litigious
Helen Tibbo >> (All): Right, so we are finally coming back to close the circle
to those original discussions of how we are actually going to do this stuff.
Helen Tibbo >> (All): in looking at my paper marked up copy from the plane
yesterday I think Mark caught many of the same things I had. I will take his
document and add any additional comments I have to it.
Mark Conrad >> (All): Sure.
RobertDowns >> (All): yes
Mark Conrad >> (All): ok
BruceAmbacher >> (All): I will try to get to a public internet site for the
meeting.
Helen Tibbo >> (All): In looking through Mark's document it is hard to believe
there are too many more comments to be made.
Helen Tibbo >> (All): I think we should be focusing on Mark and Terry's docs
primarily
Helen Tibbo >> (All): If there's more stuff we'll never finish!!
Mark Conrad >> (All): yes
RobertDowns >> (All): yes
BruceAmbacher >> (All): absolutely
Helen Tibbo >> (All): yes
Helen Tibbo >> (All): bye
Mark Conrad >> (All): bye
RobertDowns >> (All): bye
David Giaretta >> (All): ACTION: Insert Terry's table of comments on the Wiki
David Giaretta >> (All): ACTION: DG: Put Mark's doc as PDF on the Wiki so we can
see the reference number for the comments
David Giaretta >> (All): ACTION: ALL: check Terry's and Mark's comments and say
yes/no to them where applicable or add answer to any question. Submit by email
before Monday.
--
SimonLambert - 08 Mar 2010