Notes from Megameeting 3rd May 2010

Attendees

BruceAmbacher UM
JohnGarrett GSFC
MarkConrad NARA
RobertDowns CIESIN, Columbia University
SimonLambert STFC
TerryLongstreth  

Summary

There was a discussion of Terry Longstreth's proposed rewording for section 9.1.2 of the "Requirements for Bodies" document. The final revised wording was:

"The audit team shall audit the digital repository of the client organization in terms of the criteria specified in [ISO XXXX – RAC Document]. The certification body shall ensure the following: 1) that the scope and boundaries of the digital repository of the client organization are clearly defined in terms of the characteristics of the business, the organization, its location, assets and technology. 2) That the digital repository’s organization, plans, and procedures for preservation fully cover all applicable activities defined in the [ISO XXXX – RAC Document]."

Transcript of chat

TerryLongstreth >> (All): I've got a submission for 9.1.2.  Can I just put it in 
the chat?
BruceAmbacher >> (All): Simon, do you recall exactly where we are?  Did we 
discuss David's suggestions for 9.2.1
Mark Conrad >> (All): Terry, fire away!
RobertDowns >> (All): Yes, please
TerryLongstreth >> (All): 9.1.2  Scope of certification
The audit team shall audit the digital repository of the client organization 
covered by the defined scope against all applicable certification 
requirements. The certification body shall ensure the following: 1) that the 
scope and boundaries of the digital repository of the client organization are 
clearly defined in terms of the characteristics of the business, the 
organization, its location, assets and technology. 2) That the digital 
repository’s preservation risk assessment and associated risk plans and 
procedures fully cover all activities devined in the [ISO XXXX – RAC 
Document]. Evidence of appropriate risk management measures must be reflected 
in the digital repository’s Statement of Applicability.
SimonLambert >> (All): I think we reached 9.2.3
TerryLongstreth >> (All): d---, dropped a word
TerryLongstreth >> (All): in item 2, insert /mitigation/ between /risk/ and 
/plans/
Mark Conrad >> (All): Which document are we working from today?
TerryLongstreth >> (All): format 6, 20100426
SimonLambert >> (All): The latest draft is 
http://wiki.digitalrepositoryauditandcertification.org/pub/Main/ReqtsForAuditors/AuditorGuidelines-CCSDS-format-6-20100426.doc
Mark Conrad >> (All): Thank you.
BruceAmbacher >> (All): Terry, in the next to last sentence what does "devined" 
mean?  Is there a better word?
TerryLongstreth >> (All): whoops c/v/f/
Mark Conrad >> (All): Is it supposed to be defined?
TerryLongstreth >> (All): richtig
BruceAmbacher >> (All): And, this is intended to replace the two paragraphs in 
blue, correct?
TerryLongstreth >> (All): No. It replaces all 3
John Garrett >> (All): Hello,  I'm at the CCSDS Meeting.  Still in a plenary, 
but should be breaking soon.
BruceAmbacher >> (All): Right, you refined the wording in the first paragraph.
Mark Conrad >> (All): I would vote to remove the last two paragraphs and I am 
not sure why we need the first one.
TerryLongstreth >> (All): ..and intended to include the main sense of pp2.  I've 
pretty much removed the external interface ideas in 3
RobertDowns >> (All): Mark - Are you suggesting that we replace all 3 paragraphs 
in 9.1.2 or that we replace them with Terry's suggested text?
BruceAmbacher >> (All): Mark, Are you saying we should not define, confine the 
scope of the audit?  We need to bound it in the digital preservation functions.
TerryLongstreth >> (All): I retained the Statement of Applicability.  If such a 
thing exists in the RAC, then it's appropriate to bring it to the reader's 
attention here
BruceAmbacher >> (All): The reader, in this case, is the qualified auditor 
primarily, and the digital curator preparing for the audit secondarily.
Mark Conrad >> (All): The statement of Applicability refers to information 
security. This whole section is related to security - not digital preservation 
per se.
BruceAmbacher >> (All): Mark, Have we not, by our added language, extended the 
audit to digital curation also?
TerryLongstreth >> (All): then delete the last sentence
Mark Conrad >> (All): Bruce, I don't know about curation. I don't work in a 
museum.
Mark Conrad >> (All): Here is the text that this text was taken from (ISO 
27006): 9.1.2 IS 9.1.2 Scope of certification
The audit team shall audit the ISMS of the client organization covered by the 
defined scope against all applicable certification requirements. The 
certification body shall ensure that the scope and boundaries of the ISMS of 
the client organization are clearly defined in terms of the characteristics of 
the business, the organization, its location, assets and technology. The 
certification body shall confirm, in the scope of their ISMS, that client 
organizations address the requirements stated in Clause 1.2 of ISO/IEC 
27001:2005. Certification bodies shall ensure that the client organization’s 
information security risk assessment and risk treatment properly reflects its 
activities and extends to the boundaries of its activities as defined in the 
ISMS standard ISO/IEC 27001. Certification bodies shall confirm that this is 
reflected in the client organization’s scope of their ISMS and Statement of 
Applicability. Certification bodies shall ensure that interfaces with services 
or activities that are not completely within the scope of the ISMS are 
addressed within the ISMS subject to certification and are included in the 
client organization's information security risk assessment. An example of such 
a situation is the sharing of facilities (e.g. IT systems, databases and 
telecommunication systems) with other organizations.
TerryLongstreth >> (All): We were trying to restate it in terms of the RAC
TerryLongstreth >> (All): is there no corresponding item in 17021?
BruceAmbacher >> (All): Back to square 1.  I thought 27006 was being used as the 
template for the structure of the audit, not the information security criteria 
per se.  Where did I go astray?
Mark Conrad >> (All): You didn't, Bruce. This is just something that got 
cookie-cuttered in.
RobertDowns >> (All): Generally, defining the scope of the audit audit would 
offer guidance to auditors so that they do not go beyond the scope of the audit.
RobertDowns >> (All): correction: audit activities
BruceAmbacher >> (All): It also alerts those being audited of what is in or out 
of scope, where they must go to other parts of their organization for guidance 
and documents.
TerryLongstreth >> (All): Scope is certainly not particularly a security issue 
Mark Conrad >> (All): I would then vote to leave in the first paragraph, but 
remove the phrase "against all applicable certification requirements" from the 
first sentence.
BruceAmbacher >> (All): Why delete that?  It can be used to limit the scope when 
a repository does not do/is not responsible for some functions that are usually 
included in an audit.  And no I do not have anything specific in mind.
TerryLongstreth >> (All): I'd agree, if we can't or haven't indicated where the 
'applicable requirements' may be found
TerryLongstreth >> (All): wordsmithing: in any case remove /all/
RobertDowns >> (All): Instead of "all applicable requirement", perhaps we should 
specify the requirements document.
Mark Conrad >> (All): All applicable requirements will lead you down many roads 
in the ISO world because of the references to other standards in each standard.
Mark Conrad >> (All): Bob, See 9.1.1.1.
BruceAmbacher >> (All): We have to remember that the entire document is not 
summed up in any one clause.  At some point someone (the technical editor) has 
to get back up to the 10,000 ft level
Mark Conrad >> (All): My philosophy is when in doubt leave it out.
RobertDowns >> (All): In 9.1.1.1, other documents could be interpreted quite 
widely.
TerryLongstreth >> (All): Certainty isn't always available
TerryLongstreth >> (All): we want to convey the sense of a bounded audit
RobertDowns >> (All): So, perhaps we should remove from 9.1.1.1, "and other 
documents required for certification relevant to the function performed".
Mark Conrad >> (All): I would vote for that.
BruceAmbacher >> (All): Mark, Where else do we tell the auditors and/or the 
repository what is in or out?  Do we then rely upon the RAC document?
Mark Conrad >> (All): Bruce, See the 1.2. Scope
BruceAmbacher >> (All): I can support that.
TerryLongstreth >> (All): so does 9.2.1 add useful guidance to an auditor?
TerryLongstreth >> (All): i meant 9.1.2
John Garrett >> (All): Hi, back again at CCSDS meeting.  Our agenda has us 
sitting in on RAC megameeting now.  Just Jim Thieman and I right now and Don 
Sawyer when he gets back from checking into his room.
Mark Conrad >> (All): The last sentence of the first paragraph might be useful.
TerryLongstreth >> (All): I think it is useful, in that it fulfills a promise 
implied in 1.2
John Garrett >> (All): And Steve Hughes is here also now.
TerryLongstreth >> (All): shall we suspend for a few minutes, to let the newbies 
catch up on the chat log?
Mark Conrad >> (All): ok
BruceAmbacher >> (All): So have we gotten to just the first sentence surviving?
John Garrett >> (All): Actually just keep going.  I'm projecting the chat and 
others will feed comments
Mark Conrad >> (All): My vote is for the last sentence in the first paragraph.
RobertDowns >> (All): I agree that we should keep the last sentence of the first 
paragraph.
TerryLongstreth >> (All): I think 2) in particular should stay
TerryLongstreth >> (All): because it reinforces the tie to the RAC
TerryLongstreth >> (All): So here's a revision: 9.1.2 - Scope of certification
TerryLongstreth >> (All): The audit team shall audit the digital repository of 
the client organization covered by the defined scope against applicable 
certification requirements. The certification body shall ensure that the digital 
repository’s preservation risk assessment and associated risk mitigation plans 
and procedures fully cover all activities defined in the [ISO XXXX – RAC 
Document].
BruceAmbacher >> (All): OK.   and the next two paragraphs also disappear, 
correct.
TerryLongstreth >> (All): yessir
RobertDowns >> (All): I thought that we were going to keep the last sentence of 
the first paragraph
Mark Conrad >> (All): Terry, I believe the last sentence in the first paragraph 
is more important than the first.
RobertDowns >> (All): Here is the last sentence of the first paragraph: "The 
certification body shall ensure that the scope and boundaries of the digital 
repository of the client organization are clearly defined in terms of the 
characteristics of the business, the organization, its location, assets and 
technology."
TerryLongstreth >> (All): by 'last sentence', do you mean both numbered parts?
Mark Conrad >> (All): Last sentence of the first paragraph in the present 
working document.
TerryLongstreth >> (All): Mark - that's my initial 1?
TerryLongstreth >> (All): 1)
Mark Conrad >> (All): Terry, Yes.
TerryLongstreth >> (All): I think 2) is more important, because of the tie to 
RAC, but I can retain 1) easily enough
TerryLongstreth >> (All): OK - my original with only the minor changes we 
discussed:  / defined/'; remove 'all' ; remove reference to Statement of 
Applicability
TerryLongstreth >> (All): 9.1.2  Scope of certification
The audit team shall audit the digital repository of the client organization 
covered by the defined scope against applicable certification requirements. 
The certification body shall ensure the following: 1) that the scope and 
boundaries of the digital repository of the client organization are clearly 
defined in terms of the characteristics of the business, the organization, its 
location, assets and technology. 2) That the digital repository’s preservation 
risk assessment and associated risk mitigation plans and procedures fully 
cover all activities defined in the [ISO XXXX – RAC Document].
John Garrett >> (All): ok WITH ME
Mark Conrad >> (All): 2) appears to limit the scope to risk assessment and risk 
mitigation. 9.1.1.1. ties the scope to RAC.
John Garrett >> (All): Is someone talking? I'm not hearing anything
BruceAmbacher >> (All): The draft has the thought in the second par. which is 
highlighted in blue.  I thought both blue par. were being deleted.
Mark Conrad >> (All): Bruce, Don't use colors. They show up differently on 
different people's screens.
Mark Conrad >> (All): David and I have both suggested that paragraphs 2 and 3 in 
the draft could be removed.
TerryLongstreth >> (All): Bruce- last week you typed: "BruceAmbacher >> (All): 
The link to RAC that we want is in the first par to be deleted.  Can we move 
that to the first par?"
John Garrett >> (All): My understanding is that the 2 highlighted paragraphs are 
being replaced by Terry's rewrite.  Is that correct?
TerryLongstreth >> (All): That's my intent
TerryLongstreth >> (All): except that I've consolidated into a single, longer PP
BruceAmbacher >> (All): Terry, I surely can't argue against myself
TerryLongstreth >> (All): I do it all the time
TerryLongstreth >> (All): On good days, I win the arguments
TerryLongstreth >> (All): NO, you don't
John Garrett >> (All): Ok, are we agreed? 
Mark Conrad >> (All): On what?
BruceAmbacher >> (All): I accept Terry's rewrite as the entire section 9.1.2
Mark Conrad >> (All): Bruce which version of the rewrite?
BruceAmbacher >> (All): 9.1.2  Scope of certification
The audit team shall audit the digital repository of the client organization 
covered by the defined scope against applicable certification requirements. 
The certification body shall ensure the following: 1) that the scope and 
boundaries of the digital repository of the client organization are clearly 
defined in terms of the characteristics of the business, the organization, its 
location, assets and technology. 2) That the digital repository’s preservation 
risk assessment and associated risk mitigation plans and procedures fully 
cover all activities defined in the [ISO XXXX – RAC Document].
TerryLongstreth >> (All): The one immediately preceding John's: ok WITH ME
John Garrett >> (All): Any objections?  Going once...
Mark Conrad >> (All): I don't understand how anyone meets 2).
Mark Conrad >> (All): Not all of the activities listed in the RAC are subject to 
risk assessment and risk mitigation are they?
RobertDowns >> (All): Please consider this revision: "The audit team shall audit 
the digital repository of the client organization in terms of the criteria 
specified in [ISO XXXX – RAC Document]. The certification body shall ensure the 
following: 1) that the scope and boundaries of the digital repository of the 
client organization are clearly defined in terms of the characteristics of the 
business, the organization, its location, assets and technology. 2) That the 
digital repository’s organization, plans, and procedures for preservation fully 
cover all activities defined in the [ISO XXXX – RAC Document]."
Mark Conrad >> (All): I like that.
TerryLongstreth >> (All): delete all mention of risks?
John Garrett >> (All): That is OK with me also.
BruceAmbacher >> (All): Robert, would you accept a friendly amendment to add "as 
applicable" in 2)?  Not all aspects of RAC are equally applicable to all 
repositories
RobertDowns >> (All): Bruce - That seems reasonable.
BruceAmbacher >> (All): or "all applicable activities . . ."
Mark Conrad >> (All): Terry, Risks are covered in context in the RAC.
John Garrett >> (All): But the RAC metrics document itself says what is required 
and what is required only when applicable.
TerryLongstreth >> (All): and the intent of the risk sentence was to be clearly 
tied to the RAC
BruceAmbacher >> (All): John, Is there any problem, from an ISO aspect, with 
repeating?  reminding auditors that not everything applies equally to all 
repositories.
Mark Conrad >> (All): RAC covers more than just risks. 9.1.1.1. also directly 
ties the scope to RAC.
John Garrett >> (All): No there is no real problem with repeating things. 
TerryLongstreth >> (All): IF we can return to my 2), I'd like to insert 'risk 
management' in front of last 'activities'
TerryLongstreth >> (All): If we migrate to Robert's, I'd propose the same change
BruceAmbacher >> (All): Why are we singling risk management out from all of the 
RAC activities?  What places it front and center over other aspects?
John Garrett >> (All): Terry, seems like you would then be covering only the 
risk management activities and not the other activities.  Is that your 
intention?
Mark Conrad >> (All): I vote for Dr. Downs' revision with Bruce's second 
friendly amendment.
John Garrett >> (All): That is acceptable to me
John Garrett >> (All): Terry and Simon, OK with you?
BruceAmbacher >> (All): I withdraw my friendly amendment and vote ok to the text 
as submitted
TerryLongstreth >> (All): It's a temporizing notion; nothing is perfect, and 
risk management allows the imperfections to be explored and dealt with
BruceAmbacher >> (All): As much as I would like to continue this discussion, I 
have 30 digital preservation case studies awaiting grading.  Next week, same 
time, same place.
Mark Conrad >> (All): "The audit team shall audit the digital repository of the 
client organization in terms of the criteria specified in [ISO XXXX – RAC 
Document]. The certification body shall ensure the following: 1) that the scope 
and boundaries of the digital repository of the client organization are clearly 
defined in terms of the characteristics of the business, the organization, its 
location, assets and technology. 2) That the digital repository’s organization, 
plans, and procedures for preservation fully cover all applicable activities 
defined in the [ISO XXXX – RAC Document]."?
TerryLongstreth >> (All): I think it's of overriding importance that the Auditor 
be enjoined not to treat risks as of the same order and class as other digital 
preservation activities
Mark Conrad >> (All): Terry, Take a look at what the RAC document has to say 
about risks and risk mitigation. They are treated as of the same order as other 
RAC activities.
TerryLongstreth >> (All): Mark - You're right.  I need to reread the RAC.  Let's 
defer this for now.
Mark Conrad >> (All): So same time same place next week?
Mark Conrad >> (All): See you next week.
John Garrett >> (All): OK bye

-- SimonLambert - 03 May 2010

Topic revision: r1 - 2010-05-03 - SimonLambert