Structured analysis of TRAC by section with reference to ISO 27001
The aim of this page is for people to add comments on the relevance of specific sections of TRAC in terms of their relationships with ISO 27001. The initial analysis is not complete; it is largely complementary to that in the 27001 section-by-section analysis for Appendix A (which itself refers to ISO 17799 controls).
(Chris Rusbridge, repeat from 27001 detailed analysis comment) A re-reading of ISO 27001 indicates that ALL of 27001 applies to an OAIS. The requirements of 27001 are NECESSARY, although not SUFFICIENT, for the operation of an OAIS. I was not able to find a single optional requirement. Some 27001 controls are better specified, and a close reading of 27001 points out weaknesses in the TRAC document; for example, there is in TRAC (extraordinarily!) no control or set of controls that adequately matches the controls in A.10.1 (although sections C1.7 to C1.10 of TRAC do address aspects). In effect I believe that TRAC specifies a set of additional controls that should be applied to a business claiming to be an OAIS. However, most of the controls in section C of TRAC are incomplete in comparison to those specified in 27001, and we would be better to completely remove them from any standard. The exceptions would include TRAC sections C1.3 and C1.4, for instance, which address specific controls that relate to the long-term nature of an OAIS.
Sections of 27001 will be prefixed by 27, eg section A.5 of 27001 will be referenced as 27A.5.
A. Organizational Infrastructure
A1. Governance and organizational viability
A1.1 Repository mission statement
See 27A5.1.1
A1.2 Formal succession/contingency plans
See 27A14.1
A2. Organizational structure & staffing
See 27A6.1.1, 27A8
A2.1 Identified duties and has skilled staff
A2.2 Appropriate number of staff
A2.3 Active professional development program
See 27A8.2.2
A3. Procedural accountability & policy framework
A3.1 Defined designated communities and knowledge bases
Partially 27A5.1.1? Really a specialist area!
A3.2 Procedures, policies and review mechanisms
See 27A5.1.1 and 27A5.1.2
A3.3 Written policies re legal permissions
See 27A6.1.4?
A3.4 Committed to formal periodic review
See 27A5.1.2 and 27A6.1.8
A3.5 Policies and procedures on feedback
See 27A6.1.7
A3.6 Documented history of changes
???
A3.7 Commits to transparency
!!!!!
A3.8 Commits to collecting information integrity measurements
See 27A12.2.2
A3.9 Commits to regular self assessment
Isn't this very similar to A3.4?
See 27A6.1.8
A4. Financial sustainability
A5. Contracts, licenses, & liabilities
See 27A6.2
B. Digital Object Management
See 27A7.2
B1. Ingest: acquisition of content
B1.1 Identifies properties it will preserve
B1.2 Specifies the SIP
B1.3 Mechanisms to authenticate source of ALL materials
B1.4 Ingest process verifies each SIP
See 27A12.2.1
B1.5 Obtains sufficient control to preserve
(Could this be where cryptography comes in? Eg if SIP is encrypted there is not sufficient control? Should be spelled out!)
B1.6 Provides responses during ingest
B1.7 Demonstrate when responsibility accepted
B1.8 Contemporaneous records of actions and processes
B2. Ingest: creation of the archivable package
...
B2.11 Verify each AIP for completeness or correctness
See 27A12.2.2 and 27A12.2.3
...
B3. Preservation planning
...
B4. Archival storage & preservation/maintenance of AIPs
...
B5. Information management
...
B6. Access management
See 27A11.4 and 27A11.5
...
B6.6 Logs all access management failures
See 27A13.1.1
B6.7 Can demonstrate that the DIP process is completed
See 27A12.2.4? (see also B6.8?)
C. Technologies, Technical Infrastructure, & Security
C1. System infrastructure
Adequacy of operations, eg documented controls as in 27A10.1 are not required in TRAC!
C1.1 Well-supported operating systems
See 27A11.5? Also 27A12.1?
C1.2 Adequate backup facilities
See 27A10.5.1
C1.3 Manage location of copies
C1.4 Mechanisms for synchronization of copies
C1.5 Mechanisms to detect bit corruption or loss
See 27A10.10.5?
C1.6 Reports all data corruption or loss
C1.7 Defined processes for media management
See 27A10.1.1 and 27A10.7
C1.8 Documented change management process
See 27A10.1.2 and 27A12.5.1
C1.9 Documented change testing process
See 27A10.1.1 and 27A10.3.2
C1.10 Process on new software and security updates
See 27A10.1.2 and 27A10.4
C2. Appropriate technologies
See 27A10.3.1
C3. Security
...
Documented disaster and recovery plans
See 27A14.1
--
ChrisRusbridge - 11 Apr 2007