Structured analysis of TRAC by section with reference to ISO 27001

The aim of this page is for people to add comments on the relevance of specific sections of TRAC in terms of their relationships with ISO 27001. The initial analysis is not complete; it is largely complementary to that in the 27001 section-by-section analysis for Appendix A (which itself refers to ISO 17799 controls).

(Chris Rusbridge, repeat from 27001 detailed analysis comment) A re-reading of ISO 27001 indicates that ALL of 27001 applies to an OAIS. The requirements of 27001 are NECESSARY, although not SUFFICIENT, for the operation of an OAIS. I was not able to find a single optional requirement. Some 27001 controls are better specified, and a close reading of 27001 points out weaknesses in the TRAC document; for example, there is in TRAC (extraordinarily!) no control or set of controls that adequately matches the controls in A.10.1 (although sections C1.7 to C1.10 of TRAC do address aspects). In effect I believe that TRAC specifies a set of additional controls that should be applied to a business claiming to be an OAIS. However, most of the controls in section C of TRAC are incomplete in comparison to those specified in 27001, and we would be better to completely remove them from any standard. The exceptions would include TRAC sections C1.3 and C1.4, for instance, which address specific controls that relate to the long term nature of an OAIS.

Sections of 27001 will be prefixed by 27, e.g. section A.5 of 27001 will be referenced as 27A.5.

A. Organizational Infrastructure

A1. Governance and organizational viability

A1.1 Repository mission statement

See 27A5.1.1

A1.2 Formal succession/contingency plans

See 27A14.1

A2. Organizational structure & staffing

See 27A6.1.1, 27A8

A2.1 Identified duties and has skilled staff

A2.2 Appropriate number of staff

A2.3 Active professional development program

See 27A8.2.2

A3. Procedural accountability & policy framework

A3.1 Defined designated communities and knowledge bases

Partially 27A5.1.1? Really a specialist area!

A3.2 Procedures, policies and review mechanisms

See 27A5.1.1 and 27A5.1.2

A3.3 Written policies re legal permissions

See 27A6.1.4?

A3.4 Committed to formal periodic review

See 27A5.1.2 and 27A6.1.8

A3.5 Policies and procedures on feedback

See 27A6.1.7

A3.6 Documented history of changes

???

A3.7 Commits to transparency

!!!!!

A3.8 Commits to collecting information integrity measurements

See 27A12.2.2

A3.9 Commits to regular self assessment

Isn't this very similar to A3.4? See 27A6.1.8

A4. Financial sustainability

A5. Contracts, licenses, & liabilities

See 27A6.2

B. Digital Object Management

See 27A7.2

B1. Ingest: acquisition of content

B1.1 Identifies properties it will preserve

B1.2 Specifies the SIP

B1.3 Mechanisms to authenticate source of ALL materials

B1.4 Ingest process verifies each SIP

See 27A12.2.1

B1.5 Obtains sufficient control to preserve

(Could this be where cryptography comes in? Eg if SIP is encrypted there is not sufficient control? Should be spelled out!)

B1.6 Provides responses during ingest

B1.7 Demonstrate when responsibility accepted

B1.8 Contemporaneous records of actions and processes

B2. Ingest: creation of the archivable package

...

B2.11 Verify each AIP for completeness or correctness

See 27A12.2.2 and 27A12.2.3

...

B3. Preservation planning

...

B4. Archival storage & preservation/maintenance of AIPs

...

B5. Information management

...

B6. Access management

See 27A11.4 and 27A11.5

...

B6.6 Logs all access management failures

See 27A13.1.1

B6.7 Can demonstrate that the DIP process is completed

See 27A12.2.4? (see also B6.8?)

C. Technologies, Technical Infrastructure, & Security

C1. System infrastructure

Adequacy of operations, eg documented controls as in 27A10.1 are not required in TRAC!

C1.1 Well-supported operating systems

See 27A11.5? Also 27A12.1?

C1.2 Adequate backup facilities

See 27A10.5.1

C1.3 Manage location of copies

C1.4 Mechanisms for synchronization of copies

C1.5 Mechanisms to detect bit corruption or loss

See 27A10.10.5?

C1.6 Reports all data corruption or loss

C1.7 Defined processes for media management

See 27A10.1.1 and 27A10.7

C1.8 Documented change management process

See 27A10.1.2 and 27A12.5.1

C1.9 Documented change testing process

See 27A10.1.1 and 27A10.3.2

C1.10 Process on new software and security updates

See 27A10.1.2 and 27A10.4

C2. Appropriate technologies

See 27A10.3.1

C3. Security

...

Documented disaster and recovery plans

See 27A14.1

-- ChrisRusbridge - 11 Apr 2007
