[Moims-rac] Analysis of ISO 27001

Barbara Sierman Barbara.Sierman at KB.nl
Wed Mar 28 07:35:21 EST 2007


A nice example of the shoe factory in practice and I agree with you and
Helen Tibbo that it all comes down to the materials preserved. However,
I also think that another aspect is the responsibility of the repository
towards, not only its current stakeholders, but also to the unknown
stakeholders in future. This will mean more registration of changes made
in the software of the system, preservation actions done, checksums etc.
The scope of these actions is, I think, different from that of the shoe
factory.  The temporal perspective is, I think, indeed an important
issue, which could lead to other requirements compared to the shoe
factory.

Kind regards
 
Barbara Sierman

-----Original Message-----
From: moims-rac-bounces at mailman.ccsds.org
[mailto:moims-rac-bounces at mailman.ccsds.org] On Behalf Of Alison Macdonald
Sent: Wednesday 28 March 2007 13:56
To: tibbo at ils.unc.edu; MOIMS-Repository Audit and Certification BOF
Subject: RE: [Moims-rac] Analysis of ISO 27001

Just a quick musing on the shoe factory's needs:  Barbara's example took
me back about ?6,7 years:  I was involved in a $billion acquisition of
Texon www.texon.com - we had to work through documents many of which
were many years old - accounts, pensions scheme info, corporate
documents, claims documents, documentation on manufacturing processes &
techniques (including technical documentation, CAD drawings, SOPs,
architectural drawings, health & safety...).  The shoe factory company
has responsibilities to stakeholders, including its employees, which
extend forward beyond 5 years (again, pensions, possible liability
claims from working environment, tax data, etc).   For the purchasing
company, the reliability (eg integrity and authenticity) of these
documents was very important, and not necessarily taken for granted:
purchasing companies would usually require the vendor to provide
warranties about several things (eg the reliability of information), to
which financial penalties are attached.  These warranties usually have
specified durations of several years (I've seen some in double digits).

I have also worked on other instances (not Texon) where these warranties
are invoked, to the substantial cost of the previous vendor (and to the
substantial benefit of the employees).

But even for day-to-day operations, a shoe factory will need to be able
to rely on its documents over considerable spans of time.
Operationally, however, it might never have to demonstrate integrity and
authenticity (but how can it be confident that it won't?!)  It is likely
that many of the objects/materials it needs to keep over time are
relatively simple from a preservation perspective, but not all.

I agree with Helen that it comes down to the essential properties of the
materials to be preserved.  Are these "essential properties"
non-variables ..  a sine qua non?

So a trusted digital repository might support either a specified set of
properties of the materials it holds, or it could support variations.

Getting back to ISO 27001, (a) a trusted digital repository should
comply with it, and (b) the information security in that standard is
more about information security over a restricted span of time (really,
the temporal perspective is missing).

Alison

Alison Macdonald
Digital Archiving Consultancy Limited
2 Wayside Court, Twickenham UK
alison at d-archiving.com
Tel: +44-208 607 9102



-----Original Message-----
From: moims-rac-bounces at mailman.ccsds.org
[mailto:moims-rac-bounces at mailman.ccsds.org]On Behalf Of Helen Tibbo
Sent: 28 March 2007 10:19
To: 'MOIMS-Repository Audit and Certification BOF'
Subject: RE: [Moims-rac] Analysis of ISO 27001


Hello everyone. I hope to be able to join you today at the conference
now that daylight savings time has been resolved. Certainly the nature
of what is being preserved makes a difference here. It's one thing to
keep data safe, another to provide long-term preservation to authentic
digital objects. This comes down, at least in part, to what we mean by
"authentic" and what the essential properties are of the materials that
need to be preserved. While the shoe factory may have just as rigorous
requirements as any other repository, it probably doesn't. Length of
time to preserve is also a factor in the complexity of what must be
understood, done, and planned for. However, in theory I think the
requirements could be the same; in practice they would probably be quite
different.  -Helen


Dr. Helen R. Tibbo, Professor
School of Information and Library Science
201 Manning Hall
University of North Carolina at Chapel Hill
Chapel Hill, NC 27599-3360
tibbo at ils.unc.edu
Tel: 919.962.8063
Fax: 919.962.8071

-----Original Message-----
From: moims-rac-bounces at mailman.ccsds.org
[mailto:moims-rac-bounces at mailman.ccsds.org] On Behalf Of Barbara Sierman
Sent: Tuesday, March 27, 2007 9:42 AM
To: moims-rac at mailman.ccsds.org
Subject: [Moims-rac] Analysis of ISO 27001

Dear all,

After having read the ISO 27001 and the comments of Chris Rusbridge and
David Giaretta, I wondered whether we should not pay some attention to a
fundamental question (in my opinion): what is the difference between a
long term preservation environment and an information security
management system of let's say a shoe factory. Is there a difference? I
think there is. If we are able to determine these differences, we could
also be more explicit about the requirements.
For example: Managing a long term preservation environment could mean
that it is important to lay down the decisions made with regard to this
system, while this information might be crucial information to the next
generations, maintaining this material. Long term preservation also
means that the management of the "repository" has some responsibility to
the next generations. In the shoe factory this is less important, after
all the system will be replaced after 5 years and after a conversion of
the data, the factory is just working with a new system.
I'm sure there are more differences. I wonder what other people's
opinion is? Maybe something to discuss tomorrow?

Kind regards


Barbara Sierman
Digital Preservation Officer

Koninklijke Bibliotheek
PO Box 90407
2509 LK Den Haag, The Netherlands

+31 70 3140109
barbara.sierman at kb.nl

www.kb.nl


_______________________________________________
Moims-rac mailing list
Moims-rac at mailman.ccsds.org
http://mailman.ccsds.org/cgi-bin/mailman/listinfo/moims-rac


