[Moims-dai] FW: [EXTERNAL] CESG Polls - responses from MOIMS-DAI

david at giaretta.org david at giaretta.org
Mon Oct 21 21:46:08 UTC 2024 

Erik agrees with our proposals.

 

..David

 

From: Barkley, Erik J (US 3970) <erik.j.barkley at jpl.nasa.gov> 
Sent: 21 October 2024 18:01
To: david at giaretta.org
Cc: Thomas Gannett <thomas.gannett at tgannett.net>
Subject: RE: [EXTERNAL] CESG Polls - responses from MOIMS-DAI

 

Dear David,

 

Please consider the conditions satisfied and retired.  Thank you for the
timely reply. In order, here are item specific responses:

 

1.	Thank you for the additional example statements.  I think that
really helps.
2.	Fair enough regarding the established terminology. More a matter of
style/editorial concern and so it is fine to leave it as is.
3.	Thank you for adding the indication regarding use of UML class
diagrams.
4.	I think the updated security section is definitely better and
adequately addresses the concern. 

 

Best regards,

-Erik

 

 

From: david at giaretta.org <mailto:david at giaretta.org>  <david at giaretta.org
<mailto:david at giaretta.org> > 
Sent: Monday, October 21, 2024 03:26
To: Barkley, Erik J (US 3970) <erik.j.barkley at jpl.nasa.gov
<mailto:erik.j.barkley at jpl.nasa.gov> >
Cc: Thomas Gannett <thomas.gannett at tgannett.net
<mailto:thomas.gannett at tgannett.net> >
Subject: [EXTERNAL] CESG Polls - responses from MOIMS-DAI

 

Dear Erik

 

Here are the MOIMS-DAI responses to your conditions.

Please let us know is our proposals address these adequately.

 

Regards

 

..David

Chair, MOIMS-DAI

 

 

CESG E-Poll Identifier:  CESG-P-2024-09-004 Approval to publish CCSDS
653.0-M-1, Information Preparation to Enable Long Term Use (Magenta Book,
Issue 1)

Erik Barkley (Approve with Conditions):  

1) (Essentially editorial):  

pg 1-1: For the sentence that reads "However, it is widely recognized that
many such endeavours are not able, for one reason or another, to leave a
sufficient legacy of information so others can reuse and fully leverage the
effort that has gone into the endeavor.", suggest citing at least one and
perhaps two concrete examples rather than the generic "for one reason or
another".  Rationale: if there is a "well-recognized need" then it seems
there should be well-recognized examples re "one reason or another" that
this recommendation is addressing.

 


MOIMS-DAI PROPOSAL http://review.oais.info/show_bug.cgi?id=393
<https://urldefense.us/v3/__http:/review.oais.info/show_bug.cgi?id=393__;!!P
vBDto6Hs4WbVuu7!IyPZ-2oHHu7F5lIM7lp2ZpUODXW1_hzL61_AFFuzkj2K8zw6vLHphjwY4dT8
mvuel9PbgXspRiMfriuY0Zgbd7hD$> :

Add after the quoted sentence:

"Such reasons include the focus on hardware by those involved in earlier
stages of a project means that they may not always think about collecting
and saving information about design decisions and calibrations needed for
analysis of the data the hardware will collect or create; lack of
understanding that there must be a budget allocation to fund the collection
of such information; uncertainty about what information to collect at
various stages often means that very little is collected; information may
not be collected if it is not needed for the primary use of the data
collected, which means that alternative uses are limited."

 

 

 

CESG E-Poll Identifier:  CESG-P-2024-09-001 Approval to publish CCSDS
650.0-M-3, Reference Model for an Open Archival Information System (OAIS)
(Magenta Book, Issue 3)

     Erik Barkley (Approve with Conditions):  

1) Minor editorial suggestion: the general form re figure annotions of
"Functions of the <xyz> Functional Entity" seems a little clunky. Why not
just phrase it as "<xyz> Entity Functions" ?

 

2) Pg 4-39 -- please identify the specific type of UML diagram -- It looks
like a UML Class Diagram?  This will help the reader identify the semantics
of the diagram. This also applies through the document -- perhaps just
indicate somewhere in the introductory material that class diagrams are
being used ? ( This could save some editing effort)

 

3) The security sections could be more to the point, and given that we are
talking about securing archives which may (or likely will) contain key
information to be preserved for a significant length of time, seems a bit
lacking.  At a minimum suggest referencing NIST 800-209 and ISO/IEC 27040
for more detailed guidance on data storage security.  If it helps, I can
also think of making sure this section addresses the following points:

 

    Regular Backups: Regularly backup critical data to ensure its
availability in case of accidental deletion, hardware failure, or
cyberattacks.

    Encryption: Implement encryption during both storage and transmission to
protect data from unauthorized access.

    Access Controls: Set up robust access controls and authentication
systems to ensure only authorized personnel can access the archived data.

    Multi-Factor Authentication (MFA): Enable MFA to add an extra layer of
security.

    Secure Off-Site Storage: Use secure off-site storage solutions to
protect data from physical threats.

    Regular Audits: Conduct regular audits and monitoring to detect and
respond to any unauthorized access attempts.

    Anti-Malware and Firewalls: Use anti-malware software and firewalls to
protect against cyber threats.

    Disaster Recovery Plan: Establish a disaster recovery plan to ensure
data can be quickly restored in case of a major incident.

 


MOIMS-DAI PROPOSAL http://review.oais.info/show_bug.cgi?id=395
<https://urldefense.us/v3/__http:/review.oais.info/show_bug.cgi?id=395__;!!P
vBDto6Hs4WbVuu7!IyPZ-2oHHu7F5lIM7lp2ZpUODXW1_hzL61_AFFuzkj2K8zw6vLHphjwY4dT8
mvuel9PbgXspRiMfriuY0aIGnIgW$> 

1) We believe that changing the well established terminology will cause
confusion.

2) In sections 1.5.2 and 4.3.1, and in Annex C,  we will clarify that we are
using UML Class diagrams. 

3) In Annex F, change 

FROM

"This should include all appropriate security measures such as physical
access, backups and periodic integrity checking."

TO:

"This should include all appropriate security measures such as physical
access,  backup and recovery processes, periodic integrity checking,  and
other measures for example from ISO ISO/IEC 27040 and audits such as those
under ISO/IEC 16363."

 

 

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.ccsds.org/pipermail/moims-dai/attachments/20241021/72bd24a7/attachment-0001.htm>

More information about the MOIMS-DAI mailing list