Difference between revisions of "5) Infrastructure and Security Risk Management"
From CLOCKSS Trusted Digital Repository Documents
(Initial version) |
(Initial version) |
||
| Line 1: | Line 1: | ||
= Infrastructure and Security Risk Management = | = Infrastructure and Security Risk Management = | ||
| − | + | == 5.1) Technical Infrastructure Risk Management == | |
| − | [[5.2) Security Risk Management]] | + | * [[5.1.1 Identify and manage the risks to its preservation operations and goals associated with system infrastructure | 5.1.1 - The repository shall identify and manage the risks to its preservation operations and goals associated with system infrastructure.]] |
| + | * [[5.1.1.1 Employ technology watches or other technology monitoring notification systems | 5.1.1.1 - The repository shall employ technology watches or other technology monitoring notification systems.]] | ||
| + | * [[5.1.1.1.1 Hardware technologies appropriate to the services it provides to its designated communities | 5.1.1.1.1 - The repository shall have hardware technologies appropriate to the services it provides to its designated communities.]] | ||
| + | * [[5.1.1.1.2 Procedures in place to monitor and receive notifications when hardware technology changes are needed | 5.1.1.1.2 - The repository shall have procedures in place to monitor and receive notifications when hardware technology changes are needed.]] | ||
| + | * [[5.1.1.1.3 Procedures in place to evaluate when changes are needed to current hardware | 5.1.1.1.3 - The repository shall have procedures in place to evaluate when changes are needed to current hardware.]] | ||
| + | * [[5.1.1.1.4 Procedures, commitment and funding to replace hardware when evaluation indicates the need to do so | 5.1.1.1.4 - The repository shall have procedures, commitment and funding to replace hardware when evaluation indicates the need to do so.]] | ||
| + | * [[5.1.1.1.5 Software technologies appropriate to the services it provides to its designated communities | 5.1.1.1.5 - The repository shall have software technologies appropriate to the services it provides to its designated communities.]] | ||
| + | * [[5.1.1.1.6 Procedures in place to monitor and receive notifications when software changes are needed | 5.1.1.1.6 - The repository shall have procedures in place to monitor and receive notifications when software changes are needed.]] | ||
| + | * [[5.1.1.1.7 Procedures in place to evaluate when changes are needed to current software | 5.1.1.1.7 - The repository shall have procedures in place to evaluate when changes are needed to current software.]] | ||
| + | * [[ 5.1.1.1.8 Procedures, commitment and funding to replace software when evaluation indicates the need to do so | 5.1.1.1.8 - The repository shall have procedures, commitment and funding to replace software when evaluation indicates the need to do so.]] | ||
| + | * [[5.1.1.2 Adequate hardware and software support for backup functionality sufficient for preserving the repository content and tracking repository functions | 5.1.1.2 - The repository shall have adequate hardware and software support for backup functionality sufficient for preserving the repository content and tracking repository functions.]] | ||
| + | * [[5.1.1.3 Effective mechanisms to detect bit corruption or loss | 5.1.1.3 - The repository shall have effective mechanisms to detect bit corruption or loss.]] | ||
| + | * [[5.1.1.3.1 Record and report to its administration all incidents of data corruption or loss, and steps shall be taken to repair/replace | 5.1.1.3.1 - The repository shall record and report to its administration all incidents of data corruption or loss, and steps shall be taken to repair/replace corrupt or lost data.]] | ||
| + | * [[5.1.1.4 Process to record and react to the availability of new security updates based on a risk-benefit assessment | 5.1.1.4 - The repository shall have a process to record and react to the availability of new security updates based on a risk-benefit assessment.]] | ||
| + | * [[5.1.1.5 Defined processes for storage media and/or hardware change (e.g., refreshing, migration) | 5.1.1.5 - The repository shall have defined processes for storage media and/or hardware change (e.g., refreshing, migration).]] | ||
| + | * [[5.1.1.6 Identified and documented critical processes that affect its ability to comply with its mandatory responsibilities | 5.1.1.6 - The repository shall have identified and documented critical processes that affect its ability to comply with its mandatory responsibilities.]] | ||
| + | * [[5.1.1.6.1 Documented change management process that identifies changes to critical processes that potentially affect the repository's ability to comply with its mandatory responsibilities | 5.1.1.6.1 - The repository shall have a documented change management process that identifies changes to critical processes that potentially affect the repository's ability to comply with its mandatory responsibilities.]] | ||
| + | * [[5.1.1.6.2 Process for testing and evaluating the effect of changes to the repository's critical processes | 5.1.1.6.2 - The repository shall have a process for testing and evaluating the effect of changes to the repository's critical processes.]] | ||
| + | * [[5.1.2 Manage the number and location of copies of all digital objects | 5.1.2 - The repository shall manage the number and location of copies of all digital objects.]] | ||
| + | * [[5.1.2.1 Mechanisms in place to ensure any/multiple copies of digital objects are synchronized | 5.1.2.1 - The repository shall have mechanisms in place to ensure any/multiple copies of digital objects are synchronized.]] | ||
| + | |||
| + | == 5.2) Security Risk Management == | ||
| + | |||
| + | * [[5.2.1 Maintain a systematic analysis of security risk factors associated with data, systems, personnel, and physical plant | 5.2.1 - The repository shall maintain a systematic analysis of security risk factors associated with data, systems, personnel, and physical plant.]] | ||
| + | * [[5.2.2 Implemented controls to adequately address each of the defined security risks | 5.2.2 - The repository shall have implemented controls to adequately address each of the defined security risks.]] | ||
| + | * [[5.2.3 Staff shall have delineated roles, responsibilities, and authorizations related to implementing changes | 5.2.3 - The repository staff shall have delineated roles, responsibilities, and authorizations related to implementing changes within the system.]] | ||
| + | * [[5.2.4 Suitable written disaster preparedness and recovery plan(s), including at least one off-site backup of all preserved information together with an offsite copy of the recovery plan(s) | 5.2.4 - The repository shall have suitable written disaster preparedness and recovery plan(s), including at least one off-site backup of all preserved information together with an offsite copy of the recovery plan(s).]] | ||
Latest revision as of 00:20, 22 September 2013
Infrastructure and Security Risk Management
5.1) Technical Infrastructure Risk Management
- 5.1.1 - The repository shall identify and manage the risks to its preservation operations and goals associated with system infrastructure.
- 5.1.1.1 - The repository shall employ technology watches or other technology monitoring notification systems.
- 5.1.1.1.1 - The repository shall have hardware technologies appropriate to the services it provides to its designated communities.
- 5.1.1.1.2 - The repository shall have procedures in place to monitor and receive notifications when hardware technology changes are needed.
- 5.1.1.1.3 - The repository shall have procedures in place to evaluate when changes are needed to current hardware.
- 5.1.1.1.4 - The repository shall have procedures, commitment and funding to replace hardware when evaluation indicates the need to do so.
- 5.1.1.1.5 - The repository shall have software technologies appropriate to the services it provides to its designated communities.
- 5.1.1.1.6 - The repository shall have procedures in place to monitor and receive notifications when software changes are needed.
- 5.1.1.1.7 - The repository shall have procedures in place to evaluate when changes are needed to current software.
- 5.1.1.1.8 - The repository shall have procedures, commitment and funding to replace software when evaluation indicates the need to do so.
- 5.1.1.2 - The repository shall have adequate hardware and software support for backup functionality sufficient for preserving the repository content and tracking repository functions.
- 5.1.1.3 - The repository shall have effective mechanisms to detect bit corruption or loss.
- 5.1.1.3.1 - The repository shall record and report to its administration all incidents of data corruption or loss, and steps shall be taken to repair/replace corrupt or lost data.
- 5.1.1.4 - The repository shall have a process to record and react to the availability of new security updates based on a risk-benefit assessment.
- 5.1.1.5 - The repository shall have defined processes for storage media and/or hardware change (e.g., refreshing, migration).
- 5.1.1.6 - The repository shall have identified and documented critical processes that affect its ability to comply with its mandatory responsibilities.
- 5.1.1.6.1 - The repository shall have a documented change management process that identifies changes to critical processes that potentially affect the repository's ability to comply with its mandatory responsibilities.
- 5.1.1.6.2 - The repository shall have a process for testing and evaluating the effect of changes to the repository's critical processes.
- 5.1.2 - The repository shall manage the number and location of copies of all digital objects.
- 5.1.2.1 - The repository shall have mechanisms in place to ensure any/multiple copies of digital objects are synchronized.
5.2) Security Risk Management
- 5.2.1 - The repository shall maintain a systematic analysis of security risk factors associated with data, systems, personnel, and physical plant.
- 5.2.2 - The repository shall have implemented controls to adequately address each of the defined security risks.
- 5.2.3 - The repository staff shall have delineated roles, responsibilities, and authorizations related to implementing changes within the system.
- 5.2.4 - The repository shall have suitable written disaster preparedness and recovery plan(s), including at least one off-site backup of all preserved information together with an offsite copy of the recovery plan(s).
