National Archives of Finland long-term preservation permission procedure for
governmental agencies and development of national auditing and certification system
Markus Merenmies
National Archives of Finland
DLM Forum Members Meeting
Budapest, Hungary 12th-13th May 2011
Why permission?
• Based on the Archives Act
• Permanent preservation only in digital format requires a permission
• ”Proactive risk mitigation”
• To verify the fulfillment of requirements before records are produced
Requirement categories
• Information and task classification
  – Quality and accordance with ”real life”
  – Maintenance classification
• Records management process
  – How task classification is used
• Disposal of non-permanent records
  – Documented and managed administrative process
  – Required audit trail of disposal
• Transfer
  – Documented and managed administrative process
  – Proper file formats (and content) and valid XML structure
  – Error handling and transfer management
• General ”Good governance”
  – Log-file management
  – Information security
Auditing and certification system
[Diagram. Labels: Governmental agencies; National Archives; State Treasury Office; Sähke requirements; Long-term preservation permission procedure; Request for permission; Preservation agreement; Auditing service; Security requirements; Records; Quality control; Transfer test service; Process and metadata; Software functionalities; Information security; Records management schedule. Questions shown: What we have to know? What we want to have? Have they done it right? What we have to do?]
Auditing
• Management of processes and information
• Pre-defined requirements and measuring guidelines (auditing toolbox)
• Documented awareness of responsibilities
• ERMS should be certified; if not, then auditing should cover it also
Auditing process
• Outsourced pre-defined auditing package
  – 3 days, 2800€
  – Security audit: 6 days, 5500€
• Assisted systematic self-assessment
  – Pre-requirements for documentation
  – Self-assessment questions
  – Auditing workshop
• To recommend (or not) permission for long-term preservation
• Separate technical transfer-test service
Certification of ERMS
• ERMS Functionalities and Sähke2-requirements
• Challenge: How requirements are stated and how to measure?
• Status: re-writing Sähke2-requirements and development of certification framework
• But… Normally products are customized
Good governance
• How ownership of the system/process is defined and managed?
• Logfiles: how produced, why used?
• Security audit and risk management
• Development of Governmental Enterprise Architecture
  – General rules for information management and responsibilities
Should we do it ourselves?
• Yes
  – Difficult to outsource
  – Required expertise only in archives
• No
  – Not enough own resources
  – Software auditing requires special skills
What we’ve learnt?
• How to verify? That must be clear when writing requirements.
  – Sähke3 should support certification
  – Compliance with Moreq2010
• Define first, what you need to know
• Different tools for different means
• What you measure, that you’ll get. Keep focus on important issues
• Everything is simple, until you try it
Environment of requirements
[Diagram. Labels: Public organization; National Archives; Board of Antiquities; National Library; Ministry of Education and Culture; Ministry of Finance]