STFbreadcrumb separatorSTFsbreadcrumb separatorSTF Homepagesbreadcrumb separatorSTF401

Specialist Task Force 401:
Best Practices for secure long term document storage

Who we are:

Team Leader: Franco Ruggieri
Team Members: Iñigo Barreira
István Zsolt Berta
Alfredo Esposito
Gregor Karlinger
Paloma Llaneza
Sandro Fontana

What we do:

This STF will issue:

  • One Technical Specification providing Information Preservation Service Providers with logical, physical, organisational, infrastructural, etc. requirements to securely and reliably implement and manage Information Preservation Systems;
One Technical Report indicating provisions for auditors of the above IPSP

For more details, see our Terms of Reference

Why we do it:

Security and reliability in long term information preservation is becoming more and more an issue: national (Italy UNINFO, USA NIST, France AFNOR) as well as International (ISO) bodies have begun dealing with this issue in the more recent years. This derives directly from the exponential increase in the volume of the information that is produced in digital format and that needs being preserved for a period that may span from some years, as in the case of accounting related records (e.g. in Italy digital accounts must be kept for at least ten years), to many decades, not to mention longer periods where legally required, as is the case of real estate records.

The skill required to evaluate an IPSP (Information Preservation Service Provider) reliability is complex and broadly scoped, therefore the average user resorting to an IPSP may not necessarily be able to perform such evaluation.

This problem applies to a number of service provisions fields. In fact EU Directive 2006/123/EC in its art. 26 addresses exactly the need to overcome this hindrance and to level out the field for users of any kind of services, requiring EUMS to “take accompanying measures to encourage providers to take action on a voluntary basis in order to ensure the quality of service provision.” In the ­course of the same Art 26 it is specified that this would be based on certification or accreditation systems or on similar mechanisms.

Consistently, the EU eGovernment Action Plan 2011- 2015 addresses, amongst other things, also the digital information long term preservation.

The purpose of this STF is, therefore, to lay down commonly recognised provisions an IPSP would use to implement and to manage an Information Preservation System and against which an IPSP can be assessed in order to provide the average user with a gauge suitable to help him choose an IPSP meeting his needs.

How we do it:

Based on a Technical Specification on this topic issued by the Italian UNINFO and on specifications issued by other EUMS, as well as on opinions by other international relevant bodies, this STF is drafting:

-       one TS specifying the requirements for implementing and managing Information Preservation Systems;

-       one TR providing assessors with indications on how to assess an Information Preservation System.

The above provides the STF with sufficient confidence that what is being developed is consistent with specifications developed in some EUMS.

These STF deliverables build on ETSI TS 102 573 (“Policy requirements for trust service providers signing and/or storing data for digital accounting”), that in turn is based on ISO/IEC 27001 (“Information technology — Security techniques — Information security management systems — Requirements”) and on ISO/IEC 27002 (“Information technology — Security techniques — Code of practice for information security management”), and specify what requirements are to be added to those indicated in the mentioned ETSI TS 102 573 and ISO/IEC 27001/27002, or what provisions of such specifications are to be disregarded with reference to IPSP.

The development process, performed by a team gathering skills in the ISO/IEC 27000 family, in drafting assessing guidelines and, more in general, in dealing with digital information, goes through one commenting phase by the TC ESI and a subsequent public one. Eventually, the deliverables will be approved by the ESI before publication.

Time plan:

The STF work will unfold in the following phases:

 Activity

Deadline

1) Drafting provisions for implementing and managing an IPSP October 2010
2) Drafting provisions for conducting assessments on an IPSP November 2010
3) Commenting by the ESI February 2011
4) Disposition of ESI Comments April 2011
5) Approval by the ESI May 2011
6) Publication June 2011

How to contact us:

STF members can be contacted at the following e-mail addresses

Franco Ruggieri franco.ruggieri@fastwebnet.it

Iñigo Barreira i-barreira@izenpe.net

István Zsolt Berta istvan.berta@microsec.hu

Alfredo Esposito alfredo.esposito@infocert.it

Gregor Karlinger gregor.karlinger@xitrust.com

Paloma Llaneza pll@palomallaneza.com

 

This information is based upon STF working assumptions.
The views expressed do not necessarily represent the position of ETSI in this context.

Last updated: 2013-04-13 17:33:44