Specialist Task Force 401:
Best Practices for secure long term document storage
Who we are:
Team Leader: Franco Ruggieri
Team Members: Iñigo Barreira
István Zsolt Berta
Alfredo Esposito
Gregor Karlinger
Paloma Llaneza
Sandro Fontana
What we do:
This STF will issue:
- One Technical Specification providing Information Preservation Service
  Providers with logical, physical, organisational, infrastructural, etc.
  requirements to securely and reliably implement and manage Information
  Preservation Systems;
- One Technical Report indicating provisions for auditors of the above IPSP.
For more details, see our Terms of Reference.
Why we do it:
Security and reliability in long term information preservation are becoming more
and more of an issue: national (Italy UNINFO, USA NIST, France AFNOR) as well as
international (ISO) bodies have begun dealing with this issue in recent years.
This derives directly from the exponential increase in the volume of
information that is produced in digital format and that needs to be preserved
for a period that may span from some years, as in the case of accounting related
records (e.g. in Italy digital accounts must be kept for at least ten years), to
many decades, not to mention longer periods where legally required, as is the
case of real estate records.
The skill required to evaluate the reliability of an IPSP (Information
Preservation Service Provider) is complex and broadly scoped, therefore the
average user resorting to an IPSP may not necessarily be able to perform such an
evaluation. This problem applies to a number of service provision fields. In
fact EU Directive 2006/123/EC in its art. 26 addresses exactly the need to
overcome this hindrance and to level the field for users of any kind of
services, requiring EUMS to “take accompanying measures to encourage providers
to take action on a voluntary basis in order to ensure the quality of service
provision.” The same Art. 26 specifies that this would be based on certification
or accreditation systems or on similar mechanisms.
Consistently, the EU eGovernment Action Plan 2011-2015 also addresses, amongst
other things, the long term preservation of digital information.
The purpose of this STF is, therefore, to lay down commonly recognised
provisions an IPSP would use to implement and to manage an Information
Preservation System and against which an IPSP can be assessed in order to
provide the average user with a gauge suitable to help him choose an IPSP
meeting his needs.
How we do it:
Based on a Technical Specification on this topic issued by the Italian UNINFO
and on specifications issued by other EUMS, as well as on opinions by other
international relevant bodies, this STF is drafting:
- one TS specifying the requirements for implementing and managing Information
  Preservation Systems;
- one TR providing assessors with indications on how to assess an Information
  Preservation System.
The above provides the STF with sufficient confidence that what is being
developed is consistent with specifications developed in some EUMS.
These STF deliverables build on ETSI TS 102 573 (“Policy
requirements for trust service providers signing and/or storing data for digital
accounting”), that in turn is based on ISO/IEC 27001 (“Information
technology — Security techniques — Information security management systems —
Requirements”) and on ISO/IEC 27002 (“Information
technology — Security techniques — Code of practice for information security
management”), and specify what requirements are to be added to those
indicated in the mentioned ETSI TS 102 573 and ISO/IEC 27001/27002, or what
provisions of such specifications are to be disregarded with reference to IPSP.
The development process, performed by a team with skills in the ISO/IEC 27000
family, in drafting assessment guidelines and, more generally, in dealing with
digital information, goes through one commenting phase by the TC ESI and a
subsequent public one. Eventually, the deliverables will be approved by the ESI
before publication.
Time plan:
The STF work will unfold in the following phases:
Activity | Deadline |
1) Drafting provisions for implementing and managing an IPSP | October 2010 |
2) Drafting provisions for conducting assessments on an IPSP | November 2010 |
3) Commenting by the ESI | February 2011 |
4) Disposition of ESI Comments | April 2011 |
5) Approval by the ESI | May 2011 |
6) Publication | June 2011 |
How to contact us:
STF members can be contacted at the following e-mail addresses:
Franco Ruggieri franco.ruggieri@fastwebnet.it
Iñigo Barreira i-barreira@izenpe.net
István Zsolt Berta istvan.berta@microsec.hu
Alfredo Esposito alfredo.esposito@infocert.it
Gregor Karlinger gregor.karlinger@xitrust.com
Paloma Llaneza pll@palomallaneza.com
This information is based upon STF working assumptions.
The views expressed do not necessarily represent the position of ETSI in this
context.
Last updated: 2013-04-13 17:33:44