By Lori Ashley
CoSA’s Digital Preservation Capability Self-Assessment survey is a high-level framework of requirements from ISO 14721 and ISO 16363. This is the third in a series of five (5) blog posts in the BACKER series to explore how specific components in the CoSA DPC survey relate to the systematic assessment of a digital preservation program and repository. Follow the links for part one and part two.
We are using categories from ISO 16363, Audit and certification of trustworthy digital repositories, to frame the key issues and help CoSA members prepare for a positive and useful experience with the January 2022 survey. This week we will focus on the third category, Infrastructure and Security Risk Management, and map its criteria and metrics to the 15 DPC survey questions and response statements.
A Note about the Survey
The Digital Preservation Capability Maturity Model (DPCMM) was developed to be used to conduct a gap analysis of current digital preservation capabilities and to help practitioners and organizations delineate a multi-year roadmap of incremental improvements. It is important to note that the DPCMM is not a "one size fits all" approach and it is not intended to serve as a capability audit tool. Rather, it is a flexible tool that can be adapted to any organization’s specific requirements and resources, and takes into account a range of potential repository models, implementation strategies, and collection types.
The model, which is the basis of CoSA’s DPC self-assessment survey, identifies core digital preservation requirements which form the basis for debate and dialogue regarding the desired future state of digital preservation capabilities and the level of risk its leadership is willing to take on with regard to protection of and access to its permanent electronic records. In many instances, this is likely to come down to the question of what constitutes digital preservation capability that is “good enough” to fulfill the organization’s mission and meet the expectations of its stakeholders.
Infrastructure and Security Risk Management: Technical Infrastructure Risk Management
The criteria and metrics in this subsection relate to the capability of the repository to identify and manage risks to its operations and goals that are associated with the system infrastructure. This includes hardware and software technologies appropriate to the services it provides to designated communities, a technology watch monitoring or notification system, procedures to evaluate and implement changes to hardware and software, backup functionality, mechanisms to detect bit loss, testing and change management processes, and mechanisms to track all digital objects and synchronize copies.
Digital preservation infrastructure components of the DPC Self-Assessment that relate to technical infrastructure risk management include:
- Digital Preservation Policy – identify the approach to the operational management and sustainability of trustworthy digital repositories
- Digital Preservation Strategy – proactively and systematically monitor changes in technologies that may impact the digital collections and the digital repository
- Technical Expertise – expertise available to the Archives/RM unit to review emerging technologies and recommend those that the state/territory should adopt
- Designated Community – outreach and engagement with users to understand and adapt to their requirements
- Device/Media renewal – protect the bitstream by monitoring and refreshing storage devices and media
- Security – security, backup, and business continuity services including firewalls, role-based access rights, data transfer integrity validations, and logs for all preservation activities
Digital preservation capabilities require a combination of hardware and software tools and solutions. There are many commercial and open source tools available which range from supporting a single task, e.g., Checksum Generator, to an integrated ingest-to-access platform.
As reported in the Digital Preservation section of the 2021 edition of The State of State Records, a majority of respondents indicating they have an OAIS-based digital preservation system are using a commercial cloud-based platform which addresses most of the infrastructure-related requirements in the standard. Several archives are using an on-premise enterprise solution which requires a coordinated combination of external and internal technical services to monitor, implement and document changes to hardware and software technologies.
Infrastructure and Security Risk Management: Security Management
The criteria and metrics in this subsection relate to the systematic analysis, control, roles/authorizations, and preparedness for identifying and responding to security risk factors that impact data, systems, personnel and physical plant. At least one off-site backup of all preserved data and the recovery plan are maintained.
Digital preservation infrastructure components of the DPC Self-Assessment that touch on these topics include:
- Digital Preservation Strategy – strategies to address the risks associated with technology obsolescence including plans related to periodic renewal of storage devices and storage media
- Governance – a formal decision-making framework that assigns accountability and authority in the state/territory for the preservation of government records
- Collaborative Engagement – systematically addressing interdependencies among stakeholders
- Technical Expertise – access to technical expertise that can respond to evolving technologies
- Electronic Records Survey – projected volume and scope of permanent electronic government records that will come into the custody of the Archives
- Device/Media renewal – routine monitoring and refreshing of storage devices and media
- Security – security, backup, and business continuity services
As state and territorial archives establish and expand their digital repositories for government records and other permanent assets, resources and coordinated capabilities to ensure a secure and trustworthy infrastructure are critical.
The need for multiple copies of the preserved data is documented in the functional area Storage of NDSA’s Levels of Digital Preservation. Cloud-based digital preservation solutions typically manage synchronized copies in three geographic locations, each with a different disaster threat. Self-healing in the event of a failed fixity check of one of the copies may also be automatically handled by the system.
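The fixity check and self-healing described above can be sketched as follows. This is an added example, not code from this post or from any preservation platform; the function names, replica names (`site-a`, `site-b`, `site-c`) and sample records are hypothetical and constructed for illustration. It assumes a manifest of SHA-256 digests recorded at ingest, which serves as the trust anchor.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path

def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(1 << 20), b""):
            h.update(block)
    return h.hexdigest()

def audit_and_heal(manifest, replicas):
    """Check every copy against the ingest digest; repair bad or missing copies
    from a copy that verified. Returns the events to write to the audit log."""
    events = []
    for name, expected in manifest.items():
        ok = {r: (r / name).is_file() and sha256_file(r / name) == expected
              for r in replicas}
        good = [r for r in replicas if ok[r]]
        for root in (r for r in replicas if not ok[r]):
            event = {"object": name, "replica": root.name, "action": "unrecoverable"}
            if good:
                tmp = root / (name + ".repair")
                shutil.copyfile(good[0] / name, tmp)
                if sha256_file(tmp) == expected:  # re-verify before replacing
                    tmp.replace(root / name)
                    event.update(action="repaired", source=good[0].name)
                else:
                    tmp.unlink()
                    event["action"] = "repair_failed"
            events.append(event)
    return events

def demo():
    # Constructed sample: three replica directories standing in for three sites.
    base = Path(tempfile.mkdtemp())
    data = {"record-001.xml": b"<record>constructed sample</record>",
            "record-002.pdf": b"%PDF constructed sample bytes"}
    manifest = {n: hashlib.sha256(b).hexdigest() for n, b in data.items()}
    replicas = [base / s for s in ("site-a", "site-b", "site-c")]
    for root in replicas:
        root.mkdir()
        for n, b in data.items():
            (root / n).write_bytes(b)
    (replicas[1] / "record-001.xml").write_bytes(b"<record>bit rot</record>")
    (replicas[2] / "record-002.pdf").unlink()  # simulated lost copy
    return audit_and_heal(manifest, replicas), audit_and_heal(manifest, replicas)
```

The repair source is chosen by matching the ingest digest rather than by majority vote among copies, so two copies corrupted in the same way cannot overwrite a good one.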
The digital age has been accompanied by a significant increase in cybersecurity risk and focus across all levels of government. This is evidenced by ‘Cybersecurity’ maintaining the #1 spot for eight years straight in the State CIO Top 10 priorities list. Most recently, as state governments moved to virtual operations in response to the pandemic, both new and old vulnerabilities to government ‘business as usual’ emerged; these are detailed in the 2020 Deloitte-NASCIO Cybersecurity Study. Regardless of whether technical infrastructure and security services for a digital repository are managed by internal resources, external resources, or a combination of the two, Archives/RM units will need to actively engage with their IT colleagues to ensure that a high level of monitoring, change management, and documentation is available.
As our blog series continues and we count down to the January DPC self-assessment, we will examine the second ISO 16363 category and the very heart of any OAIS – Digital Object Management.
A Note about Post-Survey Activities
The IMLS BACKER grant is helping CoSA to understand the resources needed by its members to manage the lifecycle of electronic records and to establish and sustain digital repositories. By identifying strengths and weaknesses to protect permanent government records, the DPC Self-Assessment survey results will also help to guide the SERI subcommittees in their ongoing efforts and potentially suggest areas to work collaboratively with CoSA’s partner associations.
Image credit: Jørgen Stamp, CC BY 2.5 DK <https://creativecommons.org/licenses/by/2.5/dk/deed.en>, via Wikimedia Commons