25.4 Understanding the ISO Trusted Digital Repository Metrics
It is clear that one cannot cover all possible situations in the metrics, nor can one
prescribe exactly what each repository must do. This is the case with all types of
audits. Instead one must leave a lot to the judgement of the auditors.
To understand the way in which the metrics in Audit and Certification of
Trustworthy Digital Repositories [251] (referred to below as the “metrics
document”) were written, it is helpful to think about the document in the following way,
building it up in the same way that the authors of that document did.
A very important thing to understand is that in judging a repository one could
look at many types of issues. For example: is the restaurant good, is the lighting
adequate, is there wheelchair access, does the repository respond to requests within 3 min,
is it easy to find what one is looking for, and so on. However, these are not the things
against which the repository is to be judged here. Instead we are concerned about
how well a repository preserves the digitally encoded information with which it has
been entrusted.
With this in mind, one could say that since the audit and certification depends on
the judgement of the auditors, the metrics document could have one metric, namely
“Make sure the repository does a good job in preserving its holdings”.
Of course this would not be adequate. We need to provide more guidance for the
auditors. Therefore we start by saying “Well at least look at the organisation - make
sure it cannot suddenly go out of business, and also make sure that they know how
to preserve the digital objects.” Thus one can say that there are two guidelines for
auditors:
- Look at the organisation and its finances
- Look at the way it takes care of the digital stuff
In fact there is a third area, which one could argue is part of the second one,
namely:
- Make sure that the digital holdings cannot be stolen or otherwise lost.
The reason this third bullet is added is that the repository could undergo a security
audit separately (ISO 27000) so that it seemed sensible to provide a separate group
which could essentially be replaced by ISO 27000 certification - but such additional
certification is definitely not required.
Therefore we have three main headings:
- Organisational Infrastructure
- Digital Object Management
- Infrastructure and Security Risk Management
Continuing this process we can specify the topics where the auditor really needs to
be sure to look. The metrics document has the following breakdown: