5.2 Security Risk Management #
5.2.1 - The repository shall maintain a systematic analysis of security risk factors associated with data, systems, personnel, and physical plant. #
Response #
Comprehensive, systematic risk assessment is essential to the long-term security and reliability of SP and its archived information. Risk assessment helps the repository identify and evaluate threats that could disrupt normal operations or impair its ability to meet its Mandatory Responsibilities and contracted obligations. SP began formally documenting and analyzing risks in the fall of 2011. The participants included key personnel from SP, OCUL, and the University of Toronto Libraries. In many cases, the risk analysis documented threats that librarians, systems administrators, and programmers had already addressed in the design and implementation of the repository.
At present, SP does not employ a third-party code of practice for risk analysis. Instead, SP reviewed risk assessment practices used by a variety of revelant institutions and organizations in order to avoid being ‘locked in’ to a particular code of practice. Following the review, SP designed a risk analysis model that suited the repository’s operating conditions and technical environment.
Please see the Risk Analysis and Management Strategies document for details. This document identifies threats, assesses their probability and potential impact, and provides an overview of the repository’s risk-minimization and prevention strategies.
Responsibility #
- Digital Preservation Librarian
- OCUL Executive Director
- OCUL Library Directors
Potential Risks #
The chief risks associated with risk analysis are (1) failure to review and update the analysis in a timely and consistent manner and (2) failure to acknowledge and analyze foreseeable risks. To minimize the first risk, SP has monitoring commitments in place (see Monitoring Commitments below). To minimize the second risk, SP uses a comprehensive typology of threats as a model for identifying foreseeable and relevant risks (described in the Risk Analysis and Management Strategies document).
Monitoring Commitments #
The repository will assess its risk analysis on a regular basis, according to the Review Cycle for Documentation Policy, or whenever there are major changes to its operating environment such as hardware refreshment, significant staffing level changes, or security incidents.
Future Plans #
SP recognizes that formal security audits and third-party vulnerability assessments could be valuable.
Documents #
5.2.2 - The repository shall have implemented controls to adequately address each of the defined security risks. #
Response #
SP has implemented controls to address and manage the security threats described in its Risk Analysis and Management Strategies document. The repository manages threats to its operations and content by using administrative procedures and technical controls recommended by the international digital curation community. SP manages some threats without external assistance and others in collaboration with staff from University of Toronto Libraries, OCUL administration, and/or OCUL members. Accordingly, the repository’s risk management strategies include activities that involve SP staff only indirectly or not at all (e.g. fire prevention and suppression). These relationships are outlined in the Risk Analysis and Management Strategies document where relevant.
Please see the Risk Analysis and Management Strategies document for details. This document describes policies and procedures employed by SP, University of Toronto Libraries, and the Libraries' Information Technology Services to manage risks.
Responsibility #
Numerous personnel are responsible for the design, implementation, and monitoring of security and risk controls. In general, the Digital Preservation Librarian is responsible for overall risk management.
Potential Risks #
The chief risks associated with security controls are (1) failure to employ controls that address the full scope and scale of the threat and (2) failure to review and update controls in a timely manner. To manage the first risk, SP conducted a thorough analysis of individual threats in order to design controls that address their full scope and scale. Please see 5.2.1 for more information. To manage the second risk, the repository has monitoring commitments in place (see Monitoring Commitments below).
Monitoring Commitments #
SP will assess its Risk Analysis and Management Strategies document on a regular basis, according to the Review Cycle for Documentation Policy, or whenever there are major changes to its operating environment such as hardware refreshment, significant staffing level changes, or security incidents. Reassessment will in some cases lead to the adjustment of individual security controls.
Future Plans #
SP recognizes that standardized codes of practice, such as ISO 27000, could provide a useful framework for designing and implementing security risk controls.
Documents #
5.2.3 - The repository staff shall have delineated roles, responsibilities, and authorizations related to implementing changes within the system. #
Response #
SP grants authorizations and administers access controls with the intention of maintaining a high level of security and stability. As described in the repository’s Security Plan, SP authorizes each staff member with limited access to system functionality based on his or her assigned duties. The SP Roles and Responsibilities document provides a general outline of the relationship between staff roles and specific duties. Additional controls include the following practices:
- There is no root access to critical processes, servers, or the storage array under normal circumstances. Systems administrators have root access under exceptional circumstances.
- Only systems administrators can write changes to the production servers or file system. Software developers have access to isolated development environments and the repository’s code versioning system.
- SP’s standard method of repairing errors in files or metadata is to request a corrected version of the article from the original Provider and re-ingest the complete package.
- Only systems administrators have access to the server room. Only the University of Toronto Libraries' Information Technology Services department can grant authorization to enter the server room.
- Only systems administrators can make changes to access controls.
Content Note - Journals #
Staff cannot write to ejournals volumes that have been mounted with a ‘read-only’ restriction. All ejournals volumes are mounted ‘read-only’ when they reach 2TB in size.
Responsibility #
- Systems Administrator
- Digital Preservation Librarian
Documents #
5.2.4 - The repository shall have suitable written disaster preparedness and recovery plan(s), including at least one off-site backup of all preserved information together with an offsite copy of the recovery plan(s). #
Response #
In collaboration with the University of Toronto Libraries' (UTL) administration and the Libraries' Information Technology Services (ITS) department, SP has already implemented a variety of disaster preparedness and minimization strategies for a wide variety of threats. The repository’s Risk Analysis and Management Strategies document describes the full range of risk management strategies. The core strategy is the repository’s Backup Plan. In the event of a disaster that leads to data corruption or loss, SP staff will work with ITS to restore information from backup copies.
SP is developing a written Disaster Recovery Plan that will reflect its operational relationship with UTL and ITS. The policies and procedures described in the Disaster Recovery Plan will reflect some of the threats analyzed in the repository’s Risk Analysis and Management Strategies document. However, the Disaster Recovery Plan will focus on systematic procedures for managing large-scale data corruption or loss. The plan will provide step-by-step instructions for addressing and resolving episodes of data corruption or loss (or situations where data corruption or loss is possible but not certain). Steps will include assessing the extent of any damage, retrieving content from backup copies, validating the authenticity and integrity of information, and restoring full dissemination services. The plan will describe emergency contacts, staff roles and responsibilities, communication priorities, and data recovery procedures. Part of the planning process involves identifying a suitable off-site storage location for copies of the plan.
Responsibility #
- Systems Administrator
- Digital Preservation Librarian
Potential Risks #
The chief risks associated with a disaster recovery plan are (1) failure to review and update the plan in a timely and consistent manner, (2) failure to inform staff about the plan, and (3) failure to train staff in disaster recovery procedures. To minimize the first risk, SP has monitoring commitments in place (see Monitoring Commitments below). With respect to the second and third risks, SP has a documented Backup Plan and a formal agreement with ITS for data recovery. The repository will implement formal communication and training processes as a part of its Disaster Recovery Plan.
Monitoring Commitments #
The repository will assess its Disaster Recovery Plan on a regular basis, according to the Review Cycle for Documentation Policy, or whenever there are major changes to its operating environment such as hardware refreshment or significant staffing level changes. In addition, SP will review the plan after any disaster during which staff consulted the plan or any episode of large-scale data corruption or loss.
Future Plans #
The Disaster Recovery Plan is currently in development.