European Framework of Certification for Trustworthy Digital Repositories

This content explores the European framework of certification for Trustworthy Digital Repositories, focusing on topics such as levels of certification, guidelines for data producers and consumers, and the challenges of establishing trust in data sharing. It delves into the concept of Trustworthy Digital Repositories, their characteristics, and the different levels of certification they can achieve. The framework includes Basic, Extended, and Formal Certification, each with specific requirements and audits. Additionally, it discusses DIN 31644 criteria and the self-assessment procedure for certification. The ultimate goal is to ensure secure and reliable long-term access to digital resources while mitigating risks to data integrity.


Uploaded on Sep 16, 2024


Presentation Transcript


  1. Webinar on Trust and Certification, 18 April 2016. Heiko Tjalsma (DANS), with contributions by Urpo Kaila (CSC). This work is licensed under the Creative Commons CC-BY 4.0 licence. Attribution: EUDAT, www.eudat.eu. EUDAT receives funding from the European Union's Horizon 2020 programme - DG CONNECT e-Infrastructures. Contract No. 654065

  2. Topics
     - Trust and certification: history of the European framework of certification: levels (DSA, DIN, ISO)
     - DSA in detail: guidelines (data producer / repository / consumer), technical infrastructure, organisational infrastructure, legal infrastructure
     - Emphasis on preservation: OAIS as reference model
     - Future of DSA: WDS and the development into DSA-WDS common requirements
     - Certification of security: a separate chapter

  3. Trust and certification: the European framework of certification: certifying Trustworthy Digital Repositories. Perhaps the biggest challenge in sharing data is trust: how do you create a system robust enough for scientists to trust that, if they share, their data won't be lost, garbled, stolen or misused?

  4. What is a Trustworthy Digital Repository? A repository:
     - With a mission to provide reliable, long-term access to digital resources, now and in the future
     - Understanding threats to and risks to the data within its systems
     - Having a regular cycle of audit and/or certification

  5. European framework of certification levels
     - Basic Certification is granted to repositories which obtain DSA certification
     - Extended Certification is granted to Basic Certification repositories which in addition perform a structured, externally reviewed and publicly available self-audit based on DIN 31644/nestorSeal
     - Formal Certification is granted to repositories which in addition to Basic Certification obtain full external audit and certification based on ISO 16363

  6. DIN 31644: extended certification
     - 34 criteria written by German NESTOR group and adopted in Germany as DIN 31644
     - Self-assessment procedure by NESTOR leads to NESTOR seal
     - Review of the assessment by 2 reviewers, appointed by NESTOR
     - Self-assessment and evidence on website
     - DANS the very first one to acquire a NESTOR Seal
     - http://www.langzeitarchivierung.de/Subsites/nestor/EN/nestor-Siegel/siegel_node.htm

  7. ISO 16363: formal certification
     - Based on Open Archival Information System (OAIS) and Trusted Repository Audit and Certification (TRAC)
     - Over 100 metrics
     - Test audits 2011 by PTAB (Primary Trustworthy Digital Repository Authorisation Body)
     - Full external auditing process
     - ISO 16919: Requirements for bodies providing audit and certification of candidate trustworthy digital repositories
     - No ISO certifications yet
     - http://www.iso16363.org/

  8. The near future: Common Requirements for certification
     - The DSA has entered into a partnership with ICSU World Data System. This has led to an amalgamation and renewal of their respective certifications (DSA and WDS) in the course of 2016
     - DSA and WDS will remain as seals
     - The existing, separate DSA and WDS guidelines will be replaced by one new common catalogue of requirements

  9. Timescale transition to Common Requirements for certification
     - Until the cut-off date (mid June 2016) DSA self-assessments can be submitted
     - The current Data Seal (2014-2015) will be extended to the end of 2017 for existing holders and for those completing current applications before the cut-off date

  10. WDS key characteristics comparable with DSA
     - World Data System part of ICSU
     - Light-weight certification procedure for regular and network members
     - 17 criteria
     - Based on self-assessment
     - Peer review by WDS Scientific Committee (IPO in Tokyo)
     - Focus on earth observation and space
     - Many members in US and Asia
     - Renewal between 3 and 5 years
     - 71 accredited members
     - https://www.icsu-wds.org/services/certification

  11. DSA - Data Seal of Approval
     - Launched in 2008
     - More than 50 Seals granted (April 2016)
     - Adopted by several European (data) infrastructures as primary trust facilitator: EUDAT, CESSDA, CLARIN, DARIAH

  12. DSA in a nutshell
     - Basic, lightweight certification mechanism
     - 16 Guidelines for Trustworthy Digital Repositories
     - Guidelines that relate to Data Producers, Data Repositories, and Data Consumers
     - Self-assessment, with no site visit
     - Peer-reviewed process supervised by DSA Board
     - DSA granted for a period of two years
     - Online tool for self-assessment and review

  13. DSA Data Seal of Approval: Objectives. The DSA is granted to repositories committed to archiving and providing access to data in a sustainable way for:
     - DATA PRODUCERS: Assurance of reliable data storage
     - FUNDERS: Confidence that data is available for re-use
     - DATA CONSUMERS: Assurance of using reliable data

  14. Data Seal of Approval: Principles. The data of a repository are:
     - Available on the Internet
     - Accessible (restricted if necessary for legal reasons)
     - Usable (file formats)
     - Reliable (Authentic)
     - Citable

  15. Common Requirements
     - Organisational Infrastructure: six requirements, I to VI
     - Digital Object Management: eight requirements, VII to XIV
     - Technology: two requirements, XV to XVI

  16. Common Requirements. First step: Background Information: What is the context of the repository? Are you outsourcing functions?

  17. OUTSOURCING. Outsourcing of some tasks is possible, under the following conditions:
     - Provide a list of Outsource Partners that your organization works with, describing the nature of the relationship (organizational, contractual, etc.), and whether the Partner has undertaken any Trusted Digital Repository assessment. Such Partners may include, but are not limited to: any services provided by an institution you are part of, storage provided by others as part of multicopy redundancy, or membership in organizations that may undertake stewardship of your data collection when a business continuity issue arises.
     - List the certification requirements for which the Partner provides all, or part of, the relevant functionality/service, including any contracts or Service Level Agreements in place.
     - Because outsourcing will almost always be partial, you will still need to provide appropriate evidence for certification requirements that are not outsourced and for the parts of the data lifecycle that you control.

  18. Organisational Infrastructure
     - I Mission / Scope
     - II Licences
     - III Continuity of access
     - IV Confidentiality / Ethics
     - V Organisational infrastructure
     - VI Expert guidance

  19. Digital Object Management
     - VII Data integrity and authenticity
     - VIII Appraisal
     - IX Documented storage procedures
     - X Preservation plan
     - XI Data quality
     - XII Workflows
     - XIII Data discovery and identification
     - XIV Data reuse

  20. Technology
     - XV Technical infrastructure
     - XVI Security

  21. Compliance Levels (unchanged)

  22. OAIS: Open Archival Information System
     - OAIS is a Reference Model
     - Originated at the CCSDS (Consultative Committee for Space Data Systems), USA
     - Aimed at long-term preservation of and access to data
     - Developed between 1995 and 2002
     - ISO standard 14721:2003, revised 2012

  23. OAIS and Certification
     - The OAIS is a Reference Model, is referred to in Requirements IX (Documented storage procedures) and XV (Technical infrastructure), and is not a technical system
     - The OAIS gives repositories a common and conceptual framework for describing their procedures
     - The OAIS system on its own is not enough to guarantee a trustworthy digital repository (TDR)!

  24. Core of the OAIS

  25. Information packages. Packages used in the preservation process, in this order:
     - Submission Information Package (SIP): INGEST
       - Provided by data producers
       - Possibility to require many SIPs to get the full Content information and Preservation Description information (PDI)
       - No one-to-one SIP / AIP relationship
     - Archival Information Package (AIP): INGEST and ARCHIVAL STORAGE
       - Fulfills the preservation requirements
       - Sticks to the OAIS concepts
     - Dissemination Information Package (DIP): ARCHIVAL STORAGE and ACCESS
       - Provided to users: a copy of the AIP, fully or partly

  26. Relation between packages and external parties

  27. Functional Model of OAIS

  28. Requirements for being an OAIS-compliant archive
     - Obtaining appropriate information from the Producer (Submission Agreement)
     - Sufficient legal mandate to handle the data
     - A clear Designated Community (or more Designated Communities)
     - Data to be understood by the Designated Community
     - Disseminate authenticated data with traceable provenance
     - Clear mission (including succession plan) and procedures

  29. Information representation. It is mandatory that the Archive preserves both the data object and the associated representation information = Content Information

  30. About Security Certification, by Urpo Kaila, EUDAT Security Officer. Outline:
     - A special chapter in certification
     - PDCA: plan-do-check-act
     - About security certifications and security reviews
     - Related frameworks and standards
     - Experiences from previous audits and reviews

  31. PDCA. Security management models can be formulated as some kind of a plan-do-check-act governance cycle:
     - Plan, based on: resources and services to be protected, risks, requirements
     - Do: develop, implement and deploy services
     - Check: that services work according to plan
     - Act: fix services or plan if not

  32. About security audits and security reviews
     - To ensure that security is implemented according to: requirements and standards, best practices and risk assessments
     - Check by:
       - Self-assessment (FitSM): a quite weak form of review
       - Internal review (SCI): done by an internal controller, not by the person in charge of the service
       - External audit (ISO/IEC 27001): trusted third party, possibly by an accredited body
     - Define standard to be checked against and scope of review
     - Requirements should be: known, in use, documented, managed, approved

  33. Related frameworks and standards
     - ISO/IEC 27001
       - The international standard for information security management
       - Requires a high level of maturity
       - Certification obtained by Google, Amazon, Office365
       - Audit by accredited parties
     - SCI
       - A Trust Framework for Security Collaboration among Infrastructures, https://www.eugridpma.org/sci/
       - A lightweight framework for internal review
       - Done by EGI, etc.
       - In an early stage of development
     - FitSM
       - A lightweight framework for IT Service management based on ITIL/ISO 20000
       - For self review or peer review
       - http://fitsm.itemo.org/

  34. Experiences from previous audits and reviews
     - External reviews or audits will often contribute to improving the efficiency, management and security of an organisation
     - Organisations must beware not to create rigid management models
     - The most difficult compliance items are mostly:
       - Management involvement
       - Change and configuration management
       - Asset controls and continuity planning
       - Software development

  35. General certification experiences
     - Documentation is very important: collect and organise sufficient and explicit documentation.
     - Certification process can lead to more awareness within the repository of existing preservation tasks and procedures.
     - Commitment by the management is an absolute prerequisite.
     - DSA is a good incentive to improve procedures and describe responsibilities more adequately.

  36. Relevant links
     - DSA: http://datasealofapproval.org/en/
     - WDS: https://www.icsu-wds.org/services/certification
     - Common Requirements: https://rd-alliance.org/system/files/DSA%E2%80%93WDS%20Catalogue%20of%20Common%20Requirements%20V2.2.pdf
     - OAIS: http://public.ccsds.org/publications/archive/650x0m2.pdf

  37. Questions on Trust and Certification? More information on this webinar: heiko.tjalsma@dans.knaw.nl. The next webinar will be in May on Research Data Management. More information on future webinars and recordings: www.eudat.eu/training, info@eudat.eu
