Thursday, December 22, 2016

Securing Trustworthy Digital Repositories

Securing Trustworthy Digital Repositories. Devan Ray Donaldson, Raquel Hill, Heidi Dowding, Christian Keitel.  Paper, iPres 2016. (Proceedings p. 95-101 / PDF p. 48-51).
     Security is necessary for a digital repository to be trustworthy. This study looks at digital repository staff members’ perceptions of security for Trusted Digital Repositories (TDR). The paper covers:
  • Scholarship on security in the digital preservation and computer science literature
  • The methodology: the sample, data collection, and analysis techniques
  • The findings, a discussion of the study's implications, and recommendations
Security in the paper refers to “the practice of defending information from unauthorized access, use, disclosure, disruption, modification, perusal, inspection, recording or destruction”.  Three security principles mentioned are confidentiality, integrity, and availability.  Recent standards for TDRs show the best practices of the digital preservation community, including security as part of attaining formal “trustworthy” status for digital repositories. However, security can be hard to measure. Part of security is the threat modeling process, where "assets are identified; threats against the assets are enumerated; the likelihood and damage of threats are quantified; and mechanisms for mitigating threats are proposed". Understanding threats should be based on "historical data, not just expert judgment" to avoid unreliable data. The study discusses the Security Perception Survey, which "represents a security metric focused on the perceptions of those responsible for managing and securing computing infrastructures". 

Two standards, DIN 31644 and ISO 16363, draw upon DRAMBORA, an earlier standard, which consisted of six steps for digital repository staff members:
  1. identify their objectives.
  2. identify central activities necessary to achieve their objectives and assets.
  3. align and document risks to their activities and assets.
  4. assess, avoid, and treat risks by each risk’s probability, impact, owner, and remedy.
  5. determine what threats are most likely to occur and identify improvements required.
  6. complete a risk register of all identified risks and the results of their analysis.
Security is a major issue for digital repositories. "Taken together, standards for TDRs underscore the importance of security and provide relatively similar recommendations to digital repository staff members about how to address security." Participants in this study found the security criteria in the standard that they chose sufficient.
