Accreditation of document management and archiving services in Slovenia. From the legislation to the practice

Transcription

1 Accreditation of document management and archiving services in Slovenia From the legislation to the practice Tatjana Hajtnik,, MA The Archives of the Republic of Slovenia, Head of the Division for E-Archiving Pavel Golob,, CISA EUROJUST, Acting Head of the Security, Facility Management, General Services and Events Unit December 2008

2 ARS The Archives of the Republic of Slovenia Staff - 76 SLOVENIA Area: km2 Population: ( ) Capital city: Ljubljana Language: Slovene; also Italian and Hungarian in nationally mixed areas Currency: euro (since 1 January 2007) 2 / 34

3 Agenda Basic requirements for for long term preservation 3 / 34

4 Agenda Basic requirements for for long term preservation Slovenian Legislation 4 / 34

5 Agenda Basic requirements for for long term preservation Slovenian Legislation Internal Rules 5 / 34

6 Agenda Basic requirements for for long term preservation Slovenian Legislation Internal Rules Accreditation Process 6 / 34

7 Agenda Basic requirements for for long term preservation Slovenian Legislation Internal Rules Accreditation Process Check List List 7 / 34

8 Agenda Basic requirements for for long term preservation Slovenian Legislation Internal Rules Accreditation Process Check List List Lessons Learned 8 / 34

9 Basic requirements of long-term preservation legal and evidential values of documents in digital form principles of long-term preservation of documents and/or usability of their contents: accessibility applicability authenticity integrity protection of cultural monument 9 / 34

10 National Legislation and Regulation

11 Slovenian Legislation in long-term preservation Protection of Documents and Archives and Archival Institutions Act, PDAAIA - general rules on method and organization of storage Regulation on Documents and Archives Protection detail executable rules Unified Technological Requirements (UTR) organizational and technological requirements Regulation on professional qualification for public administration and provider s staff General Conditions on Accreditation Implementation Other regulation to be compliant with regarding the Other regulation to be compliant with regarding the retention time 11 / 34

12 Internal rules

13 Internal Rules Who should adopt? Entity (public or commercial), which intent to capture or store materials in the digital form Why should be adopted? To ensure the legal validity and evidential value of the documents in digital form Legal requirement: to be confirmed by ARS Mandatory for: public administration, service providers running for service accreditation Monitoring: internal or external; at least once a year Supervision authority: Supervision authority: ARS; deploying certified information system auditor 13 / 34

14 Internal rules: aim and structure Describing the main process (e.g. capture of material, conversion, implementation, ) Defining responsibility within the process Setting minimum set of documentation (e.g. register of captured documents, audit trail, logs, ) Organisational Structure 14 / 34

15 Internal rules: aim and structure Describing the main process (e.g. capture of material, conversion, implementation, ) Defining responsibility within the process Setting minimum set of documentation (e.g. register of captured documents, audit trail, logs, ) Human resources (roles, competances, ) Organisational Structure 15 / 34

16 Internal rules: aim and structure Describing the main process (e.g. capture of material, conversion, implementation, ) Defining responsibility within the process Setting minimum set of documentation (e.g. register of captured documents, audit trail, logs, ) Document Management Procedures Human resources (roles, competances, ) Organisational Structure 16 / 34

17 Internal rules: aim and structure Describing the main process (e.g. capture of material, conversion, implementation, ) Defining responsibility within the process Setting minimum set of documentation (e.g. register of captured documents, audit trail, logs, ) Information and Communication Infrastructure Document Management Procedures Human resources (roles, competances, ) Organisational Structure 17 / 34

18 Internal rules: aim and structure Describing the main process (e.g. capture of material, conversion, implementation, ) Defining responsibility within the process Setting minimum set of documentation (e.g. register of captured documents, audit trail, logs, ) Information Security Information and Communication Infrastructure Document Management Procedures Human resources (roles, competances, ) Organisational Structure 18 / 34

19 Internal rules: aim and structure Describing the main process (e.g. capture of material, conversion, implementation, ) Defining responsibility within the process Setting minimum set of documentation (e.g. register of captured documents, audit trail, logs, ) Monitoring Information Security Information and Communication Infrastructure Document Management Procedures Human resources (roles, competances, ) Organisational Structure 19 / 34

20 Supervision authority - ARS Registration obligatory for equipment and services providers Simple administrative procedure Accreditation In general not obligatory, with the exception when the service or equipment (HW & SW) are deployed in public sector Contract between ARS and provider Internal rules, confirmed by ARS 20 / 34

21 Check Lists Emposed by ARS Internal rules & Services Confirming internal rules Accreditation Monitoring Check List Software accreditation Check List Hardware accreditation Check List 21 / 34 PDAAIA, Regulations, UTR

22 Provider difference between Public administration and Commercial Sector Public Administration Confirmed Internal rules by ARS - obligatory Accredited equipment and services - obligatory Commercial Sector Confirmed Internal rules by ARS non obligatory Accredited equipment and services non obligatory Provider of capture and storage of documents in a digital form 22 / 34 Registration Confirmed internal rules Accredited equipment or services Registration Confirmed internal rules Provider of capture and storage of documents in a digital form

23 Service Accreditation

24 Accreditation procedure ARS Providers APPLICATION 1 HW and SW services 24 / 34

25 Accreditation procedure ARS Providers APPLICATION HW and SW services 1 2 Proposal of the Contract for accreditation implementation and General Conditions 25 / 34

26 Accreditation procedure ARS Providers APPLICATION 1 HW and SW services 2 Signed contract 3 Payment of compensation for accreditation Proposal of the Contract for accreditation implementation and General Conditions 26 / 34

27 Accreditation procedure ARS Providers APPLICATION 1 HW and SW services 2 Proposal of the Contract for accreditation implementation and General Conditions Signed contract 3 Payment of compensation for accreditation 4 Deciding procedure ACCREDITATION Entry into the registry of equipment and services Providers 27 / 34

28 Accreditation procedure ARS Providers APPLICATION 1 HW and SW services Signed contract supervision 3 Payment of compensation for 5 accreditation 2 Proposal of the Contract for accreditation implementation and General Conditions 4 Deciding procedure ACCREDITATION Entry into the registry of equipment and services Providers 28 / 34

29 Structure of the Check List The CL consists of 5 sections: Section A: The methodology of review Section B: List of the control activities Section C: Final assessment Section D: Legal framework Section E: Appendixes 29 / 34

30 The structure of the tables Requirement no. xx: Legal bases Area of implementation Reference to Internal Rules Control activity importance (Impact with regard to the PDAAIA compliance) Expected frequency of the control activity Expected type of the control activity Relying on work of others Review guidance Compensation controls 30 / 34 XX number legislation (PDAAIA, regulations, UTR) reference to the type of service to be implemented () Input from service provider, who needs to state Document title, version and date page number of paragraph number Critical Very Important Important Annual, Semi annual, Quarterly, Monthly, Weekly, Daily, Very frequent Manual (no IT support) Automatic (application controls, software input controls,, etc.) Mixed (combination of manual and automatic controls) E.g. ISO 9001, ISO 27001,. Requirement Requirement description, as stated in the legislation bases ( PDAAIA, regulations, UTR). Normally citation from relevant legal source. Filled in within the review. Type of the review acitvity Interview Documentation review Review of the software Posting test transactions Substantial testing Monitoring Evidence review Assesment Internal Rules: (Filled in by ARS within the process of the IR approval) Adequate: Not adequate: Not applicable: Finding: (outcome of the accreditation review) Adequate: Not adequate: Not applicable: Dare: dd/mm/yyyy Recommendation: Summery of the review Filled in within the review by the auditor, following the relevant international standards of auditing. (test performed, reference to the relevant documentation, etc.) Working documents Filled in within the review.

31 Present Situation Registered equipment and services Providers Confirmed Internal Rules (10 in progress) Accredited SW (5 in progress) 48 Accredited type of HW 2 Service Accreditation Pilot Project 31 / 34

32 Lessons Learned During Piloting Accreditation Process ARS recommends that the service provider performs self assessment and evaluation before the accreditation The accreditation process could be accelerated when the provider updates the check list with the references between the requirements and the internal rules supporting documents Accreditation review should be prepared in advance in terms of the schedule, required staff, list of required evidences, etc. The review should be focused on the critical control activities / requirements 32 / 34

33 Lessons Learned During Piloting Review Communication of Internal Rules within the Provider Organization Awareness of staff with regard to the information security and importance of the compliance with the relevant legislation When part of the infrastructure or service is outsourced to third party, focus on the Service Level Agreement The monitoring of critical internal controls should be imposed ARS recognizes the ISO 9001 and ISO certificates as valid in the process of obtaining the assurance regarding the effectiveness of control activities (in scope of standards) 33 / 34

34 THANK YOU FOR ATTENTION! Tatjana Hajtnik,, MA The Archives of the Republic of Slovenia, Head of the Division for E- Archiving Pavel Golob,, CISA EUROJUST, Acting Head of the Security, Facility Management, General Services and Events Unit