National Archives of Finland long-term preservation permission procedure for governmental agencies and development of national auditing and certification system

Markus Merenmies, National Archives of Finland

DLM Forum Members Meeting, Budapest, Hungary, 12th-13th May 2011


Topics

• Why permission?
• What is required to have it?
• Auditing and certification system

Why permission?

• Based on archives act
• Permanent preservation only in digital format requires a permission
• ”Proactive risk mitigation”
• To verify the fulfillment of requirements before records are produced

Requirement categories

• Information and task classification
  – Quality and accordance with ”real life”
  – Maintenance classification
• Records management process
  – How task classification is used
• Disposal of non-permanent records
  – Documented and managed administrative process
  – Required audit-trail of disposal
• Transfer
  – Documented and managed administrative process
  – Proper file formats (and content) and valid XML-structure
  – Error handling and transfer management
• General ”Good governance”
  – Log-file management
  – Information security

Auditing and certification system

[Diagram. Labels: Governmental agencies; National Archives; State Treasury Office; Sähke requirements; Long-term preservation permission procedure; Request for permission; Preservation agreement; Auditing service; Security requirements; Transfer test service; Records; Quality control; Process and metadata; Software functionalities; Information security; Records management schedule. Questions shown: What we have to know? What we want to have? What we have to do? Have they done it right?]

Auditing

• Management of processes and information
• Pre-defined requirements and measuring guidelines (auditing toolbox)
• Documented awareness of responsibilities
• ERMS should be certified; if not, then auditing should cover it also

Auditing process

• Outsourced pre-defined auditing package
  – 3 days, 2800€
  – Security audit: 6 days, 5500€
• Assisted systematic self-assessment
  – Pre-requirements for documentation
  – Self-assessment questions
  – Auditing workshop

• To recommend (or not) permission for long-term preservation

• Separate technical transfer-test service

Certification of ERMS

• ERMS Functionalities and Sähke2-requirements

• Challenge: How requirements are stated and how to measure?

• Status: re-writing Sähke2-requirements and development of certification framework

• But… Normally products are customized

Good governance

• How ownership of the system/process is defined and managed?
• Logfiles: how produced, why used?
• Security audit and risk management
• Development of Governmental Enterprise Architecture
  – General rules for information management and responsibilities

Should we do it ourselves?

• Yes
  – Difficult to outsource
  – Required expertise only in archives
• No
  – Not enough own resources
  – Software auditing requires special skills

What we’ve learnt?

• How to verify? That must be clear when writing requirements.
  – Sähke3 should support certification
  – Compliance with MoReq2010
• Define first, what you need to know
• Different tools for different means
• What you measure, that you’ll get. Keep focus on important issues
• Everything is simple, until you try it

Environment of requirements

[Diagram. Labels: Public organization; National Archives; Board of Antiquities; National Library; Ministry of Education and Culture; Ministry of Finance]

Thank you

Markus Merenmies

National Archives of Finland

+358504094011