1. Security Standards and Digital Curation
The flexibility of digital information can be regarded as a great strength. As software and hardware develop, data can be created, accessed, edited, manipulated and shared with increasing ease, The corollary is that data is vulnerable to unauthorized access, alteration or manipulation, which without checks can easily go undetected, and undermine its authoritative nature. Successful digital Curation ensures that data is managed and protected so that its authority is maintained and retained throughout the Curation lifecycle.1 To be authoritative data needs to remain authentic, reliable and useable, while retaining its integrity.2 These characteristics of data can be preserved through the implementation of an effective Information Security Management Systems (ISMS). The policies, procedures, human and machine resources which constitute an ISMS should ensure that the CIA Triad — Confidentiality, Integrity and Availability — is maintained across an organization’s physical, personal and organizational layers. Confidentiality ensures that data is only available to those authorized to access it. Integrity ensures that data can only be altered by authorized persons. Availability demands that authorized persons can access data when they require.
2. The ISO/IEC 27000 Series
The ISO/IEC 27000 is a series of standards which, when used together, specify the complete implementation of an ISMS. The series is still under development, with four of the planned standards currently published. Work is progressing on the completion of the remainder of standards ISO/IEC 27000 to ISO/IEC 27010. These cover the fundamental requirements of an ISMS, are applicable to any domain, and can be applied to any organization regardless of size, structure or aim. ISO/IEC numbers after this have been reserved for sector specific implementation guidelines, most of which are still at the planning or pre-draft stage. The appendix summarizes the development of the series to date.
The core documents in the series are ISO/IEC 27001, which specifies the requirements for an ISMS, and ISO/IEC 27002, which establishes guidelines and principles for implementation. These standards are based on the Plan-Do-Check-Act (PDCA) model for continuous quality control and improvement.3 An ISMS can be audited against ISO/IEC 27001 and certified for compliancy. Third party certification is available from a number of accredited providers and normally lasts for 3 years. Support for improving an implementation is usually given throughout the certification period.
ISO/IEC 27001 sets out the requirements for establishing, managing, documenting and continuously improving an ISMS using a risk management approach, which must be pre-defined by an organisation.4 Implementers are mandated to identify, analyse and evaluate risks and reduce these to an acceptable level. Contingencies for treating these risks are selected from over 130 controls defined by the standard. These cover a range of areas where information security could be compromised, and focus on the preparation of adequate policies and procedures, and documentation of processes. Controls include: security policy; staffing issues; equipment issues; access controls to both computing equipment and data; compliance with legal requirements and standards; acquisition, development and maintenance of the system; and management of business continuity. The controls are not exhaustive and they may be customized, or additional ones developed, for a specific implementation.
The standard also mandates that a compliant ISMS will: demonstrate management commitment through provision of resource, competent staff and training; undergo internal audit and management reviews; and undertake to continually improve effectiveness.
Mappings across the related management standards ISO 9001 and ISO 14001 are provided, to ensure consistency of approach across implementations.
ISO/IEC 27002 gives practical implementation guidance and further information for each of the controls identified in ISO/IEC 27001. It contains guidance on how to select appropriate controls for an implementation, including those essential for legislative compliance and those required for best practice.
Implementing or certifying ISMS against ISO/IEC 2001 can bring a number of benefits to an organization:
• Following a defined structured approach, with international recognition, can ensure that an ISMS is fit for purpose
• Information security issues, and how to mitigate associated risks, will be identified, managed monitored and improved in a planned manner
• Appropriate processes and procedures for information security management will be defined, documented and embedded in practice
• Demonstration of organizational commitment to information security, will ensure adequate allocation of resources, identification of roles and responsibilities and appropriate training
• Data will be protected against unauthorized access, demonstrating its authoritative nature, while authorized users will have access to data when they require it
• Continuity of an organization’s business will be effectively managed, improving its profile and increasing opportunities
• Intellectual property rights can be protected
• Independent verification of compliance with the standard can ensure that an organization has not been negligent regarding appropriate laws on the privacy of personal information. In England and Wales the standard is recognized by the Information Commissioner as an appropriate source of advice for ensuring compliance with the Data Protection Act (1998).
See the DCC Curation Lifecycle Model (accessed 12 March 2009).
2 The characteristics of an authoritative record as defined by ISO 15489: Information and Documentation – Records Management.
3 Also known as the Deming Cycle or Shewhart Cycle. See more information on Wikipedia.
4 ISO/IEC 27001 recommends, but does not mandate, the use of ISO/IEC 27005, Information Technology – Security Techniques – Information Security Risk Management for defining an organization’s risk management approach.
5 ISO 9001: Quality Management Systems – Requirements and ISO 14001: Environmental Management Systems – Requirements with Guidance for Use.
The published ISO27k standards related to “information technology – security techniques”