Comment: Migrated to Confluence 4.0

5.2.2 - The repository shall have implemented controls to adequately address each of the defined security risks.

Introduction

SP has implemented controls to address and manage the security threats described in its Risk Analysis and Management Strategies document. The repository manages threats to its operations and content by using administrative procedures and technical controls recommended by the international digital curation community. SP manages some threats without external assistance and others in collaboration with staff from University of Toronto Libraries, OCUL administration, and/or OCUL members. Accordingly, the repository's risk management strategies include activities that involve SP staff only indirectly or not at all (e.g. fire prevention and suppression). These relationships are outlined in the Risk Analysis and Management Strategies document where relevant.

Please see the Risk Analysis and Management Strategies document for details. This document describes policies and procedures employed by SP, University of Toronto Libraries, and the Libraries' Information Technology Services to manage risks.

Responsibility

Numerous personnel are responsible for the design, implementation, and monitoring of security and risk controls. In general, the Digital Preservation Policy Librarian is responsible for overall risk management.

Potential Risks

The chief risks associated with security controls are (1) failure to employ controls that address the full scope and scale of the threat and (2) failure to review and update controls in a timely manner. To manage the first risk, SP conducted a thorough analysis of individual threats in order to design controls that address their full scope and scale. Please see 5.2.1 for more information. To manage the second risk, the repository has monitoring commitments in place (see Monitoring Commitments below).

Monitoring Commitments

SP will assess its Risk Analysis and Management Strategies document on a regular basis, according to the Review Cycle for Documentation Policy, or whenever there are major changes to its operating environment such as hardware refreshment, significant staffing level changes, or security incidents. Reassessment will in some cases lead to the adjustment of individual security controls.

Future Plans

SP recognizes that standardized codes of practice, such as ISO 27000, could provide a useful framework for designing and implementing security risk controls.

Relevant Documents

  1. Risk Analysis and Management Strategies
  2. Review Cycle for Documentation Policy