5.2.2 - The repository shall have implemented controls to adequately address each of the defined security risks.
Scholars Portal has implemented controls to address and manage the security threats described in its Risk Analysis and Management Strategies document. The repository manages threats to its operations and content by using administrative procedures and technical controls recognized by the digital repository community. Scholars Portal manages some threats without external assistance and others in collaboration with staff from University of Toronto Libraries, OCUL administration, and/or OCUL members. Accordingly, the repository's risk management strategies include activities that involve Scholars Portal staff only indirectly or not at all. These relationships are outlined in the Risk Analysis and Management Strategies document where relevant.
The complete text of the Risk Analysis and Management Strategies document is available through the link below. The document satisfies all of this criterion by describing policies and procedures employed by Scholars Portal, University of Toronto Libraries, and the Library's Information Technology Services to manage risks.
Numerous personnel are responsible for the design, implementation, and monitoring of security and risk controls. In general, the Digital Preservation Policy Librarian is responsible for risk management.
The chief risks associated with security controls are (1) failure to employ controls that address the full scope and scale of the threat and (2) failure to review and update controls in a timely manner. To manage the first risk, Scholars Portal conducts a thorough analysis of individual threats in order to design controls that address their full scope and scale. Please see TRAC 5.2.1 for more information. To manage the second risk, the repository has monitoring commitments in place (see next item).
Scholars Portal will assess its Risk Analysis and Management Strategies document on a regular basis, according to the Review Cycle for Documentation Policy, or whenever there are major changes to its operating environment, such as hardware refreshment, staffing changes, or a cyber attack. Reassessment will in some cases lead to closer scrutiny and evaluation of individual security controls.