5.1.1.4 - The repository shall have a process to record and react to the availability of new security updates based on a risk-benefit assessment.

Explanation

SP staff evaluate all mandatory and optional updates on a risk-benefit basis. Staff evaluate updates for their effect on the integrity and understandability of information, the speed and interoperability of the system, and the accessibility and usability of content.

Staff apply all mandatory updates to software and firmware. Staff may or may not apply optional updates. As in all cases of software change, SP tests and evaluates updates in an isolated development environment to ensure that changes will not disrupt normal operations. Please see 5.1.1.1.6 and 5.1.1.6.2 for more information about software monitoring and testing. Moving software from development to production is done through a version control system, which serves as a record of all updates.

Please see the Risk Analysis and Management Strategies document for additional information about the repository's efforts to reduce the risk of software failure.

Responsibility

Systems Administrator

Digital Preservation Policy Librarian

Potential Risks

There is always a risk of software failure in complex information systems. SP uses widely accepted, industry-standard procedures for testing and evaluating software changes, but small errors or conflicts sometimes escape testing. Software failure could force SP to suspend certain operations until the affected systems can be thoroughly analyzed, repaired, and tested.

Monitoring Commitments

SP systems administrators and programmers receive notices and alerts about stability and security issues from hardware and software vendors on a regular basis. They also monitor the enterprise IT community for news about emerging risks.

Relevant Document

  1. Risk Analysis and Management Strategies