5.2.1 Maintain a systematic analysis of security risk factors associated with data, systems, personnel, and physical plant

Status Ready for review
Compliance Rating Fully compliant
Responsible


The repository shall maintain a systematic analysis of security risk factors associated with data, systems, personnel, and physical plant.

Supporting Text

This is necessary to ensure ongoing and uninterrupted service to the Designated Community.

Examples for Meeting the Requirement

The repository employs the codes of practice found in the ISO 27000 series of standards; maintains a system control list; and performs risk, threat, or control analysis.

Discussion

The repository should conduct regular risk assessments and maintain adequate security protection in order to provide expected and contracted levels of service, following codes of practice such as ISO 27000. 'System' here refers to more than IT systems (hardware, software, communications equipment and facilities, and firewalls). Fire protection and flood detection systems are also significant, as are means to assess personnel, management and administration procedures, resources, and operations and service delivery.

Loss of income, budget, and reputation are significant threats to overall operations, as is loss of mandate. Ongoing internal and external evaluation should be conducted to assess quality of service and relevance to the user community served, and periodic financial audits should be secured to ascertain ethical and legal practice and the maintenance of required operating funds. Intellectual property rights practices should also be reviewed regularly, as should the repository's liability for regulatory non-compliance where applicable.

The repository should assess its staff's skills against those required in the evolving digital repository environment and ensure the acquisition of new staff or the retraining of existing staff as necessary. Regular risk assessment should also address external threats, including denial of service attacks, and the loss or unacceptable quality of third-party services. The repository may conduct overall risk assessments with tools such as DRAMBORA (Digital Repository Audit Method Based on Risk Assessment).

Evidence Provided

A detailed description of the APTrust threat model and its mitigations is documented here: Risk Management, Threats, and Mitigations