Repository audit and risk profiles: trust through transparency. Raivo Ruusalepp Institute for Information Studies Tallinn University. DCI Conference, Toronto 16/6/2010. Topics. How to tell whether a repository is “rotten”? Audit as a method for demonstrating trustworthiness
Repository audit and risk profiles: trust through transparency Raivo Ruusalepp Institute for Information Studies Tallinn University DCI Conference, Toronto 16/6/2010
Topics
• How to tell whether a repository is “rotten”?
• Audit as a method for demonstrating trustworthiness
• Trust in digital preservation
• Risk as a measure of success
• Risk profiles of different repositories
Asymmetric information
• The problem of quality uncertainty: Information asymmetry occurs when the seller knows more about a product or service than the buyer (G. Akerlof, 1970)
• How to tell whether a digital preservation repository is a “cherry” or a “lemon”?
The Call for Repository Certification “A critical component of the digital archiving infrastructure is the existence of a sufficient number of trusted organizations capable of storing, migrating, and providing access to digital collections… A process for certification of digital archives is needed to create an overall climate of trust about the prospects of preserving digital information.” Task Force on Archiving of Digital Information: Preserving Digital Information, 1996
Chronology of repository audit work
• 2002: Trusted Repositories Attributes & Responsibilities
• 2005: RLG/NARA Draft Audit Check-list for Repository Certification
• 2006-2007: CRL and DCC Pilot Repository Audits
• Dec 2006: Catalogue of Criteria for Trusted Digital Repositories published (in English) by nestor
• Feb 2007: Digital Repository Audit Method Based on Risk Assessment (DRAMBORA) published by DPE/DCC
• Mar 2007: Trustworthy Repositories Audit & Certification (TRAC) Criteria and Check-list published by CRL and OCLC
• 2007: Birds of a Feather group of audit checklist standardisation
• Mar 2008: DRAMBORA Interactive released
• May 2008: Data Seal of Approval by DANS
• Nov 2008: Version 2 of the nestor repository criteria
• Oct 2009: CCSDS draft standard on Repository Certification
• Jan 2010: CRL issues first certificate of a trusted repository (to Portico)
Trust through audit
• Independent measuring of repositories is seen as an essential aim
• Taken as axiomatic that audit is a mechanism for establishing the trustworthiness of a repository
• Internal audit
• Self assessment
• Internal Audit Service
• External audit
• Financial auditing
• Operational auditing
• IT systems and services audit
• Information security audit
Stakeholders’ trust in a repository
• Users may trust a repository because:
  • it is deemed as safe place of deposit through law, regulations, community consensus
  • its content is verified (authorship, authenticity, accuracy)
• Depositors may trust a repository because:
  • it is deemed as a safe place of deposit
  • it uses software that has been adopted by many other repositories
  • it has been certified as a trusted repository (since January 2010)
The nature of trust in a repository
• Trust as a layered concept:
  • Attitude, belief
  • Decision (linked with achieving a goal and often based on assessment of associated risks)
  • Act, behaviour (i.e. establishing a relation)
• TRUST(X Y C τ gx)
• Occurrent trust vs dispositional trust
• Can the risks associated with future digital preservation actions be measured?
Two concepts of trust through audit
• The TRAC “family” of audit methods:
  • A fixed set of (minimum) requirements
  • Rely on the OAIS Reference Model as the repository standard
  • Rely on policies to create dispositional trust
• The DRAMBORA method:
  • The repository needs to demonstrate its capability to
    • identify and prioritise the risks that impede its activities
    • manage the risks to mitigate the likelihood of their occurrence
    • establish effective contingencies to alleviate the effects of the risks that occur
  • Awareness of risks and ability to treat them creates trust
Digital Repository Audit Method Based on Risk Assessment
• Jointly developed by the Digital Curation Centre (DCC) and DigitalPreservationEurope (DPE)
• First released in March 2007
• Over 200 users (registered repositories)
• DRAMBORA provides:
  • A methodology for conducting repository self-assessments
  • An on-line tool to facilitate the assessment and document its results – DRAMBORA Interactive
Objectives
The purpose of the DRAMBORA toolkit is to facilitate the auditor in:
• defining the mandate and objectives of the repository
• defining the scope and constraints of functions of the repository
• identifying the activities and assets of the repository
• identifying the risks and vulnerabilities associated with the mandate, activities and assets
• assessing and calculating the risks
• defining risk management measures
• reporting on the self-audit
Repository Service Classification
• DRAMBORA includes some rudimentary tools for identifying and describing classes of repositories in terms of their common services and characteristics
• Audits are only meaningful within the context of comparable repositories (‘repository-sphere’)
• Performance is understood in terms of services and translated into baseline risk registers
• OCLC Research, Research Libraries, Risk and Systemic Change (2010)
Trust in Repositories
• Strong link between the organisational context of the repository and its users’ expectations
• For example, different treatment of authenticity in archives of records and research data centres
• Linking trust to services that a repository is offering is more meaningful than to a whole institution or unit within an organisation
• Services are much more meaningful in the context of federated repository consortia and in the Web 2.0 environment
Concluding questions
• Who will drive the automation of audits – the community or the technology developers?
• How much disclosure is good for a repository?
• With very little transparency from audits we may become over-confident (the excess of trust), which will lead to additional risks
• Too much transparency may lead to insufficient confidence (excess of diffidence) and we may miss good opportunities/services
URLs
• Trustworthy Repositories Audit & Certification (TRAC) Criteria and Checklist http://www.crl.edu/PDF/trac.pdf
• nestor Catalogue of Criteria for Trusted Digital Repositories http://nbn-resolving.de/urn:nbn:de:0008-2008021802
• DCC/DPE Digital Repository Audit Method Based on Risk Assessment (DRAMBORA) http://www.repositoryaudit.eu/download
• MOIMS-Repository Audit and Certification BoF group http://wiki.digitalrepositoryauditandcertification.org/
• Data Seal of Approval http://www.datasealofapproval.org/
• Ten basic characteristics of digital preservation repositories http://www.crl.edu/content.asp?l1=13&l2=58&l3=162&l4=92
Contacts raivo@eba.ee