5.2.1 Maintain a systematic analysis of security risk factors associated with data, systems, personnel, and physical plant
The repository shall maintain a systematic analysis of security risk factors associated with data, systems, personnel, and physical plant.
This is necessary to ensure ongoing and uninterrupted service to the Designated Community.
The repository employs the codes of practice found in the ISO 27000 series of standards. Evidence of this includes a system control list and a risk, threat, or control analysis.
The repository should conduct regular risk assessments and maintain adequate security protection in order to provide expected and contracted levels of service, following codes of practice such as ISO 27000. ‘System’ here refers to more than IT systems: it covers hardware, software, communications equipment and facilities, and firewalls. Fire protection and flood detection systems are also significant, as are the means to assess personnel, management and administration procedures, resources, operations, and service delivery.

Loss of income, budget, and reputation are significant threats to overall operations, as is loss of mandate. Ongoing internal and external evaluation should be conducted to assess quality of service and relevance to the user community served, and periodic financial audits should be secured to ascertain ethical and legal practice and the maintenance of required operating funds. Intellectual property rights practices should also be reviewed regularly, as should the repository’s liability for regulatory non-compliance where applicable. The repository should assess its staff’s skills against those required in the evolving digital repository environment and ensure acquisition of new staff or retraining of existing staff as necessary.

Regular risk assessment should also address external threats, denial-of-service attacks, and loss or unacceptable quality of third-party services. The repository may conduct overall risk assessments with tools such as DRAMBORA.
A detailed description of the APTrust threat model and its mitigations is documented here: Risk Management, Threats, and Mitigations
AWS Shared Responsibility Model discussion.
AWS is certified to ISO 27001: AWS ISO certificate
Wasabi is hosted in ISO 27001-certified data centers:
“Wasabi is deployed in top tier data centers certified for SOC 2, ISO 27001 and PCI-DSS. Copies of SOC 2 or ISO 27001 reports for data centers can be obtained by requesting them here.”
Updating the risk management files is underway, including documentation of IAM roles with their specific authority and assignments. New risk management documentation is being created and will be referenced here as it is generated.