5.2.3 Staff shall have delineated roles, responsibilities, and authorizations related to implementing changes
The repository staff shall have delineated roles, responsibilities, and authorizations related to implementing changes within the system.
This is necessary in order to ensure that individuals have the authority to implement changes, that adequate resources have been assigned for the effort, and that the responsible individuals will be accountable for implementing such changes.
Repository employs the codes of practice found in the ISO 27000 series of standards; organizational chart; system authorization documentation. Repository maintains ISO 17799 certification.
Authorizations are about who can do what: who can add users, who has access to change metadata, who can access audit logs. It is important that authorizations are justified, that staff understand what they are authorized to do, that staff have required skills associated with various roles and authorizations, and that there is a consistent view of this across the organization.
The delineated roles and responsibilities have been documented in the Security section as well as the APTrust Staff section and section 3.2.1.
Additional threat models and mitigations are described on our Risk Management, Threats, and Mitigations page.
Wasabi: ISO 27001 is an expansion on 27000, and can be referenced.
“Wasabi is deployed in top tier data centers certified for SOC 2, ISO 27001 and PCI-DSS. Copies of SOC 2 or ISO 27001 reports for data centers can be obtained by requesting them here.”
AWS: ISO 27001 is an expansion in 27000 and can be referenced appropriately.