Information Security

Summary/Best Practices

Information security is often an overlooked aspect of digital preservation. It is defined as "the practice of preventing unauthorized access, use, disclosure, disruption, modification, inspection, recording or destruction of information."  (wikipedia: "information security") It requires some knowledge of the characteristics of your operating system, and is often entangled with the administration of digital asset management (DAM) systems. Sometimes, the ability to progress up the levels can be helped or hindered by the systems in which you choose to manage your digital content. The more you know about the storage system, the easier it is to manage your information security.

Many steps in the Information Security process include decisions or information that should be recorded in a digital preservation policy or local digital preservation plan.

More Resources

  • NDSA Blog- offers some practical, foundational information for understanding the importance of Information Security in a digital preservation context, and is a great place to start learning
  • Digital Preservation Coalition (DPC) Handbook- easy-to-follow handbook on the topic

Step by Step

Level 0 to Level 1

  • Identify who has read, write, move and delete authorization to individual files
  • Restrict who has those authorizations to individual files

Most modern file systems allow for some level of user/administration control. The majority of Orbis-Cascade members have already achieved this level of information security. The best tools for moving from level 0 to level 1 are most likely interpersonal:

  • Get to know who manages your computers.
  • If you manage your own computer, an easy first step is to make sure your computer is password protected.
  • Ask DAMS managers to give you a list of who has access to what files.
  • Talk with your colleagues to find out the answer to these questions:
    • Who works with your digital files?
    • Who has access to content?
    • And, most crucially, who has permissions to delete or move content from one place to another?

Much of this information can be ascertained and described in the production of a digital preservation plan.

Level 1 to Level 2

  • Document access restrictions for content

Some DAMS have the ability to provide different levels of access to content. For example, you might have materials that are made freely and openly available via the internet. You might also have some content that is restricted to authenticated users via Shibboleth or another identity solution. Still further, some material may be restricted to only on-campus, or on-premises use. Lastly, some content may not be intended to be accessible by anyone other than Library staff. This could consist of high-quality digital master files, archival materials that need to be redacted for privacy or security concerns before use, and others.

Documenting these access restrictions, while the restrictions themselves are often enforced by current computer systems, is important to consider because current reasons for such restrictions might not always be so obvious. Documenting these decisions and the reasons behind them allows someone in the future to interpret the decision, understand the reasoning, and potentially adopt a change if necessary.

Level 2 to Level 3

  • Maintain logs of who performed what actions on files, including deletions and preservation actions

It is important to maintain a record of what happens to files in order to provide both provenance and continuity. Digital files are very easy to change, and keeping track of what changes have been made can help maintain the integrity of a set of files. This can be done in a number of ways, through a number of techniques, but most important is to get into the habit of doing so. Lightweight examples might include: noting how images are scanned and manipulated in post-processing and including de-duplication notes in a finding aid for a digital collection.

Again, maintaining a record of changes can be made easier by choosing a DAMS that allows for this sort of logging. Some logs might also be kept by the system administrators and a conversation can help you understand if and how this information is collected. Using a tool like Archivematica to process and manage your preservation master files can help keep track of preservation actions.

Level 3 to Level 4

  • Perform audit of logs

Performing regular audits of logs can help ensure that the choices and safeguards that you have put in place are working as expected.

Please check out the Digital Preservation Coalition's Handbook for more information on this topic.