The benefits of certification

surveyUnder the umbrella of the Network Digital Heritage (NDE), a Dutch working group focused on certification.  I reported earlier on their results. Following the European Framework of Certification (the website is not updated since a while ago, but apart from that, the different levels of certification still make sense) the first level of certification is acquiring the Data Seal of Approval. Currently around 50 organisations are rewarded with this seal, in various disciplines. As NDE project group we expected we could learn from their experiences. We were particularly looking for some practical information so that our Dutch colleagues could be better prepared for the certification process. Things like time investment, the people that were involved and the benefits the certificate offered the organisations. Lees verder

iPRES 2015 in Chapel Hill

Afbeelding1Audit, CD-ROMS, Emulatie, Ingest, OAIS en Web, dat waren in alfabetische volgorde de meest besproken onderwerpen tijdens de jaarlijkse conferentie iPRES 2016, die vorige week plaatsvond in Chapel Hill, North Carolina. Dit is mijn persoonlijke indruk, want natuurlijk kwamen in de lezingen, posters en workshops nog veel meer onderwerpen aan bod. Het is tenslotte een jaarlijkse reünie waarbij iedereen probeert zijn resultaten en toekomstplannen te presenteren. Lees verder

Preparations for getting the certificate

TDR-Annemieke

In my last blog post I talked about the NCDD work package on Certification, a Dutch initiative in which 5 major memory institutions will get certified according to either DSA, or DIN (and in the future ISO 16363).  One of the organizations participating is the Netherlands Institute for Sound and Vision.  The NISV is the production archive for the Dutch public broadcasters  (without a legal deposit law in The Netherlands this material is not collected in the National Library but  we have shared responsibilities for collecting our national heritage).

The NISV officially started the DSA certification procedure last June, but preparing the organization is an activity that already started a while ago. Read for example their white paper OAIS compliant Preservation Workflows in an AV Archive from 2013, in which they show how they plan to organize their workflows according to the OAIS model.

My colleague Annemieke de Jong , Preservation Officer at NISV, had an interesting interview in AV Insider about the efforts her team made to involve and to prepare the organization before they stepped into the process to get the Data Seal of Approval certification. The article describes for example their approach to guarantee authenticity and integrity and to make audit trails possible.  Valuable recommendations (from a practitioner!)  at the end of the article makes it a must read for everyone thinking about  getting certified.

 

It’s getting serious: audit and certification

ptab-logo

Last May the 3rd PTAB training for repository managers and potential auditors was given at the KB in the Hague in the Netherlands. The event was organized in collaboration with the National Coalition for Digital Preservation (NCDD). Two trainers, David Giaretta and me, instructed an audience of around 15 people about the interpretation, finer details and consequences for organisations of the ISO 16363 standard Audit and Certification of Trustworthy Digital Repositories. Currently there are no official auditors to perform a certification process according to this standard. But the PTAB group is contacting National Standard Bodies in different countries to stimulate this to happen.

It will be a matter of time and now there are organizations thinking seriously to prepare themselves being audited. Representatives from 5 organisations in the Netherlands were invited to tell the course attendees about their plans. Them being the National Archive, DANS, 3TU, the KB National Library and the Institute for Sound and Vision. They are all participating in the Certification Work package of the NCDD, which aims a collaboration in the certification process, exchange of experiences and setting up training for other Dutch organisations. (Earlier I blogged about this nin Dutch however). The 5 organisations all represent a different stage in the European Framework of Certification.

Certification-framework

European Framework of Certification Levels

 

The KB National Library, the National Archive and the Institute for Sound and Vision are preparing themselves for a DSA seal, but have different time schedules. DANS is preparing for the nestor/DIN certification this year and 3TU is renewing their DSA seal, which occurs every 3 years. The preparations for the auditing process will be different for every organisation. But there will be a lot that can be shared. And we will do so, as we are planning certification activities in the Network Cultural Heritage, starting after the summer. I’ll keep you posted!

The gold standard

This is the text of a presentation I held at the combined 4C/DPC conference ‘Investing in Opportunity: Policy Practice and Planning for a Sustainable Digital Future’ in London 17-18 November 2014 at the Wellcome Trust.

WP_20141118_006

A few months ago I was in Copenhagen and as I like shopping in a foreign country and take something with me to remind me of my trip , I bought a golden ring. Well, not gold, it was gold plated and after a few months of wearing is was a silver ring. Was that a disappointment? The design was still nice and the ring still fitted. But it did no longer match my other rings. And I was not expecting this to happen so soon. And if instead of silver, the next layer would have been brass or nickel or copper, I really would have been disappointed and felt betrayed. So it was gold, turned to silver and yes that did matter.

No one would appreciate a trustworthy digital archive turning from gold to silver…

What are we talking about?

The title of this presentation Is there a gold standard and does this matter? was made by William [Kilbride] when inviting me for this panel. But what we are talking about here of course is the ISO 16363 standard on Audit and Certification of trustworthy digital repositories, officially an ISO standard since 2012. Recently the accompanying standard for accreditation of auditors was officially published by ISO and now certification against this standard can start.

The ISO standard is the highest level in the European framework of certification, starting with the basic level of the Data Seal of Approval, a middle layer of the nestor/DIN standard, and the highest level of this ISO standard. We currently don’t speak about layers like bronze, silver and gold, but if you would do, the ISO is the gold level in this model, the gold standard if you wish.

History

This audit standard has a history of more than 10 years and to really value its importance, we should know a bit of its history. Already in the OAIS model, a reference is made to a systematic approach of checking the conformity of organisations to this model, a standard for accreditation of archives. The first draft of TRAC criteria is based on this OAIS model – our shared view how digital preservation should be done. Ten years ago a draft version of TRAC was tested by performing audits on different repositories, among them the KB, and based on this feedback the Checklist of TRAC was published in 2007. 5 years later, with TRAC as a starting point, the ISO standard was published, which I will call here the TDR-standard. In summary, this standard is based on preservation insights of a wide variety of organisations and people, all knowledgeable in digital preservation and with different background. We sometimes might forget who is behind this standard and I tried to create an overview of the people and organisations that were involved in TRAC 2002, 2005, 2007, ISO 16363 and ISO 16919. A wide variety of organisations, and of people, some already retired, some still going strong and others working daily with digital preservation. The standard was created really with input from the preservation community.

Woordenwolk-personen woordenwolk-instellingen

Is a gold standard also a perfect standard?

That need not to be the case. Although a lot of experience is woven into the standard, this standard is not a static, carved in stone, document. For the TDR standard, I think it is too early to judge. No audits did take place with this standard yet.

Let me give you an example of another “gold” standard we all share: the OAIS model ISO 14721, out there for more than 10 years. The OAIS standard has proven its value, on various areas but especially as the Esperanto of the digital preservation community. However, standards operate in a changing world and that has an influence on the value of that standard. If a standard is not adapted to developments in the changing world – and digital preservation is an evolving area – it will lose its value.

Some people think the OAIS model is outdated and does not keep up with the developments in preserving digital material. Since 2002, when the OAIS was first published, the preservation insights have changed. As an example: Emulation is now an accepted approach, migration less then 10 years ago. Quite often, in practice,  the well know functional model of the OAIS is extended with a function “pre-process”. Sometimes the OAIS standard is interpreted more as a straitjacket then as a conceptual model. This will lead now and then to strong twitter opinions, like suggestions to burn OAIS, never to mention it in a presentation etc. Other people contribute in a more constructive way by blogging about specific shortcomings of OAIS or by further developing the model. Like we did in the Planets project, where Paul Wheatly and I added the Preservation Watch concept, extended in the SCAPE project. Others created a framework to apply OAIS to distributed digital preservation. These contributions will help to keep a standard alive and we, as a preservation community, should try to incorporate new insights into the standard.

That is why ISO standard has a process of reviewing the standard. Every 5 years, theoretically at least, changes can be made to the standard. The first opportunity for the OAIS model (and coincidentally for the TDR standard as well) is 2017.

The ISO process is not quite clear, but there is enough reason for the preservation community to investigate how to be involved in this process and keep the standards up to date. I’ll talk with the Dutch Standard Organisation NEN soon and ask them what is the official procedure and how we can collaboratively act. I’ll report on this at our KB research blog

Back to the TDR standard.

The TDR standard was developed to audit trustworthy digital repositories. A big difference with the OAIS model, where the individual institute decides whether it is compliant or not, is that it is a group of auditors who are making this judgement. As currently everyone can say that his repository is conform OAIS, this will no longer be correct if we speak about the TDR standard. There an external body will make the decision whether your repositoriy is a Trustworthy Digital Repository, according to the “gold” standard and based on the information you gave the auditors. And, not less important, based on the knowledge and experience of the auditors. And this is a crucial factor in the process: who are these auditors? Sometimes the more cynical people tell me that an audit process starts with giving the auditors a good dinner, have a chat and then you’ll get the certificate. Needless to say that this is not a good auditing process. Certainly not one that is covered by the rules and regulations that are described in ISO 16919. This standard describes the qualities an auditor need to have in general, but the standard is specifically extended with qualities related to digital preservation. Despite this, how do we, as a community get to the point that we trust the auditors and that the certificate really reflects a trustworthy repository? Two elements contribute to this: transparency and the time limited validity of the certificate.

One of the measures that were taken is “transparency”: all documentation, except for really confidential material, will be publicly available after the certificate is given. There are already a few examples out there based on TRAC audit by CRL, LOCKSS, Portico, Hathi Trust, Chronopolis and Scholars Portal. This transparency will help to foster discussion in the community about the certification.

The other element is that a certificate, in contrast to the repository itself, is not for “long term” . Instead it is lasting 5 years or so. Then the repository will need to start a new audit process to get the certificate again, based on changed conditions no doubt.

Will a certified repository be a successful preservation environment?

Chances are yes, but no guarantee can be given. As a community we agreed on a approach to digital preservation by accepting the OAIS model and the derived audit standards, described and hopefully regularly discussed and updated in this golden approach so to speak. By the way, the monetary gold standard is not in use any more, but replaced by other mechanisms. Whether our gold standards will lead to success, time will tell.

 

 

Finally ISO 16919 is published, ISO auditing can start

Rijksmuseum-man-voor-commissieI blogged before about the enormous amount of time it takes before a draft standard becomes an approved ISO standard and finally this week happened what we were waiting for: ISO officially published the ISO 16919 standard. Fully named: Requirements for bodies providing audit and certification of candidate trustworthy digital repositories. This mouthful of words all comes down to one element: consistency. An audit done with auditors from one part of the world should be comparable with an audit done by auditors in another part of the world. This is a problem that ISO has tackled by having a standard that regulates the accreditation of auditors : ISO 17021 Standard requirements for A&C general management systems. The PTAB group adapted this standard in order to make it complementary to the ISO 16363 -2012 standard Audit and Certification of Trustworthy Digital Repositories. What additions were needed? In short: specific digital preservation knowledge is introduced as a requirement in this standard. This is done by an explicit reference to the OAIS standard ISO 14721-2012, and the ISO 16363-2012. A list of competencies is added, describing the qualifications an auditor should possess to participate in the audit process. This also is focused on digital preservation aspects, adding to general auditors requirements like confidentiality, impartiality, responsibility etc.  Experience in digital preservation is expected and where the knowledge is lacking, training might fill the gaps. The next step will be that qualified auditors will be appointed. Here the national standard bodies play an important role, as they monitor this process. So we are not there yet, but an important milestone is reached. The European framework of audit and certification sees an external audit according to ISO 16363 as the highest level of certification. An organisation can start with certification according to the Data Seal of Approval, followed by the Nestor/DIN 31644 standard. This  will leave some time to train qualified auditors and get experience with the concept of certification in the evolving world of digital preservation.

Dasish Workshop on Audit and Certification

Last week I (partially) attended the Dasish Workshop on Audit and Certification in The Hague to give a presentation about the history and current status of the ISO 16363 standard Audit and Certification of Trustworthy Digital Repositories and the ISO 16919 (still not approved) which regulates the accreditation of auditors. I published my slides with some references to literature.

Apart from the usual, I also added one slide about “risks”. The growing focus on audit and certification is encouraging and shows that we all want to meet high standards. But we should also realize that digital preservation is an evolving field. Althought we agree on a set of starting points, the day to day practice shows often the gap between theory and practice. Auditors, funding bodies and organisations should realise that. Also the auditing practice will be a growth path.

You can find a summary of the Dasish Workshop in the blogpost of Kirsty Lee (who attended the whole 2 days!) http://libraryblogs.is.ed.ac.uk/bitsandpieces/