Session notes: DCC digital repository audit method based on risk assessment toolkit
Speakers: Andrew McHugh, DCC, HATII and Perla Innocenti, DCC, HATII
Building Trust in Digital Repositories Using DRAMBORA. Seamus Ross, Andrew McHugh, Raivo Ruusalepp, Hans Hofman & Perla Innocenti
The DCC/DPE DRAMBORA toolkit helps build trust in digital repositories. It is being developed within the wider context of international audit and certification activities, including TRAC, the CRL Certification of Archives project, the NESTOR project and international Audit and Certification Birds of a Feather activities. DRAMBORA meets a shortfall not addressed by these activities. Most existing methods are too static, with too much reference to the OAIS model and too little emphasis on evidence in the auditing process. DRAMBORA is based on established risk management principles and takes a bottom-up approach to assessment (in contrast with the TRAC and NESTOR methodologies). It is characterised by a particular focus on evidence and risk assessment.
The purpose of the DRAMBORA toolkit is to help the auditor define the mandate and scope of functions of the repository, identify the activities and assets of the repository, and identify the risks and the means of managing those risks. Audit results should help to manage the repository better on a continuing basis, not just give a one-off evaluation. Following completion of the self-audit, organisations can expect to have established a comprehensive and well-documented self-awareness of their mission, aims and objectives and their own intrinsic activities and assets, constructed a detailed catalogue of pertinent risks, and prepared the organisation for subsequent external audit.
DRAMBORA is not a certifying tool or an OAIS compliance tool but rather a self-assessment and management tool. The organisation itself sets the benchmark against which it is assessing itself. There are three anticipated applications:
- validatory – internal self-assessment to confirm suitability of existing policies, procedures and infrastructures
- preparatory – a precursor to extended, possibly external audit
- anticipatory – a process preceding the development of the repository or one or more of its aspects
Andrew and Perla then introduced the six stages of self-assessment, illustrating each one with practical examples and a series of tasks that should be completed during each stage. The six stages are:
1. Ascertain the organisational context
2. Document policy and regulatory framework
3. Identify activities, assets and their owners
4. Identify risks – how to do so and what kinds of risks?
5. Assess risks
6. Manage risks
The purpose of stages 1 and 2 is to identify the role of the repository and its aims and objectives within the wider supporting policy and regulatory organisational infrastructure. Stage 3 develops a conceptual model of what the repository does and how it does it by examining not only the key assets it produces and the technology it uses, but also its activities and work processes. Stage 4 produces a comprehensive list of identified risks faced by the organisation. Andrew explored some of these risks and the different types of effects they can have. This included loss of trust or reputation, loss of key members of staff, legal liabilities, obsolescence, incomplete data packages and loss of information. He then identified some fundamental issues in assessing these risks, including the likelihood and potential impact of risks, as well as relationships between them and groupings of risk. This led to the concept of the risk impact scoring system, a scaled system that weighted risks and assigned a risk score according to their impact and assessment. Andrew concluded his walk-through of the stages of the toolkit with some suggestions on the ways in which risks can be managed. The toolkit refrains from prescribing specific management policies and recommends instead that auditors should:
- choose and describe risk management strategies
- assign responsibility for adopted measures
- define performance and time-scale targets
- reassess success recursively
On this last point, DRAMBORA is quite clear – the assessment is a recursive process. Risks will vary as circumstances change. Auditors should therefore update their risk register regularly.
Repository managers were encouraged to download and implement the toolkit. Feedback on experiences using the toolkit was welcomed and will be fed into DRAMBORA v2.