S 2.242 Electronic archiving objectives
Initiation responsibility: Top Management, IT Security Officer
Implementation responsibility: IT Security Officer
In order to introduce electronic archiving in an organisation, the objectives to be achieved must be defined. The management of the respective organisation must be involved in this, and coordination with superior organisational units may be necessary. In particular, it must be defined
- in which areas which data is to be archived,
- which level of security is to be attained,
- which scope of functions and services is aimed at, and
- who will bear the responsibility.
The results must be documented in the archiving concept (see safeguard S 2.243 Development of an archiving concept).
Which data is to be archived?
The definition of the data to be archived is intended to delimit the technical requirements for the archive system to be selected. However, the definition should be kept general enough to leave sufficient room for the technical design, bearing in mind that the requirements may also change over the course of time. General characterisations are particularly appropriate at management level, e.g.:
- all data/documents of the department,
- all data/documents of the business processes,
- all business data,
- all accounting data,
- all customer data, as well as
- all data of a given classification level.
If data with different protection requirements is to be archived, it is advisable to define the objectives and requirements separately for each protection requirements category, for example when archiving documents classified as open, internal, confidential, or similar.
Which level of security is to be attained?
The level of security to be attained during archiving can typically be characterised as follows at management level:
- compliance with statutory and organisational requirements regarding the protection of the data during and beyond archiving (e.g. after having disposed of the data media),
- resistance of the archiving process to manipulation,
- resistance of the archive system used against internal and external attacks on the stored data as well as on the IT system itself.
If data and documents are classified, the level of security may be differentiated in more detail on the basis of this classification.
Which scope of functions and services is aimed at?
The scope of functions and services aimed at for electronic archiving may differ from one organisation to another. Normally, the following requirements are defined at management level:
- integration ability into the existing IT system landscape,
- integration ability into existing IT and document management processes,
- compliance with specified (both by law and internally) retention and deletion periods for data,
- terms of disposal and observance of the duty to offer,
- compliance with the levels of security aimed at for the data, as well as
- migration ability of the archive system if requirements and influencing factors change.
The duty to offer mainly concerns public administration, since public offices may be obliged to offer data characterised by its particular importance (e.g. of a social, political, or historic nature) to a competent archive upon expiration of the retention period. Only if this archive decides that the corresponding data is not worthy of archiving may the data be deleted permanently. In many cases, the decision on whether data is worthy of archiving can only be made upon expiration of the retention period, so that the data cannot be processed automatically at the end of the retention period.
Who will bear the responsibility?
Persons in charge must be appointed when electronic archiving is established and/or operated. Normally, the management commissions a specialised department and/or its head with the implementation of the archiving function. This commission must be accompanied by objectives, authorisations, and personnel and financial resources. The implementation must be delegated in accordance with the guidelines of the organisation and documented in the archiving concept.
Review questions:
- Have all data to be archived and the related levels of security been determined?
- Has the scope of functions and services of archiving been defined?
- Have persons in charge of establishing the archive system and archiving been appointed?
- Are there objectives and authorisations for persons in charge of archiving and are personnel and financial resources assigned to archiving?
- Has the task assignment for archiving been defined in the archiving concept?
- Are the processes of planning and implementing the archiving process defined in the archiving concept?