S 2.243 Development of an archiving concept

Initiation responsibility: IT Security Officer

Implementation responsibility: Archive Administrator, IT Security Officer

The establishment of an archive system should be designed carefully. In doing so, numerous influencing factors (e.g. organisation-internal or statutory provisions, technical and organisational ambient conditions) must be observed on the one hand, and manifold technical options are available for establishing an electronic archive on the other hand. For this reason, it is necessary to develop a concept at the beginning that takes into account all influencing factors and criteria used to select the specific archiving system and the corresponding products, but that is also financially and economically feasible at the same time

The objective defined in S 2.242 Electronic archiving objectives forms the basis for the archiving concept.

The technical and/or organisational use of the archive system must be defined in the archiving concept, for example

• the responsibilities and competences,
• the definition of user roles (e.g. Archive Administrators, Administrators, users, technical users),
• the definition of data access rights and terms regarding the assignment of rights,
• the delimitation of the data to be archived,
• the protection of the archived data, e.g. by encryption and signature,
• the aimed at system connection and/or the application conditions for archiving components,
• the technical design of the archive system,
• the operation of the archive system (e.g. description of Service Level Agreements).

The results should be documented in writing in such a way that they can be updated and extended. The archiving concept should be kept in all implemented versions. The employees must be informed of the parts of the concept that apply to them. The instruction should be documented verifiably. One possible structure of an archiving concept is outlined in the following table of contents, for example:

Table of contents archiving concept

• Document context
• • Subject matter requiring regulation
  • Regular modification
  • Implementation arrangements
• Definitions
• • Archiving, document concept
  • Long-term archiving, archiving for audit purposes
  • Description of the application and the archive system
• Threat situation for motivation
• • Dependence of the organisation on the data stock
  • Typical threats such as loss of data, reconstruction errors etc.
  • Causes of damage specific to individual organisations
  • Examples of cases of damage within the organisation
• Definition of an internal security policy for the organisation
• • Specification of responsibilities
  • Objectives, security level
• Description of the influencing factors
• • Identification of the data to be archived
  • Data confidentiality requirements
  • Integrity requirements
  • Data authentication requirements
  • Data availability requirements
  • Regulatory framework
  • Archiving periods (minimal; maximum period of storage too if required)
  • Requirements regarding performance on reading in and reading out data, reconstruction effort
  • Data volumes and modification volumes
  • Type of data (formats)
  • Type of access to the archived data (local or distributed in the LAN or WAN)
  • Standards and norms to be observed
  • Required functionality
  • Personnel costs
  • Costs including follow-up costs (maintenance, administration, updates etc.)
  • Knowledge and IT-specific qualifications of the users
• Definition of the use
• • Type of archive system
  • Conditions of use of the archive system
  • Period of use
  • Names of staff in positions of responsibility
  • Determination of service level agreements
  • Implementation of staff-related measures (training, deputation arrangements, obligations, role assignment)
  • Documentation of conditions of use and configuration
  • Interoperability, conformity with standards, protection of investment
  • Regular data backup
  • Virus protection
  • Use of cryptographic methods
• General conditions for archiving
• • Form of contract
  • Refresh cycles for the storage media
  • Inventory listing
  • Deletion of data
  • Destruction of unusable data media
  • Stock of functioning reading devices
• Sporadic recovery drills

Individual items of this concept are addressed in the safeguards

• S 2.242 Electronic archiving objectives,
• S 2.244 Determination of the technical influencing factors for electronic archiving,
• S 2.245 Determination of the legal influencing factors for electronic archiving,
• S 2.246 Determination of the organisational influencing factors for electronic archiving,

in more detail.

The process of electronic archiving is not a once-off task, but a dynamic process. Therefore, an archiving concept must be adapted regularly to the current circumstances.

Review questions:

• Is there an archiving concept mentioning all influencing factors and decision criteria regarding the selection of an archive system?
• Are the technical and the organisational use of the archive system defined in the archiving concept?
• Can the archiving concept be updated and extended and is it documented in writing?
• Are all implemented versions of an archiving concept retained?
• Have all employees received information on those parts of the archiving concept affecting them and is the instruction documented verifiably?
• Electronic archiving: Is the archiving concept regularly adapted to the current circumstances?