S 2.260 Regular auditing of the archiving procedure
Initiation responsibility: Auditor, IT Security Officer
Implementation responsibility: IT Security Officer, Archive Administrator, Auditor
The archiving process must be subjected to regular audits in order to verify that the process is correct and, from this, to establish the correctness and authenticity of the documents stored in the archive system.
For this, an appropriate approach must be developed for the audit in accordance with the concept described in S 2.243 Development of an archiving concept and the approach must be documented in the form of a checklist.
This checklist should cover at least the following items:
Questions regarding responsibilities
- Have the persons in charge been appointed and instructed regarding their tasks? Is this documented?
- Are there substitution arrangements for all persons in charge?
Questions regarding the organisational process
- Are there organisation-wide regulations regarding the use of electronic archiving?
- Are there organisation-wide regulations and documentation as to which documents must be archived? Are these regulations comprehensive and complete?
- Are the security requirements for the documents documented?
- Are the organisation-wide regulations regularly adapted to current developments?
- Are all adaptations of the regulations documented and archived properly?
Questions regarding the use of archiving
- Are there unambiguous regulations as to which documents must be archived?
- Are there documented regulations as to which context information is assigned to archived documents, such as information on document categories, for example?
- Are the documents to be archived archived completely and reproducibly?
- Are the confidentiality requirements of the documents to be archived met?
- Are the authenticity requirements of the documents to be archived met?
- Are the integrity requirements of the documents to be archived met?
- Are the availability requirements of the documents to be archived met?
- Are the legal regulations for archiving adhered to?
- Have all users and administrators received training and instructions regarding their roles and tasks? Is this documented?
Questions regarding the redundancy of the archived data
- Is archived data stored and retained with sufficient redundancy, e.g. by using redundant archive systems or alternative backup media?
- Are the archive systems and, if required, the archive data backed up regularly?
- Were the data backups performed in accordance with the regulations?
- Are the data backups of the archived data complete and legible?
- Did losses of data occur since the most recent audit? If yes, what were the frequency and severity of these incidents?
- Did errors occur during the reconstruction of archived documents? If yes, what was the frequency of these incidents, and was it possible to remedy the errors?
Questions regarding administration
- Is the required refresh cycle of archiving media met?
- Are archiving media which are no longer used disposed of and destroyed properly?
- Are readers and storage media available in the required quantities?
Technical assessment of the archive system
The audit should also include a technical re-assessment of the archive system components and the data formats used. This is intended to ensure that technical developments are identified in good time and that technical changes the manufacturer makes to the archive system itself are known in advance.
These audits may result in the finding that technical components of the archive system must be changed. In this case, it must be ensured that replacement components (e.g. drives, storage media, operating software) are fully compatible with all other components, so that the functionality required for operation is maintained.
The results of the audits must also be archived in accordance with the requirements regarding the archiving process.
Review questions:
- Is the process of archiving subjected to regular audits?
- Does the checklist for the audit feature questions regarding the responsibilities, the organisational process, the use of archiving, the redundancy of the archived data, the administration, and the technical assessment of the archive system?
- Are the results of the audits archived in accordance with the requirements of the archiving process?