S 2.262 Control of archive system usage
Initiation responsibility: Head of IT, Archive Administrator
Implementation responsibility: Archive Administrator, Head of IT, Administrator
Corresponding regulations must be specified to ensure that the archive system is used in the manner intended in the archiving concept (see safeguard S 2.243 Development of an archiving concept). For this, policies for the use and the administration of the archive system should be created. The policies must be established and published in the relevant organisation according to the organisational conventions. When external personnel are employed, they must be obligated to observe these policies.
The administration policies should cover the following points at a minimum:
- specification of the responsibility for operation and administration of the archive system,
- agreements on service parameters (Service Level Agreements) for operation of the archive system, particularly if external providers are commissioned with the administration or operation,
- terms regarding the assignment of access rights to the components of the archive system and the archive media,
- terms regarding the assignment of access rights to the services provided by the archive,
- regulations regarding the handling of archived data and archive media,
- monitoring the archive system and the ambient conditions for the archive system and the archive media used,
- regulation regarding data backup of the software components of the archive system itself,
- logging the activities on the archive system.
The user policies should cover the following at a minimum:
- explanation of the goal of electronic archiving and the archiving periods for documents,
- specification of the responsibility for working with the archive system,
- specification to what extent the use of the archive system is compulsory,
- terms regarding the assignment of access rights to the services provided by the archive,
- training requirements to enable users to use the archive system,
- regulation regarding the assignment of context information for the archived documents, see also S 2.258 Consistent indexing of documents during archiving,
- obligation to handle researched documents with care and to observe any restrictions on the use of the information,
- regulation regarding the handling of documents after expiry of the defined archiving period,
- regulation that data which is intended to be deleted after a defined period must no longer be used, even though it might still be available for technical reasons,
- regulation regarding the handling of personal data,
- use of the security mechanisms provided by the archive system to allow for the integrity and authenticity of the archived documents to be checked at a later point and to guarantee the required confidentiality,
- obligation to check the integrity and authenticity of researched documents before their further use,
- handling of data whose integrity cannot be proven, e.g. in case of a failed signature check,
- logging the user activities on the archive system,
- accounting terms if the archive system is used by multiple organisational units.
The regulations must be documented and the administrators and users of the archive system must confirm in writing that they have read them.
Review questions:
- Are checks made as to whether the archive system is used in accordance with the archiving concept?
- Have policies for the use and the administration of the archive system been created?
- Are external personnel obligated to observe the policies?
- Does the administration policy specify the responsibility for operation, administration, access rights, and service parameters of the archive system?
- Are the regulations documented and are the administrators and users of the archive required to confirm in writing that they have read them?