S 4.426 Archiving for the Lotus Notes/Domino environment
Initiation responsibility: Head of IT, IT Security Officer
Implementation responsibility: Administrator
The services of the Lotus Notes/Domino environment can support numerous business processes. These business processes may be characterised by technical requirements regarding the archiving of the electronically processed, exchanged, or stored information. These requirements must be integrated into the archiving concept for Lotus Notes/Domino mentioned in S 2.207 Security concept for Lotus Notes/Domino.
The existing legal requirements and the requirements of regulatory and inspection authorities must be taken into consideration within the technical requirements.
The archiving concept must be implemented during operation of the Lotus Notes/Domino environment. In doing so, module S 1.12 Archiving must be applied.
The following aspects of archiving must be taken into consideration first and foremost during operation of the Lotus Notes/Domino environment:
- Archiving must be performed in compliance with the privacy provisions. Personal data must be deleted upon expiration of the defined periods within the framework of the technical possibilities. Depending on the type of data, it may be necessary to meet other statutory or contractual provisions.
- The validity of electronic signatures (over the planned archiving period) must be taken into consideration when implementing the archiving processes. The archiving method must allow for possible renewal of the signature.
- Due to accumulation effects, the protection requirements of the archives regarding confidentiality and integrity may even be higher than for the corresponding productive databases. The security safeguards for the archives must reflect this.
- Lotus Notes/Domino data is archived in proprietary formats. Using the archive requires the provision of old Lotus Notes/Domino versions or the periodic migration of the ODS formats used during archiving. In any case, valid licences are required, which may cause problems when using licences with a limited validity (see S 2.493 Licence management and licencing aspects regarding procurement for Lotus Notes/Domino). It must be ensured that accessing the archives is possible, from both a technical and a licensing point of view, during the periods defined in the archiving requirements.
If archiving systems are already used for other electronically stored documents and/or data, it may make sense to connect Lotus Notes/Domino (and/or the corresponding Domino applications or services) to these archiving systems.
The functions of Lotus Notes/Domino regarding server- and client-side archiving, as well as the configurable administrator policy regarding email archiving, constitute aids that can be used to implement archiving that meets the majority of the requirements. However, this requires a detailed review as to whether the solutions implemented with the help of these functions meet the statutory and technical requirements (e.g. for email archiving).
If DAOS (Domino Attachment and Object Service, available in version 8.5 and higher) is used, the existing archiving concept and the related methods must be checked and, if necessary, adapted, because the data to be archived is no longer stored redundantly.
Review questions:
- Are the statutory requirements for archiving electronic data and emails known and taken into consideration within the archiving concept for Lotus Notes/Domino?
- Is the archiving concept appropriately implemented during operation by the archiving methods?
- When DAOS (Domino Attachment and Object Service) is used, were the archiving concept and the related methods reviewed and adapted accordingly?