3.2 Record integrity (Specification 1, section 2.2)

Requirement: The recordkeeping system must be capable of proving that a record has integrity; that is, that any alterations to the record are authorised and documented.

Notes: Integrity is essentially about proof. The best way to consider this requirement is to consider how you would prove in a court of law that a record was unaltered from its creation, or that any alterations are documented. A record can retain integrity despite being altered, provided the alteration is performed by an authorised person and the alteration is documented.

There are a number of ways of demonstrating record integrity. One is by means of the VERS standard record format, which is specified in PROS 99/007 Specification 3: VERS Standard Electronic Record Format. In this format, integrity is shown by the use of one or more digital signatures. If any modifications are carried out on the record, integrity is shown by preserving the original record and layering the alterations around it (using the ModifiedVEO object in a Version 2 system, or an onion record in a Version 1 system). When the alteration occurred, and who performed it, is recorded in the Management History.

If the integrity of a record is not protected using the VERS standard format, it will be necessary to show that the recordkeeping system acts as a vault. Conformance can be achieved by a formal statement from the recordkeeping system vendor that:
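The layered record described above, as an added worked example that is not part of the original page, the VERS specifications, or any PROV tool. It is a constructed Python sketch: HMAC-SHA256 with per-signer keys stands in for the certificate-based digital signatures the page describes, and the ARCHIVE_TRUST_STORE dictionary plays the role of the root-certificate copy held in a secure portion of the archive; the record identifier, signer names, keys and dates are all made up. Each alteration wraps the previous signed layer verbatim and notes who made it and when (the Management History), and verification walks from the outermost layer in to the original, checking every signature only against the archive's own copy of the signer's key.

```python
"""Layered ('onion') record with signature-based integrity verification.

Constructed illustration only: not the VERS VEO format and not PROV's code.
HMAC-SHA256 with per-signer keys stands in for the certificate-based digital
signatures the page describes, and ARCHIVE_TRUST_STORE plays the role of the
root-certificate copy kept in a secure portion of the archive.
"""
import hashlib
import hmac
import json

# Hypothetical trust store held by the archive: signer name -> key recorded at
# enrolment. Verification trusts only this copy, never material in the record.
ARCHIVE_TRUST_STORE = {
    "registry-system": b"constructed-key-of-originating-system",
    "records-manager-jsmith": b"constructed-key-of-jsmith",
}


def canonical(layer: dict) -> bytes:
    """Deterministic serialisation so a signature covers exactly one byte string."""
    return json.dumps(layer, sort_keys=True, separators=(",", ":")).encode()


def key_fingerprint(key: bytes) -> str:
    return hashlib.sha256(key).hexdigest()[:16]


def sign_layer(layer: dict, signer: str, key: bytes) -> dict:
    payload = canonical(layer)
    return {
        "payload": payload.decode(),
        "signer": signer,
        "key_fingerprint": key_fingerprint(key),
        "signature": hmac.new(key, payload, "sha256").hexdigest(),
    }


def create_record(record_id: str, content: str, signer: str, key: bytes) -> dict:
    return sign_layer({"record_id": record_id, "content": content}, signer, key)


def modify_record(signed: dict, new_content: str, signer: str, key: bytes,
                  when: str, reason: str) -> dict:
    """Wrap an alteration around the existing signed layer, which is kept verbatim
    (the role of ModifiedVEO / the onion record), and note who changed it and when."""
    layer = {
        "original": signed,
        "content": new_content,
        "management_history": {"when": when, "who": signer, "reason": reason},
    }
    return sign_layer(layer, signer, key)


def verify_layers(signed: dict, trust_store: dict = ARCHIVE_TRUST_STORE):
    """Walk from the outermost layer in to the original record.

    Returns (ok, management_history_oldest_first, reason). Every signature is
    checked against the archive's own copy of the signer's key.
    """
    history = []
    while True:
        signer = signed.get("signer")
        key = trust_store.get(signer)
        if key is None:
            return False, history[::-1], f"unknown signer {signer!r}"
        if signed.get("key_fingerprint") != key_fingerprint(key):
            return False, history[::-1], "key fingerprint does not match archive copy"
        payload = signed["payload"].encode()
        expected = hmac.new(key, payload, "sha256").hexdigest()
        if not hmac.compare_digest(expected, signed.get("signature", "")):
            return False, history[::-1], f"signature by {signer} does not verify"
        layer = json.loads(payload)
        if "original" not in layer:
            return True, history[::-1], "ok"     # reached the original record
        history.append(layer["management_history"])
        signed = layer["original"]


def tamper_inner_content(signed: dict, forged: str) -> dict:
    """Simulate an attacker editing the original content buried inside a modified record."""
    outer = json.loads(signed["payload"])
    inner = json.loads(outer["original"]["payload"])
    inner["content"] = forged
    outer["original"]["payload"] = canonical(inner).decode()
    return {**signed, "payload": canonical(outer).decode()}


if __name__ == "__main__":
    original = create_record("record-0001", "Minutes, 3 March 1999",
                             "registry-system", ARCHIVE_TRUST_STORE["registry-system"])
    modified = modify_record(original, "Minutes, 3 March 1999 (date corrected)",
                             "records-manager-jsmith",
                             ARCHIVE_TRUST_STORE["records-manager-jsmith"],
                             "2001-06-12T10:15:00", "typo in date")
    print(verify_layers(modified))
    print(verify_layers(tamper_inner_content(modified, "Minutes, 3 March 1998")))
```

Editing the original content buried inside a modified record invalidates the outermost signature, because that signature covers the inner layer's bytes, and a layer signed by a key the archive has no copy of is rejected before its signature is even checked. Note the limit of what the signature check proves: the original layer presented on its own still verifies, so signatures establish that a layer is authentic and who produced it, not that it is the current version; detecting a record rolled back to an earlier layer needs the system's audit log alongside the signatures.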
Protecting integrity is difficult, as complex systems may contain software bugs or undocumented access mechanisms. An agency may require an audit of the system and its design to check the integrity of the system.

Integrity must be shown over the entire life of the record; any gap in the protection of the record will impair the record's integrity. One way an integrity failure can arise is during the export of custody from one recordkeeping system to another. In this case the chain of integrity will require showing that the record was held securely in the first recordkeeping system, that it has been held securely in the current recordkeeping system, and that it was transferred securely from the first system to its successor. The VERS standard format can be used to secure the records while they are being transferred.

Requirement: Records must be protected against undocumented modification by normal users, records managers, and system administrators.

Notes: Most systems control access by normal users, but care needs to be taken in respect of users with special privileges (such as records managers and system administrators). Conformance to this point is covered in the notes to the previous point.

Requirement: It must not be possible for records to be destroyed or deleted except by authorised users. All destruction or deletion of records must be recorded.

Notes: It will be necessary to show that the recordkeeping system acts as a vault, that deletion and destruction of records can only be achieved through the recordkeeping functions provided by the system, and that all deletion and destruction is logged in an audit log. Conformance can be achieved by a formal statement from the recordkeeping system vendor that:
Protecting integrity is difficult, as complex systems may contain software bugs or undocumented access mechanisms. An agency may require an audit of the system and its design to check the integrity of the system.

Requirement: The system must be capable of verifying whether a record has retained its integrity.

Notes: Verification may be achieved by verifying the digital signatures, or by extracting audit information from the logs if the records are not digitally signed.

If verification is carried out by digital signatures, the validity of the root certificate must be checked. The check may be against a copy of the certificate kept in a secure portion of the archive, or by comparing the various copies of the root certificate used to sign records at roughly the same time. [1]

If verification is carried out by examination of the audit information, there is no requirement for the system to analyse the audit log and determine integrity automatically. The system may simply extract the entries in the audit log that refer to modifications of the record and present them in a report for inspection by a user.

Requirement: Verification must be capable of being carried out upon demand by users accessing records.

Notes: However, it is not necessary to validate a record each time the record is accessed. Conformance to this point is achieved by the recordkeeping system vendor demonstrating verification of integrity upon demand by users.

Requirement: The system must be capable of auditing the integrity of a random sample of records.

Notes: This allows the owners of a recordkeeping system to periodically audit the integrity of the record collection, and may pick up systematic corruption earlier than more ad hoc checking would. Conformance to this point is achieved by the recordkeeping system vendor demonstrating verification of integrity of a random sample of records.

Requirement: Any failure to verify a record must be logged and immediately brought to the attention of the system administrator.
Notes: Failure to verify a signature may indicate an attempt to forge or alter records. This requirement can only be met if the system can automatically verify a record. If a failure of integrity can only be determined by a manual examination of an audit log, the system cannot automatically detect a failure and hence cannot log the event or bring it to the attention of an administrator. Conformance to this point is achieved by the recordkeeping system vendor demonstrating logging and alarm raising after a failure to verify a record.

[1] See Advice 12, which relates to PROS 99/007 Specification 3: VERS Standard Electronic Record Format, for a description of this approach to verification.
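The audit-log route to verification covered by the requirements above (the on-demand report of a record's modifications, the random-sample audit, and logging and alerting on a failure), together with the earlier requirement that all deletion be recorded and performed only by authorised users, as an added example that is not part of the original page, the VERS specifications, or any vendor's product. It is a constructed Python sketch: RECORDS and AUDIT_LOG are made-up in-memory data, the hash each audit entry carries is an assumption about how a system could make audit-based checks automatic rather than a manual inspection, AUTHORISED_TO_DESTROY is a hypothetical policy, and the alerts list stands in for whatever channel reaches the administrator.

```python
"""Audit-log based integrity verification, random-sample auditing and alerting.

Constructed illustration only: not PROV's code and not any vendor's product.
RECORDS and AUDIT_LOG are made-up in-memory data. The assumption that makes
the check automatic is that every recordkeeping function which changes a
record logs the SHA-256 of the content it leaves behind.
"""
import hashlib
import logging
import random

logging.basicConfig(level=logging.INFO, format="%(levelname)s %(message)s")
log = logging.getLogger("integrity")


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed record store: record id -> current content.
RECORDS = {
    "record-0001": b"Minutes, 3 March 1999 (date corrected)",
    "record-0002": b"Agenda item 4: budget figures REVISED",  # altered with no audit entry
    "record-0003": b"Memo re: office move",
}

# Constructed audit log, in time order.
AUDIT_LOG = [
    {"when": "1999-03-04T09:00:00", "event": "CREATE", "record": "record-0001",
     "user": "clerk1", "role": "user", "hash": sha256(b"Minutes, 3 March 1999")},
    {"when": "1999-03-04T09:05:00", "event": "CREATE", "record": "record-0002",
     "user": "clerk1", "role": "user", "hash": sha256(b"Agenda item 4: budget figures")},
    {"when": "1999-03-05T11:00:00", "event": "CREATE", "record": "record-0003",
     "user": "clerk2", "role": "user", "hash": sha256(b"Memo re: office move")},
    {"when": "2001-06-12T10:15:00", "event": "MODIFY", "record": "record-0001",
     "user": "jsmith", "role": "records-manager",
     "hash": sha256(b"Minutes, 3 March 1999 (date corrected)")},
    {"when": "2003-01-20T16:40:00", "event": "DELETE", "record": "record-0004",
     "user": "sysadmin", "role": "system-administrator", "hash": None},
]

# Hypothetical policy: only these roles may destroy records through the system.
AUTHORISED_TO_DESTROY = {"records-manager"}


def history_for(record_id: str, audit_log=AUDIT_LOG) -> list:
    """The on-demand report: every logged creation, modification or deletion of a record."""
    return [e for e in audit_log if e["record"] == record_id]


def verify_against_audit_log(record_id: str, records=RECORDS, audit_log=AUDIT_LOG):
    """Compare stored content with the hash left by the last documented change.
    Returns (ok, reason); any undocumented change or deletion gives ok=False."""
    entries = history_for(record_id, audit_log)
    if not entries:
        return False, "no audit trail"
    last = entries[-1]
    if last["event"] == "DELETE":
        if record_id in records:
            return False, "record present in store after logged deletion"
        return True, "deleted on %s by %s" % (last["when"], last["user"])
    if record_id not in records:
        return False, "record missing from store with no logged deletion"
    if sha256(records[record_id]) != last["hash"]:
        return False, "content differs from last documented change (%s by %s)" % (
            last["when"], last["user"])
    return True, "ok"


def unauthorised_destruction(audit_log=AUDIT_LOG) -> list:
    """Deletions logged under a role the policy does not permit to destroy records."""
    return [e for e in audit_log
            if e["event"] == "DELETE" and e["role"] not in AUTHORISED_TO_DESTROY]


def audit_random_sample(sample_size: int, rng=None, records=RECORDS,
                        audit_log=AUDIT_LOG, alerts=None) -> list:
    """Verify a random sample of records; every failure is logged and pushed to
    `alerts`, which stands in for the channel that reaches the administrator."""
    rng = rng or random.SystemRandom()
    alerts = alerts if alerts is not None else []
    failures = []
    for record_id in rng.sample(sorted(records), min(sample_size, len(records))):
        ok, reason = verify_against_audit_log(record_id, records, audit_log)
        if not ok:
            failures.append((record_id, reason))
            log.error("integrity failure for %s: %s", record_id, reason)
            alerts.append("ALERT %s: %s" % (record_id, reason))
    return failures


if __name__ == "__main__":
    for entry in history_for("record-0001"):
        print(entry)
    print(unauthorised_destruction())
    print(audit_random_sample(3))
```

The logged hash is what turns a report for human inspection into a check the system can run itself, which is what the last requirement needs. The check is only as strong as the log: an administrator who can edit both the record store and the audit log can cover an undocumented change, so the log (or at least the hashes it carries) should be append-only and kept out of reach of the same privileged accounts the modification requirement names.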