OPS.1.2.2 Archiving

Description

Introduction

Archiving plays a special role in the document management process. On the one hand, it is expected that digital documents will be available until the expiry of a prescribed retention period. On the other hand, their confidentiality and integrity must be preserved. In addition, the context must be maintained so that the respective stored transaction can be reconstructed.

During the entire period of long-term storage, appropriate measures for information preservation and, if necessary, measures for preserving evidentiary value must therefore be implemented.

In German information technology terminology, the term “electronic archiving” is sometimes used synonymously with the term “electronic long-term storage.” For clarity, this building block therefore generally uses only the term “archiving” or “digital long-term archive.” An IT procedure for retaining electronic documents is referred to as an “archive system” or “digital archive” or “long-term storage.” The retention period for documents is measured according to legal and other requirements and the purpose of the data.

The term “documents” as used in this building block encompasses data and digital documents, unless they are expressly used in a different sense.

From a legal perspective in Germany, the term “archiving” is given concrete form and established by the archive laws of the federal government and the states. “Archiving” in the legally correct sense relates exclusively to records of public administration. It refers to the fact that records of an authority, once they are no longer needed for its purposes, are to be sorted out and retained indefinitely by a competent state institution (Federal Archives) (compare §§ 1 and 2 BArchG). This type of archiving is to be distinguished from the time-limited retention considered in this building block.

Objective

The building block describes how digital documents can be archived in a long-term, secure, immutable, and reproducible manner. For this purpose, requirements are defined with which an archive system can be securely planned, implemented, and operated.

The retention of paper documents is not considered in this building block, but requirements are made for how these can be digitized and archived.

Scope and Modeling

The building block OPS.1.2.2 Archiving is to be applied once to the information domain when long-term archiving of electronic documents takes place. Long-term archiving may be required due to external or internal requirements, or a system for long-term archiving of electronic documents may already be in operation.

The building block does not address the time-unlimited archiving in the sense of the archive laws of the federal government and the states.

This building block describes security measures with which electronic documents can be retained and preserved for long-term storage within the framework of applicable retention periods. Measures for operational data backup are not addressed in this building block. Requirements for this are presented in CON.3 Data Backup Concept.

A digital long-term storage system consists of individual components, e.g. a database. However, how such components can be operated securely in detail is also not the subject of this building block. For this purpose, the requirements from the corresponding building blocks, such as APP.4.3 Relational Databases, SYS.1.1 General Server and SYS.1.8 Storage Solutions, must additionally be observed.

Threat Landscape

Since IT-Grundschutz building blocks cannot address individual information domains, typical scenarios are used to illustrate the threat landscape. The following specific threats and vulnerabilities are of particular importance for the building block OPS.1.2.2 Archiving.

Obsolescence of Archive Systems

Archived data is typically intended to remain stored for a very long period. During this period, however, the underlying technical system components, storage media, and data formats can become physically or technically obsolete and thereby unusable. For example, compatibility problems with the data formats used may arise over time.

If the ageing process is not addressed, it is to be expected in the long term that, for example, archived raw data can no longer be read from the archive media. Archived data can also be altered by physical errors in the archive system and media.

Inadequate Ordering Criteria for Archives

Electronic archives can contain very large amounts of data. The individual records are stored according to certain ordering criteria, which fall into index data of the business applications and index data of the archive system. If unsuitable ordering criteria are used, archived documents may no longer be retrievable, or only with great effort. It is also possible that the semantics of the documents cannot be clearly determined. An unsuitable or limited selection of ordering criteria could also cause the objectives of retention to be missed, e.g. demonstrability to third parties.

Unauthorized Archive Access Due to Insufficient Logging

Unauthorized archive accesses are usually detected using log files. However, if logging was not sufficiently comprehensive, such accesses might not be detected. As a result, attackers could gain unnoticed access to the information stored there and, for example, copy or modify it.

Inadequate Transfer of Paper Data into an Electronic Archive

When documents are scanned, the appearance or semantics of the recorded data can be distorted. Documents can also be lost in the process. This can lead to the information in the document being incorrectly interpreted and processed, e.g. if important parts of the document or the document stack are forgotten during scanning.

Insufficient Renewal of Cryptographic Procedures in Archiving

Cryptographic procedures used, e.g. for signatures, seals, timestamps, technical evidence records, or encryption, must be regularly adapted to the current state of the art so that the protective effect is maintained. If this does not happen, for example, the integrity of the document can no longer be guaranteed due to an outdated insecure signature. Furthermore, the file may not be admitted as evidence in court, even if the document is still completely correct. The confidentiality of an encrypted document is also lost.

Insufficient Reviews of Archiving

If the archiving process is reviewed too infrequently or too imprecisely, this can lead to malfunctions not being detected. This can call into question the integrity of the archived documents themselves. This can result in legal and economic disadvantages for the institution: for example, a file may not be admissible as evidence in court because it cannot be ruled out that it was manipulated.

Various legal framework conditions must be observed when archiving electronic documents. If these are not complied with, this can have civil or criminal law consequences, e.g. for minimum retention periods arising from tax, budget law, or other reasons.

Requirements

The following are the specific requirements of building block OPS.1.2.2 Archiving. The Information Security Officer (ISO) is responsible for ensuring that all requirements are met and verified in accordance with the established security concept. The ISO MUST always be involved in strategic decisions.

The IT-Grundschutz Compendium additionally defines further roles. They should be staffed insofar as this is reasonable and appropriate.

Responsibilities: Roles
Primarily responsible: Specialist Responsible Persons
Additional responsibilities: Users, IT Operations, Top Management

Exactly one role should be Primarily responsible. Beyond that, there may be Additional responsibilities. If one of these additional roles is primarily responsible for fulfilling a requirement, this role is listed in square brackets after the requirement heading. The use of singular or plural says nothing about how many persons should fill these roles.

Basic Requirements

The following requirements MUST be fulfilled as a priority for this building block.

OPS.1.2.2.A1 Identification of Influencing Factors for Electronic Archiving (B)

Before deciding which procedures and products to use for electronic archiving, the technical, legal, and organizational influencing factors MUST be identified and documented. The results MUST be incorporated into the archiving concept.

OPS.1.2.2.A2 Development of an Archiving Concept (B)

It MUST be defined which objectives are to be achieved with archiving. In particular, which regulations must be complied with, which employees are responsible, and what functional and performance scope is being aimed at MUST be taken into account.

The results MUST be recorded in an archiving concept. Top Management MUST be involved in this process. The archiving concept MUST be regularly adapted to the current circumstances of the institution.

OPS.1.2.2.A3 Appropriate Placement of Archive Systems and Storage of Archive Media (B) [IT Operations]

The IT components of an archive system MUST be set up in secured premises. It MUST be ensured that only authorized persons are permitted to enter the premises. Archive storage media MUST be stored appropriately.

OPS.1.2.2.A4 Consistent Indexing of Data in Archiving (B) [IT Operations, Users]

All data, documents, and records stored in an archive MUST be indexed unambiguously. For this purpose, the structure and scope of the index information for an archive MUST already be defined during the planning phase.

OPS.1.2.2.A5 Regular Processing of Archived Data Stocks (B) [IT Operations]

Throughout the entire archiving period, it MUST be ensured that

  • the data format used can be processed by the applications in use,
  • the stored data is also readable in the future and reproducible in such a way that semantics and evidentiary value are maintained,
  • the file system used on the storage medium can be processed by all participating components,
  • the storage media can be read technically faultlessly at any time, and
  • the cryptographic procedures used for encryption and preservation of evidentiary value by means of digital signature, seal, timestamp, or technical evidence records (Evidence Records) correspond to the state of the art.

OPS.1.2.2.A6 Protection of the Integrity of the Index Database of Archive Systems (B) [IT Operations]

The integrity of the index database MUST be ensured and verifiable. In addition, the index database MUST be regularly backed up. The data backups MUST be restorable. Medium and large archives SHOULD have redundant index databases.

OPS.1.2.2.A7 Regular Data Backup of System and Archive Data (B) [IT Operations]

All archive data, the associated index databases, and the system data MUST be regularly backed up (see CON.3 Data Backup Concept).

OPS.1.2.2.A8 Logging of Archive Accesses (B) [IT Operations]

All accesses to electronic archives MUST be logged. For this purpose, date, time, user, client, and the actions performed as well as error messages SHOULD be recorded. The archiving concept SHOULD specify how long the log data is to be retained.

The log data of archive accesses SHOULD be regularly evaluated. The institution’s internal guidelines SHOULD be observed in doing so.

It SHOULD also be defined which events are displayed to which employees, such as system errors, timeouts, or when records are copied. Critical events SHOULD be checked immediately after detection and, if necessary, escalated further.
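The evaluation of archive access logs called for in A8, as an added example that is not part of the building block: a small evaluator over constructed sample log lines in an assumed key=value format (the real format depends on the archive system in use). It surfaces the event types named above (errors, timeouts, copying of records) and also reports lines that lack the required fields, since incomplete logging is itself a threat to detecting unauthorized access.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample log; field layout is an assumption for this example.
SAMPLE_LOG = """\
2024-03-04T08:02:11Z user=mueller client=ws-017 action=read record=DOC-0042 status=ok
2024-03-04T08:03:45Z user=mueller client=ws-017 action=search record=- status=ok
2024-03-04T08:10:02Z user=schmidt client=ws-203 action=copy record=DOC-0042 status=ok
2024-03-04T08:11:30Z user=schmidt client=ws-203 action=read record=DOC-0077 status=timeout
2024-03-04T08:12:00Z user=svc-backup client=srv-01 action=read record=DOC-0080 status=error msg="media read failure"
2024-03-04T08:13:00Z user=root client=srv-01 action=delete record=DOC-0042 status=denied
garbled line without the required fields
"""

# Date/time, user, client, action and outcome: the fields A8 says to record.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) client=(?P<client>\S+) "
    r"action=(?P<action>\S+) record=(?P<record>\S+) status=(?P<status>\S+)")

# Which events are displayed to operators is defined in the archiving
# concept; these sets are an assumed choice for the example.
CRITICAL_ACTIONS = {"copy", "export", "delete"}
CRITICAL_STATUS = {"error", "timeout", "denied"}


@dataclass
class Finding:
    timestamp: str
    severity: str   # "critical" (check immediately) or "warning"
    reason: str
    line: str


def evaluate(log_text: str) -> List[Finding]:
    """Return the log events that need a prompt check."""
    findings: List[Finding] = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        match = LINE_RE.match(line)
        if match is None:
            # A line without the mandatory fields means the access cannot be
            # attributed; report it instead of silently skipping it.
            findings.append(Finding("-", "warning", "unparseable log line", line))
            continue
        f = match.groupdict()
        if f["status"] in CRITICAL_STATUS:
            findings.append(Finding(f["ts"], "critical",
                                    f"{f['action']} on {f['record']} ended with {f['status']}", line))
        elif f["action"] in CRITICAL_ACTIONS:
            findings.append(Finding(f["ts"], "critical",
                                    f"{f['action']} of {f['record']} by {f['user']}", line))
    return findings


def critical_count(log_text: str) -> int:
    """Number of events that must be checked immediately after detection."""
    return sum(1 for finding in evaluate(log_text) if finding.severity == "critical")
```

Escalation of the critical findings (ticketing, paging) follows the institution's internal guidelines and is not modelled here.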

OPS.1.2.2.A9 Selection of Suitable Data Formats for Archiving Documents (B) [IT Operations]

A suitable data format MUST be selected for archiving. It MUST ensure that archive data and selected characteristics of the original document medium can be reproduced in the long term and in the original quality.

The document structure of the selected data format MUST be unambiguously interpretable and electronically processable. The syntax and semantics of the data formats used SHOULD be documented and published by a standardization organization. A lossless image compression method SHOULD be used for evidence-proof and audit-proof archiving.

Standard Requirements

Together with the basic requirements, the following requirements correspond to the state of the art for this building block. They SHOULD generally be fulfilled.

OPS.1.2.2.A10 Creation of a Policy for the Use of Archive Systems (S) [IT Operations]

It SHOULD be ensured that employees use the archive system in the way provided for in the archiving concept. For this purpose, an administration and a usage policy SHOULD be created. The administration policy SHOULD contain the following points:

  • Definition of responsibilities for operation and administration,
  • Agreements on performance parameters in operation (including service level agreements),
  • Modalities for granting access and access rights,
  • Modalities for granting access rights to the services provided by the archive,
  • Rules for handling archived data and archive media,
  • Monitoring of the archive system and environmental conditions,
  • Rules for data backup,
  • Rules for logging, and
  • Separation of producers and consumers (OAIS model).

OPS.1.2.2.A11 Briefing on Administration and Operation of the Archive System (S) [IT Operations, Users]

The responsible employees of IT Operations and the users SHOULD be trained for their area of responsibility.

The training of IT Operations employees SHOULD cover the following topics:

  • System architecture and security mechanisms of the archive system used and the underlying operating system,
  • Installation and operation of the archive system and handling of archive media,
  • Documentation of administrative activities, and
  • Escalation procedures.

The training of users SHOULD cover the following topics:

  • Handling the archive system,
  • Operating the archive system, and
  • Legal framework conditions of archiving.

The conduct of the training sessions and participation SHOULD be documented.

OPS.1.2.2.A12 Monitoring of Storage Resources on Archive Media (S) [IT Operations]

The available free storage capacity on archive media SHOULD be continuously monitored. As soon as the free capacity falls below a defined threshold value, responsible employees MUST be automatically alerted. The alert SHOULD be role-based. There MUST always be sufficient empty archive media available to be able to quickly prevent storage bottlenecks.

OPS.1.2.2.A13 Regular Review of Archiving Processes (S)

It SHOULD be regularly checked whether the archiving processes are still functioning correctly and properly. For this purpose, a checklist SHOULD be created that contains questions on responsibilities, organizational processes, the use of archiving, the redundancy of archive data, administration, and the technical assessment of the archive system. The audit results SHOULD be documented in a comprehensible manner and compared with the target state. Deviations SHOULD be investigated.

OPS.1.2.2.A14 Regular Observation of the Market for Archive Systems (S) [IT Operations]

The market for archive systems SHOULD be regularly and systematically observed. Among other things, the following criteria SHOULD be observed:

  • Changes in standards,
  • Changes in technology among hardware and software manufacturers,
  • Published security vulnerabilities or weaknesses, and
  • Loss of security suitability for cryptographic algorithms.

OPS.1.2.2.A15 Regular Processing of Cryptographically Secured Data in Archiving (S) [IT Operations]

The development of the field of cryptography SHOULD be continuously observed in order to assess whether an algorithm remains reliable and sufficiently secure (see also OPS.1.2.2.A20 Appropriate Use of Cryptographic Procedures in Archiving).

Archive data that has been secured with cryptographic procedures that will not be suitable for security purposes in the foreseeable future SHOULD be re-secured in time with appropriate procedures.
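The renewal of cryptographic protection required by the last bullet of A5 and by A15, as an added example that is not the building block's own and not the evidence record format of DIN 31647 or TR-ESOR: a deliberately simplified integrity record (one digest per archived document). When the hash algorithm of an existing record is no longer suitable, a new record under a current algorithm is created that also covers the old record, so the earlier proof stays linked to the data, and verification fails if the newest record still rests on an unsuitable algorithm. The set of unsuitable algorithms is an assumed stand-in for the current catalogue of suitable algorithms.

```python
import hashlib
import json
from dataclasses import dataclass, asdict
from typing import Dict, List, Optional

# Assumed for this example; in practice taken from the current catalogue of
# suitable algorithms and parameters (e.g. the BNetzA list mentioned on this page).
UNSUITABLE_ALGORITHMS = {"md5", "sha1"}


@dataclass
class IntegrityRecord:
    """Simplified integrity record: one digest per archived document plus,
    for renewed records, a digest that covers the previous record."""
    algorithm: str
    digests: Dict[str, str]          # document id -> hex digest of the document
    covers_previous: Optional[str]   # digest of the previous record, or None


def digest(algorithm: str, data: bytes) -> str:
    return hashlib.new(algorithm, data).hexdigest()


def serialize(record: IntegrityRecord) -> bytes:
    # Canonical encoding so the same record always yields the same digest.
    return json.dumps(asdict(record), sort_keys=True).encode()


def create_record(documents: Dict[str, bytes], algorithm: str,
                  previous: Optional[IntegrityRecord] = None) -> IntegrityRecord:
    """Secure the documents with `algorithm`. When renewing, the new record
    also covers the old one (records created in the past may rest on
    algorithms that have since become unsuitable)."""
    covers = digest(algorithm, serialize(previous)) if previous else None
    return IntegrityRecord(algorithm,
                           {doc_id: digest(algorithm, data)
                            for doc_id, data in documents.items()},
                           covers)


def needs_renewal(record: IntegrityRecord) -> bool:
    """True if the record must be re-secured with a current algorithm."""
    return record.algorithm in UNSUITABLE_ALGORITHMS


def verify_chain(documents: Dict[str, bytes],
                 records: List[IntegrityRecord]) -> bool:
    """True if the newest record uses a suitable algorithm, every record is
    linked to its predecessor, and all digests still match the documents."""
    if not records or needs_renewal(records[-1]):
        return False
    for index, record in enumerate(records):
        expected = {doc_id: digest(record.algorithm, data)
                    for doc_id, data in documents.items()}
        if record.digests != expected:
            return False
        if index == 0:
            if record.covers_previous is not None:
                return False
        elif record.covers_previous != digest(record.algorithm,
                                               serialize(records[index - 1])):
            return False
    return True
```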

OPS.1.2.2.A16 Regular Renewal of Technical Archive System Components (S) [IT Operations]

Archive systems SHOULD be kept up to date technically over long periods. New hardware and software SHOULD be extensively tested before installation in an operational archive system. When new components are put into operation or new file formats are introduced, a migration concept SHOULD be created. It SHOULD describe all changes, tests, and expected test results. The conversion of individual data SHOULD be documented (transfer note).

When archive data is converted to new formats, it SHOULD be checked whether the data is required to be archived additionally in its original formats for legal requirements.

OPS.1.2.2.A17 Selection of a Suitable Archive System (S) [IT Operations]

A new archive system SHOULD always be selected on the basis of the requirements described in the archiving concept. It SHOULD fulfil the requirements formulated there.

OPS.1.2.2.A18 Use of Suitable Archive Media (S) [IT Operations]

Suitable media SHOULD be selected and used for archiving. The following aspects SHOULD be taken into account:

  • the volume of data to be archived,
  • the average access times, and
  • the average simultaneous accesses to the archive system.

The archive media SHOULD also meet the requirements for long-term archiving with regard to audit-proof storage and service life.

OPS.1.2.2.A19 Regular Function and Recovery Tests in Archiving (S) [IT Operations]

Regular function and recovery tests SHOULD be performed for archiving. The archiving data carriers SHOULD be checked at least once a year to determine whether they are still readable and intact. Appropriate processes SHOULD be defined for troubleshooting.

Furthermore, the hardware components of the archive system SHOULD be regularly checked for their correct function. It SHOULD be regularly checked whether all archiving processes are functioning without errors.

Requirements for High Protection Needs

The following are exemplary proposals for requirements for this building block that go beyond the level of protection corresponding to the state of the art. The proposals SHOULD be considered for high protection needs. The specific determination is made within the framework of an individual risk analysis.

OPS.1.2.2.A20 Appropriate Use of Cryptographic Procedures in Archiving (H) [IT Operations]

In order to be able to cover long retention periods, archive data SHOULD only be secured with cryptographic procedures based on current standards and norms.

OPS.1.2.2.A21 Transfer of Paper Data into Electronic Archives (H)

If documents on paper, for example, are digitized and transferred into an electronic archive, it SHOULD be ensured that the digital copy matches the original document in terms of image and content.

Additional Information

Good to Know

The Federal Network Agency (BNetzA) lists in its publication “Announcement on electronic signatures under the Signature Act and Signature Ordinance: List of suitable algorithms and parameters” algorithms and parameters classified as suitable.

The German Institute for Standardization (DIN) defines in DIN 31644:2012-04 “Information and documentation - Criteria for trustworthy digital long-term archives” criteria for trustworthy digital long-term archives. In DIN 31647:2015-05 “Information and documentation - Preservation of evidence of cryptographically signed documents,” technical and security-relevant requirements for the long-term retention of digitally signed documents while maintaining the legal validity of the digital signature are defined.

The BSI has compiled in its technical guideline “BSI TR-03138 RESISCAN: Replacement Scanning” the security-relevant technical and organizational measures that are to be observed when paper documents are scanned so that the digital copy replaces the original (replacement scanning).

In the technical guideline “BSI TR-03125 TR-ESOR: Preservation of Evidence of Cryptographically Signed Documents” together with its annexes, the BSI provides a guide describing how electronically signed data and documents can be stored securely over long periods of time until the end of retention periods in the sense of legally effective preservation of evidentiary value.