Download as a PDF - CiteSeerX

erpanet.org
  • No tags were found...

Download as a PDF - CiteSeerX

erpa workshopERPANET WorkshopThe Role of Audit andCertification in Digital PreservationStadsarchief AntwerpenApril 14-16, 2004© ERPANET, 02/04/2004


ERPANET Workshop Antwerpen 3erpaworkshopERPANET WorkshopAntwerp, BelgiumApril 14-16, 2004Briefing PaperIntroductionThe Role of Audit andCertification in Digital PreservationOrganisations with a mandate or mission, public or private, have a responsibility and areaccountable for carrying out specific activities or to deliver specific services. In the public sector theyare subject to regular surveys by inspecting bodies, who assess whether they perform adequatelyand according to the rules. For that purpose, external accountability, the audit process is used. Thatcan be done by an internal person or body or by an external body, such as an audit commission orthe national audit office for government organisations. 1 Within the framework of e-government,though not only, one of the aspects often mentioned is ‘good governance’. It includes not only theway government organisations organise themselves, but also that this is done while obeying certaindemocratic rules and values (e.g. being accountable, ethical conduct). Internal auditing in anorganisation is used to control the business activities.In the private sector the fall and financial disaster of Enron as well as similar other cases have leadto new legislation that has a huge impact on the way companies have to keep records of what theyare doing. The Sarbanes-Oxley Act (SOX) that was adopted by U.S. Congress for instance aims toprotect shareholders and the general public from accounting errors and fraudulent practices. It alsoimposes new responsibilities on IT and records management departments. The Securities andExchange Commission (SEC) administers this law and for example sets timelines for compliance.The main aim is to restore public confidence in capital and financial markets. The act also has animpact that crosses the borders of the USA and influences all companies that trade or havebusiness relationships with the USA. In short, recent developments have significantly changed thelandscape of information and records management and imposed stricter rules for trading and doingbusiness and keeping evidence how this is done. To know whether an organisation complies withlaws and rules audits are necessary.In the area of digital preservation the audit process is seen as an important part of preservationmanagement. With the development and emergence of digital repositories there is an increasing callfor a certification process and audit. Even before these repositories exist, organisations want to besure they are doing or developing the right thing. One of the drivers for certification is to ensure theconfidence of users in the services of those repositories and the information they provide. However,it also includes ensuring that the internal control of an organisation is adequate so it can achieve itsmission and identified goals.Although digital objects are being preserved for some time now by different organisations, there isnot yet a really dedicated digital repository. There is still much discussion and research going on indifferent communities about how best to preserve digital objects. Nonetheless there is a frameworkfor preservation as laid down in the ISO standard of the Open Archival Information System (OAIS,ISO 14721:2002), that provides a high level overview of the different aspects. A working group ofRLG uses this framework for developing a certification process for digital repositories, of which auditis a part. 21 Reports from auditing bodies can be found on the Web. Examples are www.audit-commission.gov.uk (a UK organisationfor local government), www.anao.gov.au/WebSite.nsf/Lookup%20Pages/WhatsNew!OpenDocument (with reports of theAustralian National Audit Office).2 See http://www.rlg.org/longterm/certification.html.© ERPANET, April 2004


ERPANET Workshop Antwerpen 4There is a significant difference between the first two examples and the last one though. In theformer two the audit will focus in first instance on how organisations perform in relation to theirmission. The audit will use records and information created as evidence of what happened in theorganisation, the business activities. An audit of the records and information management processitself could also be undertaken here, but always within the business context it is supporting. In thatcase the management of digital records and information is a secondary or supporting process. Inthe situation of a digital repository preservation and providing access to digital resources is theprimary process. The aim to maintain digital resources in an authentic and reliable way is the same,but the business context is different.The audit process is not new and very well known in the government, financial, quality assurance,and systems environments, focusing on different aspects including information management. It istherefore not surprising that it is taken up in the area of digital preservation. The workshop inAntwerp will provide insight in the different perspectives of audit, discuss the different methods andaspects, and share and discuss ideas, concepts and approaches for its application to managing andpreserving digital objects. This briefing paper tries to set the scene and provides a short introductionto the topic.Purpose and benefitsThe purpose of audit in general is to check and ensure that organisations, public or private, meetthe commonly agreed or expected standards or values, and that they are doing what they aresupposed to do and performing their activities in an appropriate, correct and acceptable way. Thesestandards and values may not always be explicitly expressed, as for example may be the case withdemocratic values. Audits also provide insight whether public money is spent effectively andefficiently. Stakeholders are not only customers, shareholders, or society in general, but also seniormanagement of an organisation.The ultimate goal is to give people a certain level of certainty and confidence that they can trustorganisations they have to deal with as users, customers, citizens, business and trading partners,providers, and so on. That is why audit reports are mostly made public.Apart from the external check many organisations also want to know themselves how they performagainst their mission and targets and/or how the customer or the public is viewing them. The auditreport can provide an overview of strong and weak points and of the effectiveness and efficiency ofthe organisation for instance, so an improvement program can be developed or existing frameworksand policies can be adjusted.In the area of digital preservation it will be the assurance that the information that is provided byinformation providers, including digital repositories, still is authentic, reliable, and not tampered with.This is critical in a digital environment where information is no longer physical or tangible and for itssurvival very much dependent on the fast developing information technology.ScopeAn important question that has to be asked is what do we want to audit? Is it the organisation that isrunning a digital repository or is it a system that is containing valuable information resources, or is itan organisation that is creating and managing information in order to support and enable itsbusiness, or all of these? In all cases it has to do with managing information, be it from differentperspectives.Audits may be needed in the different phases of the life of digital objects. The general consensus isthat measures for proper management and preservation have to be taken from the very beginningthat is the design of systems that create or produce them. That will mean different audits in differentcontexts (government sector, private sector, publishing, cultural heritage sector), in differentorganisations (such as the creating organisation, mediators, publishers, archives, library orrepository) are necessary and at different moments in time.So, who are stakeholders? Apart from the management of an organisation and the preservers, alsopeople that may depend on the digital resources and their accessibility and reliability, the users suchas attorneys, the public, citizens, researchers, regulating or controlling organisations (e.g. FDA,general auditors), publishers, organisations.© ERPANET, April 2004


ERPANET Workshop Antwerpen 6The audit process and the certification processWhat are the steps, different approaches, what instruments, what is needed to conduct a successfulaudit, or to be certified?An audit, to be meaningful, requires clearly defined goals, standards and procedures against whichthe audit is conducted. This can either be very rigid – in cases where all of these items are definedexternally to the process being audited – or it can be very flexible, in cases where most of thedefinitions are made by the organisation being audited. Certification, if it follows from audit, usuallyrequires that certain information is available for audit, and its quality and completeness allows theauditors to take a view as to its accuracy.In different environments, audit and inspection may be a process that happens without warning, ormay be something that only takes place by the invitation of the audited organisation. What modelsare useful in the digital preservation world? What are we expecting of those organisations willing tosubmit themselves to such audits? And what conclusions can we draw about those who cannot, orwill not, go through the process?An interesting question may also be why a certification process is necessary for digital repositories?Will it increase the reliability and trustworthiness of information? Do the benefits justify the costs? Ithas been argued that, at present, only a peer review would be effective to certify a digital repositoryand its processes. Would this be acceptable to those who wish to use its results? Who should bearthe costs of the audit process, and can we expect that cultural heritage institutions should meet thesame criteria, and bear similar costs, to financial or industrial repositories?Examples of certification processes exist in domains related to preservation of digital information,such as for information security or for privacy. There is also a certification process for CertificationService Providers such as Trusted Third Parties (TTP) which is based upon European guidelines forTTPs in a public key infrastructure.IssuesDo we need to develop another audit process or are there already types of audits that could fulfil ourrequirements, e.g. information audits or quality assurance audits? If so, how can these requirementsbe included in those audits?How to develop a framework that could serve as guidance in an organisation with respect tocreating and managing or preserving digital objects? Is for instance the adoption of OAIS sufficientfor a digital repository? Does it cover the organisational or financial part, or will the criteriamentioned in the RLG report about ‘Trusted digital repositories’ 5 be sufficient?Is there an ideal combination of standards for developing a framework?The role of audit in relation to digital repositories raises all sorts of questions, e.g. when and to whatextent is preservation management different from information management, if at all, or is it anaspect of it? Does the long term dimension make it special or not?Will the business model for a digital repository be an important factor for performing audits? There iscurrently a lot of discussion about possible business models. Will a digital repository for example bepart of an existing organisation (e.g. a library or archives), or be part of a distributed approach, orpart of a network of repositories that may share certain services or facilities, or will it be a sharedrepository serving many organisations?How will the choice for one of these business models influence the need for an audit process, butalso the way the audit process will be carried out?A special issue is certification. Should an audit be part of a process to achieve certification of adigital repository for instance? What will be the object of certification, the repository (is thisdefined?), the organisation behind it, the system or the whole? Why is certification necessary or willregular audits be sufficient? Will certification increase validity of and trust in services provided bydigital repositories? Will it give external users a better feeling about the trustworthiness than if onlyregular (external) audits were carried out?5 RLG/OCLC report Trusted Digital Repositories: Attributes and Responsibilities, May 2002. Seehttp://www.rlg.org/longterm/repositories.pdf.© ERPANET, April 2004


ERPANET Workshop Antwerpen 7Institutions as libraries and archives never are certified for the paper publications and records theypreserve and provide access to. Why is it necessary to have audits and even certification now fordigital objects? Have they become less reliable? Have libraries and archives become differentorganisations or are new types of organisation emerging that do not have that confidence of thegeneral public?So, the basic questions are:- What do we want to achieve or pursue with audit?- Do we always need audit? If not, in what circumstances do we need it?- What should be audited?- Who should do the audits (e.g. specialised bodies or not) and what are the requirements forthose bodies?- What framework(s) do we need in relation to the different business contexts to conduct anaudit?- Will the framework(s) allow different levels of compliance?- What is necessary to conduct a proper audit?- What steps should the audit process encompass?- Should an audit be followed by certification?- What are the expectations of the different stakeholders (e.g. publishers, the public, recordscreators, government, users)?- Who are the likely consumers of audit or certification – who wants it to happen?- What difference will the existence of an audit or certification process make to the market, orto the activities of stakeholders in it?The WorkshopThis workshop will provide an overview of the ideas, possible approaches and developments in thearea of auditing and certification procedures and programs for management and preservation ofdigital information.In this respect it will include also experiences from sectors where audits are an integral part ofprocesses, such as financial management. What can be learned from them?The focus will be on whether and how audit can help in making digital preservation successful andhelp users to trust digital information that is provided to them.The workshop will offer expert speakers in the field and breakout sessions for discussion betweenparticipants and speakers and for sharing experiences.ReferencesRLG working group on certification of digital repositories:http://www.rlg.org/longterm/certification.htmlHanneri Botha, J.A. Boon, ‘The information audit: Principles and Guidelines’, in: Libri, 2003, vol.53,p. 23-38The Information Systems and Control Association, see http://www.isaca.org.They have among others information about auditing standards, guidelines and procedures withrespect to information systems, including ‘COBIT Governance, Control and Audit for Information andRelated Technology’, 3d edition, IT Governance Institute, July 2000.For the International Organization of Supreme Audit Institutions, seehttp://www.intosai.org/1_defaue.html.© ERPANET, April 2004


ERPANET Workshop Antwerpen 8erpaworkshopWorkshop ProgrammeAntwerp, BelgiumApril 14-16, 2004Wednesday, 14th April9.00 Registration9.30 WelcomeHans Hofman – Nationaal Archief, co-Director ERPANET; NetherlandsInge Schoups – City Archives / Stadsarchief Antwerpen; BelgiumSession 1 Introduction – Getting the Picturechaired by Inge Schoups – City Archives / Stadsarchief Antwerpen; Belgium9.45 Governance, audit and digital preservationBoudien Glashouwer – The Expert Centre on Government Strategy andIT-management; Netherlands10.10 Measuring Information Management Capacity in Public Sector InstitutionsAndrew Lipchak – Infotegrity Consulting; Canada11.10 Break11.30 The concepts of an auditJan Pasmooij – Royal Dutch Institute of Chartered Accountants (NIVRA);Netherlands12.15 LunchSession 2 Introduction continuedchaired by Seamus Ross – Director HATII and ERPANET; UK13.30 How to use CobiT to assess the Security & Reliability of Digital PreservationGreet Volders – Information Systems Audit and Control Association(ISACA); Belgium14.05 Internal Control and the Sarbanes-Oxley ActLex van der Drift – PriceWaterhouseCoopers; Netherlands14.45 Break15.10 Breakout session16.30 Reporting17.00 Closing© ERPANET, April 2004


ERPANET Workshop Antwerpen 9Thursday, 15th AprilSession 3 Requirements, Approaches, Frameworks and Areaschaired by Filip Boudrez – City Archives / Stadsarchief Antwerpen; Belgium9.00 Certification of Information SecurityPaul Overbeek – KPMG; Netherlands9.35 Certification of digital repositoriesKevin Ashley – University of London Computer Centre (ULCC),member RLG task force digital repository certification; UK10.15 Break10.40 All the President’s E-mail: Electronic Recordkeeping Policies and Practicesin the Executive Office of the PresidentJason Baron – National Archives & Records Administration (NARA); USA11.15 The legal validity of informationHannelore Dekeyser – Katholieke Universiteit Leuven; Belgium11.55 The Information Management Capacity Check: A Baseline for SuccessBob Provick – Library and Archives Canada12.30 LunchSession 4 Practice and Implementationchaired by Niklaus Bütikofer – co-Director ERPANET; Switzerland14.00 Privacy Seals and Privacy AuditsBarbara Körffer and Thomas Probst – Independent Centre for PrivacyProtection, Schleswig Holstein; Germany14.40 Auditing Electronic Data Capture (EDC) in clinical trialsHans-Jürgen Schmidt – Aventis; Germany15.15 Break15.40 Breakout session16.40 Reporting17.10 ClosingFriday, 16th AprilSession 5 Practice and Implementation continuedchaired by Hans Hofman – Nationaal Archief, co-Director ERPANET; Netherlands9.00 [Title to be confirmed]David Giaretta – Rutherford Appleton Laboratory,RLG task force digital repository certification; UK9.40 Audit in electronic Records managementFilip Boudrez – City Archives / Stadsarchief Antwerpen; Belgium10.15 Break10.45 Breakout session11.45 Reporting12.15 Discussion and Wrap upSeamus Ross – Director HATII and ERPANET; UK13.00 Closing© ERPANET, April 2004


ERPANET Workshop Antwerpen 10Speaker Biographies andAbstracts of presentationserpaworkshopBiographyKevin AshleyUniversity of London Computer Centre, UKKevin Ashley is head of the Digital Archives Department at the University of LondonComputer Centre, which operates information and computing services for the UK andEuropean research, education and public sectors. For the past 10 years his group’s work hasprimarily involved the preservation of large-scale digital resources on behalf of otherorganisations. It also operates the National Data Repository at ULCC, which providesdigital archiving and distribution services for organisations such as the British Library.He is a board member of the Digital Preservation Coalition, a member of the AdvisoryCouncil for ERPANET and that of the UK Archives Hub. He speaks frequently on mattersrelated to digital preservation and access and management of digital content, and has alsobeen a contributor to training provided by the Archive Skills Consultancy and the DPC. Hiscareer has previously involved pattern recognition in medical image analysis, networkprotocol development, standards development, numerical software tools and bar-tending; hehas contributed open-source software via organisations such as DECUS for over 20 years.AbstractCertification of digital repositoriesFollowing the publication in May 2002 of the RLG/OCLC document "Attributes of aTrusted Digital Repository" RLG established a task force whose goal is to develop acertification process or model which draws on that document. My presentation will:• Briefly summarise the May 2002 report• Describe the goals and methods of the group• Summarise our work so far• Highlight some of the more difficult issues and those which are still outstandingFrom the last point, I hope to provide material for further discussion at the workshop and tosolicit input which could help the Task Force in its work.The presentation will be my personal opinion and should not be seen as an officialstatement by RLG nor as representing the views of other members of the Task Force.© ERPANET, April 2004


ERPANET Workshop Antwerpen 11Jason BaronNational Archives & Records Administration (NARA), USABiographyJason has served as Director of Litigation for the U.S. National Archives and RecordsAdministration since May 2000. Before joining NARA, he worked for 12 years at theJustice Department in Washington, D.C., where he represented the White House and theU.S. Archivist in landmark cases involving the preservation of electronic records, includingArmstrong v. Executive Office of the President (the PROFS case). Jason also has been aVisiting Scholar at the University of British Columbia’s School of Library, Archival andInformation Studies, and was a member of the U.S. InterPARES team. Among hispublications, he has authored a chapter entitled “The PROFS Decade: NARA, E-mail, andthe Courts,” in Thirty Years of Electronic Records (Scarecrow Press 2003). He holdsdegrees from Wesleyan University (Connecticut) and from the Boston University School ofLaw.AbstractAll the President’s E-mail: Electronic Recordkeeping Policies and Practices in theExecutive Office of the PresidentIn the wake of over a decade of litigation and controversy over the management of the U.S.government’s email records, the past three Presidential administrations, as well as theincumbent Executive Office of the President (EOP), have faced serious technical challengesin choosing to manage the White House’s email records in an electronic recordkeepingenvironment. Difficulties that have arisen have been subsequently confirmed in an audit ofthe EOP’s recordkeeping practices conducted by the U.S. General Accounting Office. Thissession will review the EOP experience with electronic recordkeeping in the aftermath ofthe PROFS case, with special attention paid to how EOP’s records management practiceshave been monitored (both by EOP itself as well as by outside institutions), as well as tohow such practices affect the long-term archival preservation of the government’s emailrecords.© ERPANET, April 2004


ERPANET Workshop Antwerpen 12Filip BoudrezStadsarchief AntwerpenAntwerp City Archives, BelgiumBiographyFilip Boudrez studied history at the University of Louvain. In 1997 he obtained the degreeof Archivist and Records Manager and the same year he followed training in softwareengineering and computer programming. He worked from October 2000 until December2003 in the DAVID-project. In the DAVID-project, he developed electronic record-keepingstrategies, practical guidelines and best practices for all kind of electronic records (e-mail,office documents, websites, databases, GIS, etc). He currently works for the City Archivesof Antwerp where he puts the DAVID findings into practice. He develops tools for theimplementation of record-keeping procedures, implements new technologies like XML andperforms electronic records management audits.AbstractAudit in electronic records managementWell created and managed electronic records are a prerequisite for efficient electronicrecord-keeping. For this reason, the City Archives of Antwerp spends a lot of time andeffort in auditing records management procedures within the agencies. The goal is to ensurethat electronic records are as effective as needed for the work process in which they areused and at the same time to ensure that they can easily be preserved in the long run ifnecessary. Besides general guidance in the records management process, the system designof information systems is examined and quality criteria are formulated. This results in newrequirements for information systems, which need to be observed when building orchoosing new information systems. Points of interest are, among other things, theidentification of records, the capture, the registration of metadata and the trustworthiness.This presentation shows how the audit is put into practice and provides some examples onhow the archivist can improve the quality of electronic records within the organisation.© ERPANET, April 2004


ERPANET Workshop Antwerpen 13Hannelore DekeyserKatholieke Universiteit Leuven, BelgiumBiographyHannelore Dekeyser (°1977, Leuven) obtained her law degree at the Katholieke UniversiteitLeuven in 2001. She spent the academic year 2000-2001 as an exchange student at theWestfälische Wilhelms-Universität Münster in Germany. In 2002 she obtained a DESdegree in ICT-law and administration from the Facultés Universitaires Notre-Dame de laPaix Namur.In September 2002, she joined the Interdisciplinary Centre for Law & IT (ICRI) at theK.U.Leuven, Belgium. Until the end of 2003, she was working on a four-year extendingproject called "DAVID", which stands for digital archiving in Flemish institutions andadministrations. The DAVID project was conducted in close association with the AntwerpCity Archives and was financed by the Fund for Scientific Research - Flanders (F.W.O.Vlaanderen). Hannelore Dekeyser's main research top was the legal aspects of digitalarchiving in the Belgian public sector.Currently she is conducting a study on legal needs for digital archival in e-commerce onbehalf of the Belgian Federal Public Service for Economy, SMEs, Self-employed andEnergy.AbstractThe legal validity of informationInformation is legally valid when a judge declares it to be valid. This rule of thumb is oflittle use to designers and users of information systems. How can they make sure a judgewill accept that their information is valid?Sometimes the law gives guidelines defining the characteristics of valid records. Moreoften, only implicit rules concerning validity can be identified. Usually, such rules onlyapply to certain types of information, namely records created with the intention of providingthe proof of an action or a fact. Most information created in the course of a businessprocess falls outside this category. Still, a judge may well have to weigh its validity when aconflict arises. Expert opinions and audit reports can play a crucial role in determining theoutcome of the case.© ERPANET, April 2004


ERPANET Workshop Antwerpen 14Lex van der DriftPriceWaterhouseCoopers, NetherlandsBiographyIn 1995 Lex joined PricewaterhouseCoopers in the Netherlands. He is qualified as aRegister Informaticus and Register EDP-auditor and was admitted to the partnership in1997. He is member of the global leadership team of the Systems & Process Assurance(SPA) group of approx. 3000 professionals. He is specialised in auditing the controls in ITsystems and business processes, trustee work for (initial) public offerings and IT duediligence work. Lex has published several articles and books on IT controls. For a largenumber of years he was part time core lecturer at the Erasmus University Rotterdam for thepost graduate EDP Audit program. Currently he is chairing the board of governors of thatprogram. He performed work for IBM, KPN, Deutsche Telekom, ABN Amro, Shell, theDutch Central Bank, ABP, Euroclear and Philip Morris.AbstractInternal Control and the Sarbanes-Oxley ActIn the past few years, starting with Enron in late 2001, failures in internal control, particularover financial reporting, caused people loosing their livelihoods and their life savings. Faithin U.S. and, due to e.g. Parmalat and Ahold, other capital markets was shaken to the core.To regain the confidence of public in the stability and fairness of capital markets, U.S.Congress required not just management to report periodically on company’s internal controlover financial reporting, but also auditors to attest to the accuracy of management’s report.Amongst others, these obligations are included in the Sarbanes-Oxley Act of 2002. ThisAct has not just implications for the business in the US; it applies globally to supervisoryboards, executives and auditors involved in both US domestic and foreign public interestcompanies (also) listed in the U.S.Briefly, important implications for auditing and controlling over financial reporting arediscussed.© ERPANET, April 2004


ERPANET Workshop Antwerpen 15Boudien GlashouwerHet Expertise Centrum, NetherlandsBiographyMrs. Boudien J. Glashouwer RE RI CISA worked from 1975 until 1993 at the MunicipalAudit Service of the City of Amsterdam. In those years her tasks were bookkeeping,financial audit, IT-audit and consulting. In 1993 she became employed at the NetherlandsCourt of Audit as a project manager research in the unit Government-wide FinancialManagement Audit & Information Technology Audit. Since 2000 she is a senior consultantat ‘Het Expertise Centrum’, concerning governmental strategy and IT-management issues(www.hec.nl). Boudien Glashouwer studied several courses accounting, automation,internal control, public finance and governmental policy. In 1993 she graduated as an EDPauditor.Her special topic was ‘storage management and managing digital archives’.AbstractGovernance, audit and digital preservationCritically important to the survival and success of an organisation is effective managementof finance. But just as important is the quality of information and related InformationTechnology (IT). Control is management’s responsibility. This includes legislation,company policies, organisational structures, practices and procedures, realisation andmanagement assessment of the business goals. Successful organisations manage the risks.All business processes need to be regularly assessed over time for their quality andcompliance with control requirements. Using frameworks like COSO (internal control) andCOBIT (control objectives for IT) can help. The auditor gives assurance that themanagement has its (IT) governance in control and that the internal control system complieswith legislation and standards, and business requirements as integrity, availability andreliability of information. Digital preservation becomes more and more important to stay inbusiness!© ERPANET, April 2004


ERPANET Workshop Antwerpen 16BiographyDavid GiarettaCCLRC Rutherford Appleton Laboratory, UKDr David Giaretta has worked for many years in the field of Space Data archives, inparticular those involving data from Astronomical satellites. He is chairman of CCSDSPanel 2, the standards group under which the OAIS Reference Model was produced, and heplayed an active role in its development. He is currently involved in the development ofseveral standards which follow on from the Reference Model, and he is also a member ofthe RLG Task Force on Digital Repository Certification.Barbara KörfferIndependent Centre for Privacy Protection, Schleswig Holstein, GermanyBiographyBarbara Körffer studied law and works since 2002 for the Independent Centre for PrivacyProtection (ICPP) in the areas of privacy audits and privacy seals, freedom of informationand data protection in several special areas.[ BARBARA KÖRFFER DELIVERS THE PRESENTATION TOGETHER WITH THOMAS PROBST ]AbstractPrivacy Seals and Privacy AuditsThis presentation will introduce two new instruments supporting data protection inSchleswig-Holstein. One of them is the privacy seal, which can be awarded every kind ofIT product, suitable for use by public offices. This seal certifies the compatibility of theproduct with the regulations of data protection.The other new instrument is the privacy public authority audit, which is available for publicauthorities in Schleswig-Holstein. They can have their privacy protection system checkedand audited in a formal procedure by the Independent Centre for Privacy Protection (ICPP).This presentation will explain the formal certification processes which are performed toaward a product with the privacy seal or a privacy protection system with an audit.© ERPANET, April 2004


ERPANET Workshop Antwerpen 17Andrew LipchakInfotegrity Consulting, CanadaBiographyAndrew Lipchak is an independent consultant (Infotegrity Consulting) in informationmanagement and archival development. During a career in the Government of Ontario,Canada, he was manager of policy and planning for the Archives of Ontario as well asManager of Corporate Information Policy for the Government of Ontario. In the latterposition, he was responsible for government-wide policies, standards and processes for themanagement of records in all media. More recently, he has advised Canadian federalgovernment departments and central agencies on information management policy andprogram development. He assisted in the preparation of the Information Commissioner ofCanada’s annual reports to Parliament. His report on information management, democraticgovernance and the electronic environment has been published by the Public Policy Forum,Ottawa. Other clients include the International Records Management Trust, London, andthe World Bank.AbstractMeasuring Information Management Capacity in Public Sector InstitutionsThis presentation will cover key elements of the information management (IM)development strategy of the Government of Canada, with a focus on current approaches toassessing IM programs, risks and impacts. It will describe several Canadian IMmeasurement and evaluation models, including the Information Management CapacityCheck. This new maturity model-based diagnostic tool being used by many departments toassess IM capabilities related to people, skills, processes, management frameworks andculture, technology and other resources. The presentation will discuss the potential value ofcurrent Canadian initiatives to governments and public sector institutions, while notingother IM and records management assessment methods that may be useful.© ERPANET, April 2004


ERPANET Workshop Antwerpen 19Jan PasmooijRoyal Dutch Institute of Chartered Accountants, Netherlands(Koninklijk Nederlands Instituut van Registeraccountants, NIVRA)BiographyJan Pasmooij at this moment is the manager ICT Knowledge Centre of Royal NIVRA, theInstitute of Chartered Accountants in the Netherlands and the Program Manager of thepostgraduate IT-auditing curriculum at the Erasmus University in Rotterdam. He has asover 20 years’ experience as a financial, IT- and operational auditor in public practice andgovernment and has been published in numerous journals and has presented internationallyon a wide range of IT-related topics.AbstractThe concepts of an auditWhat are the added values of an audit?? What kind of audit- or assurance-framework isneeded to provide the assurance asked for??To perform an audit and provide an opinion the auditor need an audit- or assuranceframework.This framework establishes the basic principles and essential procedures forprofessional auditors for the performance of engagements intended to provide an opinion.This kind of framework also provides guidance to the responsible party and the intendedusers of the audit report. During my presentation I will explain the framework and provideguidance how to use audits as a tool for management.© ERPANET, April 2004


ERPANET Workshop Antwerpen 20Thomas ProbstIndependent Centre for Privacy Protection, Schleswig Holstein, GermanyBiographyDr. Thomas Probst studied mathematics and physics. Since 1999, he works for theIndependent Centre for Privacy Protection (ICPP) as a technical analyst in the areas ofprivacy-friendly biometrics, data security, privacy audits and privacy seals.[ THOMAS PROBST DELIVERS THE PRESENTATION TOGETHER WITH BARBARA KÖRFFER ]AbstractPrivacy Seals and Privacy AuditsThis presentation will introduce two new instruments supporting data protection inSchleswig-Holstein. One of them is the privacy seal, which can be awarded every kind ofIT product, suitable for use by public offices. This seal certifies the compatibility of theproduct with the regulations of data protection.The other new instrument is the privacy public authority audit, which is available for publicauthorities in Schleswig-Holstein. They can have their privacy protection system checkedand audited in a formal procedure by the Independent Centre for Privacy Protection (ICPP).This presentation will explain the formal certification processes which are performed toaward a product with the privacy seal or a privacy protection system with an audit.© ERPANET, April 2004


ERPANET Workshop Antwerpen 21Bob ProvickLibrary and Archives Canada, CanadaBiographyBob Provick is a Senior Project Officer with the Government Records Branch at Libraryand Archives Canada. He has over 30 years experience in Information Management and hasled or participated in many Government of Canada IM initiatives.In 2002, he participated in the development of the Information Management CapacityCheck (IMCC). Since April 2003 he and his IM Strategies Team have been responsible forthe implementation of the IMCC in the Government of Canada and providing informedadvice and guidance to federal government institutions on the application of the IMCC. Heand his team are currently developing a detailed Process Guide for the IMCC.Bob is a member of several IM related professional associations and has spoken many timeslocally, nationally and internationally on IM issues.AbstractThe Information Management Capacity Check: A Baseline for SuccessThe Information Management Capacity Check (IMCC) was developed by Library andArchives Canada to allow Government of Canada departments and agencies to identify abaseline of current capacities for the management of information, a desired "to be" state andestablish strategic priorities for improving their capacities. The IMCC is a self-assessmenttool incorporating all elements of Information Management including the organization,maintenance and protection of information. The IMCC has been endorsed by all senior levelgovernment IM committees as the preferred tool for assessing IM capacity in theGovernment of Canada.This presentation will provide an overview of the IMCC tool and the methodology, and willpresent a case study. The presentation will also address the alignment of the IMCC withcurrent audit and evaluation strategies.© ERPANET, April 2004


ERPANET Workshop Antwerpen 22Jürgen-Hans SchmidtAventis, GermanyBiographyJürgen Hans has been working in the pharmaceutical industry since certification as aphysician and gaining his doctorate in 1987. Until 1992, he worked in the clinical researchdepartments of Pfizer and Boehringer Mannheim. He then switched to the Clinical QADepartment at Hoechst/Aventis. Since June 2000, he has been head of Quality Managementin the Medical Department at Aventis Pharma Deutschland GmbH.Juergen Hans holds Diplomas in Pharmaceutical Medicine (DGPharmMed), ResearchQuality Assurance (Anglia University, Cambridge, UK; and Master in Drug RegulatoryAffairs (University of Bonn, Germany).AbstractAuditing Electronic Data Capture (EDC) in clinical trialsDuring the audits of clinical trials, auditors more and more often see electronicallyregistered data. Increasingly patient or volunteer data are stored in GP computers or hospitalinformation systems. Paper patient charts decrease more and more. The informationsystems used in clinical trials have to comply to a range of international standards andrequirements. Amongst others these system have to ensure the quality of the data, cater fordata security, provide audit trail functionality, and preserve the data into the future. Thispresentation will present practices and experiences in auditing the adequacy of the systemsand their compliance to relevant standards.© ERPANET, April 2004


ERPANET Workshop Antwerpen 23Inge SchoupsStadsarchief AntwerpenAntwerp City Archives, BelgiumBiographyStudies of history at the universities of Antwerp and Ghent. Archivist at the State Archivesin Ghent (1978 - 1979), researcher at the University of Ghent (1979 - 1982) and archivist atthe National Archives in Brussels (1983 - 1994). At the National Archives main focuseswere archival automation and informatics, institutional and administrative history andarchival terminology. In 1983 she published a manual on the use of computers in thehumanities. Since 1994 she is director of the Antwerp City Archives where priority is givento the management of current records. For the period 2000 - 2004 she is chair of theInternational Council on Archives committee on current records.© ERPANET, April 2004


ERPANET Workshop Antwerpen 24Greet VoldersInformation Systems Audit and Control Association (ISACA), BelgiumBiographyGreet Volders obtained a degree in Mathematics (1984) and a Masters in Computer Audit(1995). She started her career as a functional analyst, progressed to project leader andconsultant for projects concerning implementing methodologies for applicationdevelopment & project management. After various projects in the pharmaceutical &telecommunications industry, Greet Volders chose to focus on quality assurance & qualitymanagement in the development of information systems.In 1995, she started her own consultancy company Voquals N.V. This company providesconsultancy services in matters concerning quality management in IT-environments andsystem implementation (conform to ISO9000 or EFQM if required by the client).Beside advising in Quality Assurance and optimising the processes, Greet also executes ITaudits conform to CMM (Capability Maturity Model) or develops IT Governance in severalcompanies, using the CobiT model.AbstractHow to use CobiT to assess the security & reliability of Digital PreservationThis session will start with an overview of CobiT, which is a generally applicable andaccepted standard for good Information Technology (IT) and a short introduction ofISACA, the organisation who developed CobiT.We continue with more details (critical success factors, control objectives and key goal &performance indicators) for some the CobiT-processes relevant to digital preservation, witha focus on the specific demands of reliability, confidentiality and security.This presentation will end with some practical guidelines of how to audit these processesand domains.© ERPANET, April 2004

More magazines by this user
Similar magazines