The Trustworthy Information Systems Approach
June 7, 2005
John Breeden, CRM
Fourth in the Missouri Electronic Records Education and Training Initiative (MERETI) workshop series
Note: Click on the icon to watch the instructor discuss key points. The number refers to the corresponding slide in the accompanying PowerPoint presentation and handout.
Instructor John Breeden began this class by defining some of the key concepts to be discussed throughout the workshop, including “information system”, “trust”, “trustworthy”, and “records”. Most of the information in the class is based upon the concepts and models contained in the Trustworthy Information Systems Handbook developed by the Minnesota State Archives. 5-6
Records can have four types of value, and the value(s) of a particular kind of record will determine the level of trustworthiness that must be designed into and maintained within an information system. These values are informational/business value, fiscal value, legal value, and historical/archival value. 7-10a 7-10b
The features of a trustworthy information system are authenticity, reliability, integrity, and accessibility. 11-12
Government needs trustworthy information systems to:
- provide better service to the public,
- provide confidence in government,
- ensure information can be retrieved for as long as needed,
- protect the organization (the citizens) from litigation, and
- perform our jobs efficiently. 17
The process of building a trustworthy information system involves many parties, and is best done when an organization builds a new system or when it upgrades to new hardware and/or software. However, an organization can implement many of the features at any time.
The people to involve in defining and building the system include the program managers and employees (the users), the information technology experts, and the other interested parties such as records managers, auditors, and legal counsel.
An organization should first evaluate its existing systems and analyze the cost effectiveness of modifying existing systems to meet identified required trustworthiness criteria. 22
The criteria used to measure the trustworthiness of systems fall into the broad categories of:
- security measures
- audit trails
- disaster recovery plans, and
Whether any particular criterion is important to an organization’s systems will depend on how much value it places on the information in them (business, fiscal, legal, and historical values). 26
Documentation is an essential component of a trustworthy system. Documentation of the equipment and maintenance procedures provides assurance that data is not being corrupted. Documentation of the relationships among the components of an interconnected system demonstrates the planning that has gone into the system and identifies where its most vulnerable points are. 27-29
Documentation should also be maintained on the design, development, and testing of the system, including the conventions and tools used. It is critical to document the operating procedures of the system, including methods of input and access, data modification, data duplication, data deletion, indexing, and outputs. Identification of system users and their levels of access is essential.
Security measures ensure trustworthiness of systems. Security levels can be scaled down or up to match the sensitivity of the information contained in the system. Security falls into three general categories: user identification and authorization, internal system security, and external system security.
User identification and authorization security measures include effective password rules 36, limiting each user's access to only the information needed to do their job, limiting the rights to alter and delete records to authorized users only, preventing any user from deleting record audit trails, and limiting access to digital signatures to authorized officials only. Agencies must maintain lists of current and past authorized users with their privileges and responsibilities, and keep those lists up to date. Authorities assigned to users should ensure that no single individual can compromise the system's integrity, and that there are always checks and balances.
Internal system security. Agencies should control access to system documentation, control access to output and storage devices 40a, and ensure security when moving data between locations, either physically or electronically. Agencies must control the disposal of old computer equipment and software to prevent unauthorized release of information. System security personnel must be fully trained, and the system’s physical security must be assured, including having security detection mechanisms in place at all times. 40b
Systems that interconnect with other systems or the internet must be protected by external system security measures. These include verification of users accessing the system, ensuring the integrity of information received by the system, detecting transmission errors, detection of changes in a record since its creation or signature, and protection against hackers, viruses, and worms. The level of security provided must be appropriate for the level of sensitivity of the records in the system. 47
System audit trails are an essential element of trustworthy information systems. At a minimum, audit trails should log a record identifier, a user identifier, the date and time, and the nature of the action taken. Audit trail software and mechanisms must be thoroughly protected. Audit logs should record user log-in activity, password changes, the physical location of the user, and other details appropriate to the kind and sensitivity of the information in the system. 53
A trustworthy system will include a disaster recovery plan which identifies vital records 54, analyzes risk management processes, and identifies potential hazards. The plan will identify mitigation and recovery efforts for each potential type of hazard. (See Workshop 6 for more detailed information on disaster recovery.)
Metadata provides the information about the records in your system that enables the functionality of the system and ensures the integrity of the records. Metadata fields are used for system operations, audit trails, access and security, retention, and records history. The kinds of metadata that are important to include must be determined early in the system design process, based on input from all users and stakeholders in the system. The system’s purpose and criticality will help determine which metadata elements are necessary. 57-65
Following lunch, Mr. Breeden examined one type of electronic record system – a document imaging system – in depth to illustrate the general principles of system trustworthiness discussed earlier in the day. 68 He discussed imaging systems’ trustworthiness in terms of:
- policy documents
- duty of care/security
- procedures and processes
- technology considerations, and
- audit trails 69
Imaging policies need to address the scope of information included in the system, grouped into types or record series. 71 Policies should be established for storage media and version control, including records that may be stored on more than one medium. Allowable image file formats should be defined and permissible compression techniques specified. Retention schedules must be identified for each record series, based on all stakeholders' input and citing relevant laws and industry standards. 74
Duty of care deals with an organization’s practical, legal, and ethical obligation to understand the value of its information and use and preserve it accordingly. This includes establishing a chain of accountability and responsibilities for information throughout the work process, determining any vital records, identifying and mitigating security vulnerabilities 77, and implementing disaster recovery plans.
An information system’s trustworthiness depends to a great extent upon the established procedures and processes used in the system. For a document imaging system, these processes and procedures include:
- document capture/scanning 81 84
- data capture 88 90
- indexing 91
- authenticated output procedures 94
- document retention after scanning 95
- document destruction
- backup and system recovery 97
- system maintenance
- security and protection 99
The technology and equipment used in an imaging (or other electronic record) system can affect the integrity and trustworthiness of the system. Consideration must be given to the following in designing and operating an imaging system:
- storage media and subsystems 104
- access levels 105
- system integrity checks
- image processing
- compression techniques 108 109
Audit trails are integral to the trustworthiness of a system. Audit trails must be inviolable, and must be migrated along with the records during hardware/software upgrades and storage media refreshes. 112 Each step in a workflow system represents an audit trail point. 114 119 126
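The minimum audit trail fields listed earlier (record identifier, user identifier, date and time, nature of the action) and the requirement here that trails be inviolable, shown as an added Python example that is not from the workshop or the Minnesota handbook: an append-only trail in which each entry's digest commits to every earlier entry, so an edited, reordered or removed entry can be detected. The key names, the sample activity and the practice of keeping the latest digest outside the system are assumptions.

```python
import hashlib
import json
# Minimum fields the workshop names for an audit trail entry (key names assumed).
REQUIRED = ("record_id", "user_id", "timestamp", "action")
GENESIS = "0" * 64  # anchor digest used before the first entry

def _digest(entry: dict, prev: str) -> str:
    # Digest covers the entry body plus the previous digest: the hash chain.
    body = json.dumps({k: v for k, v in entry.items() if k != "digest"}, sort_keys=True)
    return hashlib.sha256((prev + body).encode()).hexdigest()

class AuditTrail:
    def __init__(self):
        self.entries = []

    def append(self, record_id, user_id, timestamp, action, **extra):
        entry = {"record_id": record_id, "user_id": user_id,
                 "timestamp": timestamp, "action": action, **extra}
        prev = self.entries[-1]["digest"] if self.entries else GENESIS
        entry["digest"] = _digest(entry, prev)
        self.entries.append(entry)
        return entry["digest"]  # head digest; keep a copy outside the system

    def verify(self, expected_head=None):
        """(ok, problem): finds edited, reordered or incomplete entries; with the externally kept head digest, also a truncated tail."""
        prev = GENESIS
        for i, e in enumerate(self.entries):
            if any(f not in e for f in REQUIRED):
                return False, f"entry {i}: missing required field"
            if _digest(e, prev) != e["digest"]:
                return False, f"entry {i}: digest mismatch"
            prev = e["digest"]
        if expected_head is not None and prev != expected_head:
            return False, "head digest mismatch (entries removed?)"
        return True, None

def demo():
    # Constructed activity for one imaged document; timestamps fixed for repeatability.
    t = AuditTrail()
    t.append("DOC-0001", "jsmith", "2005-06-07T09:00:00Z", "scan")
    t.append("DOC-0001", "jsmith", "2005-06-07T09:05:00Z", "index")
    head = t.append("DOC-0001", "rjones", "2005-06-07T10:00:00Z", "delete")
    intact = t.verify(head)
    t.entries[2]["user_id"] = "jsmith"   # rewriting who performed the deletion
    edited = t.verify(head)
    t.entries[2]["user_id"] = "rjones"
    del t.entries[2]                     # removing the deletion entry altogether
    truncated_unanchored = t.verify()    # the chain alone cannot see a removed tail
    truncated = t.verify(head)
    return intact, edited, truncated_unanchored, truncated
```

Migrating the trail during an upgrade or media refresh means carrying the entries and the externally held head digest together, so that `verify` still passes on the new system.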