Difference between revisions 657323440 and 660502792 on enwiki

< previous diff
next diff >
Trusted Storage specification
<!-- Please do not remove or change this Copyvio message until the issue is settled -->
{{Nobots}}
{{Copyviocore
|url=http://webcache.googleusercontent.com/search?q=cache:Vg5LlwwiGKwJ:standardsproposals.bsigroup.com/Home/Proposal/3941/c010+&cd=2&hl=en&ct=clnk&gl=us
|month = April
|day = 20
|year = 2015
|time = 13:05
|timestamp = 20150420130545}}
<!-- Do not use the "Copyviocore" template directly; the above line is generated by "subst:Copyvio|url" -->
{{lead missing|date=April 2015}}
{{dead end|date=April 2015}}
{{notability|date=April 2015}}
== Scope ==
This International Standard specifies functional and technical requirements associated with storage sub-systems storing/managing organizational records, in a protected/secured fashion, during the lifecycle of the information.   This standard provides sufficient detail enabling organizations, including product suppliers, to identify/specify functionality of all aspects of the information storage environment considered to be non-alterable storage environments (or Trusted WORM), preventing modification or deletion during the content lifecycle, and the ability to track, manage, and audit data integrity through the information lifecycle.   These sub-system requirements will include identifying relevant history/audit related information that must be collected and stored by the controlling server.  This standard does not mandate specific storage media types or configurations

Recognizing that storage technologies will continue to mature and morph over time, this standard is based on the concept that the overall trusted storage sub-system does not rely on specific storage technologies or media.  Rather, this standard mandates functional requirements for storage technologies/media allowing organizations to maintain their information in a secure fashion.  

This environment must operate regardless of the underlying storage sub-technology regardless of being optical, magnetic, electronically accessible microforms, or solid state storage technologies.  This standard is based on the concept that access to the trusted storage sub-system is secured from any external access and once configured can only be access through a single channel that is audited.  This standard will also identify reporting requirements for these sub-systems that must be transmitted to the ECM control "head" managing access control and provide information on other aspects of Trusted WORM storage integration related requirements.

== Purpose ==
The standardization of Trusted Storage (sometimes referred to as Trusted WORM) along with an agreed upon definition on how Trusted Storage sub-systems inter-operate with document and records management technologies began in 2013.  This effort began as a result of increasing requirements for organizations to store business and/or official records in a storage environment compliant with relevant governmental and regulatory requirements that ensure information is properly protected.   The Trusted Storage standardization work is being completed by [http://www.iso.org/iso/standards_development/technical_committees/other_bodies/iso_technical_committee.htm?commid=53666 ISO TC/171 SC1/WG8] (ISO 18759).   This International Standard specifies functional and technical requirements associated with Trusted Storage sub-systems that enable organizations, including product suppliers, to develop/configure products and technologies that store and manage content stored in non-alterable environments preventing modification or deletion during the life cycle of the content following organizational policies and procedures. This standard also specifies reporting requirements to ensure that content is no unknowingly altered during its prescribed retention cycle.  The current ISO convener for this effort is Robert Blatt, US/ANSI Expert to ISO TC/171

Organizations storing digital content or ESI (Electronically Stored Information) as business records have increasing sought guidance on how to design, implement and manage information and content management systems in such a way as to guarantee the reliability, authenticity and integrity of the records contained within the system throughout their entire life cycles.  In addition to the requirements of normal business purposes, the need to ensure the reliability of records has come from legal mandates in the form of statutes and regulations, as well as well as admissibility standards as relate to legal proceedings.

Standard setting bodies such as ISO, ANSI and AIIM have developed the concept of a “trusted system” in order to provide clear and concise, vendor neutral requirements for information and content management systems used to manage content as reliable and legally admissible records. This concept as defined by ISO 15801 <ref>ISO 15801 Document management -- Information stored electronically -- Recommendations for trustworthiness and reliability</ref>, a trusted system is “a system used to store electronic information in an accurate, reliable and usable / readable manner, ensuring integrity over time.” 
 
At a minimum, a trusted system stores at least one copy of the record on media that prevents unauthorized deletions and that is stored in a different location from the original content.  In particular, it meets the following criteria:

* At least two copies of the ESI should be written to separate locations, with at least one copy written to an unalterable media
* Controls must be put in place to ensure that ESI is accurately captured and retained until a policy-defined deletion point
* Write and modify actions of ESI should only take place through the ECM maintaining retention controls
* Every action, including read, write, and modify, should be auditable through a reporting interface

ISO 18759 addresses the requirements for storage subsystems as regards non-alterability, security and verification, and as are expressed in authoritative documents such as by ISO 15801, AIIM ARP 1 - 2009<ref>[http://www.aiim.org/Research-and-Publications/Standards/Articles/ARP1-2009 AIIM ARP 1 – 2009]</ref>, and ANSI/AIIM 25 Trusted Assessments <ref>http://www.aiim.org/documents/standards/ANSI_AIIM_25-2012.pdf</ref>.  The title of the standard, “Trusted WORM Functionality” is meant to reflect the objective of the standard, which is to provide additional, comprehensive detail on the characteristics of storage subsystems that meet the non-alterability requirement.  It is not meant to suggest that compliant storage subsystems by themselves constitute or are sufficient for a system to be designated a trusted system.

This standard is motivated by the evolution of storage technologies.  The de facto paradigm for trusted storage has been optical media, which is “write once” by virtue of the nature of the media and the method of writing to it.  However, new non-optical storage subsystems have evolved that accomplish “write once” objectives through a combination of hardware and software controls.  Understanding what specific functionality is required of these systems to meet trusted system requirements is the primary motivation for this standard.  Planning, design and implementation best practices (<ref>ISO 22957 ISO 22957 (2013)  Analysis, Selection, & Implementation of Electronic Content Management (ECM) Systems</ref>) associated with Trusted ECM Technologies further expands on the concept of trustworthiness and reliability of the content during the information lifecycle.
 
The ISO 15801 definition of a trusted system contains two elements. The first element is the requirement that any information retrieved from the system can at the time of the retrieval be proven to be accurate, reliable, complete and unspoiled as a record. The second element is that during the life cycle of the system itself, it can be proven that the system continues to maintain the integrity of all its records in accord with their retention policies and will continue to do so into the future provided that its normal operating conditions are maintained.  These two elements of the definition of a trusted system correspond to distinct but interconnected legal requirements, such as those developed by courts as regards the admissibility of ESI as evidence into legal proceedings, and those developed by regulators as regards the obligations of both public and private organizations to maintain reliable and accurate records systems for purposes of accountability and transparency.   

The Trusted Storage standard (ISO 18759) for trusted storage environments addresses both these criteria and will therefore provide guidance to organizations seeking to meet diverse legal requirements and mandates as regards the production and management of their electronic records.

== Citations and References ==

{{uncategorized|date=April 2015{{multiple issues|
{{Orphan|date=August 2012}}
{{Refimprove|date=April 2008}}
}}

The '''Trusted Storage specification''' is a document under debate in the [[Trusted Computing Group]] designed to provide interoperability and standardization of [[Full Disk Encryption]] (FDE) for [[hard disk drives]] (HDDs).  The draft was published on 19 June 2007.<ref>https://www.trustedcomputinggroup.org/news/press/Storage_spec_release_final_june_18_2007.pdf</ref>

==References==
{{reflist}}

==See also==
* [[Disk encryption]]
* [[Full disk encryption]]

[[Category:Cryptographic software]]
[[Category:Disk encryption]]


{{crypto-stub}}