APPENDIX 2

Products of InterPARES Trust research

Corinne Rogers

All results of the research studies undertaken as part of InterPARES Trust

(hereinafter ITrust) are made freely available for use through a Creative
Commons Attribution – NonCommercial – ShareAlike 4.0 International Public
License (http://creativecommons.org/licenses/by-nc-sa/4.0/). These results, as
well as many presentations, published articles, books and book chapters may
be found at https://interparestrust.org/trust/research_dissemination.
ITrust research products include annotated bibliographies, literature
reviews, final and status reports, checklists and guidance documents, survey
instruments, reports and analysis. The checklists and guidance documents
will be briefly described here. These and all other research products can be
found on the ITrust website.
Each document is identified by a code consisting of two letters followed by
two numbers. The letters indicate the regional team that led the study; the
numbers indicate the order in which the studies were proposed and
approved. For example, AF01 indicates the first study undertaken by Team
Africa.

• AA – Team Australasia
• AF – Team Africa
• AS – Team Asia
• EU – Team Europe (including Israel and Turkey)
• LA – Team Latin America (including Mexico)
• NA – Team North America
• TR – Transnational Team (comprised of international organizations).

Downloaded from https://www.cambridge.org/core. University of Liverpool Library, on 06 Jul 2020 at 02:20:22, subject to the Cambridge Core
terms of use, available at https://www.cambridge.org/core/terms. https://doi.org/10.29085/9781783304042.014
 288 TRUSTING RECORDS IN THE CLOUD

Checklists and guidance documents

EU08 (2016) Checklist for Ensuring Trust in Storage in Infrastructure-as-
a-Service – Hrvoje Stančić, Edvin Bursic and Adam Al-Harari (English,
Spanish)
This checklist offers guidance for individuals, businesses, government
agencies or other organizations to assess the security and ongoing
trustworthiness (i.e. authenticity, reliability and accuracy) of their data when
stored in an Infrastructure-as-a-Service (IaaS) platform. The goal of the study
was to establish the minimum amount of information necessary to support
users’ trust in an IaaS provider and also position the provider as a trusted
service provider. This checklist can be used by records managers and
archivists when assessing a Cloud Service Provider (CSP) offering IaaS, as
well as by CSPs as a guideline for providing online information about their
service. This document can also be found as part of the final report for EU08.

EU09 (2016) Comparative Analysis of Implemented Governmental e-

Services: a Checklist for Assessment – Hrvoje Stančić, Hrvoje Brzica, Ivan
Adzaga, Ana Garic, Martina Poljicak Susec, Kristina Presecki and Ana
Stankovic
This checklist offers guidance to records professionals in businesses, govern-
ment agencies or other organizations, as well as service providers, to assess
the implemented governmental e-services in the context of trusting those
services and the data they hold and preserve. The questions in the checklist
are sufficient to provide enough information on an e-service in order for the
users to consider the service to be responsible, reliable, accurate, secure,
transparent and trustworthy.

EU15 (2016) Checklist for Single Sign-On Systems – Hrvoje Stančić,

Tomislav Ivanjko, Nikola Bonic, Ana Garic, Ksenija Loncaric, Ana Lovasic,
Kristina Presecki and Ana Stankovic
This checklist offers guidance to records managers and archivists in
businesses, government agencies or other organizations to assess single sign-
on (SSO) systems, as well as by SSO developers to ensure that they have
provided sufficient information on the system they are developing in order
to detect the possibilities of exchanging identification and authentication
credentials. Single sign-on systems and their key components were analyzed
in 28 European countries: Austria, Belgium, Bulgaria, Croatia, Cyprus, Czech
Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary,

Downloaded from https://www.cambridge.org/core. University of Liverpool Library, on 06 Jul 2020 at 02:20:22, subject to the Cambridge Core
terms of use, available at https://www.cambridge.org/core/terms. https://doi.org/10.29085/9781783304042.014
 APPENDIX 2  289

Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Poland,

Portugal, Romania, Slovakia, Slovenia, Spain, Sweden and the United
Kingdom. This analysis built on findings by the research team that there was
an absence of publicly available information important for establishing trust
in e-Services, particularly information about ‘Storage and long-term content
availability’ and ‘System operation transparency’. This document can also be
found as part of the final report for EU15.

NA06 Retention & Disposition in a Cloud Environment – Functional

Requirements (March 2015)
This study was designed to contribute to a better understanding of the
difficulties encountered when managing records in a cloud environment by
answering two questions: (1) How does the use of cloud services affect an
organization’s ability to retain and dispose of records in accordance with the
law and other guidelines? and (2) What can be done to mitigate the risks that
arise from the gaps between the ability to apply retention and disposition
actions to records residing within the enterprise and those residing in the
cloud? The checklist offers guidance for individuals and organizations in
evaluating specific cloud products and/or services to assess ability to meet
retention and disposition requirements.

NA08 (2016) Managing Records of Citizen Engagement Initiatives: A

Primer – Grant Hurley, Valerie Léveillé and John McDonald
The primer is a tool designed to help guide the drafting, execution and/or
evaluation of government-citizen engagement initiatives as they relate,
specifically, to the open government initiatives within an organization and,
more generally, to recordkeeping needs and requirements and internal
information management culture. Open government and citizen engagement
are defined, the role of records and recordkeeping in the context of citizen
engagement is discussed, and issues and strategies are proposed at levels of
policy, governance and management, people, standards and practices,
technology and awareness.

Downloaded from https://www.cambridge.org/core. University of Liverpool Library, on 06 Jul 2020 at 02:20:22, subject to the Cambridge Core
terms of use, available at https://www.cambridge.org/core/terms. https://doi.org/10.29085/9781783304042.014
 290 TRUSTING RECORDS IN THE CLOUD

NA12 (2018) Preservation as a Service for Trust (PaaST): Functional and

Data Requirements for Digital Preservation – Kenneth Thibodeau, Daryll
Prescott, Richard Pearce-Moses, Adam Jansen, Katherine Timms,
Giovanni Michetti, Luciana Duranti, Corinne Rogers, Larry Johnson, John
R. Butler, Courtney Mumma, Vicki Lemieux, Sarah Romkey, Babak
Hamidzadeh, Lois Evans, Joseph Tennis, Shyla Seller, Kristina McGuirk,
Chloe Powell, Cathryn Crocker and Kelly Rovegno
Just as the Cloud is not a specific technology or even a family or configuration
of technology, the primary challenges it poses for digital preservation are not
technological. Rather, the challenges stem from the loss of control over, and
even knowledge of, what hardware and software are used and how they are
used. PaaST defines a comprehensive set of functional and data requirements
that support preservation of digital information regardless of the technologies
used or who uses them. The requirements are intended to enable authentic
digital preservation in the Cloud; nevertheless, the requirements are valid in
other scenarios as well, including in-house preservation and situations where
digital preservation includes both in-house and contracted services. PaaST
requirements supplement the Open Archival Information System (OAIS)
Reference Model (now an ISO standard). They are applicable to cases that
include heterogeneity in the types of information objects being preserved;
variety in applicable directives, such as laws, regulations, standards, policies,
business rules and contractual agreements; varying conditions of ownership,
access, use and exploitation; variation in institutional arrangements and
relationships between or among the parties involved; and as wide a spectrum
of circumstances as possible, from best practices to worst cases.

NA14 Cloud Service Provider Contracts Checklist – Jessica Bushey, Marie

Demoulin, Elissa How and Robert McLellan (February 2016) (English,
French, Dutch, Spanish)
This checklist supports records managers, archivists, chief information
officers and others who are assessing cloud services for their organization. It
is a tool for users to gain an understanding of the terms in boilerplate cloud
service contracts, verify if potential cloud service contracts meet their needs,
with particular emphasis on requirements for records and archives, clarify
recordkeeping and archival needs to legal and IT departments, and
communicate recordkeeping and archival needs to cloud service providers.
This checklist is a tool for consideration only and does not constitute legal
advice, nor does it recommend for or against any particular cloud service
provider (or the use of cloud services in general).

Downloaded from https://www.cambridge.org/core. University of Liverpool Library, on 06 Jul 2020 at 02:20:22, subject to the Cambridge Core
terms of use, available at https://www.cambridge.org/core/terms. https://doi.org/10.29085/9781783304042.014
 APPENDIX 2  291

TR03 (2017) Security Classification Checklist – Ineke Deserno, Eng

Sengsavang, Marie Shockley, Shadrack Katuu and Julia Kastenhofer
This checklist supports organizations in the development or revision of
policies and procedures for managing security classified information assets,
especially digital information, to ensure the reliability, authenticity,
confidentiality, integrity and availability of security classified records and
their long-term preservation. It supports best management of these assets
throughout their lifecycle, from creation through active and controlled
business use, to secondary use, eventual declassification and archival control.

Downloaded from https://www.cambridge.org/core. University of Liverpool Library, on 06 Jul 2020 at 02:20:22, subject to the Cambridge Core
terms of use, available at https://www.cambridge.org/core/terms. https://doi.org/10.29085/9781783304042.014
Downloaded from https://www.cambridge.org/core. University of Liverpool Library, on 06 Jul 2020 at 02:20:22, subject to the Cambridge Core
terms of use, available at https://www.cambridge.org/core/terms. https://doi.org/10.29085/9781783304042.014