Survey
* Your assessment is very important for improving the workof artificial intelligence, which forms the content of this project
* Your assessment is very important for improving the workof artificial intelligence, which forms the content of this project
Cyber-security regulation wikipedia , lookup
Computer security wikipedia , lookup
Security-focused operating system wikipedia , lookup
Computer and network surveillance wikipedia , lookup
Medical privacy wikipedia , lookup
Information security wikipedia , lookup
Next-Generation Secure Computing Base wikipedia , lookup
Social engineering (security) wikipedia , lookup
Version 1.0 February 2015 Trusted Computing (TC) and Digital Rights Management (DRM) for Records Managers Archives New Zealand is the custodian of the Trusted Computing and Digital Rights Management (TC / DRM) Standards and Guidelines. This role includes communicating the Standards and Guidelines to a wider government audience and consulting with stakeholders as the technological landscape changes. Digital Rights Management, in particular, has the potential to affect current records management practices. What is Trusted Computing and Digital Rights Management Trusted Computing (TC) is a group of technologies which can be used to intentionally limit access to the data and facilities on a computer. The hardware for TC is included in most laptop and desktop computers sold today. TC hardware can be useful to governments by guaranteeing that their machines have not been tampered with or to prevent unauthorised access to stolen machines. Digital Rights Management (DRM) software provides a way for information providers to control access to information while making it available to other people’s computers. It is widespread in the entertainment industry and is now available in office applications. In conjunction with TC, DRM could provide strong control over access to documents and emails. What is the purpose of Trusted Computing and Digital Rights Management? TC provides security at a hardware level which can be used to establish trust between systems. Examples include the Trusted Platform Module chip imbedded in most PCs which can enable the computer to confirm that its software hasn’t been tampered with. DRM allows for persistent item level protection. DRM can be used to protect intellectual property and copyright control over individual digital items. DRM protections travel with the items and are independent of the system which creates or uses them. Examples of DRM include the printing restrictions one can place on a PDF document and the Information Rights Management feature in Microsoft Office which allows creators to restrict which readers can open a Word document. What are the risks associated with Trusted Computing and Digital Rights Management? DRM can adversely affect the full usability of documents. Information providers can encumber documents with restrictions and conditions imposed by the provider. For example, providers can set a document to become unusable after a period of time without notifying the agency which receives the document. Public offices would therefore lack control over incoming documents. There is also a TC feature that can be used in conjunction with DRM called ‘remote attestation’ which allows information to be sent to an external server when the item is opened. The government agency holding the document may have no way of knowing what information is transmitted. Many TC and DRM systems therefore have the potential to undermine the security of government systems and the privacy of people who use them. How does Digital Rights Management affect records management? DRM can impede the management of official records by preventing the capture of records into an EDRMS or by preventing printing so that a paper copy can be kept. DRM may facilitate the illegal disposal of records by setting time-based actions (such as access expiry or restrictions) not desired or authorised by the recipient of the records. Through access expiry, modification or restriction DRM may prevent access to information to those otherwise entitled to it. One of the most important first steps you can take is to decide if your organisation will accept DRM encumbered information and if so, how you will handle it. Key questions to ask yourself are: Is it a record which is affected? Will the information be needed on an on-going basis? What are the costs and limitations of access to the information? Do you have hardware or software in place which detects DRM or can you put those tools in place? If you are considering creating DRM-encumbered information take the following steps: Update your recordkeeping policy to include TC and DRM issues. Determine if your DRM deployment is appropriate under the Security in Government Sector (SIGS) manual. Inform people of the DRM restrictions you are placing on documents and be prepared to justify the restrictions. Ensure continued access to records you are required by law to create and maintain. Finally, ensure compliance of any new systems with the Trusted Computing and Digital Rights Management Standards & Guidelines published by the State Services Commission by seeking a declaration about DRM from vendors in their tender or RFP response. The declarations should detail the TC / DRM features of the product, which TC / DRM features are turned on by default, and what the limitations are of using or not using these features. This will help you determine whether you can comply with the Standards & Guidelines if you implement their system. About the Principles & Policies, Standards & Guidelines The Principles & Policies and the Standards & Guidelines were originally developed by the TC / DRM Working Group headed by the State Services Commission under the E-government Interoperability Framework (eGIF). They provide a deliberately generic framework for examining and dealing with TC and DRM issues. The Principles & Policies were designed to be usable by any government department (in any country) and they cover the full spectrum of issues relevant to government-held information, including privacy, accessibility, intellectual property and information security. The Standards & Guidelines were written to assist government agencies implement the Principles & Policies appropriate to their own needs. Key Trusted Computing and Digital Rights Management Principles & Policies for Records Managers System Security Principle The security of government systems and information must not be undermined by the use of trusted computing and digital rights management technologies. (Principle 4) Information Availability Policy Government must know about encumbrances, have control over them, and explicitly agree to them. (Policy 1) Information Confidentiality and Integrity Policy Government must know about information flows and be able to identify harmful communications. (Policy 11) Further information about the Principles and Policies can be found on the ICT.govt.nz website.