CRL and Portico have agreed that ongoing certification is contingent upon Portico making certain disclosures every two years. These disclosures should entail, at minimum:
- Inventory of new content added to the repository since prior certification;
- Description of significant changes in repository system architecture or configuration, critical software, or software platforms;
- Software and hardware patch risk register;
- New agreements and contracts with key depositors of content, content users, major funders or sources of revenue, and providers of critical repository services;
- New key policies regarding acquisition, management, and disposition of archived content and related files and metadata;
- Records of significant events and changes in the nature and condition of digital content since the most recent audit, such as server logs;
- Records of significant events and changes in the operations of the repository;
- Most recent financial statements for the repository organization or service unit. The financial statements should indicate the categories and, where appropriate, sources of revenue and the level of same; the functional allocation of expenses; and changes in the financial position of the organization supporting the service unit; and
- Revenue and expense projections by function, for the repository organization or service unit, for the next three years.
In addition, Portico must allow a periodic, systematic sampling and inspection of the repository’s archived content by CRL, or by a third party designated by CRL, using either a manual or automated process as determined by mutual agreement between CRL and the repository. This will allow CRL to independently verify and monitor the presence and integrity of content in the repository comprehensively or at least on a meaningful scale. We expect the ongoing disclosures provided by Portico to CRL to show their progress in acting on the CRL issues of concern identified through this audit.