Versions Compared

Old Version 111

changes.mady.by.user Drummond Reed

Saved on

compared with

New Version 112

changes.mady.by.user Drummond Reed

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

The primary document is the "home page" for the governance framework (GF). It:

  1. MUST have a DID (decentralized identifier) that serves as an identifier of the entire GF.
  2. MUST have a unique DID URL (as defined in the W3C Decentralized Identifiers 1.0 specification) to identify each specific version of the primary document.
  3. MUST contain authoritative references to all other documents included in the GF, called controlled documents.

...

  1. SHOULD reference any external websites, white papers, or other helpful background materials.
  2. SHOULD reference the ToIP Foundation, the ToIP stack, and the specific version of the ToIP governance template upon which the GF is based (if any).
  3. MAY include an "Acknowledgements" section thanking contributors to the GF.

Terminology and Notation

This section asserts the terminology conventions used in the GF. It:

  1. MUST explicitly specify the use of the ToIP Governance Requirements Glossary (see below).
  2. MUST reference the GF Glossary controlled document for all other terms (see the Controlled Documents section).
  3. MAY specify that terms specific to one controlled document are defined in that controlled document.
  4. MUST specify that all RFC 2119 keywords used with their RFC 2119 meanings are CAPITALIZED.
  5. SHOULD specify any other formatting, layout, or notation conventions used in the primary document or  and/or controlled documents.


ToIP Governance Requirements Glossary

...

  1. MUST specify the official language or languages for the GF.
  2. SHOULD use an IETF BCP 47 language tag to identify each official language.
  3. SHOULD specify and provide links to all official translations of the GF.
  4. SHOULD specify the policies or  and/or rules governing the production of translations.

...

  1. For the governing authority (or each interdependent governing authority), this section:
    1. MUST state the full legal identity including jurisdiction(s).
    2. MUST state the DID.
    3. SHOULD provide an LEI.
    4. MUST provide contact information for official communication to the legal entity.
    5. SHOULD provide contact information for official persons acting on behalf of the legal entity.
  2. For the GF itself, this section:
    1. SHOULD provide the URL for a publicly-accessible website dedicated to the GF ("GF website").
  3. The GF website SHOULD include:
    1. HTML versions of all documents in the GF.
    2. PDF versions of all documents in the GF.
    3. Highlighted links to the Governance Requirements controlled document(s) that specify how the governing authority itself is governed.
    4. If applicable, a primary trust mark for the GF displayed prominently on the home page and in the header of every other page.

Administering Authority

If the Administering Authority This section is only REQUIRED if the administering authority for the GF is different from the governing authority, include this section. It:

  1. MUST state the full legal identity of the administering authority.
    1. SHOULD provide the LEI.
  2. MUST provide contact information for the administering authority as a legal entity.
    1. SHOULD provide contact information for official contacts acting on behalf of the legal entity.
  3. MUST clearly define what administrative authority the governing authority the role of the administering authority i.e., what administrative authority the governing authority delegates to the administering authority and what decisions and processes remain the responsibility of the governing authority.

...

This is a statement of what is in and out of scope of for the GF. It:

  1. SHOULD clearly state the primary governed roles in the trust community.

  2. SHOULD state any other relevant stakeholders.

  3. SHOULD state the primary types of interactions, transactions, or processes in which the actors serving these roles will be engaged.
  4. SHOULD state what kind of artifacts will be governed.
  5. SHOULD, if applicable, clearly state what is out of scope.

...

  1. SHOULD specify tangible, achievable results (e.g. SMART criteria and Fit-for-Purpose criteria).SHOULD specify the intended overall outcomes the GF is designed to produce.
  2. MUST only contain outcomes over which the GF has the authority and mechanisms to achieve within its scope.
  3. MUST be consistent with the principles of the GF (below).

...

  1. SHOULD serve as a guide to the development of policies, rules, and other requirements in the GF ("principles guide policies").
  2. SHOULD refer to existing principles whenever possible (whether defined by ToIP or other sources).
  3. SHOULD be referenced (along with any other relevant parts of the GF) in any Legal Agreement ( so as to help clarify intent).
  4. MUST NOT include requirements (e.g., using capitalized RFC 2119 keywords) for which either human or machine conformance can be directly tested — those should be stated as requirements policies or rules elsewhere in the GF.

General Requirements

This section contains requirements that apply to the GF as a whole and not just in the context of a particular controlled document. It:

  1. SHOULD include the requirements that:
    1. Apply generally to governance of the entire trust community.
    2. Apply to the structure of the GF, e.g., what who is responsible for which controlled documents must be specified by whom and applied to whom.
    3. Guide the development of more specific requirements within the controlled documents.
  2. SHOULD NOT include requirements that apply only within the context of a specific category addressed by one of the controlled documents.
  3. MUST include any responsible use policies use policies that apply to infrastructure governed by the GF.
  4. MUST include any regulatory compliance policies compliance policies that are not specified within particular controlled documents.
  5. SHOULD include a Code of Conduct that applies to all trust community members.

...

This section contains the specific requirements governing revisions to the GF. It:

  1. MUST include requirements specifying:
    1. How any revisions to the GF will be developed, reviewed, and approved.
    2. How any new versions will be uniquely identified with a DID URL.
  2. SHOULD include at least one public review period for any GF that will be available to the public.publicly-available GF.
  3. SHOULD NOT include any other types of governance requirements for the governing authority or interdependent governing authorities (those of requirements that pertain to governance of the governing authorit(ies). Those should be defined in controlled documents in the Governance Requirements category).

Extensions

This section applies to GFs that permit extension GFs (a common feature of some ecosystem GFs). It:

  1. MUST state whether the GF can be extended.
  2. MUST specify the requirements an extension GF must meet in order to be approved.
  3. MUST specify the process by which an extension GF can be approved.
  4. MUST define an authoritative mechanism for registration, activation, and deactivation of an approved extension GF.
  5. MUST define the requirements for notification of trust community members about activation or deactivation of an approved extension GF.

Schedule of Controlled Documents 

This is a listing section contains an authoritative list of all controlled documents in the GF. It:

...

  1. SHOULD be a single controlled document for each applicable language (even if it is organized by categories or other heuristics).
  2. SHOULD provide a common reference for all possibly ambiguous terms used throughout the GF.
  3. SHOULD reference the ToIP Core Glossary or any other relevant ToIP glossary for all terms with established definitions in the overall scope of ToIP.
  4. SHOULD conform to standard requirements for a glossary, i.e., list all terms alphabetically for easy reference.
  5. MAY tag terms by category or usage.MAY specify that terms specific to one controlled document are defined in that controlled documentusage.

Anchor
risk-assessment
risk-assessment
Risk Assessment

This category includes links to an ISO 27005 (or compatible) risk assessment for managing risk. Controlled documents in this category:

  • SHOULD identify key risks that MAY negatively affect the achievement of the GF's purpose and objectives within its scope.
  • SHOULD include a risk assessment process output that provides an assessment of  of each key risk that the GF is designed to address and mitigate.
  • SHOULD assess which roles and processes specified in the GF are vulnerable to each risk and how they are affectedwhat impacts could result.
  • SHOULD include a risk treatment plan specifying how identified risks are to be treated (e.g. mitigated, avoided, accepted or transferred).

...

  1. SHOULD include a trust assurance framework document that  that defines a scheme in which governed parties assert compliance with the policies of the GF and the mechanisms of assurance over those assertions.
  2. SHOULD (if applicable) define the roles of auditors and auditor accreditors and the directives policies governing their actions.
  3. SHOULD (if applicable) define the roles of certifying parties and the requirements policies governing their actions and relationships with the governing authority, auditors and auditor accreditors.
  4. SHOULD (if applicable) include requirements supporting the development, licensure, and usage of one or more trust marks.

...

  1. MUST include controlled documents that specify governance requirements (e.g., Charter, Bylaws, Operating Rules, and so on) for:
    1. The primary governing authority (or all interdependent governing authorities).
    2. If applicable, the administering authority
  2. SHOULD address any policies required for antitrust policies, intellectual property rights (IPR) policies, confidentiality policies, responsible use, or other requirements for regulatory compliance under which that apply to the trust community members agree to operate.
  3. SHOULD include any requirements governing enforcement of the GF and how dispute resolution will be handled.

...

These are the requirements governing the business model(s) and business rules to be followed by the trust communityControlled documents in this category:

  1. SHOULD clearly explain the any exchange(s) of value within the trust community the GF is governingbetween trust community members governed by the GF.
  2. SHOULD define the policies and/or rules governing how and when these exchanges of value take place.
  3. SHOULD define the requirements for the use of any decision support systems.
  4. SHOULD define how all trust community members will be held accountable for their actions in these exchanges.
  5. SHOULD define how the governing authority, administering authority, and the GF are sustainable under these requirements.

Technical Requirements

These are the are requirements governing technical interoperability. Controlled documents in this category:

  1. MUST specify how trust community members will interoperate technically using the ToIP technology stack by reference to any relevant ToIP specifications and recommendations.
  2. SHOULD include any additional specifications and/or specification profiles that are specific to the technical operation of technical interoperability within this trust community.
  3. SHOULD reference include references one or more ToIP glossaries as needed.
  4. SHOULD reference any test suites and or other testing requirements.

Information Trust Requirements

These are requirements for in the five categories of trust service criteria defined by the American Institute of Certified Public Accountants (AICPA) Assurance Services Executive Committee (ASEC). These can be addressed by implementing internal controls as describedefined by the Committee on the Sponsoring Organizations of the Treadway Commission (COSO) Guidance on Internal ControlControlled documents in this category:

  1. MUST specify the baseline requirements for trust community members for governed parties with regard to:
    1. Information security
    2. Information availability
    3. Information processing integrity
    4. Information confidentiality
    5. Information privacy
  2. SHOULD specify the relevant information trust policies by reference to:
    1. ToIP specifications and recommendations.
    2. Other regulatory or industry standards.
    3. GF-specific policies.
    4. GF-compliant decision support systems.
    5. Trust community member-specific policies.

Inclusion, Equitability, and Accessibility Requirements

These are the policiesare requirements governing how the GF enables fair and equal access to all. Controlled documents in this category:

...

This category includes any legal agreements or contracts included specified in the GF. Controlled documents in this category:

  1. MUST include all specified legal agreements or contracts between Members and/or the governing authoritybetween trust community members.
  2. SHOULD reference the GF glossary document(s) for all terms not defined internally to the legal agreement or contract.
  3. MUST clearly state the governed parties to whom these legal agreements apply.
  4. MUST define or reference all relevant accountability and enforcement mechanisms.
  5. SHOULD reference any other relevant requirements in the balance of the GF.

...