Versions Compared


...

  • Standard ToIP Roles at that layer (see the GSWG Process and Roles TF)
  • Standard ToIP Processes in which actors in those roles are engaged (see the GSWG Process and Roles TF)
  • Recommended Policies for those Processes (see the GSWG Process and Roles TF)
  • Standard Risks against which Risk Assessment should be performed (see the GSWG Trust Assurance TF)
  • Standard elements of a Trust Assurance Framework to address those risks (see the GSWG Trust Assurance TF)

The balance of this page defines the proposed metamodel and the requirements for each component. In these requirements the key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" are to be interpreted as defined in RFC 2119.

All terms appearing in First Letter Caps on this page MUST be added to the ToIP Glossary tagged for inclusion in the ToIP Governance Glossary. (Note: the Concepts and Terminology WG has already been briefed on this dependency.) The following terms have specific definitions used in this document:

Info (NEW):
  • Requirements include any combination of Policies, Rules, and Specifications.
  • Machine-Testable Requirements are Requirements with which compliance can be verified using an automated test suite and appropriate scripting or testing software.
  • Human-Auditable Requirements are Requirements with which compliance can only be verified by an audit of people, processes, and procedures.
  • Policies are Human-Readable Requirements expressed as defined in RFC 2119.
  • Rules are Machine-Readable Requirements that can be processed by a Rules Engine. They are expressed in a structured rules language as specified by the GF.
  • Specifications are documents containing any combination of Machine-Testable Requirements and Human-Auditable Requirements needed to produce technical interoperability. They are expressed as defined in RFC 2119. 

Primary Document

...

  1. MUST have a DID (Decentralized Identifier) that serves as an identifier of the entire GF.
  2. MUST have a unique DID URL (defined in the DID spec) to identify each specific version of the Primary Document.
  3. MUST contain authoritative references to all other documents included in the GF, called the Controlled Documents.
  4. MUST include Policies in the Revisions section stating how the Controlled Documents are governed by the Governance Authority.
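Requirements 1 and 2 above say that the GF as a whole is identified by a DID and that each version of the Primary Document has its own DID URL. The following Python checker is an added example, not part of the ToIP page or of any ToIP project code: it parses a DID URL according to the DID Core syntax and verifies that a version identifier belongs to the GF's base DID and selects one specific version. Tying "unique DID URL per version" to the versionId or versionTime DID parameters defined in DID Core is this example's own assumption (the metamodel does not prescribe a mechanism), and the did:example values are constructed.

```python
import re
from dataclasses import dataclass, field
from urllib.parse import urlsplit, parse_qs

# Base DID syntax from DID Core: "did:" method-name ":" method-specific-id,
# where the id is made of ALPHA / DIGIT / "." / "-" / "_" / pct-encoded
# characters and may contain ":" separators.
IDCHAR = r"(?:[A-Za-z0-9._-]|%[0-9A-Fa-f]{2})"
DID_RE = re.compile(rf"^did:([a-z0-9]+):((?:{IDCHAR}*:)*{IDCHAR}+)$")

# DID parameters that select a particular version of a DID document (DID Core).
VERSION_PARAMS = ("versionId", "versionTime")


@dataclass
class DidUrl:
    did: str                      # base DID, e.g. did:example:gf123
    method: str                   # DID method name
    path: str                     # optional "/..." path component
    params: dict = field(default_factory=dict)   # query (DID) parameters
    fragment: str = ""            # optional "#fragment"


def parse_did_url(url: str) -> DidUrl:
    """Split a DID URL into its components; raise ValueError if it is not one."""
    parts = urlsplit(url)
    if parts.scheme != "did" or parts.netloc:
        raise ValueError(f"not a DID URL: {url!r}")
    # urlsplit leaves "method:id[/path]" in .path; split off the path part.
    base, slash, path = parts.path.partition("/")
    did = "did:" + base
    m = DID_RE.match(did)
    if not m:
        raise ValueError(f"malformed base DID in {url!r}")
    # parse_qs returns lists; keep the last value given for each parameter.
    params = {k: v[-1] for k, v in parse_qs(parts.query, keep_blank_values=True).items()}
    return DidUrl(did=did, method=m.group(1), path=slash + path if slash else "",
                  params=params, fragment=parts.fragment)


def pins_version(u: DidUrl) -> bool:
    """True if the DID URL selects one specific version via versionId/versionTime."""
    return any(p in u.params for p in VERSION_PARAMS)


def check_version_identifier(gf_did: str, version_url: str):
    """Check a Primary Document version identifier against the GF's DID.

    Returns (ok, reason). Requiring a version parameter is this example's
    assumption about how "a unique DID URL per version" is satisfied; the
    metamodel text itself does not prescribe the mechanism.
    """
    try:
        gf = parse_did_url(gf_did)
        ver = parse_did_url(version_url)
    except ValueError as e:
        return False, str(e)
    if gf.path or gf.params or gf.fragment:
        return False, "GF identifier must be a bare DID, not a DID URL"
    if ver.did != gf.did:
        return False, f"version URL {ver.did} does not belong to GF {gf.did}"
    if not pins_version(ver):
        return False, "version URL does not pin a version (no versionId/versionTime)"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample values; did:example is the placeholder method used in DID Core.
    GF_DID = "did:example:gf123"
    for candidate in ("did:example:gf123?versionId=2",
                      "did:example:gf123/primary?versionTime=2021-05-10T17:00:00Z",
                      "did:example:gf123",
                      "did:example:other?versionId=2",
                      "https://example.com/gf/v2"):
        print(candidate, "->", check_version_identifier(GF_DID, candidate))
```

A bare DID (no version parameter) is rejected as a version identifier because it resolves to whatever the current DID document is, so two readers could be looking at different revisions of the Primary Document while citing the same identifier; a versionId or versionTime parameter makes the reference stable.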

...

This section is a non-normative general introduction to the GF whose purpose is to orient first-time readers as to the overall context of the GF. It:

...

  1. SHOULD be as short and concise as possible—ideally one sentence, or only a few sentences.

Scope

This is a statement of what is in and out of scope of the GF. It:

  1. SHOULD clearly state the primary Governed Actors in the Trust Community. (Note: the bullet referencing Objectives above this section has been deleted.)
  2. SHOULD state any other relevant stakeholders.
  3. SHOULD state the primary types of interactions or transactions these Governed Actors will be engaging in.
  4. SHOULD clearly state the high-level assets/artifacts (e.g. ledgers, transactions, agents, wallets, verifiable credentials, applications) under oversight by the GF.
  5. SHOULD, if applicable, clearly state who and what are out of scope.

...

...

Objectives

This states the high-level outcomes desired by the Trust Community through its adoption of the Governance Framework. It:

  1. SHOULD specify tangible, achievable results (e.g. SMART criteria and Fit-for-purpose criteria).
  2. SHOULD specify the intended overall outcomes to be produced by conformance with the Requirements in the GF.
  3. MUST only contain outcomes over which the GF has the authority and mechanisms to achieve within its Scope.
  4. MUST be consistent with its Principles.

Principles

This section states the Principles by which all members of the Trust Community have agreed to abide. It:

  1. SHOULD serve as a guide to the development of any Requirements based on each Principle ("Principles guide Requirements").
  2. SHOULD refer to existing Principles, whether defined by other ToIP GFs or by other sources, whenever possible.
  3. SHOULD be referenced (along with any other relevant parts of the GF) in any Legal Agreement between Members and the Governance Authority.
  4. MUST NOT include Requirements using RFC 2119 terms for which either human or machine conformance can be directly tested; those statements should be stated as Requirements elsewhere in the GF.

...

General Requirements

This section contains the Requirements that apply to the GF as a whole and not just in the context of a particular section of a Controlled Document. It:

  1. SHOULD include the Policies that:
    1. Apply generally to governance of the entire Trust Community;
    2. Apply to the structure of the GF, e.g., what Controlled Documents must be specified by whom and applied to whom;
    3. Guide the development of more specific Policies within the Controlled Documents.
  2. SHOULD NOT include Policies that apply only within the context of a specific category addressed by one of the Controlled Documents.
  3. MUST include Responsible Use Policies that apply generally to infrastructure governed by the GF.
  4. MUST include any Regulatory Compliance Policies that are not specified within particular Controlled Documents.

Revisions

This section contains the specific Policies governing revisions to the GF. It does not include Governance Policies for the Governance Authority or interdependent Governance Authorities (those are defined in Controlled Documents in the Governance Rules category). It:

  1. MUST state the full legal identity and contact information for the primary Governance Authority or interdependent Governance Authorities.
  2. MUST include Policies specifying how any revisions to the GF are identified, developed, reviewed, and approved.
  3. SHOULD include at least one public review period for any GF that will be available to the public.

...

  1. SHOULD be a single Controlled Document (even if it is organized by categories or other heuristics).
  2. SHOULD provide a common reference for all possibly ambiguous terms used throughout the GF.
  3. SHOULD reference the ToIP Glossary—or tagged subset(s) of the ToIP Glossary—for all terms defined there.
  4. SHOULD conform to standard requirements for a glossary, i.e., list all terms alphabetically (by language) for easy reference. [Rieks: OED (Lexico), Cambridge, Wikipedia, etc. say that a glossary IS already an alphabetically sorted list of words]
  5. MAY tag terms by category or usage.
  6. MAY specify that terms specific to one Controlled Document are defined in that Controlled Document.

...

This category includes links to an ISO 27005 (or compatible) risk assessment and framework-compliant Policies for managing risk. Controlled Documents in this category:

  • SHOULD identify key risks that MAY negatively affect the achievement of the GF's objectives within its scope.
  • SHOULD include a Risk Assessment process output that provides an assessment of each key risk that the GF is designed to address and mitigate.
  • SHOULD assess which Roles and Processes are vulnerable to each risk and how they are affected.
  • MAY include a Risk Treatment Plan (RTP) for how identified risks are treated (e.g. mitigated, avoided, accepted or transferred); however, all risks that are to be mitigated by Requirements in the GF SHOULD be identified.

Trust Assurance and Certification

This category specifies the Policies under which Governed Actors are held accountable against the Requirements of the GF. Controlled Documents in this category:

  1. SHOULD include a Trust Assurance Framework document that defines a scheme in which Roles assert compliance with the Policies of the GF and the mechanisms of assurance over those assertions.
  2. SHOULD (if applicable) define the roles of Auditors and Auditor Accreditors and the Policies governing their actions.
  3. SHOULD (if applicable) define the roles of Certification Authorities and the Policies governing their actions and relationships with the Governance Authority, Auditors, and Auditor Accreditors.
  4. SHOULD (if applicable) include Policies supporting the development, licensure, and usage of one or more Trust Marks.

Governance

...

These are the Requirements for governing the GF as a whole. Controlled Documents in this category:

  1. MUST specify the primary Governance Authority or all interdependent Governance Authorities (if any).
  2. MUST include Controlled Documents that specify Governance Policies for the primary Governance Authority or all interdependent Governance Authorities (e.g., Charter, Bylaws, Operating Rules, etc.).
  3. SHOULD address any antitrust Policies, intellectual property rights (IPR) Policies, confidentiality Policies, or other regulatory compliance Policies (SSP: I kept the word Policies here since these documents would be policy documents) under which the Trust Community Members agree to operate.
  4. SHOULD include any Policies governing enforcement of the GF and how Dispute Resolution will be handled.

...

Business Rules

These are the Policies and/or Rules governing the business model(s) of the GF and/or the sustainability of the Governance Authority, and the business rules to be followed by the Trust Community. Controlled Documents in this category:

  1. SHOULD clearly explain the exchange(s) of value within the Trust Community for which the GF is designed.
  2. SHOULD define the Policies and/or Rules governing how and when these exchanges of value take place.
  3. SHOULD define the Requirements for the use of any Rules Engines.
  4. SHOULD define how all Trust Community Members will be accountable for their actions in these exchanges.
  5. SHOULD define how the Governance Authority and the GF are sustainable under these Rules.

...

Technical Requirements

These are the Requirements governing technical interoperability. Controlled Documents in this category:

  1. MUST specify how Members of the Trust Community will interoperate technically using the ToIP Technology Stack by reference to ToIP Standard Specifications (TSS).
  2. SHOULD (if necessary) reference one or more specific ToIP Interoperability Profiles (TIPs).
  3. SHOULD specify any technical Policies or Specifications that are specific to this Trust Community.
  4. (New) SHOULD (if applicable) specify Rules defined in a GF-compatible or compliant Rules Engine.

Information Trust Requirements

These are the Requirements governing information security, privacy, availability, confidentiality and processing integrity as these terms are defined by the Committee of Sponsoring Organizations of the Treadway Commission (COSO) Internal Control - Integrated Framework. Controlled Documents in this category:

  1. MUST specify how Members of the Trust Community will ensure the following categories of Information Trust:
    1. Information security
    2. Information privacy
    3. Information availability
    4. Information confidentiality
    5. Information processing integrity
  2. SHOULD specify the relevant Information Trust Policies by reference to:
    1. ToIP Standard Specifications (TSS).
    2. Other regulatory or industry standards.
    3. GF-specific Policies.
    4. Trust Community Member-specific Policies.
    5. (new) GF-compatible or compliant Rules Engines.

Inclusion, Equitability, and Accessibility Requirements

These are the Policies governing how the GF enables fair and equal access to all. Controlled Documents in this category:

  1. MUST specify how Members of the Trust Community will enable and promote inclusion, equitability, and accessibility by reference to:
    1. ToIP Standard Specifications (TSS).
    2. Other regulatory or industry standards/guidelines.
    3. GF-specific Policies.
    4. Member-specific Policies.
    5. (new) GF-compatible or compliant Rules Engines.
  2. SHOULD specifically address how the GF is designed to help bridge (or eliminate) the digital divide.

...

  1. MUST include all legal agreements or contracts between Members and/or the Governance Authority.
  2. SHOULD reference the Glossary document for all terms not defined within.
  3. MUST clearly state the Governed Actors to whom these legal agreements apply.
  4. MUST define or reference all relevant accountability and enforcement mechanisms.
  5. SHOULD reference any other relevant Requirements in the balance of the GF.

...