...
- SHOULD clearly state the stakeholders in the Trust Community.
[Deleted bullet referencing Objectives above this section]
- SHOULD clearly state the high-level assets/artifacts (e.g. ledgers, transactions, agents, wallets, verifiable credentials, applications) under oversight by the GF.
- SHOULD, if applicable, clearly state who and what are out of scope.
Objectives
This states the high-level outcomes desired by the Governance Authority through its execution of its Governance Framework. It:
...
- SHOULD serve as a guide to the development of any ~~Policies~~ Directives based on each Principle ("Principles guide ~~Policies~~ Directives").
- SHOULD refer to existing Principles, whether defined by ToIP-Compatible GFs or by other bodies, whenever possible.
- SHOULD be referenced (along with any other relevant parts of the GF) in any Legal Agreement between Members and the Governance Authority.
- SHOULD NOT include language for which conformance can be directly tested; those statements should be included as ~~Policies~~ "MUST" Directives.
Primary
...
~~Policies~~ General Directives (since there can be SHOULDs and MAYs here, I think Directive is a better word than requirement)
This section contains the ~~Policies~~ Directives that apply to the GF as a whole and not just in the context of a particular Controlled Document. It:
- SHOULD include the ~~Policies~~ Directives that:
  - Apply generally to governance of the entire Trust Community;
  - Apply to the structure of the GF, e.g., what Controlled Documents must be specified by whom and applied to whom;
  - Guide the development of more specific ~~Policies~~ Directives within the Controlled Documents.
- SHOULD NOT include ~~Policies~~ Directives that apply only within the context of a specific category addressed by one of the Controlled Documents.
- MUST include Responsible Use ~~Policies~~ Directives that apply generally to infrastructure governed by the GF.
- MUST include any Regulatory Compliance ~~Policies~~ Directives that are not specified within particular Controlled Documents.
...
- SHOULD be a single Controlled Document (even if it is organized by categories or other heuristics).
- SHOULD provide a common reference for all possibly ambiguous terms used throughout the GF.
- SHOULD reference the ToIP Glossary—or tagged subset(s) of the ToIP Glossary—for all terms defined there.
- SHOULD list all terms alphabetically (by language) for easy reference. [Rieks: OED (Lexico), Cambridge, Wikipedia, etc., say that a glossary IS already an alphabetically sorted list of words]
- MAY tag terms by category or usage.
- MAY specify that terms specific to one Controlled Document are defined in that Controlled Document.
Risk Assessment
This category includes links to an ISO 27005 (or compatible) risk assessment and framework-compliant ~~policies~~ directives for managing risk. Controlled Documents in this category:
- SHOULD identify key risks that MAY negatively affect the achievement of the GF's purpose within its scope.
- SHOULD include a Risk Assessment process output that provides an assessment of each key risk that the GF is designed to address and mitigate.
- SHOULD assess which Roles and Processes are vulnerable to each risk and how they are affected.
- SHOULD include a Risk Treatment Plan (RTP) for how identified risks are treated (e.g. mitigated, avoided, accepted or transferred).
- SHOULD include a Trust Assurance Framework that defines how Roles assert compliance with the Policies of the GF and the mechanisms of assurance over those assertions.
- SHOULD (if applicable) define the roles of Auditors and Auditor Accreditors and the policies governing their actions.
- SHOULD (if applicable) define the roles of Certification Authorities and the Policies governing their actions and relationships with the Governance Authority, Auditors, and Auditor Accreditors.
- SHOULD (if applicable) include policies around the developing, licensing, and usage of one or more Trust Marks.
Risk Assessment, Trust Assurance Framework, and Certification
This category includes ~~policies for managing risk, including how parties can be certified against~~ directives constituting a program whereby parties MUST, SHOULD or MAY be held accountable against Directives of the GF. Controlled Documents in this category:
- SHOULD identify key risks that MAY negatively affect the achievement of the GF's purpose within its scope.
- SHOULD include a Risk Assessment process output that provides an assessment of each key risk that the GF is designed to address and mitigate.
- SHOULD assess which Roles and Processes are vulnerable to each risk and how they are affected.
- SHOULD include a Risk Treatment Plan (RTP) for how identified risks are treated (e.g. mitigated, avoided, accepted or transferred).
- SHOULD include a Trust Assurance Framework document that defines ~~how~~ a scheme in which Roles assert compliance with the ~~Policies~~ MUST Directives of the GF and the mechanisms of assurance over those assertions.
- SHOULD (if applicable) define the roles of Auditors and Auditor Accreditors and the policies governing their actions.
- SHOULD (if applicable) define the roles of Certification Authorities and the ~~Policies~~ Directives governing their actions and relationships with the Governance Authority, Auditors, and Auditor Accreditors.
- SHOULD (if applicable) include ~~policies~~ directives around the developing, licensing, and usage of one or more Trust Marks.
Governance ~~Rules~~ Directives
These are the ~~Rules~~ Directives for governing the GF as a whole. Controlled Documents in this category:
- MUST specify the primary Governance Authority or all interdependent Governance Authorities (if any).
- MUST include Controlled Documents that specify ~~governance Policies~~ Governance Directives for the primary Governance Authority or all interdependent Governance Authorities (e.g., Charter, Bylaws, Operating Rules, etc.).
- SHOULD address any antitrust Policies, intellectual property rights (IPR) Policies, confidentiality Policies, or other regulatory compliance policies (SSP: I kept the word Policies here since these documents would be policy documents) under which the stakeholders agree to operate.
- SHOULD include any ~~Policies~~ directives governing enforcement of the GF and how Dispute Resolution will be handled.
Business ~~Rules~~ Directives
These are the ~~Rules~~ Directives governing the business model(s) of the GF and/or the sustainability of the Governance Authority. Controlled Documents in this category:
- SHOULD clearly explain the exchange(s) of value within the Trust Community for which the GF is designed.
- SHOULD define the ~~Policies~~ Directives governing how and when these exchanges of value take place.
- SHOULD define how all Members will be accountable for their actions in these exchanges.
- SHOULD define how the Governance Authority and the GF are sustainable under these Rules.
Technical ~~Rules~~ Directives
These are the ~~Rules~~ Directives governing technical interoperability. Controlled Documents in this category:
- MUST specify how Members of the Trust Community will interoperate technically using the ToIP Technology Stack by reference to ToIP Standard Specifications (TSS).
- SHOULD (if necessary) reference one or more specific ToIP Interoperability Profiles (TIPs).
- SHOULD specify any technical Policies or Specifications that are specific to this Trust Community.
- (New) SHOULD (if applicable) specify Rules defined in a GF-compliant Rules Engine.
Information Trust ~~Rules~~ Directives
These are the ~~Rules~~ Directives governing information security, privacy, availability, confidentiality and processing integrity, as these terms are defined by the AICPA for service organizations. Controlled Documents in this category:
- MUST specify how Members of the Trust Community will ensure the following categories of Information Trust:
- SHOULD specify the relevant Information Trust Policies by reference to:
  - ToIP Standard Specifications (TSS).
  - Other regulatory or industry standards.
  - GF-specific ~~Policies~~ Directives.
  - Member-specific ~~Policies~~ Directives.
  - (New) GF-compliant Rules Engines.
Inclusion, Equitability, and Accessibility ~~Rules~~ Directives
These are the ~~Rules~~ Directives governing how the GF enables fair and equal access to all. Controlled Documents in this category:
- MUST specify how Members of the Trust Community will enable and promote inclusion, equitability, and accessibility by reference to:
  - ToIP Standard Specifications (TSS).
  - Other regulatory or industry standards/guidelines.
  - GF-specific Policies.
  - Member-specific Policies.
  - (New) GF-compliant Rules Engines.
- SHOULD specifically address how the GF is designed to help bridge (or eliminate) the digital divide.
...
- MUST include all legal agreements or contracts between Members and/or the Governance Authority.
- SHOULD reference the Glossary document for all terms not defined within.
- MUST clearly state the parties to whom these legal agreements apply.
- MUST define or reference all relevant accountability and enforcement mechanisms.
- SHOULD reference any other relevant ~~Policies~~ Directives in the balance of the GF.
...