Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

  1. SHOULD clearly state the stakeholders in the Trust Community.

  2. (Info: Deleted bullet referencing Objectives above this section) SHOULD clearly state the high-level assets/artifacts (e.g. ledgers, transactions, agents, wallets, verifiable credentials, applications) under oversight by the GF.

  3. SHOULD, if applicable, clearly state who and what are out of scope.
Info: New Content

Objectives

This states the high-level outcomes desired by the Governance Authority through its execution of its Governance Framework. It:

  1. SHOULD specify tangible, achievable results (e.g. SMART criteria and Fit-for-purpose criteria).
  2. SHOULD specify the intended overall outcomes of the Rules and Policies Directives in the GF.
  3. MUST align with its Purpose.
  4. MUST only contain outcomes over which the GF has the authority and mechanisms to achieve within its Scope.
  5. SHOULD consider its Principles.

...

  1. SHOULD serve as a guide to the development of any Policies Directives based on each Principle ("Principles guide Policies Directives").
  2. SHOULD refer to existing Principles—whether defined by ToIP-Compatible GFs or by other bodies—whenever possible.
  3. SHOULD be referenced (along with any other relevant parts of the GF) in any Legal Agreement between Members and the Governance Authority.
  4. SHOULD NOT include language for which conformance can be directly tested — those statements should be included as Policies "MUST" Directives.

Primary

...

Policies  General Directives (since there can be should and mays here, I think Directive is a better word than requirement)

This section contains the Policies Directives that apply to the GF as a whole and not just in the context of a particular Controlled Document. It:

  1. SHOULD include the Policies  Directives that:
    1. Apply generally to governance of the entire Trust Community;
    2. Apply to the structure of the GF, e.g., what Controlled Documents must be specified by whom and applied to whom.
    3. Guide the development of more specific Policies Directives within the Controlled Documents.
  2. SHOULD NOT include Policies Directives that apply only within the context of a specific category addressed by one of the Controlled Documents.
  3. MUST include Responsible Use Policies Directives that apply generally to infrastructure governed by the GF.
  4. MUST include any Regulatory Compliance Policies Directives that are not specified within particular Controlled Documents.

...

  1. SHOULD be a single Controlled Document (even if it is organized by categories or other heuristics).
  2. SHOULD provide a common reference for all possibly ambiguous terms used throughout the GF.
  3. SHOULD reference the ToIP Glossary—or tagged subset(s) of the ToIP Glossary—for all terms defined there.
  4. SHOULD list all terms alphabetically (by language) for easy reference. [Rieks: OED (Lexico), Cambridge, Wikipedia, etc. say that a glossary IS already an alphabetically sorted list of words]
  5. MAY tag terms by category or usage.
  6. MAY specify that terms specific to one Controlled Document are defined in that Controlled Document.

Risk Assessment

This category includes links to an ISO 27005 (or compatible) risk assessment and for framework compliant policies directives for managing risk. Controlled Documents in this category:

  1. SHOULD identify key risks that MAY negatively affect the achievement of the GF's purpose within its scope.
  2. SHOULD include a Risk Assessment process output that provides an assessment of each key risk that the GF is designed to address and mitigate.
  3. SHOULD assess which Roles and Processes are vulnerable to each risk and how they are affected.
  4. SHOULD include a Risk Treatment Plan (RTP) for how identified risks are treated (e.g. mitigated, avoided, accepted or transferred).
  5. SHOULD include a Trust Assurance Framework that defines how Roles assert compliance with the Policies of the GF and the mechanisms of assurance over those assertions.
  6. SHOULD (if applicable) define the roles of Auditors and Auditor Accreditors and the policies governing their actions.
  7. SHOULD (if applicable) define the roles of Certification Authorities and the Policies governing their actions and relationships with the Governance Authority, Auditors, and Auditor Accreditors.
  8. SHOULD (if applicable) include policies around the developing, licensing, and usage of one or more Trust Marks.

Risk Assessment, Trust Assurance Framework, and Certification

This category includes policies for managing risk, directives including how parties can be certified against  constituting a program whereby parties MUST, SHOULD or MAY be held accountable against Directives of the GF. Controlled Documents in this category:

  1. SHOULD identify key risks that MAY negatively affect the achievement of the GF's purpose within its scope.
  2. SHOULD include a Risk Assessment process output that provides an assessment of each key risk that the GF is designed to address and mitigate.
  3. SHOULD assess which Roles and Processes are vulnerable to each risk and how they are affected.
  4. SHOULD include a Risk Treatment Plan (RTP) for how identified risks are treated (e.g. mitigated, avoided, accepted or transferred).
  5. SHOULD include a Trust Assurance Framework document that defines how a scheme in which Roles assert compliance with the Policies MUST Directives of the GF and the mechanisms of assurance over those assertions.
  6. SHOULD (if applicable) define the roles of Auditors and Auditor Accreditors and the policies governing their actions.
  7. SHOULD (if applicable) define the roles of Certification Authorities and the Policies Directives governing their actions and relationships with the Governance Authority, Auditors, and Auditor Accreditors.
  8. SHOULD (if applicable) include policies directives around the developing, licensing, and usage of one or more Trust Marks.

Governance Rules Directives

These are the Rules Directives for governing the GF as a whole. Controlled Documents in this category:

  1. MUST specify the primary Governance Authority or all interdependent Governance Authorities (if any).
  2. MUST include Controlled Documents that specify governance Governance Policies Directives for the primary Governance Authority or all interdependent Governance Authorities (e.g., Charter, Bylaws, Operating Rules, etc.)
  3. SHOULD address any antitrust Policies, intellectual property rights (IPR) Policies, confidentiality Policies, or other regulatory compliance policies (SSP - I kept the word Policies here since these documents would be policy documents ) under which the stakeholders agree to operate.
  4. SHOULD include any Policies directives governing enforcement of the GF and how Dispute Resolution will be handled.

Business Rules Directives

These are the Rules Directives governing the business model(s) of the GF and/or sustainability of the Governance Authority. Controlled Documents in this category:

  1. SHOULD clearly explain the exchange(s) of value within the Trust Community for which the GF is designed.
  2. SHOULD define the Policies Directives governing how and when these exchanges of value take place.
  3. SHOULD define how all Members will be accountable for their actions in these exchanges.
  4. SHOULD define how the Governance Authority and the GF are sustainable under these Rules.

Technical Rules Directives

These are the Rules Directives governing technical interoperability. Controlled Documents in this category:

  1. MUST specify how Members of the Trust Community will interoperate technically using the ToIP Technology Stack by reference to ToIP Standard Specifications (TSS).
  2. SHOULD (if necessary) reference one or more specific ToIP Interoperability Profiles (TIPs).
  3. SHOULD specify any technical Policies or Specifications that are specific to this Trust Community.
  4. (New) SHOULD (if applicable) specify Rules defined in a GF-compliant Rules Engine.

Information Trust Rules Directives

These are the Rules Directives governing information security, privacy, availability, confidentiality and processing integrity as these terms are defined by the AICPA for service organizations. Controlled Documents in this category:

  1. MUST specify how Members of the Trust Community will ensure the following categories of Information Trust:
    1. Information security
    2. Information privacy
    3. Information availability
    4. Information confidentiality
    5. Information processing integrity
  2. SHOULD specify the relevant Information Trust Policies by reference to:
    1. ToIP Standard Specifications (TSS).
    2. Other regulatory or industry standards.
    3. GF-specific Policies Directives.
    4. Member-specific Policies Directives.
    5. (New) GF-compliant Rules Engines.

Inclusion, Equitability, and Accessibility Rules Directives

These are the Rules Directives governing how the GF enables fair and equal access to all. Controlled Documents in this category:

  1. MUST specify how Members of the Trust Community will enable and promote inclusion, equitability, and accessibility by reference to:
    1. ToIP Standard Specifications (TSS).
    2. Other regulatory or industry standards/guidelines.
    3. GF-specific Policies.
    4. Member-specific Policies.
    5. (New) GF-compliant Rules Engines.
  2. SHOULD specifically address how the GF is designed to help bridge (or eliminate) the digital divide.

...

  1. MUST include all legal agreements or contracts between Members and/or the Governance Authority.
  2. SHOULD reference the Glossary document for all terms not defined within.
  3. MUST clearly state the parties to whom these legal agreements apply.
  4. MUST define or reference all relevant accountability and enforcement mechanisms.
  5. SHOULD reference any other relevant Policies relevant Policies Directives in the balance of the GF.

...