...

The balance of this page consists of the structure of the proposed metamodel and the directives for each component. In these directives the key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" are to be interpreted as defined in RFC 2119.

...

  1. SHOULD include the Directives that:
    1. Apply generally to governance of the entire Trust Community;
    2. Apply to the structure of the GF, e.g., what Controlled Documents must be specified by whom and applied to whom;
    3. Guide the development of more specific Directives within the Controlled Documents.
  2. SHOULD NOT include Directives that apply only within the context of a specific category addressed by one of the Controlled Documents.
  3. MUST include Responsible Use Directives that apply generally to infrastructure governed by the GF.
  4. MUST include any Regulatory Compliance Directives that are not specified within particular Controlled Documents.

...

This section specifies how revisions to the GF are governed. It does not include Governance Directives for the Governance Authority or interdependent Governance Authorities (those are defined in Controlled Documents in the Governance Rules category). It:

  1. MUST state the full legal identity and contact information for the primary Governance Authority or interdependent Governance Authorities.
  2. MUST include Directives specifying how any revisions to the GF are identified, developed, reviewed, and approved.
  3. SHOULD include at least one public review period for any GF that will be available to the public.

...

This category includes links to an ISO 27005 (or compatible) risk assessment and framework-compliant directives for managing risk. Controlled Documents in this category:

  • SHOULD identify key risks that MAY negatively affect the achievement of the GF's objectives within its scope.
  • SHOULD include a Risk Assessment process output that provides an assessment of each key risk that the GF is designed to address and mitigate.
  • SHOULD assess which Roles and Processes are vulnerable to each risk and how they are affected.
  • MAY include a Risk Treatment Plan (RTP) for how identified risks are treated (e.g. mitigated, avoided, accepted or transferred); however, all risks that are to be mitigated by directives in the GF SHOULD be identified.
  • SHOULD include a Trust Assurance Framework that defines how Roles assert compliance with the Policies of the GF and the mechanisms of assurance over those assertions.
  • SHOULD (if applicable) define the roles of Auditors and Auditor Accreditors and the policies governing their actions.
  • SHOULD (if applicable) define the roles of Certification Authorities and the Policies governing their actions and relationships with the Governance Authority, Auditors, and Auditor Accreditors.
  • SHOULD (if applicable) include policies around the developing, licensing, and usage of one or more Trust Marks.

Risk Assessment, Trust Assurance Framework, and Certification

...