...
- Standard ToIP Roles at that layer (see the GSWG Process and Roles TF)
- Standard ToIP Processes in which actors in those roles are engaged (see the GSWG Process and Roles TF)
- Recommended Policies for Requirements for those Processes (see the GSWG Process and Roles TF)
- Standard Risks against which a Risk Assessment should be performed (see the GSWG Trust Assurance TF)
- Standard elements of a Trust Assurance Framework to address those risks (see the GSWG Trust Assurance TF)
...
| Info | ||
|---|---|---|
| ||
|
...
- SHOULD have a reference to the ToIP Foundation, the ToIP Stack, and the specific version of the ToIP Governance Template from which it was derived.
- MAY include an Acknowledgements an "Acknowledgements" section to acknowledge the contributors to the GF.
...
- SHOULD clearly state the primary Governed Actors Roles in the Trust Community.
SHOULD state any other relevant stakeholders.
- SHOULD state the primary types of interactions or transactions these Governed Actors Roles will be engaging in.
- SHOULD, if applicable, clearly state who and what are out of scope.
...
- SHOULD serve as a guide to the development of any Requirements based Requirement based on each Principle ("Principles guide Policies").
- SHOULD refer to existing Principles—whether defined by other ToIP GFs or by other sources—whenever possible.
- SHOULD be referenced (along with any other relevant parts of the GF) in any Legal Agreement between Members and the Governance Authority.
- MUST NOT include requirements using RFC 2119 terms for which either human or machine conformance can be directly tested — those should be stated as Requirements elsewhere in the GF.
...
This section contains Requirements that apply to the GF as a whole and not just in the context of a particular Controlled Document. It:
- SHOULD include the Policies thatRequirements that:
- Apply generally to governance of the entire Trust Community;
- Apply to the structure of the GF, e.g., what Controlled Documents must be specified by whom and applied to whom.
- Guide the development of more specific Policies within Requirements within the Controlled Documents.
- SHOULD NOT include Policies that Requirements that apply only within the context of a specific category addressed by one of the Controlled Documents.
- MUST include Responsible Use Policies that apply generally to infrastructure governed by the GF.
- MUST include any Regulatory Compliance Policies that are not specified within particular Controlled Documents.
...
This section contains the specific Policies Requirements governing revisions to the GF. It does not include Governance Policies for Requirements for the Governance Authority or interdependent Governance Authorities (those are defined in Controlled Documents in the Governance category). It:
- MUST state the full legal identity and contact information for the primary Governance Authority or interdependent Governance Authorities.
- MUST include Policies specifying Requirements specifying how any revisions to the GF are identified, developed, reviewed, and approved.
- SHOULD include at least one public review period for any GF that will be available to the public.
...
- SHOULD identify key risks that MAY negatively affect the achievement of the GF's purpose and objectives within its scope.
- SHOULD include a Risk Assessment process output that provides an assessment of each key risk that the GF is designed to address and mitigate.
- SHOULD assess which Roles and Processes are vulnerable to each risk and how they are affected.
- MAY include a Risk Treatment Plan (RTP) for how identified risks are treated (e.g. mitigated, avoided, accepted or transferred); however, all risks that are to be mitigated by directives mandates in the GF SHOULD be identified.
Trust Assurance and Certification
This category specifies Policies Trust Criteria for Governed Actors be Parties be held accountable against Requirements of the GF. Controlled Documents in this category:
- SHOULD include a Trust Assurance Framework document that defines a scheme in which Roles Governed Parties assert compliance with the Policies of the GF and the mechanisms of assurance over those assertions.
- SHOULD (if applicable) define the roles of Auditors and Auditor Accreditors and the directives governing their actions.
- SHOULD (if applicable) define the roles of Certification Authorities of Certifying Parties and the Policies requirements governing their actions and relationships with the Governance Authority, Auditors, and Auditor Accreditors.
- SHOULD (if applicable) include Policies requirements supporting the development, licensure, and usage of one or more Trust Marks.
...
- MUST specify the primary Governance Authority or all interdependent Governance Authorities (if any).
- MUST include Controlled Documents that specify Governance Policies requirements for the primary Governance Authority or all interdependent Governance Authorities (e.g., Charter, Bylaws, Operating Rules, etc.)
- SHOULD address any antitrust Antitrust Policies, intellectual property rights Intellectual Property Rights (IPR) Policies, confidentiality Confidentiality Policies, or other regulatory compliance policies requirements under which the Trust Community Members agree to operate.
- SHOULD include any Policies governing requirements governing enforcement of the GF and how Dispute Resolution will be handled.
Business Requirements
These are the Polices and/or Rules requirements governing the business model(s) and business rules to be followed by the Trust Community. Controlled Documents in this category:
...
- MUST include all legal agreements or contracts between Members and/or the Governance Authority.
- SHOULD reference the Glossary document for all terms not defined within.
- MUST clearly state the Governed Actors Parties to whom these legal agreements apply.
- MUST define or reference all relevant accountability and enforcement mechanisms.
- SHOULD reference any other relevant Requirements in the balance of the GF.
...