- Requirements include any combination of Machine-Testable Requirements and Human-Auditable Requirements. Unless otherwise stated, all Requirements MUST be expressed as defined in RFC 2119.
- Mandates are Requirements that use a MUST, MUST NOT, SHALL, SHALL NOT or REQUIRED keyword.
- Recommendations are Requirements that use a SHOULD, SHOULD NOT, or RECOMMENDED keyword.
- Options are Requirements that use a MAY or OPTIONAL keyword.
- Machine-Testable Requirements are those with which compliance can be verified using an automated test suite and appropriate scripting or testing software.
- Rules are Machine-Testable Requirements that are written in a Machine-Readable language and can be processed by a Rules Engine. They are expressed in a structured rules language as specified by the GF.
- Human-Auditable Requirements are those with which compliance can only be verified by a human audit of Policies, Processes, and Practices.
- Policies are Human-Auditable Requirements written using standard conformance terminology. For Policies used in ToIP Governance Frameworks, the standard terminology is RFC 2119 keywords. Note that all RFC 2119 keywords have weight from an auditing perspective. An implementer MUST explain why a SHOULD or RECOMMENDED requirement was not implemented and SHOULD explain why a MAY requirement was implemented.
- Processes are Human-Auditable Requirements that specify actions and methods to achieve Policy objectives.
- Practices are activities within Processes to achieve Process requirements.
- Specifications are documents containing any combination of Machine-Testable Requirements and Human-Auditable Requirements needed to produce technical interoperability.
|