-
Notifications
You must be signed in to change notification settings - Fork 27
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Refine RISK taxonomy into a single consistent hierarchy #181
Comments
Discussed with Rob Brennan, Delaram, and Julio who were involved in creating the risk assessment concepts. Conclusion: we have |
- In RISK extension, the taxonomy has been restructured as per the discussion in #181 where there is a single taxonomy under `dpv:RiskConcept` as the top concept - The concept `dpv:RiskConcept` has been added to DPV, and the other corresponding risk concepts have been declared as its subclass - The consequences and impacts taxonomy has been restructured and grouped into more 'organic' categories rather than arbitrary ones - Cosmetic changes to RISK include a new empty incident report section to be filled in the future, and a better visual representation of the risk matrixes in a table
- In RISK extension, the taxonomy has been restructured as per the discussion in #181 where there is a single taxonomy under `dpv:RiskConcept` as the top concept - The concept `dpv:RiskConcept` has been added to DPV, and the other corresponding risk concepts have been declared as its subclass - The consequences and impacts taxonomy has been restructured and grouped into more 'organic' categories rather than arbitrary ones - Cosmetic changes to RISK include a new empty incident report section to be filled in the future, and a better visual representation of the risk matrixes in a table
- RiskConcepts under ExternalSecurityThreat and OperationalSecurityRisk have been reorganised under the Confidentiality, Integrity, Availability (CIA) InfoSec triad - see #181 for discussion
Rob suggested we have the CIA triad from InfoSec in there somewhere as it will help security folks find the right concept. I have re-organised the risk sources / threats concepts under CIA and kept the other groups regarding impact. See live at: https://dev.dpvcg.org/2.1-dev/risk/ |
- creates a new structuring/organisation of RISK taxonomy related to risk sources, risks, consequences, and impacts where each concept can take on different roles depending on the use-case - to express this, each concept is created as an instance of new concepts e.g. `PotentialRiskSource` or `PotentialImpact` - the concepts are now provided in a module `risk_taxonomy` instead of `risk_consequences` (which has been deleted) - the HTML documentation provides new sections for each of the `Potential...` concept along with an overview table for roles - the HTML documentation does NOT provide description of the new model or examples, this is TODO - this work is with thanks to discussions with @DelaramGlp and Rob Brennan - #182 added bias concepts - #185 removed risk:Fee as it has been added to DPV as dpv:FeeRequirement - #190 added discrimination concepts - #184 added rights impact concepts in RISK
- in RISK, the taxonomy concepts are additionally structured by technical, organisational, legal, and societal - in RISK, the taxonomy concepts have a base as potential risk source, potential risk, potential consequence, or potential impact - in RISK HTML, there is a table showing each concept and the role it can take - there are stubs in the HTML where description and examples are to be added - relevant issue is #181
Specs
RISK
New Concept(s)
Refine the RISK taxonomy of concepts to create a single hierarchy of 'events' which the adopter then chooses with a role: risk, consequence, impact, or risk source.
Changed Concept(s)
No response
The text was updated successfully, but these errors were encountered: