fix(C12,C14): remove governance-only controls outside AISVS scope#845
vtknightmare wants to merge 1 commit into
The premise checks out. The rule it cites is real ( Two things worth addressing:

1. Dangling reference (needs a fix). Removing 14.2.3 leaves an orphaned row in the controls inventory.
2. 12.4.3: reword instead of deleting? The DPIA trigger is governance, agreed. But the mechanism itself, a policy-as-code gate that blocks redeployment outside a model's purpose, is a legitimate technical control. Once it's gone, C12.4 has no deployment-time purpose enforcement left, only tagging (12.4.1) and runtime monitoring (12.4.2). I'd suggest keeping it and rewording to drop the compliance framing, something like:

Removing 12.4.4 and folding 14.2.3 into 14.2.1 both look good.
In my opinion ok to merge as is, after fixing Rico's first point of appendix references.
Good catch on the AppD row. The 14.2.3 entry at line 465 is folded into the 14.2.1 row and removed. On 12.4.3: you're right, the mechanism is worth keeping. Reworded to drop the DPIA framing and reference the purpose tag from 12.4.1 instead: "Verify that policy-as-code gates block redeployment of a model to a purpose or domain not covered by its purpose tag (12.4.1)." 12.4.4 and the 14.2.3 fold both unchanged.
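The policy-as-code gate that the reworded 12.4.3 describes, as an added example that is not part of this PR or of the AISVS project: a fail-closed check of a redeployment request against the purpose tags recorded for a model at registration (12.4.1). The registry record shape, the `domain/task` tag format and the `domain/*` domain-wide tag are assumptions made for this example, as are the sample model names.

```python
from dataclasses import dataclass

# Constructed sample registry: model id -> purpose tags recorded at registration (12.4.1).
# The "domain/task" format and the "domain/*" domain-wide tag are assumptions for this example.
MODEL_REGISTRY = {
    "fraud-scorer-v3": {"purpose_tags": frozenset({"payments/fraud-detection"})},
    "support-summarizer-v1": {"purpose_tags": frozenset({"support/*"})},
    "legacy-ranker": {},  # registered before purpose tagging was enforced: no tag at all
}


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str  # human-readable reason, suitable for the deployment pipeline's audit log


def check_redeployment(model_id: str, target_domain: str, target_task: str,
                       registry: dict = MODEL_REGISTRY) -> Decision:
    """Allow a deployment only if its target purpose is covered by the model's purpose tag.

    Unknown models and models without a recorded purpose tag are denied: the gate fails
    closed rather than letting an untagged model be repurposed silently.
    """
    record = registry.get(model_id)
    if record is None:
        return Decision(False, f"{model_id}: not present in the model registry")
    tags = record.get("purpose_tags", frozenset())
    if not tags:
        return Decision(False, f"{model_id}: no purpose tag recorded (12.4.1), denying by default")
    requested = f"{target_domain}/{target_task}"
    if requested in tags or f"{target_domain}/*" in tags:
        return Decision(True, f"{model_id}: {requested} is covered by purpose tag")
    return Decision(False, f"{model_id}: {requested} is not covered by {sorted(tags)}")


def gate(requests: list[tuple[str, str, str]], registry: dict = MODEL_REGISTRY) -> list[Decision]:
    """Evaluate a batch of (model_id, domain, task) deployment requests; the pipeline step
    that calls this should refuse the whole release if any decision is not allowed."""
    return [check_redeployment(m, d, t, registry) for m, d, t in requests]


if __name__ == "__main__":
    # Constructed release manifest: one in-purpose deployment and two out-of-purpose ones.
    manifest = [
        ("fraud-scorer-v3", "payments", "fraud-detection"),
        ("fraud-scorer-v3", "marketing", "lead-scoring"),
        ("legacy-ranker", "search", "ranking"),
    ]
    for decision in gate(manifest):
        print("ALLOW" if decision.allowed else "DENY ", decision.reason)
```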
Preface rule: controls that serve only operational, governance, compliance,
or business objectives are out of scope.
- C12 12.4.3: reword instead of delete (review feedback). The DPIA trigger
is governance, but the mechanism itself (policy-as-code gate blocking
redeployment outside a model's purpose) is a legitimate technical control.
Reworded to reference the purpose tag from 12.4.1 rather than DPIA.
- C12 12.4.4: remove ('formal traceability proofs of consent scope' are legal
audit evidence, not an implementable technical control).
- C14: fold the policy intent of 14.2.3 into 14.2.1 and remove the standalone
control, which described a governance authorization process.
- AppD: fold the orphaned 14.2.3 row into the 14.2.1 row and remove it,
to match the chapter change.
Preface rule: 'Controls that serve only operational, governance, compliance, or business objectives are out of scope.'