Tagged: GRC
Governance, Risk, Compliance concepts and workflows
Pages with this tag
Framework landscape
Overview of common compliance frameworks and their data structures.
Vision
Short and long-term goals for Crosswalker.
Challenge 39: Is there a unified-model spine — and is it CRI?
Stress-test the assumption that the unified risk/audit/GRC model has a single spine and that the spine is the CRI Profile. Evaluate spine candidates (CRI, SCF/STRM, NIST CSF 2.0, NIST 800-53, ISO 27001/27002, synthetic/derived) against coverage, sector-neutrality, mapping availability, license, and durability — and seriously consider hub-and-spoke, peer-mesh, and no-designated-spine alternatives. Foundational input to the unified-model shape and to ingestion sequencing.
Challenge 40: Control, risk, or obligation as the backbone entity?
Decide what the unified model's nodes actually are — does everything hang off controls, risks, or obligations? Stress-test the implicit control-centric assumption against a risk-centric and an obligation-centric model, and determine whether the backbone is a single entity type or a small fixed set with typed edges. Feeds the unified-model shape and the Tier 1 schema.
Challenge 41: Is internal audit a spine element or a lens? (and what to name the model)
Determine whether internal audit is a first-class structural element of the unified model or a consumer/lens over it — and let the model's name fall out of that decision. Weigh 'Unified Risk and Audit Model' against 'Unified Assurance Model', 'Unified GRC Model', and others. Naming follows structure, not the reverse.
Institutional ontology landscape — planning
Planning the documentation of how institutions create, maintain, map, regulate, and consume ontologies — the human side of ontology evolution.
Institutional landscape decisions
Decisions on how to document the institutional ontology landscape — layout, structure, tech approach, and scope.
Ontological foundations of the Unified Control Assurance and Risk Model
A key foundations log defining the core categories of the security/GRC/risk/audit problem domains and how they relate — the five 'kinds of being' (objective, risk, obligation, control, audit/finding) as the foundation, structured around the three useful practitioner perspectives that name the model: Control (GRC-operational), Assurance (audit), and Risk (risk management). Covers the prudential-vs-deontic split, why obligation is broader than compliance (governance vs regulatory vs contractual source), why risk is the ontologically strangest category, and why control earns the center. Name chosen: Unified Control Assurance and Risk Model; remaining calls flagged open.
Ch 19 deliverable: Over-engineering stress test — radically simplify with narrow tiered escape hatch
Fresh-agent adversarial research deliverable for Challenge 19. Bottom line: the architecture has lost the property of 'simpler thing becomes default because it's more adoptable.' Five concrete arguments: (1) competitive landscape (Hyperproof/Drata/Vanta hide crosswalk complexity from users; Excel + SharePoint baseline is what Crosswalker actually competes with); (2) SSSOM has zero GRC adoption (~50K downloads/month, all biomedical); STRM (NIST IR 8477) + OSCAL is what NIST OLIR / SCF actually use; (3) audit trail wildly over-specified vs FRE 902(13)/(14) requirements (hash + qualified-person cert + git is the legal floor); (4) 5 MB three-engine WASM bundle is 10–50× the Obsidian plugin median; SCF (1,400 controls × 261 frameworks) ships as one Excel file; recursive CTEs handle 3-hop closures over 10K edges in single-digit ms; (5) concrete 'simple default' proposal: markdown + YAML frontmatter (STRM) + git + signed releases + Dataview + STRM-TSV/OSCAL export, under 500 KB. Layered engines as separate opt-in companion plugins.
Control-centric vs obligation-centric compliance
Two distinct jobs both called "compliance" — control-centric (maintain a control library + framework crosswalks) vs obligation-centric (track laws and their changes). They need different tools. An informal-but-useful distinction (not a formal standard, and not the IIA Three Lines Model).
Framework standards & tools
Reference guide to compliance frameworks, mapping standards, and GRC tools relevant to Crosswalker.
Institutional landscape
The entities, relationships, and dynamics of who creates, maintains, maps, mandates, and consumes structured ontologies — the human side of ontology management.