|
1040 | 1040 | "required": [ |
1041 | 1041 | "bom-ref", |
1042 | 1042 | "type", |
| 1043 | + "cadence", |
1043 | 1044 | "timestamp" |
1044 | 1045 | ], |
1045 | 1046 | "additionalProperties": false, |
|
1053 | 1054 | "description": "A human-readable name for the assessment." |
1054 | 1055 | }, |
1055 | 1056 | "type": { |
| 1057 | + "type": "array", |
1056 | 1058 | "title": "Type", |
1057 | | - "description": "The kind of risk assessment. Use the custom option for kinds specific to an organization's process.", |
| 1059 | + "minItems": 1, |
| 1060 | + "uniqueItems": true, |
| 1061 | + "description": "The kinds of assessment performed, given as one or more named exercises or instruments. The type classifies the assessment exercise; the domains of risk evaluated are carried by the referenced risks rather than restated here. Use the custom option for kinds specific to an organization's process.", |
| 1062 | + "items": { |
| 1063 | + "oneOf": [ |
| 1064 | + { |
| 1065 | + "title": "Predefined Assessment Type", |
| 1066 | + "type": "string", |
| 1067 | + "enum": [ |
| 1068 | + "security", |
| 1069 | + "privacy", |
| 1070 | + "operational", |
| 1071 | + "safety", |
| 1072 | + "financial", |
| 1073 | + "environmental", |
| 1074 | + "supply-chain", |
| 1075 | + "compliance", |
| 1076 | + "data-protection-impact", |
| 1077 | + "fundamental-rights-impact", |
| 1078 | + "ai-impact", |
| 1079 | + "business-impact", |
| 1080 | + "third-party", |
| 1081 | + "threat", |
| 1082 | + "vulnerability", |
| 1083 | + "model-risk", |
| 1084 | + "fraud" |
| 1085 | + ], |
| 1086 | + "meta:enum": { |
| 1087 | + "security": "Security risk assessment, evaluating threats to the confidentiality, integrity, and availability of a subject.", |
| 1088 | + "privacy": "Privacy risk assessment, evaluating risks to individuals arising from the processing of personal data.", |
| 1089 | + "operational": "Operational risk assessment, evaluating risks to ongoing operations and continuity.", |
| 1090 | + "safety": "Safety risk assessment, evaluating risks of harm to people or property.", |
| 1091 | + "financial": "Financial risk assessment, evaluating exposure to financial loss, such as credit, market, or liquidity risk.", |
| 1092 | + "environmental": "Environmental risk assessment, evaluating the effect of an activity on the natural environment, including energy use and emissions.", |
| 1093 | + "supply-chain": "Supply chain risk assessment, evaluating risks across the chain that delivers a product or service, including software and hardware provenance, for example following [NIST SP 800-161](https://csrc.nist.gov/pubs/sp/800/161/r1/final).", |
| 1094 | + "compliance": "Compliance assessment, evaluating conformance with applicable laws, regulations, policies, or standards.", |
| 1095 | + "data-protection-impact": "Data protection impact assessment (DPIA), assessing high-risk processing of personal data, for example as described under Article 35 of the [GDPR](https://gdpr-info.eu/art-35-gdpr/).", |
| 1096 | + "fundamental-rights-impact": "Fundamental rights impact assessment (FRIA), evaluating the effect of a system on fundamental rights, for example as introduced for certain high-risk AI systems by the [EU AI Act](https://artificialintelligenceact.eu/).", |
| 1097 | + "ai-impact": "Artificial intelligence impact assessment, evaluating the risks and impacts of an AI system, for example following the [NIST AI Risk Management Framework](https://www.nist.gov/itl/ai-risk-management-framework).", |
| 1098 | + "business-impact": "Business impact analysis (BIA), evaluating the operational and financial consequences of disruption to a business function.", |
| 1099 | + "third-party": "Third-party risk assessment, evaluating the risk arising from a specific external party relationship, such as a vendor, supplier, or service provider, as distinct from the broader supply chain.", |
| 1100 | + "threat": "Threat assessment, evaluating the threats and threat actors relevant to a subject.", |
| 1101 | + "vulnerability": "Vulnerability assessment, evaluating weaknesses that could be exploited.", |
| 1102 | + "model-risk": "Model risk assessment, evaluating the risk that a decision or quantitative model is incorrect or misused, including model validation.", |
| 1103 | + "fraud": "Fraud risk assessment, evaluating exposure to fraudulent activity and the controls that detect or prevent it." |
| 1104 | + } |
| 1105 | + }, |
| 1106 | + { |
| 1107 | + "title": "Custom Assessment Type", |
| 1108 | + "type": "object", |
| 1109 | + "required": [ |
| 1110 | + "name" |
| 1111 | + ], |
| 1112 | + "additionalProperties": false, |
| 1113 | + "properties": { |
| 1114 | + "name": { |
| 1115 | + "type": "string", |
| 1116 | + "minLength": 1, |
| 1117 | + "title": "Name", |
| 1118 | + "description": "The name of the custom assessment type." |
| 1119 | + }, |
| 1120 | + "description": { |
| 1121 | + "type": "string", |
| 1122 | + "title": "Description", |
| 1123 | + "description": "A description of the custom assessment type." |
| 1124 | + } |
| 1125 | + } |
| 1126 | + } |
| 1127 | + ] |
| 1128 | + } |
| 1129 | + }, |
| 1130 | + "cadence": { |
| 1131 | + "title": "Cadence", |
| 1132 | + "description": "The temporal cadence or occasion on which the assessment is performed. Use the custom option for patterns specific to an organization's process.", |
1058 | 1133 | "oneOf": [ |
1059 | 1134 | { |
1060 | | - "title": "Predefined Assessment Type", |
| 1135 | + "title": "Predefined Assessment Cadence", |
1061 | 1136 | "type": "string", |
1062 | 1137 | "enum": [ |
1063 | 1138 | "initial", |
|
1067 | 1142 | "ad-hoc" |
1068 | 1143 | ], |
1069 | 1144 | "meta:enum": { |
1070 | | - "initial": "Initial, baseline risk assessment.", |
| 1145 | + "initial": "Initial, baseline assessment performed once at the outset.", |
1071 | 1146 | "periodic": "Scheduled, recurring assessment.", |
1072 | 1147 | "continuous": "Continuous, automated monitoring, as in a GRC engineering or continuous controls monitoring practice.", |
1073 | 1148 | "triggered": "Assessment triggered by a specific event, such as a change or an incident.", |
1074 | 1149 | "ad-hoc": "Unplanned, one-off assessment, neither scheduled nor triggered by a defined event." |
1075 | 1150 | } |
1076 | 1151 | }, |
1077 | 1152 | { |
1078 | | - "title": "Custom Assessment Type", |
| 1153 | + "title": "Custom Assessment Cadence", |
1079 | 1154 | "type": "object", |
1080 | 1155 | "required": [ |
1081 | 1156 | "name" |
|
1086 | 1161 | "type": "string", |
1087 | 1162 | "minLength": 1, |
1088 | 1163 | "title": "Name", |
1089 | | - "description": "The name of the custom assessment type." |
| 1164 | + "description": "The name of the custom assessment cadence." |
1090 | 1165 | }, |
1091 | 1166 | "description": { |
1092 | 1167 | "type": "string", |
1093 | 1168 | "title": "Description", |
1094 | | - "description": "A description of the custom assessment type." |
| 1169 | + "description": "A description of the custom assessment cadence." |
1095 | 1170 | } |
1096 | 1171 | } |
1097 | 1172 | } |
|