Re: [open-regulatory-compliance] FYI: The minutes for CRA Expert Group Meeting #1 are now public

The method for measuring trustworthiness (risk assessments) in software may need to follow a “common method”, similar to how credit reporting agencies in the US follow a defined method to calculate a “trust score”, like the US FICO score for a person, as an example.

All parties will need to apply the same “risk assessment logic/method” in order to produce a consistent means of communicating trustworthiness based on a risk assessment with consistent semantics, so that everyone will understand the difference between a risk assessment trust score of 50 and a score of 90.

Thanks,

Dick Brooks

Active Member of the CISA Critical Manufacturing Sector,
Sector Coordinating Council – A Public-Private Partnership

Never trust software, always verify and report!

Risk always exists, but trust must be earned and awarded.

https://businesscyberguardian.com/

Email: dick@xxxxxxxxxxxxxxxxxxxxxxxxx

Tel: +1 978-696-1788

From: open-regulatory-compliance <open-regulatory-compliance-bounces@xxxxxxxxxxx> On Behalf Of Daniel Thompson-Yvetot via open-regulatory-compliance
Sent: Thursday, March 6, 2025 11:27 AM
To: Open Regulatory Compliance Working Group <open-regulatory-compliance@xxxxxxxxxxx>
Cc: Daniel Thompson-Yvetot <denjell@xxxxxxxxxxxxxx>
Subject: Re: [open-regulatory-compliance] FYI: The minutes for CRA Expert Group Meeting #1 are now public

I was happy to see the EUCC mentioned, but am also concerned that the various stakeholder opinions diverge in needs for the "risk assessment".

Being clear about the expectations will be essential for any CAB to be able to properly (and neutrally) interpret the risks. In my opinion, the risk assessment must be associated with the four principles the CRA defines:
Availability: Ensuring systems remain operational and accessible when needed
Authenticity: Verifying that data and users are genuine
Integrity: Maintaining data accuracy and preventing unauthorized modifications
Confidentiality: Protecting sensitive information from unauthorized access

Cheers,

On Thu, Mar 6, 2025 at 5:22 PM Scott Lewis via open-regulatory-compliance <open-regulatory-compliance@xxxxxxxxxxx> wrote:

The document referenced has "7. List of participants" at the end, and the participants are listed by type, e.g. A, C, D.

Is there a definition of these types somewhere?

Thanks.

On 3/6/2025 6:54 AM, Lars Francke via open-regulatory-compliance wrote:
> https://ec.europa.eu/transparency/expert-groups-register/core/api/front/document/115256/download
> _______________________________________________
> open-regulatory-compliance mailing list
> open-regulatory-compliance@xxxxxxxxxxx
> To unsubscribe from this list, visit https://accounts.eclipse.org