For a TAS3-compliant Trust Network to gain a trustworthy reputation, and to ensure that belonging to the Trust Network really enables lower cost of operation through less fraud, improved trust, and ultimately less need for formal audits, it must undertake proactive and mandatory measures to monitor its activities and stop any fraudulent practices before they become a problem, ideally even before they become publicly known.
This section addresses Reqs. D1.2-2.11-Transp, D1.2-2.12-Compr, D1.2-2.15-Resp, D1.2-2.16-Mitigate, D1.2-2.17-AuditUntamp, D1.2-2.21-DataProtLaw, D1.2-2.22-GovtAccess, D1.2-12.13-Vfy, and D1.2-12.15-Valid.
In TAS3, monitoring should happen at the following levels:
Continued automated, robotic testing that compares results against both modelled expectations and past results. This is one of the focus areas of TAS3. See: On-line Compliance Testing (OCT).
Operations monitoring to determine the uptime and performance of services, as well as to detect anomalies. A trouble ticket system for reporting and rectifying operational errors, intrusion detection scans, and intrusion monitoring are also included here. Use of industry standard solutions is recommended, as TAS3 does not plan additional research in this area.
Log audit. Part of log audit is handled in operations monitoring, above, but logs contain a wealth of additional information, such as usage patterns to inform new investment and areas of innovation, which can be extracted using data mining techniques. Use of industry standard solutions is encouraged in general, as the only connection with TAS3 research is in the area of gathering inputs for reputation scoring.
Formal compliance audits should occasionally be carried out manually to ensure that the automated monitoring and audit mechanisms, above, are functioning correctly. These audits may be mandated by legislation or by governance agreement and are typically fairly costly affairs involving reputable outside consultants specializing in organizational and IT audits. The TAS3 contribution to this area stems from the recommendations and guidelines of the project legal team.
Administrative Oversight. The Trust Guarantor will take the necessary administrative steps to ensure that the Trust Network is adequately monitored, mostly automatically, but with necessary and timely manual intervention. The Trust Guarantor may, according to the Governance Agreement, be monitored by an Advisory Board, a Management Board, and ultimately a General Assembly.
Section 4.3.7 "Management" of [NexofRA09] discusses the need for management interfaces in service components. TAS3 is compatible with these requirements.