github.com/gemaraproj/gemara@v0.23.0

docs/model/05.1-Layer-1.md

---
layout: page
title: Layer 1
---

## Vectors & Guidance

The need for generic, high-level Risk Assessment is typically surfaced by factors or requirements far removed from the scope of the activity being assessed. Sometimes the need is made clear by a Rule such as legislation. Other times this type of activity is demanded as a precursor for Controls in a new technology category that has yet to be fully assessed, as has happened with the emergence of artificial intelligence.

When documenting a Vector, it is not necessary to capture the technological intricacies, such as the specific technologies involved at each step. The focus is on the opportunity for mistake or malice. Vectors can be documented independently or within a catalog, and may likewise be published as standalone artifacts or alongside related Guidance. The *techniques* in the [MITRE ATT&CK](https://attack.mitre.org/) framework are an example of Vectors.

The constituent parts of a Guidance, referred to as Guidelines, do not typically stand on their own; they are most often published together as a long-lived Guidance Catalog. Each Guideline often includes explanatory context and recommendations for designing toward optimal outcomes without foreknowledge of implementation details.

Guidance may be written internally for unique circumstances, but it is more often developed by industry groups, government agencies, or international standards bodies. Examples include the [OWASP Top 10](https://owasp.org/www-project-top-ten/), [NIST Cybersecurity Framework](https://www.nist.gov/cyberframework), [HIPAA](https://www.hhs.gov/hipaa/index.html), [GDPR](https://gdpr-info.eu/), [CRA](https://digital-strategy.ec.europa.eu/en/policies/cyber-resilience-act), or any of the [PCI](https://www.pcisecuritystandards.org/) and [ISO](https://www.iso.org) standards.

As shown in **Figure 5.1**, Vector artifacts can be referenced by both Guidance and Threats to accelerate authoring and increase fidelity. Similarly, Guidance artifacts can be referenced by Controls to demonstrate how a particular Control applies the respective Guideline.
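Once Vectors, Guidelines and Controls carry identifiers, the cross-references described above can be checked mechanically: every Vector a Guideline cites must exist, every Guideline a Control cites must exist, and it is worth knowing which Vectors no Guideline addresses at all. The Go program below is an added example written for this page; it is not code from the Gemara project, and its type and field names (`Vector`, `Guideline`, `GuidanceCatalog`, `Control`, `VectorIDs`, `GuidelineIDs`) are this example's own rather than Gemara's schema. The sample data is constructed: the three technique IDs are real ATT&CK identifiers, while the catalog, guideline and control IDs, and the dangling references `T9999` and `GL-99`, are made up to exercise the checks.

```go
package main

import (
	"fmt"
	"sort"
)

// Hypothetical shapes for this example only; these are not Gemara's schema.
type Vector struct{ ID, Title string }

type Guideline struct {
	ID        string
	VectorIDs []string // Vectors (e.g. ATT&CK techniques) this Guideline addresses
}

type GuidanceCatalog struct {
	ID         string
	Guidelines []Guideline
}

// A Control belongs to a later layer; only its references to Guidelines matter here.
type Control struct {
	ID           string
	GuidelineIDs []string
}

// CheckReferences returns a sorted list of dangling references: Guidelines that
// point at unknown Vectors and Controls that point at unknown Guidelines.
func CheckReferences(vectors []Vector, catalogs []GuidanceCatalog, controls []Control) []string {
	knownVectors := map[string]bool{}
	for _, v := range vectors {
		knownVectors[v.ID] = true
	}
	knownGuidelines := map[string]bool{}
	var problems []string
	for _, cat := range catalogs {
		for _, g := range cat.Guidelines {
			knownGuidelines[g.ID] = true
			for _, vid := range g.VectorIDs {
				if !knownVectors[vid] {
					problems = append(problems, fmt.Sprintf("guideline %s references unknown vector %s", g.ID, vid))
				}
			}
		}
	}
	for _, c := range controls {
		for _, gid := range c.GuidelineIDs {
			if !knownGuidelines[gid] {
				problems = append(problems, fmt.Sprintf("control %s references unknown guideline %s", c.ID, gid))
			}
		}
	}
	sort.Strings(problems)
	return problems
}

// Uncovered returns the sorted IDs of Vectors that no Guideline in any catalog references.
func Uncovered(vectors []Vector, catalogs []GuidanceCatalog) []string {
	referenced := map[string]bool{}
	for _, cat := range catalogs {
		for _, g := range cat.Guidelines {
			for _, vid := range g.VectorIDs {
				referenced[vid] = true
			}
		}
	}
	var out []string
	for _, v := range vectors {
		if !referenced[v.ID] {
			out = append(out, v.ID)
		}
	}
	sort.Strings(out)
	return out
}

// Sample returns constructed data: real ATT&CK technique IDs, made-up catalog, guideline and control IDs.
func Sample() ([]Vector, []GuidanceCatalog, []Control) {
	vectors := []Vector{{"T1078", "Valid Accounts"}, {"T1110", "Brute Force"}, {"T1566", "Phishing"}}
	catalogs := []GuidanceCatalog{{ID: "GC-EXAMPLE", Guidelines: []Guideline{
		{ID: "GL-01", VectorIDs: []string{"T1078", "T1110"}},
		{ID: "GL-02", VectorIDs: []string{"T9999"}}, // T9999 is not a known Vector
	}}}
	controls := []Control{
		{ID: "CTL-01", GuidelineIDs: []string{"GL-01"}},
		{ID: "CTL-02", GuidelineIDs: []string{"GL-99"}}, // GL-99 is not a known Guideline
	}
	return vectors, catalogs, controls
}

func main() {
	vectors, catalogs, controls := Sample()
	for _, p := range CheckReferences(vectors, catalogs, controls) {
		fmt.Println("dangling:", p)
	}
	for _, id := range Uncovered(vectors, catalogs) {
		fmt.Println("no guidance covers vector", id)
	}
}
```

Run against the sample, the program reports the two dangling references (`CTL-02` to `GL-99`, `GL-02` to `T9999`) and flags `T1566` as a Vector that no Guideline covers. A check of this kind belongs wherever catalogs are published, so that a renamed or retired Vector ID is caught before a Control silently points at nothing.
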
---

## Continue Reading

- **< Previous Page**: [The Definition Layers](./05-definition-layers)
- **> Next Page**: [Layer 2](./05.2-Layer-2)

---