
Membership

Contents:
Goal
Membership Criteria
Applying for Membership
Changes in a Member's Employment Status or Responsibilities
Membership Confirmation and Termination
Ex Officio Members
Membership Eligibility Examples

Goal

Develop a trusted community for sharing information regarding cybersecurity threats, incidents, response, and protection, specifically designed to support the unique environment and needs of higher education and research organizations. The trust community will provide a forum for sharing sensitive information, a source for trusted contact information, a meeting point for peers, a means to facilitate communications, and methods for improving cybersecurity awareness and response.

Membership Criteria

  1. An individual applies to join as a representative of his or her institution or organization.
  2. The individual must be actively involved in cyber-security protection or response in an official capacity for an institution of higher education, teaching hospital, research and education network provider, or government-funded research organization.
  3. The individual must be permanent staff (i.e. no students, contract workers, temps, etc.), and have or share principal responsibility for security protection, response, or management at the institution.
  4. The individual must have responsibility across the institution in whole or substantial part, that is, the individual must represent security for the institution. Representation of an individual campus of a multi-campus system is acceptable. Those with responsibility in an institutional division, such as a department, school, etc., don't qualify for membership unless guided by the exceptions listed in Criterion #8, or by specific recommendation of the institutional CIO, IT security officer, or other university-level executive.
  5. The individual must be vouched for by current REN-ISAC members according to the Normal or Sponsored Membership plans described in "Applying for Membership" below.
  6. The individual must abide by the REN-ISAC Confidentiality Policies and by specific sharing guidelines attached to shared information.
  7. The individual must be deemed responsible to the trust engendered among the membership.
  8. Requests from persons in other circumstances will be reviewed against the Goal. Membership in those cases will be at the discretion of the REN-ISAC. For example, if an institution has no centralized IT security function, then consideration for membership of departmental security personnel will be made on a case-by-case basis.

Examples that illustrate membership eligibility are included at the bottom of this document.

Applying for Membership

Membership requests are put to the current members for vouching.

There are two ways of applying for membership: Normal and Sponsored. The distinction lies only in the method of establishing membership - there is no subsequent distinction of trust and information sharing.

Normal Membership: Two current REN-ISAC members must vouch that the applicant meets membership criteria, with no members dissenting.

Sponsored Membership: Relies on the single vouch of a sponsor, with no members dissenting. To facilitate the membership of select, trusted subordinates of existing REN-ISAC members - when the subordinate doesn't have recognition within the community - an existing member can sponsor the application of a subordinate. The subordinate must meet all Membership Criteria, but requires no additional vouches. The Sponsored Membership request will be put to the members for question and dissent. Whenever possible the Normal Membership method should be used.

To apply for Normal Membership, the applicant sends a request to ren-isac at ren-isac dot net, including the following information:

  • name
  • e-mail address
  • office phone
  • 24-hour phone/pager (optional, but highly recommended)
  • employer
  • job title, and responsibilities
  • the institution's functional e-mail address for reporting security incidents, e.g. abuse@

To apply for Sponsored Membership, the sponsor sends the above information on behalf of the subordinate, and indicates that it's a sponsored request.

Changes in a Member's Employment Status or Responsibilities

Membership is tied to the individual's organizational representation and responsibilities.

If an individual terminates or changes employers, the membership must be immediately terminated and, if appropriate, the individual must reapply as a representative of the new organization.

If an individual changes responsibilities within an organization and no longer serves in a capacity that meets the Membership Criteria, the membership must be immediately terminated.

Members should promptly report changes in their employment that affect membership eligibility.

Membership Confirmation and Termination

Trust is established and maintained through published and rigorously enforced membership criteria and active maintenance of the member roll.

REN-ISAC will aggressively poll the membership for confirmation of status. Members must respond to the confirmation requests or membership will be terminated.

REN-ISAC may at its discretion reissue vouch requests, either privately or to the membership mailing list, to confirm a member's standing.

REN-ISAC reserves the right to unilaterally terminate the membership of an individual without notice.

The member roll will be visible to members via the review command of the renisac-sec-l listserv.

Ex Officio Members

Certain persons who don't meet the Membership Criteria may be granted membership by virtue of their position. For example, members of the REN-ISAC Technical and Executive Advisory Groups, technical directors of sponsoring organizations, etc. Ex Officio memberships will be granted at the discretion of the REN-ISAC.

Membership Eligibility Examples

Ann is the lead sysadmin for a number of institutional servers that support the primary financial and student systems of the university. She is specifically tasked with security for the systems. Although she has explicit security responsibilities in her job description, she doesn't meet the requirement #4 to "represent security for the institution." Ann is not eligible for membership.

Mel is an IT support provider in the College of Arts and Sciences at the University and spends greater than 50% of his time on security matters for the College. The University has a central IT organization including a central security team. Mel is not eligible because he doesn't meet the requirement #4 of having security duties "across the institution in whole or substantial part."

Kyle is part of a three-person team handling security incidents for the University. The team is composed of students who rotate duty according to their class schedules. Kyle is not eligible for membership because he doesn't meet the requirement #3 for permanent staff.

Cheryl is a network engineer in the NOC who spends 50% of her time working on security matters that affect the entire University. Security incidents are referred to her from the University IT Security Office - she works at the direction of the security office. Cheryl is not eligible for membership because she doesn't meet the requirement #3 to have a principal responsibility in security protection and response.

Meryl (Cheryl's older sister) is a senior network engineer in the NOC at a different University. Like Cheryl, Meryl spends 50% of her time working on security matters. Although the University has a separate IT Security Office, Meryl is tasked to work independently and in conjunction with the Security Office for network security matters. Meryl is eligible for membership because she shares principal responsibility for security protection and response.



Page Revised: June 19, 2006
Copyright, Trustees of Indiana University