REN-ISAC membership guidelines are undergoing some changes. For many years, we've had to turn away Member Representative nominees who did not meet our criteria for operational security. Given the evolving nature of information security, it has become clear that REN-ISAC needs to involve the talents of colleagues who don't necessarily manage firewalls or intrusion detection systems. Information security requires planning, policy, training, support and communications, compliance, and much more. That's why we are rolling out Enterprise Participation, or EP. But don't worry -- we aren't throwing out our previous guidelines. We're simply making room for security practitioners who don't meet our traditional focus on operational security.
Building Upon Trust
One of our main goals with EP was to make sure we do not disrupt the trust relationships among our members. In fact, we wanted to build upon the strong trust among our security operations (Ops) members. To achieve that, we are adding two new communities for our Member Representatives -- General and Officer -- each with its own communications channel. Security practitioners who don't meet the traditional definition of Ops will be eligible to join the General community. These are folks working in risk assessment and management, identity and access management, security training / outreach / liaison, and ERP system administration, just to name a few. The Officer community is meant for executives with an information security responsibility -- people with titles like CIO, General Counsel, Director of Internal Audit, Director of Risk Management, and others.
Being a member of REN-ISAC means a person must belong to one of four core communities. In addition to the Ops, General, and Officer core communities, we are also adding an Affiliate community. This community is meant for close associates at your institution whose expertise can provide insights or value to a REN-ISAC special interest group (SIG). An example of a SIG might be cyber-security researchers, communications experts, and system administrators of self-phishing campaigns who, along with Member Representatives, participate in a "Self Phishing" special interest group. The group may decide that its outcome will be a white paper on best practices for conducting a self-phishing campaign in a university setting. Once the white paper is written and shared, the group may disband. Other SIGs may last in perpetuity. It's really up to the group leaders to decide their mission and goals.
Persons in the Affiliate community differ from other core community members in one key way -- they are not considered Member Representatives. Their role is focused on a particular subject, and in some cases, their membership is short-lived.
| Core Community | Description | Typical Job Description, Title, or Area of Expertise | Considered a Member Representative? |
|---|---|---|---|
| Security Operations (Ops) | Responsible for protection and response for the institution | Security analyst, security engineer, CISO, incident response specialist | Yes |
| General | Security practitioners without institution-wide protection and response responsibilities | Risk assessment, compliance, identity & access management, enterprise system administration, security training, network administration | Yes |
| Officer | Executives with an information security responsibility | CIO, Risk Compliance Officer, Chief Policy Officer, Director of Internal Audit | Yes |
| Affiliate | Trusted persons within the member institution with expertise in a particular subject | Cyber-security researchers (including faculty and grad students), awareness campaign specialists | No |
The role of Management Representative remains the focal point of all administrative activity, including nominations for Member Representatives and Affiliates. Via our registry, nominations are initiated by the Management Rep, who chooses a role for the nominee.
The Management Rep chooses between two roles -- Affiliate or Member Representative. The Affiliate role and community are described above. The Member Representative role is meant for the security practitioners who will participate in the General, Officer, or Ops communities.
Once a role is chosen for a new nominee, the Management Rep chooses a core community for the person, from among the communities for which their role is eligible. For those in the Affiliate role, there is only one choice for a core community. The real choices are the special interest groups and communications channels to which they are assigned by the Management Rep.
Once the nomination is made, there is a period of vetting, as per our Membership Guide. Essentially, the community has a chance to look over the person's job title and job description, and if they feel the nominee does not qualify for that community, or if they have a trust issue with the nominee, they can voice their objection to the community or the Membership Committee.
You might notice that “XSec” isn't listed here. That's because XSec membership requires a person to be in the Ops community for at least 6 weeks, and so it's not available to a Management Rep making an initial nomination. It's worth noting that the process for XSec nominations and vouching has not changed.
Once a person joins REN-ISAC, either as an Affiliate or Member Rep, they are able to choose from one or more communications channels for which they are eligible. In some cases, the member is automatically added to those channels. Those communications channels include private email lists, access to our members-only wiki, and much more.
Here is a list of benefits afforded to each of the core communities and the XSec community.
Let us know what you think by emailing MEMBERSHIP@REN-ISAC.NET.