Enterprise Participation Home
REN-ISAC membership guidelines are undergoing some changes. For many years, we've had to turn away Member Representative nominees who did not meet our criteria for operational security. Given the evolving nature of information security, it has become clear that REN-ISAC needs to involve the talents of colleagues who don't necessarily manage defensive systems or provide incident response. Information security requires planning, policy, training, support & communications, compliance, risk assessment, and much more. That's why we are rolling out Enterprise Participation, or EP. But don't worry -- we aren't throwing out our previous guidelines. We're simply making room for security practitioners who don’t meet our traditional focus on operational security.
Building Upon Trust
One of our main goals with EP was to make sure we do not disrupt the trust relationships among our members. In fact, we wanted to build upon the strong trust among our security operations (Ops) members. To achieve that, we are adding two new communities for our Member Representatives – General and Officer – each with their own communications channel. Security practitioners who don’t meet the traditional definition of Ops will be eligible to join the General community. These are folks working in risk assessment and management, identity and access management, security training / outreach / liaison, ERP system administrators, and IT professionals who cover security among other roles for their institution, just to name a few. The Officer community is meant for executives with an information security responsibility – people with titles like CIO, General Counsel, Director of Internal Audit, Director of Risk Management, and others.
Being a member of REN-ISAC means a person must belong to one of four core communities. In addition to the Ops, General, and Officer core communities, we will also be adding an Affiliate community in the near future. While we have made room for Affiliates in our new Membership Guide, nominating someone for that community won't be possible just yet.
| Core Community | Description | Typical Job Description, Title, or Area of Expertise |
| --- | --- | --- |
| Security Operations (Ops) | Responsible for protection and response for the institution | Security analyst, security engineer, CISO, incident response specialist |
| General | Practitioners whose operational security responsibilities are associated with other systems or services such as enterprise applications, networks, DNS; or, whose responsibilities aren't strictly "security operational", such as risk, compliance, and IAM; or, whose security responsibilities are not institution-wide | Risk assessment, compliance, identity & access management (IAM), enterprise system administration, security training, network administration |
| Officer | Executives with an information security responsibility | CIO, Risk Compliance Officer, Chief Policy Officer, Director of Internal Audit |
| Affiliate (coming soon) | Trusted persons within the member institution with expertise in a particular subject | Cyber-security researchers (including faculty and grad students), awareness campaign specialists |
The role of Management Representative remains the focal point of all administrative activity, including nominations for Member Representatives. Via our registry, nominations are still initiated by the Management Rep, but he or she must now choose a core community for that person. As described above, a Member Representative must be assigned to one of three core communities. The Ops community is what we think of as the traditional REN-ISAC Member Representative. This is someone with institution-wide protection and response responsibilities. Where EP really shows up is with the General community, which is meant for security practitioners whose security responsibilities, or the scope of which, do not meet the requirements for Ops. In addition, the Officer community is a place for executives with a stake in information security to share and receive information.
Once the nomination is made, there is a period of vetting, as per our Membership Guide. Essentially, the community has a chance to look over the person's job title and job description, and if they feel the nominee does not qualify for that community, or if they have a trust issue with the nominee, they can voice their objection to the community or the Membership Committee.
You might notice that “XSec” isn't listed here. That's because XSec membership requires a person to be in the Ops community for at least 6 weeks, and so it's not available to a Management Rep making an initial nomination. It's worth noting that the process for XSec nominations and vouching has not changed.
Once a person joins REN-ISAC, either as an Affiliate or Member Rep, they are able to choose from one or more communications channels for which they are eligible. In some cases, the member is automatically added to those channels. Those communications channels include private email lists, access to our members-only wiki, and much more.
Here is a list of benefits afforded to each of the core communities and the XSec community.
Let us know what you think by emailing MEMBERSHIP@REN-ISAC.NET.