Remember, the institution is the member, and is eligible, through a management representative, to nominate one or more member representatives. The member representative must meet membership criteria, pass vetting requirements, and abide by policies and trust requirements.
Information is shared to, and by, the member representative. The member representative participates in information sharing -- the institution does not. Certain classes of shared information cannot be further disseminated within the institution. Rather, the member representative analyzes shared information and formulates protection and response actions for the institution. This important distinction places limits on the dissemination of information. Refer to the Information Sharing Policy for details.
An institution must have a management representative, and one or more member representatives. There are three communities of member representatives -- general, ops (operational security), and officers. An institution can have any number of member representatives, provided they are full-time employees and qualify for the community for which they are nominated. All nominees go through a minimum 6 business-day vetting period, which allows the community to evaluate their qualifications.
The management representative is the steward of an institution's membership, responsible for nominating member representatives, timely maintenance of membership changes, withdrawals, terminations, and other administrative actions. The management representative should be an executive with the ultimate responsibility for information security for the entire institution. Typical job titles include:
Chief Information Officer (CIO)
Vice President or associate/assistant vice president
Chief Information Security Officer (CISO) who reports directly to one of the above roles
A delegate may serve as the Management Representative. Any delegate must be a manager, with the security function in the subordinate reporting chain. Delegates are identified when one of the above roles performs institutional registration. The management representative may also be, but is not expected to be, a member representative in the General, Ops, or Officers community. Unless established as a member representative, the management representative does not participate in operational information sharing. The management representative should be a member representative only if it's appropriate for that individual to participate operationally. Regardless of member rep status, a management rep is eligible to participate in management advisory groups and committees.
Member representative - Ops (Operational Security) Community
Representatives in the Ops community are security professionals who are responsible for cyber defense and response for the entire institution. Those who qualify for the Ops community manage and engineer intrusion detection/prevention systems, vulnerability scanners, firewalls, and other defensive systems. Members of the Ops community analyse threat intelligence and respond to incidents.
Member representative - General Community
Representatives in the General community are practitioners whose operational security responsibilities are associated with other systems or services such as enterprise applications, networks, or DNS; or whose responsibilities aren't strictly "security operational", such as risk, compliance, and IAM; or whose security responsibilities are not institution-wide.
Member representative - Officers Community
Those who qualify as representatives in the Officers community are executives at the member institution with a stake in information security. Typically, this includes the CIO, CISO, and directors or associate vice presidents in the information technology branch of the org chart.
Member representative - XSec
Referred to as "XSec member", these individuals represent their institutions in the information sharing and services community at a security classification of Restricted Use (highest level). XSec membership provides access to additional sensitive data and information sources, and levels of participation in the community. A representative is only eligible for XSec if they have been in good standing in the Ops community for at least 6 weeks.
Institutions must be a college or university, teaching hospital, research and education network provider, or government-funded research organization located in Australia, Canada, New Zealand, the UK, or the United States.
Individuals (member representatives) must:
be full-time permanent staff and have or share principal responsibility for security protection and response at the institution
have institution or organization-wide responsibility, that is, the individual must represent security for the institution (or a single campus of a multi-campus system).
agree to abide by the REN-ISAC Information Sharing Policy
conform to the frameworks established by the "governance/charter", the Membership Terms and Conditions, and the Information Sharing Policy
Requests for membership in which the institution, organization, or individual doesn't meet membership criteria are reviewed by the Membership Committee and REN-ISAC directors. For example, if an institution has no central IT security function, consideration for departmental memberships might be made on a case-by-case basis.