Remember, the institution is the member, and is eligible, through a management representative, to nominate one or more member representatives. The member representative must meet membership criteria, pass vetting requirements, and abide by policies and trust requirements.
Information is shared with, and by, the member representative. The member representative participates in information sharing; the institution does not. Certain classes of shared information cannot be further disseminated within the institution. Rather, the member representative analyzes shared information and formulates protection and response actions for the institution. This important distinction places limits on the dissemination of information. Refer to the Information Sharing Policy for details.
An institution must have a management representative and one or more member representatives. There are two classes of member representative: General and XSec. An institution can have any combination of General and XSec representation. The class in which an individual member representative participates is determined by the capabilities, needs, and choice of the institution and the individual, and by vouched trust.
The management representative is the steward of an institution's membership, responsible for nominating member representatives, timely maintenance of membership changes, withdrawals, terminations, and other administrative actions. The management representative must hold one of the following roles, as verified by the Membership Committee:
Chief Information Officer (CIO)
Vice President or associate/assistant vice president
Chief Information Security Officer (CISO) who reports directly to one of the above roles
A delegate of one of the above roles
Any delegate must be a manager with the security function in their subordinate reporting chain. Delegates are identified when one of the above roles performs institutional registration. The management representative may also be, but is not expected to be, a General or XSec member representative. Unless established as a member representative, the management representative does not participate in operational information sharing. The management representative should be a member representative only if it is appropriate for that individual to participate operationally. Regardless of member representative status, a management representative is eligible to participate in management advisory groups and committees.
Member representative - General
Referred to as "General members", these individuals represent their institutions in the information sharing and services community at a security classification of Privileged Use. The General class provides a level of participation in the community for individuals whose job function doesn't require access to the additional XSec resources, or who don't meet XSec criteria.
Member representative - XSec
Referred to as "XSec members", these individuals represent their institutions in the information sharing and services community at a security classification of Restricted Use (the highest level). XSec membership provides access to additional sensitive data and information sources, and to additional levels of participation in the community.
Institutions must be a college or university, teaching hospital, research and education network provider, or government-funded research organization.
Individuals (member representatives) must:
be full-time permanent staff and have, or share, principal responsibility for security protection and response at the institution
have institution- or organization-wide responsibility; that is, the individual must represent security for the institution (or for a single campus of a multi-campus system)
agree to abide by the REN-ISAC Information Sharing Policy
conform to the frameworks established by the "governance/charter", the Membership Terms and Conditions, and the Information Sharing Policy
Individuals with responsibility within a division, such as a department or school, don't qualify for membership except by exception (outlined below).
Prospective General member representatives must be accepted for membership by existing member representatives of the REN-ISAC trust community. Existing member representatives are not required to positively vouch, but are given the opportunity to express concern regarding the fitness or trustworthiness of the prospect.
Prospective XSec member representatives must:
be a General member representative in good standing, for a minimum of six weeks
receive two vouches from active XSec member representatives. One vouch must come from an external institution. A vouch must affirm that the prospect meets membership criteria and, importantly, must explicitly express personal trust in the individual. Guidance for proper vouching is provided in Vouching, Dissent, and Reproach.
have responsibilities dedicated to operational security protection and response, or to a combination of networking and security with security responsibilities at a minimum 50% assignment
have organizational responsibility to assess threats and incidents, and to develop plans of action that have impact on the organization
have the authority to independently carry out these responsibilities with nominal management oversight
The institution must have the capability to actively defend against known threats, and to identify, remediate, and respond to compromised machines in a timely manner.
Requests for membership in which the institution, organization, or individual doesn't meet membership criteria are reviewed by the Membership Committee and the REN-ISAC directors. For example, if an institution has no central IT security function, departmental memberships might be considered on a case-by-case basis.
Ex officio memberships may be granted at the discretion of the REN-ISAC directors to persons with a relationship to the community, such as members of advisory groups or analysis teams, directors of sponsoring organizations, etc.