An institution must have a management representative, and one or more member representatives. There are three communities of member representatives -- general, ops (operational security), and officers. An institution can have any number of member representatives, provided they are full-time employees and qualify for the community for which they are nominated. All nominees go through a minimum 6 business-day vetting period, which allows the community to evaluate their qualifications.
The management representative is the steward of an institution's membership, responsible for nominating member representatives, timely maintenance of membership changes, withdrawals, terminations, and other administrative actions. The management representative should be an executive with the ultimate responsibility for information security for the entire institution. Typical job titles include:
Chief Information Officer (CIO)
Vice President or associate/assistant vice president
Chief Information Security Officer (CISO) who reports directly to one of the above roles
A delegate may serve as the management representative. Any delegate must be a manager, with the security function in the subordinate reporting chain. Delegates are identified when one of the above roles performs institutional registration. The management representative may also be, but is not expected to be, a member representative in the General, Ops, or Officers community. Unless established as a member representative, the management representative does not participate in operational information sharing. The management representative should be a member representative only if it's appropriate for that individual to participate operationally. Regardless of member representative status, a management representative is eligible to participate in management advisory groups and committees.
Member representative - Ops (Operational Security) Community
Representatives in the Ops community are security professionals who are responsible for cyber defense and response for the entire institution. Those who qualify for the Ops community manage and engineer intrusion detection/prevention systems, vulnerability scanners, firewalls, and other defensive systems. Members of the Ops community analyze threat intelligence and respond to incidents.
Member representative - General Community
Representatives in the General community are practitioners whose operational security responsibilities are associated with other systems or services, such as enterprise applications, networks, and DNS; whose responsibilities aren't strictly "security operational", such as risk, compliance, and IAM; or whose security responsibilities are not institution-wide.
Member representative - Officers Community
Those who qualify as representatives in the Officers community are executives at the member institution with a stake in information security. Typically, this includes the CIO, CISO, and directors or associate vice presidents in the information technology branch of the org chart.
Member representative - XSec
Referred to as "XSec members", these individuals represent their institutions in the information sharing and services community at a security classification of Restricted Use (highest level). XSec membership provides access to additional sensitive data and information sources, and to additional levels of participation in the community. A representative is only eligible for XSec if they have been in good standing in the Ops community for at least 6 weeks.