FS-ISAC End User License Agreement

 

This End User License Agreement, including the Member Subscriber and CERES Forum Application Form, Member Terms and Conditions, and Operating Rules which by this reference are incorporated herein (this "Agreement"), is a binding agreement between FS-ISAC and the entity identified on the Membership Form (defined below) as the licensee of the FS-ISAC Portal ("Licensee"). This Agreement is subject to the terms and conditions contained in the Member Terms and Conditions.

FS-ISAC PROVIDES THE FS-ISAC PORTAL SOLELY ON THE TERMS AND CONDITIONS SET FORTH IN THIS AGREEMENT AND ON THE CONDITION THAT LICENSEE ACCEPTS AND COMPLIES WITH THEM. AT ACCEPTANCE OF MEMBERSHIP YOU (A) ACCEPT THIS AGREEMENT AND AGREE THAT LICENSEE IS LEGALLY BOUND BY ITS TERMS; AND (B) REPRESENT AND WARRANT THAT: (I) YOU ARE OF LEGAL AGE TO ENTER INTO A BINDING AGREEMENT; AND (II) IF LICENSEE IS A CORPORATION, GOVERNMENTAL ORGANIZATION, OR OTHER LEGAL ENTITY, YOU HAVE THE RIGHT, POWER, AND AUTHORITY TO ENTER INTO THIS AGREEMENT ON BEHALF OF LICENSEE AND BIND LICENSEE TO ITS TERMS. IF LICENSEE DOES NOT AGREE TO THE TERMS OF THIS AGREEMENT, FS-ISAC WILL NOT AND DOES NOT LICENSE THE FS-ISAC PORTAL TO LICENSEE AND YOU MUST NOT USE THE FS-ISAC PORTAL OR DOCUMENTATION.

NOTWITHSTANDING ANYTHING TO THE CONTRARY IN THIS AGREEMENT OR LICENSEE'S ACCEPTANCE OF THE TERMS AND CONDITIONS OF THIS AGREEMENT, NO LICENSE IS GRANTED (WHETHER EXPRESSLY, BY IMPLICATION, OR OTHERWISE) UNDER THIS AGREEMENT, AND THIS AGREEMENT EXPRESSLY EXCLUDES ANY RIGHT, CONCERNING ANY FS-ISAC PORTAL THAT LICENSEE DID NOT ACQUIRE LAWFULLY OR THAT IS NOT A LEGITIMATE, AUTHORIZED COPY OF FS-ISAC'S FS-ISAC PORTAL.

1. DEFINITIONS. For purposes of this Agreement, the following terms have the following meanings:
  • “Authorized Users” means solely those individuals authorized to use the FS-ISAC Portal pursuant to the license granted under this Agreement, as set forth on the Membership Form.
  • “Documentation” means user manuals, technical manuals, and any other materials provided by FS-ISAC, in printed, electronic, or other form, that describe the installation, operation, use, or technical specifications of the FS-ISAC Portal.
  • “Intellectual Property Rights” means any and all registered and unregistered rights granted, applied for, or otherwise now or hereafter in existence under or related to any patent, copyright, trademark, trade secret, database protection, or other intellectual property rights laws, and all similar or equivalent rights or forms of protection, in any part of the world.
  • “Licensee” has the meaning set forth in the preamble.
  • “Membership Form” means the application form filled out and submitted by or on behalf of Licensee, and accepted by FS-ISAC, for Licensee’s use of the license for the FS-ISAC Portal granted under this Agreement.
  • “FS-ISAC Portal” means the database and information sharing tools for which Licensee is obtaining a license, as expressly set forth in the Membership Form.
  • “Proprietary Information” has the meaning set forth in Section 9.
  • ”Third Party” means any person other than Licensee or FS-ISAC.
2. LICENSE GRANT AND SCOPE. Subject to and conditioned upon Licensee’s strict compliance with all terms and conditions set forth in this Agreement, FS-ISAC hereby grants to Licensee a non-exclusive, non-transferable, non-sublicensable limited license during the Term to use, solely by and through its Authorized Users, the FS-ISAC Portal and Documentation.

3. INFORMATION SHARING. FS-ISAC provides for authenticated and, when appropriate, anonymous and confidential sharing between and among Licensees. Licensees may share information associated with cyber incidents, threats, vulnerabilities, and resolutions or solutions associated with critical infrastructures and technologies.

4. TRAFFIC LIGHT PROTOCOL (TLP). All information submitted, processed, stored, archived, or disposed of in connection with the FS-ISAC Portal will be classified and handled using TLP, defined in accordance with ADDENDUM 1 below. If no marking is specified, the information shall be treated as confidential information (TLP: Amber). Information classified as Green, Yellow, or Red must be disclosed, transported, stored, transmitted, and disposed of in a safe and secure manner using controls appropriate to the level of classification. These controls include, but are not limited to, encryption, shredding, securely erasing, and degaussing of media.

5. USE RESTRICTIONS. Licensee shall not, and shall require its Authorized Users not to, directly or indirectly:
  1. use (including make any copies of) the FS-ISAC Portal, Proprietary Information, or Documentation beyond the scope of the license granted;
  2. share passwords, usernames or other login credential information provided by FS-ISAC solely to benefit Licensee;
  3. modify, translate, adapt, or otherwise create derivative works or improvements, whether or not patentable, of the FS-ISAC Portal, Proprietary Information, or Documentation or any part thereof;
  4. combine the FS-ISAC Portal, Proprietary Information or any part thereof with, or incorporate the FS-ISAC Portal or any part thereof in, any other programs;
  5. reverse engineer, disassemble, decompile, decode, or otherwise attempt to derive or gain access to the source code of the FS-ISAC Portal or any part thereof;
  6. remove, delete, alter, or obscure any trademarks or any copyright, trademark, patent, or other intellectual property or proprietary rights notices provided on or with the FS-ISAC Portal, Proprietary Information, or Documentation, including any copy thereof;
  7. rent, lease, lend, sell, sublicense, assign, distribute, publish, transfer, or otherwise make available the FS-ISAC Portal, Proprietary Information, or any features or functionality of the FS-ISAC Portal, to any Third Party for any reason, whether or not over a network or on a hosted basis, including in connection with the internet or any web hosting, wide area network (WAN), virtual private network (VPN), virtualization, time-sharing, service bureau, FS-ISAC Portal as a service, cloud, or other technology or service; or
  8. use the FS-ISAC Portal, Proprietary Information, or Documentation in violation of any law, regulation, or rule;

6. RESPONSIBILITY FOR USE OF FS-ISAC PORTAL. Licensee is responsible and liable for all uses of the FS-ISAC Portal and Documentation through access thereto provided by Licensee, directly or indirectly. Specifically, and without limiting the generality of the foregoing, Licensee is responsible and liable for all actions and failures to take required actions with respect to the FS-ISAC Portal and Documentation by its Authorized Users or by any other Person to whom Licensee or an Authorized User may provide access to or use of the FS-ISAC Portal and/or Documentation, whether such access or use is permitted by or in violation of this Agreement.

7. REPORTING A SUSPECTED COMPROMISE. ANY SUSPECTED COMPROMISE OR UNAUTHORIZED USE OF ANY CREDENTIAL MUST BE IMMEDIATELY REPORTED TO FS-ISAC SECURITY OPERATIONS CENTER AT: 877-612-2622 (WITHIN THE U.S.) OR 571-252-8517 (OUTSIDE THE U.S.). ANY VIOLATION OF THE REQUIREMENTS LISTED IN THIS AGREEMENT MAY RESULT IN IMMEDIATE TERMINATION OF LICENSEE’S ACCESS TO THE FS-ISAC PORTAL AND LOSS OF FEES.

8. INTELLECTUAL PROPERTY RIGHTS. Licensee acknowledges and agrees that the FS-ISAC Portal and Documentation are provided under license, and not sold, to Licensee. Licensee does not acquire any ownership interest in the FS-ISAC Portal or Documentation under this Agreement, or any other rights thereto, other than to use the same in accordance with the license granted and subject to all terms, conditions, and restrictions under this Agreement. FS-ISAC reserves and shall retain its entire right, title, and interest in and to the FS-ISAC Portal and all Intellectual Property Rights arising out of or relating to the FS-ISAC Portal, except as expressly granted to the Licensee in this Agreement. Licensee shall use commercially reasonable efforts to safeguard the FS-ISAC Portal from infringement, misappropriation, theft, misuse, or unauthorized access. Licensee shall promptly notify FS-ISAC if Licensee becomes aware of any infringement of the FS-ISAC’s Intellectual Property Rights in the FS-ISAC Portal and fully cooperate with FS-ISAC in any legal action taken by FS-ISAC to enforce its Intellectual Property Rights.

9. PROPRIETARY INFORMATION. Licensee acknowledges that content in the FS-ISAC Portal is the confidential, proprietary, and trade secret property (“Proprietary Information”) of FS-ISAC. Licensee shall not disclose, provide, or otherwise make available the Proprietary Information to any person other than Licensee’s authorized employees or agents who are under a confidentiality agreement, and Licensee shall not use the Proprietary Information other than exclusively for Licensee's internal operational purposes. Licensee shall take steps to protect the Proprietary Information no less securely than if it were Licensee's own intellectual property and proprietary information, but also at all times in conformance with Traffic Light Protocol (ADDENDUM 1). The provisions of this Section 9 shall survive the termination of this Agreement.

10. GOVERNING LAW. Any disputes arising out of or related to this Agreement shall be resolved in accordance with the applicable Member Terms and Conditions.

Color 

When should it be used? 

How may it be shared? 

RED 

Sources may use TLP RED when the information’s audience must be tightly controlled, because misuse of the information could lead to impacts on a party's privacy, reputation, or operations.  The source must specify a target audience to which distribution is restricted. 

Recipients may not share TLP RED information with any parties outside of the specific exchange, meeting, or conversation in which it is originally disclosed.  

AMBER 

Sources may use TLP AMBER when information requires support to be effectively acted upon, but carries risks to privacy, reputation, or operations if shared outside of the organizations involved. 

Recipients may only share TLP AMBER information with staff in their own organization who need to know, or with service providers to mitigate risks to the Member’s organization if the providers are contractually obligated to protect the confidentiality of the information. TLP AMBER information can be shared with those parties specified above only as widely as necessary to act on the information. 

GREEN 

Sources may use TLP GREEN when information is useful for the awareness of all participating organizations as well as with peers within the broader community. 

Recipients may share TLP GREEN information with peers, supervised entities, trusted government and critical infrastructure partner organizations, and service providers with whom they have a contractual relationship, who have a need-to-know but not via publicly accessible channels. 

WHITE 

Sources may use TLP WHITE when information carries minimal or no foreseeable risk of misuse, in accordance with applicable rules and procedures for public release. 

TLP WHITE information may be distributed without restriction, subject to copyright controls.