1.0 The Central Bank and Regulator Supervisor Forum (CERES)
The CERES Forum is a program of the Financial Services Information Sharing and Analysis Center, Inc. (“FS-ISAC”) that is subject to the overall management and supervision of FS-ISAC. Subscribership in the CERES Forum does not constitute membership in FS-ISAC.
2.1 CERES Forum
2.1(a) The CERES Forum portal, database and information sharing tools are housed in a secure facility. FS-ISAC provides for authenticated and, when appropriate, anonymous and confidential sharing between and among CERES Forum Subscribers. Subscribers may share intelligence and information relevant to the CERES Forum in the categories of strategic intelligence, financial sector resilience and cooperative defense, and public-private cooperation. All information is shared securely via the portal among Subscribers of the CERES Forum, in CERES Forum calls and meetings, and on the CERES Forum mailing list.
2.1(b) Terminology and Definitions:
2.1(c) The database of information created may be augmented by information provided by commercial, government and other sources of relevant information. Information submitted by CERES Forum Subscribers will not be shared with non-Subscribers unless the CERES Forum Subscriber indicates it is permissible to share the submitted information to other specified groups such as law enforcement, country or national level security organizations, critical infrastructure sectors, or with other affiliated entities that may enter into information sharing agreements with FS-ISAC.
2.1(d) Subscribership will be limited to any Central Bank and/or entity with regulatory or supervisory responsibilities that meets the eligibility criteria established by FS-ISAC and the CERES Forum as defined in Section 3.1.
2.1(e) Subscribers will enroll by completing the appropriate CERES Forum Subscriber Application, accepting the CERES Forum Agreement, and paying any applicable annual fee. Subscribers and their Access Coordinators must abide by the CERES Forum Agreement, the EULA and these Rules.
2.1(f) The CERES Forum will be governed and managed by FS-ISAC under the processes and authorities established in the by-laws of FS-ISAC and CERES Forum Charter.
2.2 Cornerstones of Sharing
2.2(a) Submission Anonymity: Faith that submissions will pose no competitive threat and will be without attribution to the originating Subscriber if the submission is submitted anonymously.
2.2(b) Authenticated Sharing of Information: The CERES Forum structure will allow certain information, such as events, incidents, threats, vulnerabilities, resolutions and solutions, to be shared in an authenticated, anonymous and private manner. Recipients of alerts are confident information is from an authorized and vetted source.
2.2(c) FS-ISAC Owned and Operated: Assurance that the database and input is owned by FS-ISAC and/or the CERES Forum Subscribers, submitted to a private sector service provider, and managed by a professional staff in accordance with the CERES Forum Charter and these Rules.
2.2(d) No Freedom of Information Act (FOIA) Access: Control of the portal by the private sector ensures that the CERES Forum database is not subject to Freedom of Information Act requests from the press or others that are not Subscribers of the CERES Forum.
3.0 Subscriber Eligibility & Enrollment
3.1 CERES Forum Subscriber Eligibility
3.1(a) Subscribership is open to the entities below, provided they are not subject to international sanctions or listed on Specially Designated Nationals or similar lists.
3.1(b) Other Requirements:
3.1(c) FS-ISAC reviews the application and verifies the applicant through a variety of sources including OFAC Sanctions database and other relevant information sources. If there are questions regarding eligibility, FS-ISAC may require further information and/or conduct an internal review for an eligibility decision.
3.2 Enrollment Process and Procedures
3.2(a) An organization wishing to become a Subscriber in the CERES Forum may obtain all relevant information including these Rules, the CERES Forum Agreement and EULA at FS-ISAC Terms. CERES Forum Agreement acceptance and information to facilitate any payment of fees will be made through DocuSign.
3.2(b) FS-ISAC may use trusted third-party sources to verify applicant eligibility. Identification of the Primary Contact and Access Coordinator(s) must be completed.
3.2(c) Upon execution of the Sales Order, participation will be enabled.
3.2(d) CERES Forum Subscribers will not be entitled to a refund of any fees.
4.0 Enrollment Material and Activation
4.1 CERES Forum Portal Activation
4.1(a) Once the Agreement is fully executed, FS-ISAC will contact the Primary Contact to activate the account and provide the Primary Contact with access credentials.
4.2 User Hardware and Software Requirements
4.2(a) There are no special hardware or software requirements to use the database. A Subscriber or User must have the capability to securely access the Internet.
4.3 CERES Forum Portal Access Credentials
4.3(a) Access credentials are issued to the Subscribers’ Access Coordinators. Credentials are allocated to individuals as determined by the Subscriber and are tracked and monitored for use. Once authenticated, the User may submit an incident anonymously or with attribution. Credentials allow access to the CERES Forum databases and search functions. It is the responsibility of the Subscriber’s Primary Contact to manage and maintain internal control and the status of these credentials.
4.3(b) Processes are established to initially set authentication credentials and to reset, reissue and invalidate authenticators when requested by the Primary Contact or when suspicious access is attempted.
4.4 Credential Revocation Procedures
4.4(a) The Primary Contact may request replacement credentials at firstname.lastname@example.org.
4.4(b) If a credential is rejected on three separate occasions, it will be disabled without notice to the Primary Contact. It is the responsibility of the Primary Contact to ensure FS-ISAC has current contact information for each Access Coordinator.
4.5 Unauthorized Use or Compromise of Credentials
4.5(a) ANY SUSPECTED COMPROMISE OR UNAUTHORIZED USE OF ANY CREDENTIAL MUST BE IMMEDIATELY REPORTED TO FS-ISAC SECURITY OPERATIONS CENTER at email@example.com.
4.6 Failed Access Credentials
4.6(a) If any credentials become inoperative, FS-ISAC must be contacted at firstname.lastname@example.org for instructions on how to receive a replacement.
4.7 Terminating Relationship
4.7(a) Upon termination of the CERES Forum Agreement for any reason, access credentials to the CERES Forum portal and all other CERES Forum services will be terminated.
5.1(a) FS-ISAC has established a business relationship with a service provider to deliver the CERES Forum portal services. FS-ISAC and the service provider have a formal Service Level Agreement for the various services. Subscribers may contact email@example.com for details.
5.1(b) A general overview of the CERES Forum operations follows:
5.1(c) Information Sources: Information is contributed by Subscribers submitting anonymously or with attribution.
5.1(d) Sanitizing of Submitted Information: Subscribers are solely responsible for ensuring that submissions intended to be anonymous are submitted without identifying information. However, all incident information submitted to the CERES Forum will be reviewed by staff to ensure that an anonymous submission contains no reference to the submitter or the submitting organization.
5.2 Submission of Information to the CERES Forum
5.2(a) The mission of the CERES Forum is to provide a trusted means for Central Bank, regulatory, and supervisory agencies to:
5.2(b) This sharing of information is expected to be beneficial for preparedness, protection, crisis management and recovery.
5.2(c) The following definitions are offered as guidance to Subscribers for categorizing and classifying information being considered for submission:
1. Incidents
a. Cyber security breaches or incidents of a new or evolving nature that clearly go beyond daily norms or appear to have broad consequences, or that correlate with incidents reported by others or with specific threat information received.
b. Cyber security breaches or incidents having a significant impact on operations (e.g., Denial of Service attacks, attacks on integrity) or that are of a recurring, persistent and insidious nature.
c. Security breaches or incidents related to criminal activities (e.g., fraud, extortion, or espionage).
d. Incidents are classified by their severity.
2. Threats
a. Specific or general cyber threats to any component or entity; knowledge uncovered of threats against other sectors or entities.
b. Details of “hacker”, “nation state” or “criminal” activity posing a threat to infrastructure or systems.
c. Threat information or indicators received from credible sources.
3. Vulnerabilities
a. Items reported by national CERT organizations or other homeland security or law enforcement agencies, reputable information sharing groups, or security provider alert bulletins that are considered to be of operational importance to the banking and finance infrastructure because of architecture, operational procedures or knowledge of historical exploitation of vulnerabilities of a similar nature.
b. Reports of and/or validation of vulnerability hoaxes being perpetrated.
c. Operational vulnerabilities experienced by vendors or service providers that could impact the sector broadly (e.g., cryptographic exploits, authentication technology exploits).
d. Results of an investigation of vulnerabilities or the validation of specific vulnerabilities within systems.
4. Resolutions and Solutions
a. CERES Forum Subscribers propagate resolutions and solutions by providing intelligence and information as a help source for peer organizations. Resolutions to specific incidents are posted to the CERES Forum database.
b. Subscribers submit and update resolutions of incidents reported, and postings may be made anonymously. Submitted resolutions are not checked for technical accuracy by FS-ISAC. A resolution can be a single activity, such as apprehension of the individual causing the incident, or a combination of events, such as implementation of new processes or controls or reconfiguration of key equipment.
c. Subscribers are requested to provide any practical knowledge uncovered when working to address specific vulnerabilities or threats (e.g., the effectiveness of methods or practices for dealing with e-mail borne virus or trojan horse programs). Resolutions are categorized as either a technical solution or a business process solution.
d. Policy issues and recommendations.
e. Critical infrastructure threats.
5.3 Government or Law Enforcement Information
5.3(a) Information may be accepted and authenticated as coming directly from governments, government agencies, state, provincial or local governments, or law enforcement regarding incidents, threats, and vulnerabilities.
5.3(b) FS-ISAC may provide data on specific events or incidents to appropriate government and law enforcement agencies, and to private sector partners such as critical infrastructure ISACs, when there is potential benefit to the financial sector and only with the consent of the CERES Subscriber providing the information. Information is shared without attribution to the incident originator and can help provide relevant intelligence on the financial sector threat landscape.
5.4 Subscriber Submission Modes
5.4(a) Attributable: Subscribers may submit attributable information by using the attributable submission option on the database or sending to firstname.lastname@example.org.
5.4(b) Anonymous: Subscribers may submit information anonymously by using the anonymous submission form on the CERES Forum portal.
5.5 Traffic Light Protocol
5.5(a) All information submitted, processed, stored, archived, or disposed of is classified and handled in accordance with its classification.
5.5(b) Information is classified using the Traffic Light Protocol (TLP), defined as:
5.5(c) If no marking is specified, the information shall be treated as Confidential Information (TLP Amber).
5.5(d) Information classified as Green, Amber, or Red must be disclosed, transported, stored, transmitted, and disposed of in a safe and secure manner using controls appropriate to the level of classification. These controls include, but are not limited to, encryption, shredding, securely erasing, and degaussing of media.
6.0 CERES Forum System Security Monitoring
6.1 Monitoring and Testing
6.1(a) The CERES Forum systems are actively monitored 24/7. FS-ISAC operators use reasonable efforts to notify Subscribers of the status of the system through the alert mechanism specified by each Subscriber Access Coordinator (e.g., mobile device).
7.0 Help Desk Policy and Procedures
7.1 User Support Contact
7.1(a) Subscribers may contact the Help Desk at email@example.com for assistance with any CERES Forum problems.
8.0 Antitrust/Competition Provisions
8.1(a) FS-ISAC, the CERES Forum and its Subscribers will comply with all laws and regulations governing antitrust and anticompetitive practices. FS-ISAC officers, directors, staff, the CERES Steering Committee and CERES Forum Subscribers must not engage in any conduct that may constitute a violation of these laws, including but not limited to price fixing, group boycotts, or allocation of markets among organizations or institutions.
8.1(b) To assure compliance with this policy:
9.1 Confidentiality Requirement
9.1(a) Steering Committee subscribers, officers, FS-ISAC staff and CERES Forum Subscribers may have access to or receive from FS-ISAC, the CERES Forum, CERES Forum Subscribers, or affiliated partners certain trade secrets and other information pertaining to the disclosing party or its employees, customers and suppliers (“Confidential Information”).
9.1(b) Committee members, officers, staff and CERES Forum Subscribers agree that all such trade secret and other information obtained shall be considered confidential and proprietary to the disclosing party.
9.1(c) As stipulated in Section 5.5, Traffic Light Protocol, all information is classified as Confidential (Amber) by default unless specifically classified otherwise.
9.1(d) Staff and contractors are required to execute a Confidentiality Agreement as a condition of employment. CERES Forum Subscribers, including Steering Committee subscribers and officers, are bound by the terms of the Rules.
9.1(e) Parties in possession of Confidential Information may be requested to disclose Confidential Information to law enforcement, a government authority or another third party pursuant to a subpoena or other legal order. To the extent allowed by law, the disclosing party will use reasonable and customary efforts to provide FS-ISAC and the CERES Forum with advance notice of such disclosure to allow FS-ISAC and impacted parties to seek an appropriate protective order or other relief to prohibit or limit such disclosure.
9.2 Confidentiality Agreement
9.2(a) Recipients of Confidential Information will be obligated to:
10.0 Rules Modification and Precedence
10.1 Modification of Rules Approvals
10.1(a) From time to time these Rules and the CERES Forum Agreement may be modified with the approval of FS-ISAC. Notifications to current Subscribers will be provided at that time.