FS-ISAC CERES Operating Rules

 

1. The Central Bank and Regulator Supervisor Forum (CERES)
The CERES Forum is a program of the Financial Services Information Sharing and Analysis Center, Inc. (“FS-ISAC”) that is subject to the overall management and supervision of FS-ISAC. Membership in the CERES Forum does not constitute membership in FS-ISAC.


2. Overview


2.1 CERES Forum
2.1(a) The CERES Forum portal, database and information sharing tools are in a secure facility. The FS-ISAC provides for authenticated and, when appropriate, anonymous, and confidential sharing between and among CERES Forum members. Members may share information associated with cyber incidents, threats, vulnerabilities, and resolutions or solutions associated with critical infrastructures and technologies. The information is shared securely via a portal among members of the CERES Forum (“Member”).
2.1(b) Terminology and Definitions:
1. Primary Contact is defined as the person designated by Member to whom all FS-ISAC notices, invoices and other information is delivered. The Primary Contact represents the Member and attests any Member employees, agents and consultants who use the CERES Forum will comply with the CERES Forum Operating Rules (“Rules”) and ensure strict confidentiality of CERES Forum information. The Primary Contact is responsible for ensuring all Access Coordinators (as defined below) are current and have the need for credentials and have the appropriate authority to use the credentials issued by the FS-ISAC for the CERES Forum.
2. Access Coordinators (users) are those employees, agents and contractors identified by the Primary Contact as authorized to have CERES Forum credentials.
3. CERES Forum Portal or Portal refers to the Internet site that provides access to the private information that is exclusively available to CERES Forum Members after successful completion of the authentication process.
2.1(c) The database of information created may be augmented by information provided by commercial, government and other sources of relevant information. Information submitted by CERES Forum Members will not be shared with non-Members unless the CERES Forum Member indicates it is permissible to share the submitted information to other specified groups such as law enforcement, Country or National Level Security Organizations, critical infrastructure sectors, or with other affiliated entities that may enter into information sharing agreements with FS-ISAC.
2.1(d) Membership is limited to central banks and entities with regulatory or supervisory responsibilities that meet the eligibility criteria established by FS-ISAC and the CERES Forum as defined in Section 3.1.
2.1(e) Members will enroll by completing the appropriate CERES Forum Subscriber Application, accepting the CERES Forum Subscriber Agreement, and paying any applicable annual fee. Members and their Access Coordinators (users) abide by the CERES Forum Subscriber Agreement and these Rules.
2.1(f) The CERES Forum will be governed and managed by FS-ISAC under the processes and authorities established in the by-laws of FS-ISAC and CERES Forum Charter.

2.2 Cornerstones of the FS-ISAC
The cornerstones are the foundation upon which FS-ISAC and the CERES Forum will select and manage trusted service providers to enable CERES Forum information sharing.
2.2(a) Submission Anonymity: Faith that submissions will pose no competitive threat and will be without attribution to the originating Member if the submission is submitted anonymously.
2.2(b) Authenticated Sharing of Information: The CERES Forum structure will allow certain information, such as events, incidents, threats, vulnerabilities, resolutions and solutions, to be shared in an authenticated, anonymous and private manner. Recipients of alerts are confident information is from an authorized and vetted source.
2.2(c) FS-ISAC Owned and Operated: Assurance that the database and input is owned by FS-ISAC and/or the CERES Forum Members, submitted to a private sector service provider, and managed by a professional staff in accordance with the CERES Forum Charter and these Rules.
2.2(d) No Freedom of Information Act (FOIA) Access: Control of the portal by the private sector ensures that the CERES Forum database is not subject to Freedom of Information Act requests from the press or others that are not Members of the CERES Forum.

3. Member Eligibility & Enrollment

3.1 CERES Forum Member Eligibility
3.1(a) Membership is open to the entities below, provided they are not subject to international sanctions or listed on any Specially Designated Nationals or similar list.
1. Central Banks.
2. Entities with regulatory or supervisory responsibility for financial institutions.
3. Other entities as may be determined by the CERES Forum Steering Committee and FS-ISAC which would be beneficial to the CERES Forum.
4. FS-ISAC, at its discretion, can deny CERES Forum membership to any applicant that does not meet the CERES Forum eligibility requirements or subscription agreement requirements.
3.1(b) Other Requirements:
1. Members: Adhere to all applicable regulations and laws, including antitrust, privacy, and other relevant laws. Adhere to strict standards for professional conduct. Remain current with all financial obligations to FS-ISAC.
2. Members must immediately notify FS-ISAC if their eligibility status changes.
3. FS-ISAC may conduct periodic member eligibility reviews to assure compliance.
3.1(c) FS-ISAC reviews the application and verifies the applicant through appropriate regulatory or other sources. For institutions or associations that do not have a U.S. presence, FS-ISAC will verify the applicant is not on an OFAC sanctions list. For applications that FS-ISAC cannot verify or if there are questions regarding eligibility, FS-ISAC will conduct an internal review for an eligibility decision.


3.2 Enrollment Process and Procedures
3.2(a) An organization wishing to become a Member in the CERES Forum may obtain all relevant information including these Rules and the CERES Forum Subscriber Agreement from membership@fsisac.com. CERES Forum Subscriber Agreement acceptance and any banking account information to facilitate any payment of fees may be made through DocuSign.
3.2(b) FS-ISAC may use trusted third-party sources to verify applicant eligibility. Identification of the Primary Contact and Access Coordinator(s) must be completed.
3.2(c) Upon receipt of a completed CERES Forum Subscriber Agreement and payment as applicable, participation will be enabled.
3.2(d) CERES Forum Members will not be entitled to a refund of any fees.


4. Enrollment Material and Activation

4.1 CERES Forum Activation
4.1(a) FS-ISAC will contact the Primary Contact to activate the account once the Subscriber Agreement is fully executed and any applicable fee payments are received. The Primary Contact will receive the Member’s access credentials.


4.2 User Hardware and Software Requirements
4.2(a) There are no special hardware or software requirements to use the database. A Member must have the capability to securely access the Internet.

4.3 CERES Forum Portal Access Credentials
4.3(a) Access credentials are issued to the Members’ Access Coordinators. Credentials are allocated to individuals as determined by the Member and are tracked and monitored for use. Once authenticated, the Member User may submit an incident anonymously or with attribution. Credentials allow access to the CERES Forum databases and search functions. It is the responsibility of the Member’s Primary Contact to manage and maintain internal control and the status of these credentials.
4.3(b) Processes are established to initially set authentication credentials, reset authenticators, and reissue and invalidate authenticators when requested by the Primary Contact or when suspicious access is attempted.

4.4 Credential Revocation Procedures
4.4(a) The Primary Contact may request replacement credentials at membership@ceresforum.com or from the FS-ISAC Help Desk, toll-free at (877) 612-2622, #2 inside the U.S. or +1 (571) 252-8517 outside the U.S.
4.4(b) If a credential is rejected on three separate occasions it will be disabled without notice to the Primary Contact. It is the responsibility of the Primary Contact to ensure FS-ISAC has current contact information for each Access Coordinator.


4.5 Unauthorized Use or Compromise of Credentials
4.5(a) ANY SUSPECTED COMPROMISE OR UNAUTHORIZED USE OF ANY CREDENTIAL MUST BE IMMEDIATELY REPORTED TO THE FS-ISAC SECURITY OPERATIONS CENTER at (877) 612-2622, #2 inside the U.S. or +1 (571) 252-8517 outside the U.S.

4.6 Failed Access Credentials
4.6(a) If any credentials become inoperative, FS-ISAC Administration must be contacted at (877) 612-2622, #2 inside the U.S. or +1 (571) 252-8517 outside the U.S., or at membership@ceresforum.com, for instructions on how to receive a replacement.

4.7 Terminating Relationship
4.7(a) Upon termination of the CERES Forum Subscriber Agreement for any reason, access credentials to the CERES Forum portal will be terminated.

5. Operations

5.1 Overview
5.1(a) FS-ISAC has established a business relationship with a service provider to deliver the CERES Forum portal services to the Members. FS-ISAC and the service provider have a formal Service Level Agreement for the various services. Members may contact FS-ISAC staff for details.
5.1(b) A general overview of the CERES Forum operations follows:
1. The intent of the CERES Forum is to:
Provide a trusted means for central bank, regulatory, and supervisory agencies to share best practices concerning regulatory and compliance controls; and to hear from industry which controls are most effective.
Rapidly distribute cyber threats, vulnerabilities, incidents and other intelligence that could impact financial services, including those attacks that target central banks, regulatory and supervisory agencies.
Leverage FS-ISAC intelligence products as applicable.
2. Members have the capability to submit information voluntarily and anonymously to the database, which will be authenticated by the system as a submission from a current authorized Member. When a Member chooses to submit information anonymously no one will know who submitted the information. CERES Forum Members will only know an authorized and vetted Member submitted the data.
3. Information in the database will be available via secure, encrypted web-based connections only to current authorized Members.
5.1(c) Information Sources: Information is contributed by Members submitting anonymously or with attribution.
5.1(d) Sanitizing of Submitted Information: Members are solely responsible for ensuring that submissions intended to be anonymous are submitted without identifying information. However, all incident information submitted to the CERES Forum will be reviewed by staff to assure there is no reference to the submitter or the company on an anonymous submission.

5.2 Submission of Information to the CERES Forum
5.2(a) The mission of the CERES Forum is to provide a trusted means for central bank, regulatory, and supervisory agencies to:
Share best practices concerning regulatory and compliance controls;
Hear from industry which controls are most effective; and
Distribute rapidly information on cyber threats, vulnerabilities, and other intelligence that could impact financial services, including those attacks that target central banks, regulatory and supervisory agencies.
5.2(b) This sharing of information is expected to be beneficial for preparedness, protection, crisis management and recovery.
5.2(c) The following definitions are offered as guidance to Members for categorizing and classifying information being considered for submission:
1. Incidents
  • Cyber security breaches or incidents of a new or evolving nature that clearly go beyond daily norms, appear to have broad consequences, correlate to incidents reported by others, or correlate to specific threat information received.
  • Cyber security breaches or incidents having a significant impact on operations (e.g. Denial of Service attacks, attacks on integrity) or are of a recurring or persistent and insidious nature.
  • Security breaches or incidents related to criminal activities (e.g. fraud, extortion, or espionage).
  • Incidents are classified by their severity.
2. Threats
  • Specific or general cyber threats to any component or entity; knowledge uncovered of threats against other sectors or entities.
  • Details of “hacker”, “nation state” or “criminal” information, posing a threat to infrastructure or systems.
  • Threat information or indicators received from credible sources.
3. Vulnerabilities
  • Items reported by national CERT organizations or other homeland security or law enforcement agencies, reputable information sharing groups, or security provider alert bulletins that are considered to be of operational importance to the banking and finance infrastructure because of architecture, operational procedures or knowledge of historical exploitation of vulnerabilities of a similar nature.
  • Reports of and/or validation of vulnerability hoaxes being perpetrated.
  • Operational vulnerabilities experienced by vendor or service providers that could impact the sector broadly (e.g., cryptographic exploits, authentication technology exploits).
  • Results of an investigation of vulnerabilities or the validation of specific vulnerabilities within systems.
4. Resolutions and Solutions
  • CERES Forum Members propagate resolutions and solutions by providing intelligence and information as a help source for peer organizations. Resolutions to specific incidents are posted to the CERES Forum database.
  • Members submit and update resolutions of incidents reported, and postings may be done anonymously. Submitted resolutions are not checked for technical accuracy by FS-ISAC. Resolutions can be a single activity such as apprehension of an individual causing the incident or a combination of events such as implementation of new processes or controls or reconfiguration of key equipment.
  • Members are requested to provide any practical knowledge uncovered when working to address specific vulnerabilities or threats (e.g., effectiveness of methods or practices dealing with e-mail borne virus or trojan horse programs). Resolutions are categorized as a technical solution or a business process solution.
  • Policy issues and recommendations
  • Critical infrastructure threats

5.3 Government or Law Enforcement Information (NCCIC liaison)
5.3(a) Information may be accepted and authenticated as coming directly from governments, government agencies, state, provincial or local governments, or law enforcement regarding incidents, threats, and vulnerabilities.
5.3(b) FS-ISAC may provide data on specific events or incidents to appropriate government and law enforcement agencies, and private sector partners such as critical infrastructure ISACS, when there is potential benefit to the financial sector and only with the consent of the CERES Member providing the information. Information is shared without attribution to the incident originator and can help provide relevant intel of the financial sector threat landscape. 

5.4 Member Submission Modes
5.4(a) Attributable: Members may submit attributable information by using the attributable submission option on the database, or sending to iat@FSISAC.com or telephone (877) 612-2622 in US and +1 (571) 252-8517 outside U.S. Attributable communications will be authenticated by the Access Coordinator password.
5.4(b) Anonymous: Members may submit information anonymously by using the anonymous submission form on the CERES Forum portal. Alternatively, using anonymous credentials, an e-mail may be sent to iat@FSISAC.com.

5.5 Traffic Light Protocol
5.5(a) All information submitted, processed, stored, archived, or disposed of is classified and handled in accordance with its classification.
5.5(b) Information is classified using the Traffic Light Protocol (TLP), defined as:

Color: RED
When should it be used? Sources may use TLP RED when the information’s audience must be tightly controlled, because misuse of the information could lead to impacts on a party's privacy, reputation, or operations. The source must specify a target audience to which distribution is restricted.
How may it be shared? Recipients may not share TLP RED information with any parties outside of the specific exchange, meeting, or conversation in which it is originally disclosed.

Color: AMBER
When should it be used? Sources may use TLP AMBER when information requires support to be effectively acted upon, but carries risks to privacy, reputation, or operations if shared outside of the organizations involved.
How may it be shared? Recipients may only share TLP AMBER information with staff in their own organization who need to know, or with service providers to mitigate risks to the Member’s organization if the providers are contractually obligated to protect the confidentiality of the information. TLP AMBER information can be shared with those parties specified above only as widely as necessary to act on the information.

Color: GREEN
When should it be used? Sources may use TLP GREEN when information is useful for the awareness of all participating organizations as well as with peers within the broader community.
How may it be shared? Recipients may share TLP GREEN information with peers, supervised entities, trusted government and critical infrastructure partner organizations, and service providers with whom they have a contractual relationship, who have a need-to-know, but not via publicly accessible channels.

Color: WHITE
When should it be used? Sources may use TLP WHITE when information carries minimal or no foreseeable risk of misuse, in accordance with applicable rules and procedures for public release.
How may it be shared? TLP WHITE information may be distributed without restriction, subject to copyright controls.

5.5(c) If no marking is specified, the information shall be treated as Confidential Information, TLP: Amber.
5.5(d) Information classified as Green, Amber, or Red must be disclosed, transported, stored, transmitted, and disposed of in a safe and secure manner using controls appropriate to the level of classification. These controls include, but are not limited to, encryption, shredding, securely erasing, and degaussing of media.
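The handling table in 5.5(b) and the default in 5.5(c) can be enforced in code before a Member forwards a submission. The following is an added example, not FS-ISAC or CERES Forum code; the `Relation` categories, the `Recipient` fields and the sample submissions are assumptions constructed for illustration.

```python
"""Policy-as-code for the CERES Forum TLP handling rules (Section 5.5)."""
from __future__ import annotations
import re
from dataclasses import dataclass
from enum import Enum


class TLP(Enum):
    RED = "RED"
    AMBER = "AMBER"
    GREEN = "GREEN"
    WHITE = "WHITE"


class Relation(Enum):
    # Assumed categories for who the prospective recipient is, relative to
    # the Member that holds the information.
    SAME_EXCHANGE = "same_exchange"          # party to the original exchange
    OWN_ORGANIZATION = "own_organization"    # staff of the recipient Member
    SERVICE_PROVIDER = "service_provider"    # vendor engaged by the Member
    PEER = "peer"                            # another central bank/regulator
    SUPERVISED_ENTITY = "supervised_entity"
    GOVERNMENT_PARTNER = "government_partner"  # trusted gov / CI partner
    PUBLIC = "public"                        # press, open website, etc.


@dataclass(frozen=True)
class Recipient:
    relation: Relation
    need_to_know: bool = False
    contractually_bound: bool = False   # confidentiality clause in place
    public_channel: bool = False        # e.g. a publicly readable page


# Accepts "TLP:RED", "TLP: Amber", "tlp green" and similar spellings.
_MARKING = re.compile(r"\bTLP\s*:?\s*(RED|AMBER|GREEN|WHITE)\b", re.IGNORECASE)


def parse_marking(text: str) -> TLP:
    """Return the TLP marking on a submission; unmarked text is treated as
    Confidential / TLP AMBER as Rule 5.5(c) requires (hypothetical helper)."""
    match = _MARKING.search(text)
    return TLP(match.group(1).upper()) if match else TLP.AMBER


def may_share(level: TLP, to: Recipient) -> tuple[bool, str]:
    """Apply the 5.5(b) table; returns (allowed, reason) so the reason can be
    logged next to the decision. Checks run from most to least restrictive."""
    if level is TLP.WHITE:
        return True, "TLP WHITE: no restriction beyond copyright controls"
    if to.public_channel or to.relation is Relation.PUBLIC:
        return False, f"TLP {level.value}: not via publicly accessible channels"
    if to.relation is Relation.SAME_EXCHANGE:
        return True, f"TLP {level.value}: recipient is party to the exchange"
    if level is TLP.RED:
        return False, "TLP RED: may not leave the specific exchange"
    if not to.need_to_know:
        return False, f"TLP {level.value}: recipient has no need to know"
    if to.relation is Relation.SERVICE_PROVIDER and not to.contractually_bound:
        return False, f"TLP {level.value}: provider not contractually bound"
    if level is TLP.AMBER and to.relation not in (
        Relation.OWN_ORGANIZATION, Relation.SERVICE_PROVIDER
    ):
        return False, "TLP AMBER: only own staff or contracted providers"
    return True, f"TLP {level.value}: permitted for {to.relation.value}"


def check_submission(text: str, to: Recipient) -> tuple[TLP, bool, str]:
    """Classify a submission from its marking, then decide on sharing."""
    level = parse_marking(text)
    allowed, reason = may_share(level, to)
    return level, allowed, reason


if __name__ == "__main__":
    # Constructed sample submissions, not real CERES Forum data.
    samples = [
        "TLP:RED Incident summary restricted to the 12 June call participants",
        "TLP: Amber Phishing lure themed on a regulatory reporting deadline",
        "Green: vendor bulletin indicators (no explicit TLP marking present)",
    ]
    vendor = Recipient(Relation.SERVICE_PROVIDER, need_to_know=True,
                       contractually_bound=True)
    for sample in samples:
        print(check_submission(sample, vendor))
```

The third sample carries no `TLP` marking, so it is classified AMBER by default rather than GREEN; the vendor may receive it only because it is both need-to-know and contractually bound.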

6. CERES Forum System Security Monitoring

6.1 Monitoring and Testing
6.1(a) The CERES Forum systems are actively monitored 24/7. FS-ISAC operators use reasonable efforts to notify Members of the status of the system through the alert mechanism specified by each Member Access Coordinator (e.g., mobile device).
6.1(b) FS-ISAC will use a third party, on at least an annual basis, to complete a formal, documented penetration test of the portal. Results of this test will be delivered to FS-ISAC and the CERES Forum Steering Committee and made available to Members on request.

7. Help Desk Policy and Procedures

7.1 User Support Contact
7.1(a) Members may contact the Help Desk for assistance with any CERES Forum problems by calling (877) 612-2622 inside the U.S. or +1 (571) 252-8517 outside the U.S., or by emailing membership@ceresforum.com.

8. Antitrust/Competition Provisions

8.1 Policy
8.1(a) FS-ISAC, CERES Forum and its Members will comply with all laws and regulations governing antitrust and anticompetitive practices. FS-ISAC officers, directors, staff, and CERES Forum Members must not engage in any conduct that may constitute violation of these laws, including but not limited to price fixing, group boycotts, or allocations of markets among organizations or institutions.
8.1(b) To assure compliance with this policy:
1. Members are prohibited from discussing any company-specific, competitively sensitive information, including terms, sales, conditions, pricing, or plans, related to their firms or other firms, including vendors or service providers they engage.
2. The CERES Forum portal and its forums are not to serve as a conduit for discussions or negotiations between or among vendors, manufacturers or security service providers with respect to any Member or group of Members.
3. Neither FS-ISAC staff, officers, and directors nor the CERES Forum Members, committees, and committee chairs are to recommend, in any FS-ISAC or CERES Forum sponsored exchange or forum, in favor of or against the coordinated boycott or adoption of any company or of any product or service of particular manufacturers or vendors.
4. Each Member will determine the effect of the exchanged information on its individual purchasing and related decisions.
5. Any breach of these guidelines will be reviewed by the CERES Forum Steering Committee and FS-ISAC Board of Directors and may result in termination of the organization’s membership and forfeiture of remaining fees.
6. Committee chairs, directors or staff will designate a responsible party to publish and disseminate minutes of CERES Forum meetings.

9. Confidentiality

9.1 Confidentiality Requirement
9.1(a) Steering Committee members, officers, FS-ISAC staff and CERES Forum Members may have access to or receive from FS-ISAC, the CERES Forum, CERES Forum Members, or affiliated partners certain trade secrets and other information pertaining to the disclosing party or its employees, customers and suppliers (“Confidential Information”).
9.1(b) Committee members, officers, staff and CERES Forum Members agree that all such trade secret and other information obtained shall be considered confidential and proprietary to the disclosing party.
9.1(c) As stipulated in Section 5.5, Traffic Light Protocol, all information is classified as Confidential (Amber) by default unless specifically classified otherwise.
9.1(d) Staff and contractors are required to execute a Confidentiality Agreement as a condition of employment. CERES Forum Members, including Steering Committee members and officers, are bound by the terms of the CERES Forum Subscriber Agreement.
9.1(e) Parties in possession of Confidential information may be requested to disclose Confidential information to law enforcement, a government authority or other third-party, pursuant to subpoena or other legal order. To the extent allowed by law, the disclosing party will use reasonable and customary efforts to provide FS-ISAC and the CERES Forum with advance notice of such disclosure to allow FS-ISAC and impacted parties to seek an appropriate protective order or other relief to prohibit or limit such disclosure.

9.2 Confidentiality Agreement
9.2(a) Recipients of Confidential Information will be obligated to:
1. Protect and preserve the confidential and proprietary nature of all Confidential information.
2. Not disclose, give, sell, or otherwise transfer or make available, directly or indirectly, any Confidential information to any third-party for any purpose, except as expressly permitted in writing by FS-ISAC and the disclosing party.
3. Not use, or make any records or copies of, the Confidential Information, except as needed in order to provide specific services in the conduct of their duties, or as required by law or regulations, or as needed to use the information effectively to mitigate risk in their respective organizations.
4. Limit the dissemination of the Confidential Information to those with the need to know the Confidential Information, provided that such individuals are obligated to maintain the confidential and proprietary nature of the Confidential Information.
5. Return all Confidential Information and any copies thereof as soon as it is no longer needed or immediately upon the disclosing party’s request, to the extent permitted by law and regulatory retention requirements.
6. Notify the FS-ISAC and the CERES Forum immediately of any loss or misplacement of Confidential Information, and
7. Comply with any reasonable security procedures designated in the Confidentiality Agreement as may be prescribed by FS-ISAC and the CERES Forum for protection of the Confidential Information.

10. Rules Modification and Precedence

10.1 Modification of Rules Approvals
10.1(a) From time to time these Rules and the CERES Forum Subscription Agreement may be modified with the approval of FS-ISAC. E-mail notifications to current Members will be provided at that time. All changes will be highlighted and/or annotated for applicability.