FS-ISAC CERES Operating Rules

1.0 The Central Bank and Regulator Supervisor Forum (CERES)
The CERES Forum is a program of the Financial Services Information Sharing and Analysis Center, Inc. (“FS-ISAC”) within FS-ISAC that is subject to the overall management and supervision of FS-ISAC. Subscribership in the CERES Forum does not constitute membership in FS-ISAC.

2.0 Overview

2.1 CERES Forum

2.1(a) The CERES Forum portal, database and information sharing tools are in a secure facility. The FS-ISAC provides for authenticated and, when appropriate, anonymous, and confidential sharing between and among CERES Forum Subscribers. Subscribers may share intelligence and information relevant to the CERES Forum provided here as strategic intelligence, financial sector resilience and cooperative defense, and Public-Private cooperation. All information is shared securely via a portal among Subscribers of the CERES Forum, in CERES Forum calls and meetings, and the CERES Forum mailing list.

2.1(b) Terminology and Definitions:

1. Primary Contact is defined as the person designated by Subscriber to whom all FS-ISAC notices, invoices and other information is delivered. The Primary Contact represents the Subscriber and attests any Subscriber employees and agents who use the CERES Forum will comply with the CERES Forum Agreement, Operating Rules and End-User License Agreement (“Rules”) and ensure strict confidentiality of CERES Forum information. The Primary Contact is responsible for ensuring all Access Coordinators (as defined below) are current, have the need for credentials and have the appropriate authority to use the credentials issued by the FS-ISAC for the CERES Forum.
2. Access Coordinators (“Users”) are those employees and agents identified by the Primary Contact as authorized to have CERES Forum credentials.
3. CERES Forum Portal or Portal refers to the Internet site that provides access to the private information that is exclusively available to CERES Forum Subscribers after successful completion of the authentication process.

2.1(c) The database of information created may be augmented by information provided by commercial, government and other sources of relevant information. Information submitted by CERES Forum  Subscribers will not be shared with non-Subscribers unless the CERES Forum Subscriber indicates it is permissible to share the submitted information to other specified groups such as law enforcement, country or national level security organizations, critical infrastructure sectors, or with other affiliated entities that may enter into information sharing agreements with FS-ISAC.
2.1(d) Subscribership will be limited to any Central Bank and/or an entity with regulatory or supervisory responsibilities which meet the eligibility criteria established by FS-ISAC and the CERES Forum as defined in Section 3.1.
2.1(e) Subscribers will enroll by completing the appropriate CERES Forum Subscriber Application, accepting the CERES Forum Agreement, and paying any applicable annual fee. Subscribers and their Access Coordinators abide by the CERES Forum Agreement, EULA and these Rules.
2.1(f) The CERES Forum will be governed and managed by FS-ISAC under the processes and authorities established in the by-laws of FS-ISAC and CERES Forum Charter.

2.2 Cornerstones of Sharing

2.2(a) Submission Anonymity: Faith that submissions will pose no competitive threat and will be without attribution to the originating Subscriber if the submission is submitted anonymously.
2.2(b) Authenticated Sharing of Information: The CERES Forum structure will allow certain information, such as events, incidents, threats, vulnerabilities, resolutions and solutions, to be shared in an authenticated, anonymous and private manner. Recipients of alerts are confident information is from an authorized and vetted source.
2.2(c) FS-ISAC Owned and Operated: Assurance that the database and input is owned by FS-ISAC and/or the CERES Forum Subscribers, submitted to a private sector service provider, and managed by a professional staff in accordance with the CERES Forum Charter and these Rules.
2.2(d) No Freedom of Information Act (FOIA) Access: Control of the portal by the private sector ensures that the CERES Forum database is not subject to Freedom of Information Act requests from the press or others that are not Subscribers of the CERES Forum.

3.0 Subscriber Eligibility & Enrollment

3.1 CERES Forum Subscriber Eligibility

3.1(a) Subscribership is open to the entities below, provided they are not subject to international sanctions or other special designated nationals lists.

1. Central Banks.
2. Entities with regulatory or supervisory responsibility for financial institutions or firms.
3. Other entities as may be determined by the CERES Forum Steering Committee and FS-ISAC which would be beneficial to the CERES Forum.
4. FS-ISAC, at its discretion, can deny CERES Forum subscribership to any organization that does not meet the CERES Forum eligibility requirements, subscription agreement requirements or discretion of the CERES Forum Steering Committee and FS-ISAC.

3.1(b) Other Requirements:

1. Subscribers:
2. Adhere to all applicable regulations and laws, including antitrust, privacy, and other relevant laws.
3. Adhere to strict standards for professional conduct.
4. Remain current with all financial obligations to FS-ISAC.
5. Subscribers must immediately notify FS-ISAC if their eligibility status changes.
6. FS-ISAC may conduct periodic member eligibility reviews to assure compliance.

3.1(c) FS-ISAC reviews the application and verifies the applicant through a variety of sources including OFAC Sanctions database and other relevant information sources. If there are questions regarding eligibility, FS-ISAC may require further information and/or conduct an internal review for an eligibility decision.

3.2 Enrollment Process and Procedures

3.2(a) An organization wishing to become a Subscriber in the CERES Forum may obtain all relevant information including these Rules, the CERES Forum Agreement and EULA at FS-ISAC Terms. CERES Forum Agreement acceptance and information to facilitate any payment of fees will be made through DocuSign.
3.2 (b) FS-ISAC may use trusted third-party sources to verify applicant eligibility. The Primary Contact and Access Coordinator(s) identification must be completed.
3.2(c) Upon execution of the Sales Order participation will be enabled.
3.2(d) CERES Forum Subscribers will not be entitled to a refund of any fees.

4.0 Enrollment Material and Activation

4.1 CERES Forum Portal Activation

4.1(a) FS-ISAC will contact the Primary Contact to activate the account once the Agreement is fully executed to provide the Primary Contact access credentials.

4.2  User Hardware and Software Requirements

4.2(a) There are no special hardware or software requirements to use the database. A Subscriber or User must have the capability to securely access the Internet.

4.3 CERES Forum Portal Access Credentials

4.3(a) Access credentials are issued to the Subscribers’ Access Coordinators. Credentials are allocated to individuals as determined by the Subscriber and are tracked and monitored for use. Once authenticated, the User may submit an incident anonymously or with attribution. Credentials allow access to the CERES Forum databases and search functions. It is the responsibility of the Subscriber’s Primary Contact to manage and maintain internal control and the status of these credentials.
4.3(b) Processes are established to initially set authentication credentials, reset authenticators, reissue and invalidate authenticators when requested to by the Primary Contact or when suspicious access is attempted.

4.4 Credential Revocation Procedures

4.4(a) The Primary Contact may request replacement credentials at ceresadmin@ceresforum.com.
4.4(b) If a credential is rejected on three separate occasions it will be disabled without notice to the Primary Contact. It is the responsibility of the Primary Contact to ensure FS-ISAC has current contact information for each Access Coordinator.

4.5 Unauthorized Use or Compromise of Credentials

4.5(a) ANY SUSPECTED COMPROMISE OR UNAUTHORIZED USE OF ANY CREDENTIAL MUST BE  IMMEDIATELY REPORTED TO FS-ISAC SECURITY OPERATIONS CENTER at ceresadmin@ceresforum.com.

4.6 Failed Access Credentials

4.6(a) If any credentials become inoperative, FS-ISAC must be contacted at ceresadmin@ceresforum.com for instructions on how to receive a replacement.

4.7 Terminating Relationship

4.7(a) Upon termination of the CERES Forum Agreement for any reason, access credentials to the CERES Forum portal and all other CERES Forum services will be terminated.

5.0 Operations

5.1 Overview

5.1(a) FS-ISAC has established a business relationship with a service provider to deliver the CERES Forum portal services. FS-ISAC and the service provider have a formal Service Level Agreement for the various services. Subscribers may contact ceresadmin@ceresforum.com for details.

5.1(b) A general overview of the CERES Forum operations follows:

1. The intent of the CERES Forum is to:
2. Provide a trusted means for a Central Bank, regulatory and/or supervisory agencies to share best practices concerning regulatory and compliance controls; and to hear from industry which controls are most effective.
3. Rapidly distribute cyber threats, vulnerabilities, incidents and other intelligence that could impact financial services, including those attacks that target Central Banks, regulatory and supervisory agencies.
4. Leverage FS-ISAC intelligence products as applicable.
5. Subscribers have the capability to submit information voluntarily and anonymously to the database, which will be authenticated by the system as a submission from a current authorized Subscriber. When a Subscriber chooses to submit information anonymously no one will know who submitted the information. CERES Forum Subscribers will only know an authorized and vetted Subscriber submitted the data.
6. Information in the database will be available via secure, encrypted web-based connections only to current authorized Subscribers.

5.1(c) Information Sources: Information is contributed by Subscribers submitting anonymously or with attribution.

5.1(d) Sanitizing of Submitted Information: Subscribers are solely responsible for ensuring that submissions intended to be anonymous are submitted without identifying information. However, all incident information submitted to the CERES Forum will be reviewed by staff to assure there is no reference to the submitter or the company on an anonymous submission.

5.2 Submission of Information to the CERES Forum

5.2(a) The mission of the CERES Forum is to provide a trusted means for Central Bank, regulatory, and supervisory agencies to:

1. Share best practices concerning regulatory and compliance controls;
2. Hear from industry which controls are most effective; and
3. Distribute information rapidly on cyber threats, vulnerabilities, and other intelligence that could impact financial services, including, but not limited to those attacks that target Central Banks, regulatory and supervisory agencies.

5.2(b) This sharing of information is expected to be beneficial for preparedness, protection. crisis management and recovery.
5.2(c) The following definitions are offered as guidance to Subscribers for categorizing and classifying information being considered for submission:
1. Incidents
a. Cyber security breaches or incidents experienced of a new evolving nature; that clearly go beyond daily norms or appear to have broad consequences; correlate to incidents reported by others or correlate to specific threat information received.
b. Cyber security breaches or incidents having a significant impact on operations (e.g., Denial of Service attacks, attacks on integrity) or are of a recurring or persistent and insidious nature.
c. Security breaches or incidents related to criminal activities (e.g., fraud, extortion, or espionage).
d. Incidents are classified by the nature of the severity.
2. Threats
a. Specific or general cyber threats to any component or entity; knowledge uncovered of threats against other sectors or entities.
b. Details of “hacker”, “nation state” or “criminal” information, posing a threat to infrastructure or systems.
c. Threat information or indicators received from credible sources.
3. Vulnerabilities
a. Items reported by national CERT organizations or other homeland security law enforcement agencies, reputable information sharing groups, or security provider alert bulletins considered to be of operational importance to the banking and finance infrastructure because of architecture, operational procedures or knowledge of historical exploitation of vulnerabilities of similar nature.
b. Reports of and/or validation of vulnerability hoaxes being perpetrated.
c. Operational vulnerabilities experienced by vendor or service providers that could impact the sector broadly (e.g., cryptographic exploits, authentication technology exploits).
d. Results of an investigation of vulnerabilities or the validation of specific vulnerabilities within systems.

4. Resolutions and Solutions
a. CERES Forum Subscribers propagate resolutions and solutions by providing intelligence and information as a help source for peer organizations. Resolutions to specific incidents are posted to the CERES Forum database.
b. Members submit and update resolutions of incidents reported, and postings may be done anonymously. Submitted resolutions are not checked for technical accuracy by FS-ISAC. Resolutions can be a single activity such as apprehension of an individual causing the incident or a combination of events such as implementation of new processes or controls or reconfiguration of key equipment.
c. Subscribers are requested to provide any practical knowledge uncovered when working to address specific vulnerabilities or threats (e.g., effectiveness of methods or practices dealing with e-mail borne virus or trojan horse programs). Resolutions are categorized as a technical solution or a business process solution.
d. Policy issues and recommendations.
e. Critical infrastructure threats.

5.3 Government or Law Enforcement Information

5.3(a) Information may be accepted and authenticated as coming directly from governments, government agencies, state, provincial or local governments, or law enforcement regarding incidents, threats, and vulnerabilities.
5.3(b) FS-ISAC may provide data on specific events or incidents to appropriate government and law enforcement agencies, and private sector partners such as critical infrastructure ISACS, when there is potential benefit to the financial sector and only with the consent of the CERES Subscriber providing the information. Information is shared without attribution to the incident originator and can help provide relevant intel of the financial sector threat landscape.

5.4 Subscriber Submission Modes

5.4(a) Attributable: Subscribers may submit attributable information by using the attributable submission option on the database or sending to sharingops@fsisac.com.
5.4(b) Anonymous: Subscribers may submit information anonymously by using the anonymous submission form on the CERES Forum portal.

5.5 Traffic Light Protocol

5.5(a) All information submitted, processed, stored, archived, or disposed of is classified and handled in accordance with its classification.
5.5(b) Information is classified using the Traffic Light Protocol (TLP), defined as:

1. RED. Sources may use RED when the audience for the information must be tightly controlled, because misuse of the information could lead to impacts on a party's privacy, reputation, or operations. The source must specify a target audience to which distribution is restricted. Recipients may not share RED information with any parties outside of the original recipients.
2. AMBER. Recipients may only share TLP AMBER information with staff in their own organization who need to know, or with service providers to mitigate risks to the Subscriber’s organization if the providers are contractually obligated to protect the confidentiality of the information. TLP AMBER information can be shared with those parties specified above only as widely as necessary to act on the information.
3. GREEN. Sources may use GREEN when the information is useful for the awareness of all subscriber organizations as well as peers within the broader community. Recipients may share GREEN information with peers, trusted government and critical infrastructure partner organizations and service providers with whom they have a contractual relationship, but not through publicly accessible channels.
4. WHITE. Sources may use WHITE when the information carries minimal or no foreseeable risk of misuse, in accordance with applicable rules and procedures for public release. WHITE information may be distributed without restriction, subject to copyright controls.

5.5(c) If no marking is specified, the information shall be treated as Confidential Information, TLP Amber.
5.5(d) Information classified as Green, Amber, or Red must be disclosed, transported, stored, transmitted, and disposed of in a safe and secure manner using controls appropriate to the level of classification. These controls include, but are not limited to, encryption, shredding, securely erasing, and degaussing of media.

6.0 CERES Forum System Security Monitoring

6.1 Monitoring and Testing

6.1(a) The CERES Forum systems are actively monitored 24/7. FS-ISAC operators use reasonable efforts to notify Subscribers of the status of the system through the alert-mechanism specified by each Subscriber Access Coordinator (i.e., mobile device).

7.0 Help Desk Policy and Procedures

7.1 User Support Contact

7.1(a) Subscribers may contact Help Desk to assist with any CERES Forum problems at ceresadmin@ceresforum.com.

8.0 Antitrust/Competition Provisions

8.1Policy

8.1(a) FS-ISAC, CERES Forum and its Subscribers will comply with all laws and regulations governing antitrust and anticompetitive practices. FS-ISAC officers, directors, staff, CERES Steering Committee and CERES Forum Subscribers must not engage in any conduct that may constitute violation of these laws, including but not limited to price fixing, group boycotts, or allocations of markets among organizations or institutions.
8.1(b) To assure compliance with this policy:

1. Subscribers are prohibited from discussing any company-specific, competitively sensitive information, including terms, sales, conditions, pricing, or plans, related to their firms or other firms,  including vendors or service providers they engage.
2. The CERES Forum portal and its forums are not to serve as a conduit for discussions or negotiations between or among vendors, manufacturers or security service providers with respect to any Subscriber or group of Subscribers.
3. Neither FS-ISAC staff, officers, and directors nor the CERES Forum Subscribers, committees, and committee chairs are to recommend in any FS-ISAC or CERES Forum sponsored exchange or forum in favor of or against the coordinated boycott or adoption of any company or product or service of particular manufacturers or vendors;
4. Each Subscriber will determine the effect of the exchanged information on its individual purchasing and related decisions.
5. Any breach of these guidelines will be reviewed by the CERES Forum Steering Committee and FS- ISAC Board of Directors and may result in termination of the organization’s membership and forfeiture of remaining fees.
6. Committee chairs, directors or staff will designate a responsible party to publish and disseminate minutes of CERES Forum meetings.

9.0 Confidentiality

9.1 Confidentiality Requirement

9.1(a) Steering Committee subscribers, officers, FS-ISAC staff and CERES Forum Subscribers may have access to or receive from FS-ISAC, the CERES Forum, CERES Forum Subscribers, or affiliated partners certain trade secrets and other information pertaining to the disclosing party or its employees, customers and suppliers (“Confidential Information”).
9.1(b) Committee members, officers, staff and CERES Forum Subscribers agree that all such trade secret and other information obtained shall be considered confidential and proprietary to the disclosing party.
9.1(c) As stipulated in Section 5.5, Traffic Light Protocol, all information is classified as Confidential (Amber) by default unless specifically classified otherwise.
9.1(d) Staff and contractors are required to execute a Confidentiality Agreement as a condition of employment. CERES Forum Subscribers, including Steering Committee subscribers and officers, are bound by the terms of the Rules.
9.1(e) Parties in possession of Confidential information may be requested to disclose Confidential information to law enforcement, a government authority or other third-party, pursuant to subpoena or other legal order. To the extent allowed by law, the disclosing party will use reasonable and customary efforts to provide FS-ISAC and the CERES Forum with advance notice of such disclosure to allow FS-ISAC and impacted parties to seek an appropriate protective order or other relief to prohibit or limit such disclosure.

9.2 Confidentiality Agreement

9.2(a) Recipients of Confidential Information will be obligated to:

3. Protect and preserve the confidential and proprietary nature of all Confidential information.
4. Not disclose, give, sell, or otherwise transfer or make available, directly or indirectly, any Confidential information to any third-party for any purpose, except as expressly permitted in writing by FS-ISAC and the disclosing party.
   Not use, or make any records or copies of, the Confidential Information, except as needed in order to provide specific services in the conduct of their duties, or as required by law or regulations, or as needed to use the information effectively to mitigate risk in their respective organizations.
5. Limit the dissemination of the Confidential Information to those with the need to know the Confidential Information, provided that such individuals are obligated to maintain the confidential and proprietary nature of the Confidential Information.
6. Return all Confidential Information and any copies thereof as soon as it is no longer needed or immediately upon the disclosing party’s request, to the extent permitted by law and regulatory retention requirements.
7. Notify the FS-ISAC and the CERES Forum immediately of any loss or misplacement of Confidential Information, and
8. Comply with any reasonable security procedures designated in the Confidentiality Agreement as may be prescribed by FS-ISAC and the CERES Forum for protection of the Confidential Information.

10.0 Rules Modification and Precedence

10.1 Modification of Rules Approvals

10.1(a) From time to time these Rules and the CERES Forum Agreement may be modified with the approval of FS-ISAC. Notifications to current Subscribers will be provided at that time.