1.1 These Operating Rules provide guidance to users of the Financial Services Information Sharing & Analysis Center (FS-ISAC) products and services and outline participation in FS-ISAC, its governance, and the security measures that protect the integrity of the organization and its participants. From time to time these Operating Rules may be modified with the approval of the Board of Directors. Members will be notified of any revisions to the Operating Rules.
1.1 (a) There are four (4) types of FS-ISAC participants:
Member. A financial services firm or financial trade association participating in the products and services available at its defined Tier. Membership is limited to regulated banking and financial services firms and financial industry associations. Regulators and supervisors are not allowed access to the FS-ISAC channels; however, specifically authorized regulator or supervisor staff with a need for such information (for example, to protect their own infrastructure) may participate.
Vendor. A provider of cybersecurity products and/or services for financial sector stakeholders.
Managed Security Services Provider (MSSP). A company that provides critically important services to secure financial firm networks and infrastructure.
Critical Notification Only Participant (CNOP). A small US community institution or credit union with assets under $1B that has chosen to receive only intelligence categorized as critical to the financial sector. CNOPs do not participate in the FS-ISAC member platforms.
1.1 (e) FS-ISAC regularly distributes alerts based on information obtained from member submissions and issues analytical reports related to this information. All alerts and reports are maintained in the FS-ISAC platform known as SHARE. Reports provided by commercial, government and other sources of relevant information may be included. All information is classified under the Traffic Light Protocol (TLP), which prohibits the sharing of TLP AMBER and TLP RED information outside of the membership. Information distributed via SHARE is provided to members without attribution of the originator.
2. ENROLLMENT MATERIAL AND ACTIVATION
2.1 Once organizations are vetted and approved by FS-ISAC and have completed the steps in 1.1 (b), 1.1 (c) and 1.1 (d), users from that organization are given access to the products and services of FS-ISAC. Member access is based on the company type and enrolled Tier and, in some cases, the approval of the Primary Contact for that organization. Vendor access is based on the company's enrolled level and, in some cases, the approval of the Primary Contact for that organization.
2.2 Intelligence Exchange Access
2.2 (a) The FS-ISAC Intelligence Exchange (IntelX) is the central hub for FS-ISAC applications and products. To access Intelligence Exchange, users from member or vendor firms must complete a user profile, which includes the contact information needed to enable Two-Factor Authentication (2FA). Once access to Intelligence Exchange is gained, members will be able to access (dependent on Tier and user licensing) FS-ISAC applications and products, including but not limited to:
SHARE. FS-ISAC’s threat intelligence sharing app is available to all member firms based on their member Tier, excluding Vendors. Each Tier provides a certain number of licenses allocated to individual users within the member firm, which is decided by the member’s Primary Point of Contact (POC). SHARE holds all the FS-ISAC alerts, finished intelligence analysis and reports.
CONNECT. FS-ISAC’s secure chat platform is available to all member firms excluding MSSPs and Vendors. There are no licensing restrictions related to CONNECT access. Members can engage in knowledge sharing across various themes and topics with other members. CONNECT is available to all users in a member organization and is not exclusive to threat intelligence personnel.
Automated Feeds. STIX/TAXII and MISP accounts are for machine-to-machine consumption. FS-ISAC's STIX/TAXII feed and MISP collections each use a separate set of credentials, with a license associated with each credential set. Automated Feed credentials must be explicitly requested by contacting email@example.com. In the spirit of good resource stewardship, FS-ISAC decommissions Automated Feed accounts that have been unused for 90 or more days.
2.2 (b) Processes are established to initially set authentication credentials, reset authenticators, and reissue and invalidate authenticators when requested by the Primary Contact or when suspicious access is identified.
2.3 Credential Revocation Procedures
2.3 (a) The Primary Contact may request to add or remove users from any service by contacting firstname.lastname@example.org. The Primary Contact must report termination of personnel with Intelligence Exchange credentials immediately.
2.4 Unauthorized Use or Compromise of Credentials
2.4 (a) ANY SUSPECTED COMPROMISE OR UNAUTHORIZED USE OF ANY CREDENTIAL MUST BE IMMEDIATELY REPORTED TO FS-ISAC at email@example.com. Intelligence Exchange user credentials must be used by the specific user and not shared between users.
2.5 Terminating Participation
2.5 (a) Upon termination of the membership for any reason, access credentials to the FS-ISAC Intelligence Exchange are terminated. Former members are still bound to the TLP handling restrictions and cannot share TLP AMBER or TLP RED intelligence received from FS-ISAC channels.
3.1 (a) A general overview of the operations follows:
1. The intent of FS-ISAC is to:
a. Utilize the vast resources (people, process, and technology) of the sector to aid the entire sector with situational awareness and advance warning of new physical and cyber security threats, incidents and challenges;
b. Have a secure infrastructure that enables the sharing and dissemination of member and other trusted source submissions to FS-ISAC on current threats and security incidents;
c. Provide immediate information related to major or crisis-level incidents related to the industry to members and CNOPs;
d. Provide finished intelligence analysis reports from FS-ISAC’s Global Intelligence Office (GIO). The products provide indications and warnings, alerts based upon member or other trusted source submissions and finished tactical and strategic intelligence analysis.
3.1 (b) FS-ISAC has established business relationships with external service providers to deliver the FS-ISAC products and services to the member participants. For each product or service, FS-ISAC and the service provider have a formal Service Level Agreement. Members may contact firstname.lastname@example.org for details.
2. Threat and Incident Sharing
a. Members at all Tiers have the capability to voluntarily submit threat or incident information to FS-ISAC. Sharing of intelligence can occur within the IntelX apps, direct to the FS-ISAC GIO team or via the member email lists. All alerts published via the SHARE app are provided without attribution to the originator to protect their identity unless the originator provides explicit approval to attribute the information to them;
b. Information on cyber threats and incidents should relate to what is experienced by the member firm, another financial institution, a third-party provider to the firm or sector, or critical infrastructure that the sector depends on. Open-source intelligence (i.e., publicly available information found on the internet) is suited to CONNECT discussion and does not count as a member submission unless the member can tie the information to internal events or incidents at their firm;
c. Information in SHARE is available via secure, encrypted web-based login to authorized member users. The FS-ISAC GIO relies on both automated and manual processing of technical information received via SHARE, CONNECT or email. Automated processes validate the originator, extract the indicators of compromise (IOCs) provided and apply data enrichment tools. Manual processes include assessment of each submission by GIO's Information Sharing Operations analysts and processing for alerts. Guidance on How to Share is available to members separately;
d. Separate from threat sharing, members can use CONNECT to chat/discuss about a variety of topics. This may be publicly available threat information, advice on security technology or processes, fraud topics, business continuity topics, cross-sector incidents or other items.
a. Members with direct access to FS-ISAC applications and products must create a profile in FS-ISAC's Intelligence Exchange, the hub for all FS-ISAC applications and products. The profile allows for authentication of membership and eligibility to access platforms, distribution lists and/or other products, and informs FS-ISAC metrics on how the platforms are being used in order to measure the success of the products;
b. Submitting information directly into SHARE is encouraged and should relate to events, incidents or learnings affecting the member firm. Guidance on what to share is provided below but members should also use the How to Share guide available on SHARE’s Documents Library;
• Cyber or fraud events, such as suspicious network activity, attempted account takeovers, phishing etc.
• Cyber or fraud incidents, such as network-based attacks, network intrusions, data breaches, card compromise, email compromise etc.
• Physical incidents posing an impact to operational resilience or business continuity.
• Physical security events that may impact operations or may be observed by other members.
• Sector-specific, non-public guidance or threat advisories.
• Independent research conducted on cyber or fraud threat actors or groups, their infrastructure, or analysis of their tools, techniques and procedures.
• Non-public vulnerabilities discovered or suspected, vulnerability exploitation methods, or other non-public vulnerability information.
• YARA, Snort or other rules or scripts that can be used for mitigation or detection purposes.
• Lessons learned from cyber, fraud or physical incidents that can be used by other members for their own resilience.
c. Information Dissemination Categories. SHARE alerts are distributed to pre-set groups. These groups may be restricted by membership tier, geography, communities of interest or other groups. IntelX profiles and member subscriptions help determine those groups;
d. Information Sources. Information is contributed by members through the various means described in Section 2. FS-ISAC also maintains relationships with other sources that provide reports which can be disseminated to the membership, including government cyber security agencies, trade associations, CERTs and other entities. When possible, attribution to these external sources will be provided in the alert;
e. Handling Raw Submissions. Submissions made directly to SHARE are automatically processed. Indicators of compromise (IOCs) are extracted from the submission and enriched using FS-ISAC information and external subscriptions. Submissions via other methods will be manually processed by FS-ISAC's GIO prior to alerting in SHARE;
f. Intelligence Analysis. Technical information, such as IOCs, undergoes both automated and manual triage analysis. This includes checking IOCs against subscription services and against previously reported intelligence. All technical alerts receive at least this level of data enrichment. FS-ISAC's GIO also produces finished intelligence analysis reports, ranging from the tactical to the strategic level of analysis. These are issued via SHARE, usually as PDFs;
g. Automated Feed. Members (excluding Vendors) who want machine-to-machine automation of IOCs or vulnerabilities should subscribe to an Automated Feed account. Member Tier determines whether the automated feed is included in dues or available for an extra fee. Email email@example.com to subscribe. This feed includes the IOCs reported by our members as well as vulnerabilities from a trusted third party;
h. Urgent Notifications may on some occasions be sent to members during major incident or crisis situations. Contact details provided in members' IntelX profiles will be used in these rare cases.
4. PUBLIC-PRIVATE PARTNERSHIPS (PPS)
4.1 FS-ISAC’s GIO maintains formal and informal information sharing relationships with government cyber security centers, law enforcement and national CERTs. In all relationships, FS-ISAC strictly follows the TLP handling guidance and never provides information to these partners without the explicit permission of the originator. Attribution is not provided from member sources.
4.2 Formal agreements exist with the following entities that provide reporting to FS-ISAC for dissemination via SHARE or other channels:
• US Cybersecurity and Infrastructure Security Agency (CISA Central). FS-ISAC's GIO maintains two liaisons to CISA Central (formerly the National Cybersecurity and Communications Integration Center (NCCIC)) who facilitate the sharing of US government reporting from US-CERT and law enforcement agencies.
• UK National Cyber Security Centre (NCSC). FS-ISAC's GIO maintains two liaisons to the Industry 100 (i100) who facilitate the sharing of financial sector reporting issued by the NCSC and/or i100. This also allows communication with the National Crime Agency (NCA).
• Europol. FS-ISAC's GIO maintains a Memorandum of Understanding to facilitate the sharing of Europol updates on cybercrime information.
4.3 Informal relationships also exist with Interpol, the Dutch National Cyber Security Centre (NCSC), Cyber Security Agency of Singapore (CSA), and the Australian Cyber Security Centre (ACSC).
5. TRAFFIC LIGHT PROTOCOL (TLP)
5.1 All information submitted, processed, stored, archived, or disposed of is classified under TLP and handled in accordance with its classification as defined here.
5.1 (a) RED. Sources may use RED when the audience for the information must be tightly controlled, because misuse of the information could lead to impacts on a party's privacy, reputation, or operations. The source must specify a target audience to which distribution is restricted. Recipients may not share RED information with any parties outside of the original recipients.
5.1 (b) AMBER. Recipients may only share TLP AMBER information with staff in their own organization who need to know, or with service providers to mitigate risks to the Member’s organization if the providers are contractually obligated to protect the confidentiality of the information. TLP AMBER information can be shared with those parties specified above only as widely as necessary to act on the information.
5.1 (c) GREEN. Sources may use GREEN when the information is useful for the awareness of all member organizations as well as peers within the broader community. Recipients may share GREEN information with peers, trusted government and critical infrastructure partner organizations and service providers with whom they have a contractual relationship, but not through publicly accessible channels.
5.1 (d) WHITE. Sources may use WHITE when the information carries minimal or no foreseeable risk of misuse, in accordance with applicable rules and procedures for public release. WHITE information may be distributed without restriction, subject to copyright controls. NOTE: TLP WHITE and other publicly available information should preferably be shared via CONNECT or the email lists rather than submitted to SHARE.
5.2 If no marking is specified, the information shall default to TLP AMBER.
5.3 Information classified as RED, AMBER or GREEN must be disclosed, transported, stored, transmitted, and disposed of in a safe and secure manner using controls appropriate to its level of classification. These controls include, but are not limited to, encryption, shredding, secure erasure, and degaussing of media.
6. SECURITY THREAT LEVELS
6.1 FS-ISAC will maintain a “Cyber Threat Level” and a “Physical Threat Advisory” to indicate the degree of threat to the sector. SHARE always posts the threat levels.
6.2 There is a Cyber Threat Level (CTL) for each of the three FS-ISAC geographic regions: Americas, EMEA (Europe, Middle East, Africa) and APAC (Asia-Pacific). Each regional CTL is set by that region's Threat Intelligence Committee (TIC) and reflects the current threat landscape directly affecting or impacting the sector in that region. The Global CTL is an average of the three regional CTLs. Members can self-nominate to be part of their region's TIC; however, acceptance is subject to approval based upon the user's sharing activity and threat intelligence expertise.
6.3 The Physical Threat Advisory is issued by the FS-ISAC Business Resilience Committee (BRC) for North America. Users can self-nominate to the BRC; however, acceptance is subject to approval. BRC members tend to be business continuity managers or physical security specialists.
7. WEBINARS AND CALLS
7.1 Regional Threat Calls. Members at Tiers 5 to 1 may join the Regional Threat Calls, which are held twice a month for each of the Americas, EMEA and APAC regions. These provide a review of the current threat landscape, with an intelligence update from FS-ISAC's GIO, threat briefs from external speakers and a discussion of the Cyber Threat Level.
7.2 Spotlight Calls. For certain security issues or threats, a special ad hoc call may be prepared for members. This would be a single-issue call to allow for a deep dive into the topic.
7.3 Threat Discussions or Crisis Calls. For immediate, significant issues, a call to gain situational awareness of the incident may be necessary. The FS-ISAC’s GIO may utilize the contact information from IntelX profiles for a broader notification to members during a crisis.
8. FS-ISAC SYSTEM SECURITY
8.1 Information Security Program
FS-ISAC maintains an Information Security Program that at a minimum provides: (i) an organizational structure and appropriate security controls to protect Member and corporate information; (ii) employee and contractor controls including communication of applicable policies, background checks, security awareness, and disciplinary processes; (iii) physical safety and security of facilities including access management, visitor logging and appropriate fire suppression controls; (iv) data and system security controls including access and authorization, firewalls, endpoint security, logging and monitoring and vulnerability management; and (v) system security monitoring and incident response procedures.
9. HELP DESK POLICY AND PROCEDURES
9.1 Users of FS-ISAC’s products and services can find assistance by contacting firstname.lastname@example.org.
10. ANTITRUST/COMPETITION PROVISIONS
10.1 (a) FS‐ISAC, its Board of Directors, and its members will comply with all laws and regulations governing antitrust and anticompetitive practices. FS‐ISAC officers, directors, staff, and members must not engage in any conduct that may constitute a violation of these laws, including, but not limited to, price fixing, group boycotts, or allocation of markets among organizations or institutions;
10.1 (b) To assure compliance with this policy:
a. Members are prohibited from discussing any company‐specific, competitively sensitive information, including terms, sales, conditions, pricing, or plans, related to their firms or other firms, including vendors or service providers they engage;
b. The Intelligence Exchange and its forums are not to serve as a conduit for discussions or negotiations between or among vendors, manufacturers or security service providers with respect to any participant or group of participants;
c. Neither the FS‐ISAC staff, officers and directors nor its members and committees are to make recommendations, in any FS‐ISAC sponsored exchange or forum, in favor of or against the coordinated boycott or adoption of any company, product or service of manufacturers or vendors;
d. Each FS‐ISAC member will determine the effect of the exchanged information on its individual purchasing and related decisions;
e. Any breach of these guidelines will be reviewed by the Board of Directors and may result in termination of membership and forfeiture of remaining annual membership fees.
11.1 (a) “Confidential Information” shall mean any confidential or proprietary data or information obtained from the disclosing party, or to which the receiving party has access, including without limitation with respect to the disclosing party’s business or financial condition, technical information, customer lists or otherwise.
11.1 (b) Information generally known in the industry or otherwise publicly available at the time of disclosure, information that a party can demonstrate was lawfully in its possession prior to the date of disclosure, information which has been disclosed by third parties which have a right to do so, or information developed independently by the receiving party without reference to or use of the Confidential Information, shall not be deemed Confidential Information.
11.2 Confidentiality Requirement
11.2 (a) Directors, officers, staff and members may have access to or receive from the FS‐ISAC or participants certain trade secrets and other information pertaining to the disclosing party or its employees, customers and suppliers;
11.2 (b) Confidential Information may be disclosed by an FS‐ISAC alert or notification. Confidential Information may also be disclosed at member, committee and other meetings of members that may be constituted;
11.2 (c) Directors, officers, staff and members agree that all such Confidential Information obtained shall be considered confidential and proprietary to the disclosing party;
11.2 (d) As stipulated in Section 5.2, Traffic Light Protocol, all information is classified as TLP AMBER by default unless specifically classified otherwise;
11.2 (e) Staff and contractors are required to execute a confidentiality agreement as a condition of employment. Members, including their directors and officers, are bound by the terms of these Rules;
11.2 (f) Parties in possession of Confidential Information may be requested to disclose Confidential Information to law enforcement, a government authority or other third party, pursuant to subpoena or other legal order. To the extent allowed by law, the disclosing party will use reasonable and customary efforts to provide FS‐ISAC with advance notice of such disclosure to allow FS‐ISAC and impacted parties to seek an appropriate protective order or other relief to prohibit or limit such disclosure.
11.2 (g) Parties in possession of Confidential Information must maintain adequate and appropriate physical measures, policies and procedures to:
1. Ensure the security and confidentiality of the Confidential Information;
2. Protect against any anticipated threats or hazards to the security or integrity of such Confidential Information;
3. Protect against unauthorized access to or use of such Confidential Information that could result in harm or inconvenience to the disclosing party or its customers; and,
4. Where possible, ensure the complete, secure and permanent disposal of such Confidential Information, as may be directed by Member or required by applicable law.
11.3 Confidentiality Agreement
11.3 (a) Recipients of Confidential Information will be obligated to:
1. Strictly protect and preserve the confidential and proprietary nature of all Confidential Information;
2. Not disclose, give, sell or otherwise transfer or make available, directly or indirectly, any Confidential Information to any third party for any purpose, except as expressly permitted in writing by the disclosing party;
3. Not use, or make any records or copies of, the Confidential Information, except as needed in order to provide specific services in the conduct of their duties, or as required by law or regulations, or as needed to use the information effectively to mitigate risk in their respective organizations;
4. Limit the dissemination of the Confidential Information to those with a need to know the Confidential Information, provided that such individuals are obligated to maintain the confidential and proprietary nature of the Confidential Information;
5. Return all Confidential Information and any copies thereof as soon as it is no longer needed or immediately upon the disclosing party's request, to the extent permitted by law or by contractual or regulatory retention requirements;
6. Notify the FS‐ISAC immediately of any loss or misplacement of Confidential Information; and
7. Comply with any reasonable security procedures designated in the Mutual Non-Disclosure Agreement, as may be prescribed by the FS‐ISAC for protection of the Confidential Information.
12. DISPUTE RESOLUTION
Any unsettled controversy or claim between the parties arising out of or relating to the Operating Rules, any other agreements with FS-ISAC, or any breach thereof shall be settled as follows:
12.1 Parties based in North America / LATAM: All disputes arising out of or in connection with the present Agreement shall be settled by final and binding arbitration in New York, New York pursuant to the rules then in effect of the American Arbitration Association ("AAA") and in accordance with the New York Convention on the Recognition and Enforcement of Foreign Arbitral Awards. There shall be one arbitrator agreed to by the parties within twenty (20) days of receipt by the respondent of the request for arbitration or, in default thereof, appointed by the AAA in accordance with its Commercial Rules. The arbitration shall be conducted in, and the award shall be rendered in, English.
12.2 Parties based in Europe/Middle East/Africa: All disputes arising out of or in connection with the present Agreement shall be settled by final and binding arbitration under the Rules of Arbitration of the International Chamber of Commerce ("ICC") by one (1) arbitrator agreed to by the parties within twenty (20) days of receipt by the respondent of the request for arbitration or, in default thereof, appointed by the ICC in accordance with its Rules of Arbitration. The place of arbitration shall be Paris, France. The arbitration shall be conducted in, and the award shall be rendered in, English.
12.3 Parties based in Asia Pacific: All disputes arising out of or in connection with the present Agreement shall be settled by final and binding arbitration under the Rules of Arbitration of the ICC by one (1) arbitrator agreed to by the parties within twenty (20) days of receipt by the respondent of the request for arbitration or, in default thereof, appointed by the ICC in accordance with its Rules of Arbitration. The place of arbitration shall be Singapore. The arbitration shall be conducted in, and the award shall be rendered in, English.
12.4 Except as may be required by law, neither a party nor the arbitrator may disclose the existence, content or results of any arbitration without the prior written consent of both parties.
13. RULES MODIFICATION AND PRECEDENCE
13.1 Modification of Rules Approvals
13.1 (a) From time to time these Operating Rules and the Subscription Agreement may be modified with the approval of the Board of Directors. Notifications to current members will be provided at that time.
14. PERSONAL DATA PROTECTION POLICY
14.1 Once an organization is vetted and approved by FS-ISAC and given access to the products and services of FS-ISAC, the organization is subject to and shall comply with the Personal Data Protection Policy.
15.1 Members who have executed an Agreement with FS-ISAC are subject to and shall comply with the Agreement.