1.1 These Operating Rules provide guidance to users of the Financial Services Information Sharing & Analysis Center (FS-ISAC) products and services and outline participation in FS-ISAC, its governance, and the security measures that protect the integrity of the organization and its participants. From time to time these Operating Rules may be modified with the approval of the Board of Directors. Members will be notified of any Operating Rules revisions.
1.1 (a) There are four (4) types of FS-ISAC participants:
1.1 (b) Members and CNOPs apply for membership and must agree to the Membership Agreement, which incorporates by reference the Operating Rules and the End-User License Agreement. A description of the products and services is available at Member Benefits.
1.1 (e) FS-ISAC regularly distributes alerts based on information obtained from member submissions and issues analytical reports related to this information. All alerts and reports are maintained in the FS-ISAC platform known as SHARE. Reports provided by commercial, government and other sources of relevant information may be included. All information is classified under the Traffic Light Protocol (TLP), which prohibits the sharing of TLP AMBER and TLP RED information outside of the membership. Information distributed via SHARE is provided to members without attribution of the originator.
2. ENROLLMENT MATERIAL AND ACTIVATION
2.1 Once organizations are vetted and approved by FS-ISAC and have completed the steps in 1.1 (b), 1.1 (c) and 1.1 (d), users from that organization are given access to the products and services of FS-ISAC. Access is based on the company type and enrolled Tier and, in some cases, on the approval of the Primary Contact for that organization. Vendor access is based on the company's enrolled level and, in some cases, on the approval of the Primary Contact for that organization.
2.2 Intelligence Exchange Access
2.2 (a) The FS-ISAC Intelligence Exchange (IntelX) is the central hub for FS-ISAC applications and products. To access Intelligence Exchange, users from member or vendor firms must complete a user profile, which includes the contact information needed to enable Two-Factor Authentication (2FA). Once access to Intelligence Exchange is gained, members will be able to access (dependent on Tier and user licensing) FS-ISAC applications and products, including but not limited to:
SHARE. FS-ISAC’s threat intelligence sharing app is available to all member firms based on their member Tier, excluding Vendors. Each Tier provides a certain number of licenses allocated to individual users within the member firm, which is decided by the member’s Primary Point of Contact (POC). SHARE holds all the FS-ISAC alerts, finished intelligence analysis and reports.
CONNECT. FS-ISAC’s secure chat platform is available to all member firms excluding MSSPs and Vendors. There are no licensing restrictions related to CONNECT access. Members can engage in knowledge sharing across various themes and topics with other members. CONNECT is available to all users in a member organization and is not exclusive to threat intelligence personnel.
For compliance purposes, a member firm has the right to request and receive the CONNECT communications, including attachments, posted by any or all employees of the member firm. The member will not receive the postings of any individual not employed by the requesting member firm.
Automated Feeds. STIX/TAXII and MISP accounts are for machine-to-machine consumption. FS-ISAC's STIX/TAXII feed and its MISP collections each use a separate set of credentials, with one license per credential set. Automated Feed credentials must be explicitly requested by contacting email@example.com. In the spirit of good resource stewardship, FS-ISAC decommissions Automated Feed accounts that have been unused for 90 or more days.
2.2 (b) Processes are established to initially set authentication credentials, reset authenticators, and reissue and invalidate authenticators when requested by the Primary Contact or when suspicious access is identified.
2.3 Credential Revocation Procedures
2.3 (a) The Primary Contact may request to add or remove users from any service by contacting firstname.lastname@example.org. The Primary Contact must report termination of personnel with Intelligence Exchange credentials immediately.
2.4 Unauthorized Use or Compromise of Credentials
2.4 (a) ANY SUSPECTED COMPROMISE OR UNAUTHORIZED USE OF ANY CREDENTIAL MUST BE IMMEDIATELY REPORTED TO FS-ISAC at email@example.com. Intelligence Exchange user credentials must be used by the specific user and not shared between users.
2.5 Terminating Participation
2.5 (a) Upon termination of the membership for any reason, access credentials to the FS-ISAC Intelligence Exchange are terminated. Former members are still bound to the TLP handling restrictions and cannot share TLP AMBER or TLP RED intelligence received from FS-ISAC channels.
3.1 (a) A general overview of the operations follows:
1. The intent of FS-ISAC is to:
3.1 (b) FS-ISAC has established business relationships with external service providers to deliver the FS-ISAC products and services to the member participants. For each product or service, FS-ISAC and the service provider have a formal Service Level Agreement. Members may contact firstname.lastname@example.org for details.
2. Threat and Incident Sharing
a. Members with direct access to FS-ISAC applications and products must create a profile in FS-ISAC's Intelligence Exchange, the hub for all FS-ISAC applications and products. The profile allows FS-ISAC to authenticate membership and eligibility to access platforms, distribution lists and/or other products, and it informs FS-ISAC metrics on how the platforms are being used, which measure the success of the products;
b. Submitting information directly into SHARE is encouraged and should relate to events, incidents or learnings affecting the member firm. Guidance on what to share is provided below but members should also use the How to Share guide available on SHARE’s Documents Library;
c. Information Dissemination Categories. SHARE alerts are distributed to pre-set groups. These groups may be restricted by membership tier, geography, communities of interest or other groups. IntelX profiles and member subscriptions help determine those groups;
d. Information Sources. Information is contributed by members through the various means described in Section 2. FS-ISAC also maintains relationships with other sources that provide reports which can be disseminated to the membership, including reports from government cyber security agencies, trade associations, CERTs or other entities. When possible, attribution to these external sources will be provided in the alert;
e. Handling Raw Submissions. Submissions made directly in SHARE are automatically processed. Indicators of compromise (IOCs) are extracted from the submission and enriched using FS-ISAC information and external subscriptions. Submissions made via other methods are manually processed by FS-ISAC's GIO prior to alerting in SHARE;
f. Intelligence Analysis. Technical information, such as IOCs, undergoes both automated and manual triage analysis. This includes checking IOCs against subscription services and against previously reported intelligence. All technical alerts receive at least this level of data enrichment. FS-ISAC's GIO also produces finished intelligence analysis reports, ranging from the tactical to the strategic level of analysis. These are issued via SHARE, usually as PDFs;
g. Automated Feed. Members (excluding Vendors) who want machine-to-machine automation of IOCs or vulnerabilities should subscribe to an Automated Feed account. Member Tier determines whether the automated feed is included in dues or available for an extra fee. Email email@example.com to subscribe. This feed includes the IOCs reported by our members as well as vulnerabilities from a trusted third party;
h. Urgent Notifications may on some occasions be sent to members during major incidents or crisis situations. The contact details provided in members' IntelX profiles will be used in these rare cases.
4. PUBLIC-PRIVATE PARTNERSHIPS (PPS)
4.1 FS-ISAC’s GIO maintains formal and informal information sharing relationships with government cyber security centers, law enforcement and national CERTs. In all relationships, FS-ISAC strictly follows the TLP handling guidance and never provides information to these partners without the explicit permission of the originator. Attribution is not provided from member sources.
4.2 Formal agreements exist with the following entities that provide reporting to FS-ISAC for dissemination via SHARE or other channels:
4.3 Informal relationships also exist with Interpol, the Dutch National Cyber Security Centre (NCSC), Cyber Security Agency of Singapore (CSA), and the Australian Cyber Security Centre (ACSC).
5. TRAFFIC LIGHT PROTOCOL (TLP)
5.1 All information submitted, processed, stored, archived, or disposed of is classified under TLP and handled in accordance with its classification as defined here.
5.1 (a) RED. Sources may use RED when the audience for the information must be tightly controlled, because misuse of the information could lead to impacts on a party's privacy, reputation, or operations. The source must specify a target audience to which distribution is restricted. Recipients may not share RED information with any parties outside of the original recipients.
5.1 (b) AMBER. Recipients may only share TLP AMBER information with staff in their own organization who need to know, or with service providers to mitigate risks to the Member’s organization if the providers are contractually obligated to protect the confidentiality of the information. TLP AMBER information can be shared with those parties specified above only as widely as necessary to act on the information.
5.1 (c) GREEN. Sources may use GREEN when the information is useful for the awareness of all member organizations as well as peers within the broader community. Recipients may share GREEN information with peers, trusted government and critical infrastructure partner organizations and service providers with whom they have a contractual relationship, but not through publicly accessible channels.
5.1 (d) WHITE. Sources may use WHITE when the information carries minimal or no foreseeable risk of misuse, in accordance with applicable rules and procedures for public release. WHITE information may be distributed without restriction, subject to copyright controls. NOTE: Preference for sharing of TLP WHITE, publicly available information is via CONNECT or the email lists.
5.2 If no marking is specified, the information shall default to TLP AMBER.
5.3 Information classified as RED, AMBER, GREEN must be disclosed, transported, stored, transmitted, and disposed of in a safe and secure manner using controls appropriate to the level of classification. These controls include, but are not limited to, encryption, shredding, securely erasing, and degaussing of media.
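The handling rules in 5.1 through 5.3 are the kind of policy a member platform or mail gateway has to enforce mechanically: read the marking off an alert, apply the AMBER default when nothing is marked, and refuse to forward to an audience the marking does not permit. The following is an added example, not FS-ISAC's own code, written against the four markings this page defines (WHITE, GREEN, AMBER, RED); the audience names, the "most restrictive marking wins" rule for documents carrying more than one marking, and the sample messages are all assumptions for illustration.

```python
"""TLP marking parser and outbound-sharing check (added example, not FS-ISAC code).

Implements the handling rules from Section 5 of the page: the four markings,
the AMBER default for unmarked information (5.2), and which audiences each
marking may be shared with (5.1 a-d). Audience names are an assumption.
"""
import re
from enum import IntEnum


class TLP(IntEnum):
    """Ordered so that a higher value is more restrictive."""
    WHITE = 0
    GREEN = 1
    AMBER = 2
    RED = 3


# Recipient classes a gateway would distinguish (hypothetical names).
AUDIENCES = (
    "original_recipients",   # the group the source addressed the item to
    "own_org_need_to_know",  # staff in the recipient's own organisation
    "contracted_provider",   # service provider under a confidentiality contract
    "peer_or_partner",       # peers, trusted government / critical-infrastructure partners
    "public",                # publicly accessible channels
)

# Section 5.1: who each marking may be shared with.
ALLOWED = {
    TLP.RED:   {"original_recipients"},
    TLP.AMBER: {"original_recipients", "own_org_need_to_know", "contracted_provider"},
    TLP.GREEN: {"original_recipients", "own_org_need_to_know", "contracted_provider",
                "peer_or_partner"},
    TLP.WHITE: set(AUDIENCES),
}

# Accepts "TLP:RED", "TLP RED", "TLP-Amber", "tlp: green", etc.
_MARKING = re.compile(r"\bTLP\s*[:\-]?\s*(WHITE|GREEN|AMBER|RED)\b", re.IGNORECASE)


def parse_tlp(text, default=TLP.AMBER):
    """Return the marking found in text.

    If several markings appear (e.g. a GREEN report with a RED annex) the most
    restrictive one governs the whole item; this is an assumption, not a rule
    on the page. Unmarked text defaults to AMBER per Section 5.2.
    """
    found = [TLP[m.group(1).upper()] for m in _MARKING.finditer(text)]
    return max(found) if found else default


def may_share(marking, audience):
    """True if information with this marking may go to this audience."""
    if audience not in AUDIENCES:
        raise ValueError(f"unknown audience: {audience!r}")
    return audience in ALLOWED[marking]


def check_outbound(message, audience):
    """Gateway decision for one message: (allowed, effective_marking)."""
    marking = parse_tlp(message)
    return may_share(marking, audience), marking


def audit(messages, audience):
    """Return the ids of messages that must NOT be sent to `audience`."""
    return [mid for mid, body in messages.items() if not check_outbound(body, audience)[0]]


# Constructed sample alerts; not real FS-ISAC content.
SAMPLE_MESSAGES = {
    "a1": "TLP:WHITE  Vendor advisory for a patched product, public already.",
    "a2": "TLP: GREEN Sector-wide phishing lure themes observed this week.",
    "a3": "Credential-stuffing wave against retail banking logins.",   # unmarked -> AMBER
    "a4": "TLP:GREEN summary. Annex marked TLP:RED with victim details.",
}

if __name__ == "__main__":
    for aud in ("own_org_need_to_know", "peer_or_partner", "public"):
        print(aud, "blocked:", audit(SAMPLE_MESSAGES, aud))
```

Run stand-alone it prints which sample alerts a gateway would have to hold back for each audience. Two points the code makes concrete: an unmarked item is treated as AMBER rather than as unrestricted, and a RED marking anywhere in an item restricts the whole item, so a GREEN cover note does not launder a RED annex. A real deployment would also have to carry the RED source's named target audience (5.1 a) rather than the generic "original_recipients" class used here.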
6. SECURITY THREAT LEVELS
6.1 FS-ISAC will maintain a "Cyber Threat Level" and a "Physical Threat Advisory" to indicate the degree of threat to the sector. The current threat levels are always posted in SHARE.
6.2 There are three Cyber Threat Levels (CTLs), one for each FS-ISAC geographic region: Americas, EMEA (Europe, Middle East, Africa) and APAC (Asia-Pacific). Each CTL is set by the region's Threat Intelligence Committee (TIC) and reflects the current threat landscape directly affecting or impacting the sector in that region. The Global CTL is an average of the three regional CTLs. Members can self-nominate to be part of their region's TIC; however, acceptance is subject to approval based upon the user's sharing activity and threat intelligence expertise.
6.3 The Physical Threat Advisory is issued by the FS-ISAC Business Resilience Committee (BRC) for North America. Users can self-nominate to the BRC; however, acceptance is subject to approval. BRC members tend to be business continuity managers or physical security specialists.
7. WEBINARS AND CALLS
7.1 Regional Threat Calls. Members in Tiers 1 through 5 may join the Regional Threat Calls, which are held twice a month for the Americas, EMEA and APAC regions. These provide a current threat landscape review for members, with an intelligence update from FS-ISAC's GIO, threat briefs from external speakers and a discussion of the Cyber Threat Level.
7.2 Spotlight Calls. For certain security issues or threats, a special ad hoc call may be prepared for members. This would be a single-issue call to allow for a deep dive into the topic.
7.3 Threat Discussions or Crisis Calls. For immediate, significant issues, a call to gain situational awareness of the incident may be necessary. FS-ISAC's GIO may use the contact information from IntelX profiles for a broader notification to members during a crisis.
8. FS-ISAC SYSTEM SECURITY
8.1 Information Security Program
FS-ISAC maintains an Information Security Program that at a minimum provides: (i) an organizational structure and appropriate security controls to protect Member and corporate information; (ii) employee and contractor controls including communication of applicable policies, background checks, security awareness, and disciplinary processes; (iii) physical safety and security of facilities including access management, visitor logging and appropriate fire suppression controls; (iv) data and system security controls including access and authorization, firewalls, endpoint security, logging and monitoring and vulnerability management; and (v) system security monitoring and incident response procedures.
9. HELP DESK POLICY AND PROCEDURES
9.1 Users of FS-ISAC’s products and services can find assistance by contacting firstname.lastname@example.org.
10. ANTITRUST/COMPETITION PROVISIONS
10.1 (a) FS‐ISAC, its Board of Directors, and its members will comply with all laws and regulations governing antitrust and anticompetitive practices. FS‐ISAC officers, directors, staff, and members must not engage in any conduct that may constitute violation of these laws, including, but not limited to, price fixing, group boycotts, or allocations of markets among organizations or institutions;
10.1 (b) To assure compliance with this policy:
11.1 (a) “Confidential Information” shall mean any confidential or proprietary data or information obtained from the disclosing party, or to which the receiving party has access, including without limitation with respect to the disclosing party’s business or financial condition, technical information, customer lists or otherwise.
11.1 (b) Information generally known in the industry or otherwise publicly available at the time of disclosure, information that a party can demonstrate was lawfully in its possession prior to the date of disclosure, information which has been disclosed by third parties which have a right to do so, or information developed independently by the receiving party without reference to or use of the Confidential Information, shall not be deemed Confidential Information.
11.2 Confidentiality Requirement
11.2 (a) Directors, officers, staff and members may have access to or receive from the FS‐ISAC or participants certain trade secrets and other information pertaining to the disclosing party or its employees, customers and suppliers;
11.2 (b) Confidential Information may be disclosed by an FS‐ISAC alert or notification. Confidential Information may also be disclosed at member, committee and other meetings of members that may be constituted;
11.2 (c) Directors, officers, staff and members agree that all such Confidential Information obtained shall be considered confidential and proprietary to the disclosing party;
11.2 (d) As stipulated in Section 5.2, Traffic Light Protocol, all information is classified as TLP AMBER by default unless specifically classified otherwise;
11.2 (e) Staff and contractors are required to execute a confidentiality agreement as a condition of employment. Members, including their directors and officers, are bound by the terms of these Rules;
11.2 (f) Parties in possession of Confidential Information may be requested to disclose Confidential Information to law enforcement, a government authority or other third party, pursuant to subpoena or other legal order. To the extent allowed by law, the disclosing party will use reasonable and customary efforts to provide FS‐ISAC with advance notice of such disclosure to allow FS‐ISAC and impacted parties to seek an appropriate protective order or other relief to prohibit or limit such disclosure.
11.2 (g) Parties in possession of Confidential Information must maintain adequate and appropriate physical measures, policies and procedures to:
11.3 Confidentiality Agreement
11.3 (a) Recipients of Confidential Information will be obligated to:
12. DISPUTE RESOLUTION
Any unsettled controversy or claim between the parties arising out of or relating to the Operating Rules, any other agreements with FS-ISAC, or any breach thereof shall be settled as follows:
12.1 Parties based in North America / LATAM: All disputes arising out of or in connection with the present Agreement shall be settled by final and binding arbitration in New York, New York pursuant to the rules then in effect of the American Arbitration Association ("AAA") and in accordance with the New York Convention on the Recognition and Enforcement of Foreign Arbitral Awards. There shall be one arbitrator agreed to by the parties within twenty (20) days of receipt by the respondent of the request for arbitration or, in default thereof, appointed by the AAA in accordance with its Commercial Rules. The arbitration shall be conducted in, and the award shall be rendered in, English.
12.2 Parties based in Europe/Middle East/Africa: All disputes arising out of or in connection with the present Agreement shall be settled by final and binding arbitration under the Rules of Arbitration of the International Chamber of Commerce ("ICC") by one (1) arbitrator agreed to by the parties within twenty (20) days of receipt by the respondent of the request for arbitration or, in default thereof, appointed by the ICC in accordance with its Rules of Arbitration. The place of arbitration shall be Paris, France. The arbitration shall be conducted in, and the award shall be rendered in, English.
12.3 Parties based in Asia Pacific: All disputes arising out of or in connection with the present Agreement shall be settled by final and binding arbitration under the Rules of Arbitration of the ICC by one (1) arbitrator agreed to by the parties within twenty (20) days of receipt by the respondent of the request for arbitration or, in default thereof, appointed by the ICC in accordance with its Rules of Arbitration. The place of arbitration shall be Singapore. The arbitration shall be conducted in, and the award shall be rendered in, English.
12.4 Except as may be required by law, neither a party nor the arbitrator may disclose the existence, content or results of any arbitration without the prior written consent of both parties.
13. RULES MODIFICATION AND PRECEDENCE
13.1 Modification of Rules Approvals
13.1 (a) From time to time these Operating Rules and the Subscription Agreement may be modified with the approval of the Board of Directors. Notifications to current members will be provided at that time.
14. PERSONAL DATA PROTECTION POLICY
14.1 Once an organization is vetted and approved by FS-ISAC and given access to the products and services of FS-ISAC, the organization is subject to and shall comply with the Personal Data Protection Policy.
15.1 Members who have executed an Agreement with FS-ISAC are subject to and shall comply with the Agreement.