Operating Rules

1. OVERVIEW

1.1 These Operating Rules provide guidance to users of the Financial Services Information Sharing & Analysis Center (FS-ISAC) products and services and outline participation in FS-ISAC, governance and security measures to protect the integrity of the organization and participants. From time to time these Operating Rules may be modified with the approval of the Board of Directors. Members will be notified of any Operating Rules revisions.
1.1 (a) There are three types of FS-ISAC participants:
Member. A financial services firm, managed security services provider (MSSP) or trade association participating in the products and services available based on their defined Tier. Membership is limited to regulated banking and financial services firms, financial industry associations, and managed security service providers that provide critically important services to secure financial firm networks and infrastructure. Regulators and supervisors are not allowed access to the FS-ISAC channels; however, specifically authorized staff with a need for such information, such as protecting their own infrastructure, may participate.
Affiliate. A private security or technology solutions provider engaging with FS-ISAC and the membership through the Affiliate Partner Program. Affiliate Partners have access to Share, limited only to data approved for Affiliate Partners.
Critical Notification Only Participant (CNOP). A very small financial institution that has chosen to only receive intelligence categorized as critical to the financial sector. They do not participate in the FS-ISAC member platforms. CNOP participants must be US community or credit union firms with assets under $1b.
1.1 (b) Members, Affiliate Partners and CNOP apply for membership and must sign a Subscriber Agreement, which incorporates by reference the Operating Rules and End-User-License-Agreement. A description of the products and services available and minimum required membership levels is available on our membership page.
1.1 (c) FS-ISAC regularly distributes alerts based on information obtained from member submissions and issues analytical reports related to this information. All alerts and reports are maintained in the FS-ISAC platform known as SHARE. Reports provided by commercial, government and other sources of relevant information may be included. All information is classified under the Traffic Light Protocol (TLP), which prohibits the sharing of TLP AMBER and TLP RED information outside of the membership. Information distributed via SHARE is provided to members without attribution of the originator.

2. ENROLLMENT MATERIAL AND ACTIVATION
2.1 Once organizations are vetted and approved by FS-ISAC and have completed steps in 1.1 (b), users from that organization are given access to the products and services of FS-ISAC. Access is based on the company enrolled Tier and, in some cases, the approval of the Primary Contact for that organization.
2.2 Intelligence Exchange Access
2.2 (a) The FS-ISAC Intelligence Exchange (IntelX) is the central hub for FS-ISAC applications and products. To access Intelligence Exchange, users from member firms must complete a user profile, which includes contact information to enable Two-Factor Authentication (2FA). Once access to Intelligence Exchange is gained, members will be able to access (dependent on Tier and user licensing) FS-ISAC applications and products including but not limited to:
SHARE. FS-ISAC’s threat intelligence sharing app is available to all member firms based on their member Tier. Each Tier provides a certain number of licenses allocated to individual users within the member firm, which is decided by the member’s Primary Point of Contact (POC). SHARE holds all the FS-ISAC alerts, finished intelligence analysis, reports shared by FS-ISAC affiliates and partners, and other resources.
CONNECT. FS-ISAC’s secure chat platform is available to all member firms excluding MSSPs. There are no licensing restrictions related to CONNECT access. Members can engage in knowledge sharing across various themes and topics with other members. CONNECT is available to all users in a Member organization and is not exclusive to threat intelligence personnel.
STIX/TAXII. STIX/TAXII accounts are for machine-to-machine consumption. FS-ISAC’s STIX/TAXII feed is a separate set of credentials with an associated license per credential set. STIX/TAXII credentials must be explicitly requested by contacting admin@fsisac.com. In the spirit of good resource stewardship, FS-ISAC decommissions STIX/TAXII accounts that are unused for 90+ days.
2.2 (b) Processes are established to initially set authentication credentials, reset authenticators, and reissue and invalidate authenticators when requested by the Primary Contact or when suspicious access is identified.
2.3 Credential Revocation Procedures
2.3 (a) The Primary Contact may request to add or remove users from any service by contacting admin@fsisac.com. The Primary Contact must report termination of personnel with Intelligence Exchange credentials immediately.
2.4 Unauthorized Use or Compromise of Credentials
2.4 (a) ANY SUSPECTED COMPROMISE OR UNAUTHORIZED USE OF ANY CREDENTIAL MUST BE IMMEDIATELY REPORTED TO FS-ISAC at admin@fsisac.com. Intelligence Exchange user credentials must be used by the specific user and not shared between users.
2.5 Terminating Participation
2.5 (a) Upon termination of the membership for any reason, access credentials to the FS-ISAC Intelligence Exchange are terminated. Former members are still bound to the TLP handling restrictions and cannot share TLP AMBER or TLP RED intelligence received from FS-ISAC channels.

3. OPERATIONS
3.1 Overview
3.1 (a) A general overview of the operations follows:
1. The intent of FS-ISAC is to:
a. Utilize the vast resources (people, process, and technology) of the sector to aid the entire sector with situational awareness and advance warning of new physical and cyber security threats, incidents and challenges.
b. Have a secure infrastructure that enables the sharing and dissemination of member and other trusted source submissions to FS-ISAC on current threats and security incidents.
c. Provide immediate information related to major or crisis-level incidents related to the industry to members and CNOPs.
d. Provide finished intelligence analysis reports from FS-ISAC’s Global Intelligence Office (GIO). The products provide indications and warnings, alerts based upon member or other trusted source submissions and finished tactical and strategic intelligence analysis.
3.1 (b) FS-ISAC has established business relationships with external service providers to deliver the FS-ISAC products and services to the member participants. For each product or service, FS-ISAC and the service provider have a formal Service Level Agreement. Members may contact admin@fsisac.com for details.
2. Threat and Incident Sharing
a. Members at all Tiers have the capability to voluntarily submit threat or incident information to FS-ISAC. Sharing of intelligence can occur within the IntelX apps, direct to the FS-ISAC GIO team or via the member email lists. All alerts published via the SHARE app are provided without attribution to the originator to protect their identity unless the originator provides explicit approval to attribute the information to them.
b. Information on cyber threats and incidents should relate to what is experienced by the member firm, another financial institution, a third-party provider to the firm or sector or critical infrastructure that the sector depends on. Open source intelligence (i.e. publicly available information found on the internet) is suited for CONNECT discussion and does not count as a member submission unless the member can tie the information to internal events or incidents at their firm.
c. Information in SHARE is available via secure, encrypted web-based login to authorized member users. The FS-ISAC GIO relies on automation and manual processing of technical information received via SHARE, CONNECT or email. Automated processes validate the originator, extract the indicators of compromise (IOCs) provided and use data enrichment tools. Manual processes include GIO’s Information Sharing Operations analysts’ assessment of each submission and processing for alerts. Guidance on How to Share is available for members separately.
d. Separate from threat sharing, members can use CONNECT to chat about or discuss a variety of topics. This may be publicly available threat information, advice on security technology or processes, fraud topics, business continuity topics, cross-sector incidents or other items.
3. SHARE
a. Members with direct access to FS-ISAC applications and products must create a profile in FS-ISAC's Intelligence Exchange, the hub for all FS-ISAC applications and products. The profile allows for authentication of membership and eligibility to access platforms, distribution lists and/or other products as well as inform FS-ISAC metrics on how the platforms are being used to measure the success of the products.
b. Submitting information directly into SHARE is encouraged and should relate to events, incidents or learnings affecting the member firm. Guidance on what to share is provided below but members should also use the How to Share guide available on SHARE’s Documents Library.

  • Cyber or fraud events, such as suspicious network activity, attempted account takeovers, phishing etc.
  • Cyber or fraud incidents, such as network-based attacks, network intrusions, data breaches, card compromise, email compromise etc.
  • Physical incidents posing an impact to operational resilience or business continuity.
  • Physical security events that may impact operations or may be observed by other members.
  • Sector-specific, non-public guidance or threat advisories.
  • Independent research conducted on cyber or fraud threat actors or groups, their infrastructure, or analysis of their tools, techniques and procedures.
  • Non-public vulnerabilities discovered or suspected, vulnerability exploitation methods, or other non-public vulnerability information.
  • YARA, Snort or other rules or scripts that can be used for mitigation or detection purposes.
  • Lessons learned from cyber, fraud or physical incidents that can be used by other members for their own resilience.

c. Information Dissemination Categories. SHARE alerts are distributed to pre-set groups. These groups may be restricted by membership tier, geography, communities of interest or other groups. IntelX profiles and member subscriptions help determine those groups.
d. Information Sources. Information is contributed by members through various means as described in Section 2. FS-ISAC also maintains relationships with other sources who provide reports that can be disseminated to the membership, including those from government cyber security agencies, trade associations, CERTs or other entities. When possible, attribution to these external sources will be provided in the alert.
e. Handling Raw Submissions. Submissions direct to SHARE are automatically processed. Indicators of compromise (IOCs) are stripped out of the submission and enriched via FS-ISAC information and external subscriptions. Submissions via other methods will be manually processed by FS-ISAC’s GIO prior to alerting in SHARE.
f. Intelligence Analysis. Technical information, such as IOCs, undergoes both automated and manual triage analysis. This includes checking IOCs against subscription services or against previously reported intelligence. All technical alerts will have a minimum of this type of data enrichment. FS-ISAC’s GIO also produces finished intelligence analysis reports, ranging from the tactical to the strategic levels of analysis. These are issued via SHARE, usually as PDFs.
g. STIX/TAXII Feed. Members who want machine-to-machine automation of IOCs or vulnerabilities should subscribe to the FS-ISAC STIX/TAXII feed. Member Tier determines if a feed is included or available for an extra fee. Email admin@fsisac.com to subscribe. This feed includes the IOCs reported by our members as well as vulnerabilities from a trusted third party.
h. Urgent Notifications may on some occasions be sent to members during major incident or crisis situations. Contact details provided in their IntelX profiles will be used in these rare cases.

4. PUBLIC-PRIVATE PARTNERSHIPS (PPS)
4.1 FS-ISAC’s GIO maintains formal and informal information sharing relationships with government cyber security centers, law enforcement and national CERTs. In all relationships, FS-ISAC strictly follows the TLP handling guidance and never provides information to these partners without the explicit permission of the originator. Attribution is also not provided from member sources.
4.2 Formal agreements exist with the following entities that provide reporting to FS-ISAC for dissemination via SHARE or other channels:
  • US Cybersecurity and Infrastructure Security Agency (CISA). FS-ISAC’s GIO maintains two liaisons to the National Cybersecurity and Communications Integration Center (NCCIC) who facilitate the sharing of US government reporting from the US-CERT and law enforcement agencies.
  • UK National Cyber Security Centre (NCSC). FS-ISAC’s GIO maintains two liaisons to the Industry 100 (i100) who facilitate the sharing of financial sector reporting issued by the NCSC and/or i100. This also allows communication to the National Crime Agency (NCA).
  • Europol. FS-ISAC’s GIO maintains a Memorandum of Understanding to facilitate the sharing of Europol updates on cybercrime information.

4.3 Informal relationships also exist with Interpol, the Dutch National Cyber Security Centre (NCSC), Cyber Security Agency of Singapore (CSA), and the Australian Cyber Security Centre (ACSC).

5. TRAFFIC LIGHT PROTOCOL (TLP)
5.1 All information submitted, processed, stored, archived, or disposed of is classified under TLP and handled in accordance with its classification as defined here.
5.1 (a) RED. Sources may use RED when the audience for the information must be tightly controlled, because misuse of the information could lead to impacts on a party's privacy, reputation, or operations. The source must specify a target audience to which distribution is restricted. Recipients may not share RED information with any parties outside of the original recipients.
5.1 (b) AMBER. Recipients may only share TLP AMBER information with staff in their own organization who need to know, or with service providers to mitigate risks to the Member’s organization if the providers are contractually obligated to protect the confidentiality of the information. TLP AMBER information can be shared with those parties specified above only as widely as necessary to act on the information.
5.1 (c) GREEN. Sources may use GREEN when the information is useful for the awareness of all member organizations as well as peers within the broader community. Recipients may share GREEN information with peers, trusted government and critical infrastructure partner organizations and service providers with whom they have a contractual relationship, but not through publicly accessible channels.
5.1 (d) WHITE. Sources may use WHITE when the information carries minimal or no foreseeable risk of misuse, in accordance with applicable rules and procedures for public release. WHITE information may be distributed without restriction, subject to copyright controls. NOTE: Preference for sharing of TLP WHITE, publicly available information is via CONNECT or the email lists.
5.1 If no marking is specified, the information shall default to TLP AMBER.
5.1 Information classified as RED, AMBER, GREEN must be disclosed, transported, stored, transmitted, and disposed of in a safe and secure manner using controls appropriate to the level of classification. These controls include, but are not limited to, encryption, shredding, securely erasing, and degaussing of media.

6. SECURITY THREAT LEVELS
6.1 FS-ISAC will maintain a “Cyber Threat Level” and a “Physical Threat Advisory” to indicate the degree of threat to the sector. SHARE always posts the threat levels.
6.2 There are three Cyber Threat Levels (CTLs) for each FS-ISAC geographic region: Americas, EMEA (Europe, Middle East, Africa) and APAC (Asia-Pacific). The CTLs are set by the region’s respective Threat Intelligence Committee (TIC) and reflect the current threat landscape directed at or impacting the sector in that region. The Global CTL is an average of the three regional CTLs. Members can self-nominate to be part of their region’s TIC; however, acceptance is subject to approval based upon the user’s sharing activity and threat intelligence expertise.
6.3 The Physical Threat Advisory is issued by the FS-ISAC Business Resilience Committee (BRC) for North America. Users can self-nominate to the BRC; however, acceptance is subject to approval. BRC members tend to be business continuity managers or physical security specialists.

7. WEBINARS AND CALLS 
7.1 Regional Threat Calls. Tier 5 to 1 members may join the North America and EMEA Threat Calls, which are held twice a month, and Tier 6 to 1 members may join APAC Threat Calls. These provide a current threat landscape review for the members with an intelligence update from the FS-ISAC’s GIO, threat briefs from external speakers and a discussion on the Cyber Threat Level.
7.2 Spotlight Calls. For certain security issues or threats, a special ad hoc call may be prepared for members. This would be a single-issue call to allow for a deep dive into the topic.
7.3 Threat Discussions or Crisis Calls. For immediate, significant issues, a call to gain situational awareness of the incident may be necessary. The FS-ISAC’s GIO may utilize the contact information from IntelX profiles for a broader notification to members during a crisis.

8. FS-ISAC SYSTEM SECURITY
8.1 Information Security Program
FS-ISAC maintains an Information Security Program that at a minimum provides: (i) an organizational structure and appropriate security controls to protect Member and corporate information; (ii) employee and contractor controls including communication of applicable policies, background checks, security awareness, and disciplinary processes; (iii) physical safety and security of facilities including access management, visitor logging and appropriate fire suppression controls; (iv) data and system security controls including access and authorization, firewalls, endpoint security, logging and monitoring and vulnerability management; and (v) system security monitoring and incident response procedures.

9. HELP DESK POLICY AND PROCEDURES
9.1 Users of FS-ISAC’s products and services can find assistance either by contacting admin@fsisac.com or calling the member hotline.

10. ANTITRUST/COMPETITION PROVISIONS
10.1 Policy
10.1 (a) FS‐ISAC, its Board of Directors, and its members will comply with all laws and regulations governing antitrust and anticompetitive practices. FS‐ISAC officers, directors, staff, and members must not engage in any conduct that may constitute violation of these laws, including, but not limited to, price fixing, group boycotts, or allocations of markets among organizations or institutions.
10.1 (b) To assure compliance with this policy:
a. Members are prohibited from discussing any company‐specific, competitively sensitive information, including terms, sales, conditions, pricing, or plans, related to their firms or other firms, including vendors or service providers they engage.
b. The Intelligence Exchange and its forums are not to serve as a conduit for discussions or negotiations between or among vendors, manufacturers or security service providers with respect to any participant or group of participants.
c. Neither the FS‐ISAC staff, officers and directors nor its members and committees are to recommend in any FS‐ISAC-sponsored exchange or forum in favor of or against the coordinated boycott or adoption of any company or product or service of manufacturers or vendors.
d. Each FS‐ISAC member will determine the effect of the exchanged information on its individual purchasing and related decisions.
e. Any breach of these guidelines will be reviewed by the Board of Directors and may result in termination of membership and forfeiture of remaining annual membership fees.

11. CONFIDENTIALITY
11.1 Confidentiality Requirement
11.1 (a) Directors, officers, staff and members may have access to or receive from the FS‐ISAC or participants certain trade secrets and other information pertaining to the disclosing party or its employees, customers and suppliers.
11.1 (b) Confidential information may be disclosed by an FS‐ISAC alert or notification. Confidential information may also be disclosed at member, committee and other meetings of members that may be constituted.
11.1 (c) Directors, officers, staff and members agree that all such Confidential information obtained shall be considered confidential and proprietary to the disclosing party.
11.1 (d) As stipulated in Section 5.3, Traffic Light Protocol, all information is classified as Confidential AMBER by default unless specifically classified otherwise.
11.1 (e) Staff and contractors are required to execute a confidentiality agreement as a condition of employment. Members, including their directors and officers, are bound by the terms of the Subscriber Agreement.
11.1 (f) Parties in possession of Confidential Information may be requested to disclose Confidential Information to law enforcement, a government authority or other third party, pursuant to subpoena or other legal order. To the extent allowed by law, the disclosing party will use reasonable and customary efforts to provide FS‐ISAC with advance notice of such disclosure to allow FS‐ISAC and impacted parties to seek an appropriate protective order or other relief to prohibit or limit such disclosure.
11.2 Confidentiality Agreement
11.2 (a) Recipients of Confidential information will be obligated to:
1. Protect and preserve the confidential and proprietary nature of all Confidential Information.
2. Not disclose, give, sell or otherwise transfer or make available, directly or indirectly, any Confidential information to any third party for any purpose, except as expressly permitted in writing by the FS‐ISAC and the disclosing party.
3. Not use, or make any records or copies of, the Confidential information, except as needed in order to provide specific services in the conduct of their duties, or as required by law or regulations, or as needed to use the information effectively to mitigate risk in their respective organizations.
4. Limit the dissemination of the Confidential information to those with the need to know the Confidential information, provided that such individuals are obligated to maintain the confidential and proprietary nature of the Confidential information.
5. Return all Confidential information and any copies thereof as soon as it is no longer needed or immediately upon the disclosing party’s request, to the extent permitted by law and regulatory retention requirements.
6. Notify the FS‐ISAC immediately of any loss or misplacement of Confidential information, and
7. Comply with any reasonable security procedures designated in the Mutual Non-Disclosure Agreement as may be prescribed by the FS‐ISAC for protection of the Confidential information.

12. RULES MODIFICATION AND PRECEDENCE
12.1 Modification of Rules Approvals
12.1 (a) From time to time these Operating Rules and the Subscription Agreement may be modified with the approval of the Board of Directors. Notifications to current members will be provided at that time.

13. PERSONAL DATA PROTECTION POLICY
13.1 Once an organization is vetted and approved by FS-ISAC and given access to the products and services of FS-ISAC, the organization is subject to and shall comply with the Personal Data Protection Policy.