TF-CSIRT House Rules
v1.2, January 2023: approved by TF-CSIRT Steering Committee (SC), OCF Board of Directors (BoD) and OCF Board of Commissioners (BoC)
[ Adapted from the “Terms of Reference” that ruled TF-CSIRT prior to 12 July 2022, when TF-CSIRT found a new House in the Open CSIRT Foundation (OCF). The then signed new Statutes of OCF defined “House Rules” for TF-CSIRT, which are the logical successor to the “Terms of Reference”. ]1. Definition
1.1 The TF-CSIRT community was established in September 2000 to improve cyber resilience through the promotion and active support of collaboration and development of cyber security incident management and related fields. It shall be known as TF-CSIRT (Collaboration of Cyber Security Incident Response Teams).
1.2 The aims of TF-CSIRT shall be:
1.2.1 to provide a forum for exchanging experiences and knowledge;
1.2.2 to promote common standards and procedures for handling security incidents;
1.2.3 to improve cooperation and coordination in the cyber security community;
1.2.4 to provide a system for recognising and accrediting cyber security teams;
1.2.5 to increase the maturity of cyber security teams by supporting additional certification;
1.2.6 to train staff in the field of cyber security;
1.2.7 to develop and provide useful services for cyber security teams and to coordinate other joint initiatives with other organisations with similar goals as required;
1.2.8 to assist the establishment and development of new cyber security teams; and
1.2.9 to facilitate liaison with policy-making bodies, defence and law enforcement agencies, and other CSIRT relevant organisations.
1.3 The TF-CSIRT operates from July 12th 2022 onwards in accordance with these Terms of Reference, in accordance with the Statutes of the Open CSIRT Foundation, where in Article 6 the Terms of Reference are referred to as House Rules for the Steering Committee of TF-CSIRT (see §4 below).
2. Joining TF-CSIRT
2.1 The TF-CSIRT is open for application to all recognised cyber security teams as well as other organisations and individuals with a bona fide interest in cyber security incident handling, while taking the following guidelines into account:
2.1.1 Teams within the RIPE NCC service region are welcome to apply without restrictions.
2.1.2 Teams outside of the RIPE NCC service region are expected to join a CSIRT initiative in their own wider region (examples: AfricaCERT, APCERT, ASEAN CERT, LACNIC CSIRT, OAS CSIRT, America Network, OIC-CERT, TrustBroker Africa) before applying.
2.1.3 The above constituency definition will be clearly published on the TF-CSIRT website.
2.2 There are four relationship categories in the TF-CSIRT:
2.2.1 Accredited Teams – cyber security teams that are Accredited in accordance with the Trusted Introducer requirements.
2.2.2 Listed Teams – cyber security teams that are Listed in accordance with the Trusted Introducer requirements.
2.2.3 Liaison Organisations – organisations with an interest in cyber security incident handling as recognised by TF-CSIRT from time-to-time. Liaison Organisations will be referred to on the TF-CSIRT website.
2.2.4 Associates – individual persons who are not eligible to be any of the above categories but are admitted at the discretion of the Steering Committee on the basis of personal merit/expertise for the benefit of TF-CSIRT.
2.3 Accredited Teams, Listed Teams and Liaison Organisations must nominate at least two representatives: one primary and one deputy. Other persons from Accredited Teams, Listed Teams and Liaison Organisations may participate in TF-CSIRT activities as delegates.
2.4 Persons participating as delegates must be nominated by a representative of an Accredited Team, Listed Team or Liaison Organisation.
2.5 An Accredited Team can become Certified after successfully completing the Certification process, but this does not constitute a different relationship category.
2.6 For the requirements for all relationship categories (and for Certification), see Article 8.4.
2.7 Teams may be suspended from TF-CSIRT by a majority vote of the Steering Committee. Suspended teams may be reinstated by majority vote of the Steering Committee. Such a vote shall be taken when the cause of suspension has been fully remedied. Steering Committee members who are part of the team considered for suspension or reinstatement may not participate in the vote.
2.8 Suspended teams are not considered to be part of any relationship category with respect to rights and responsibilities within TF-CSIRT, with the exception the right to bring complaints to the Board of Commissioners as set forth in 3.7 and 4.6.
3. TF-CSIRT Chair
3.1 The TF-CSIRT Chair shall be responsible for leading the TF-CSIRT, including chairing the TF-CSIRT Steering Committee, chairing TF-CSIRT meetings, and preparing the agendas in consultation with the Secretary (see Article 4.2) and the Foundation Secretariat. The Chair has the Statutory right to be an ex officio member of the Foundation Board of Directors, with special responsibility to represent TF-CSIRT. In the event the Chair cannot join the Board of Directors for any reason, the Chair has the right to ask another Steering Committee member to join the Board of Directors. The Chair may also represent the TF-CSIRT in communications with external parties. If such communication touches on legal or financial issues concerning the Foundation, the Chair will consult within the Board of Directors.
3.2 The Accredited Teams shall elect the Chair for a term of three years (subject to Article 6.7). Elections shall normally be held immediately before a TF-CSIRT meeting in the September-December period of the year, and the term of office shall run until the TF-CSIRT meeting in the September-December period of the year in which it expires.
3.3 Every Person of an Accredited Team of TF-CSIRT or any Associate of TF-CSIRT is electable as Chair.
3.4 A person may be elected for a maximum of two consecutive terms as Chair, except when they have already been serving on the TF-CSIRT Steering Committee for three or more years when first elected as Chair. In this case, they shall only be eligible for a single term of office. Upon completion of these term(s) of office, they are not eligible to be again elected as Chair until at least one year has passed.
3.5 In the event the Chair resigns, is dismissed, or is no longer capable of performing their duties, then a new Chair shall be elected at the next TF-CSIRT meeting for a term of three years. This term of office shall run until the TF-CSIRT meeting in the September-December period of the year in which it expires.
3.6 In the temporary absence of the Chair, a member of the TF-CSIRT Steering Committee may act as Chair in their place.
3.7 The Accredited Teams have the right to request that the Foundation’s Board of Commissioners dismiss the Chair if the Chair is considered to no longer perform their duties as required. Such a request must be submitted by verifiable digitally signed e-mail to at least two members of the Foundation’s Board of Directors and be supported by at least five Accredited Teams.
4. TF-CSIRT Steering Committee
4.1 The Steering Committee is responsible for coordinating the activities of the TF-CSIRT, the annual budget and statement of accounts, reviewing the performance of the Trusted Introducer and TRANSITS service delivery as well as events (co-) organized by TF-CSIRT, and making decisions on membership and certification issues including but not limited to objections and certifications. The Steering Committee shall also establish a written strategy and review the strategic path annually resulting in an updated strategy (see Article 10.1).
4.2 The members of the Steering Committee shall be the TF-CSIRT Chair and six persons elected by the Accredited Teams.
Electable is any representative or delegate of an Accredited Team of TF-CSIRT and any Associate of TF-CSIRT.
The Steering Committee self-organises and defines areas of responsibility for all members of the Steering Committee. Apart from the Chair role that is defined in §3, the Steering Committee will at least appoint two different members to take on the roles of Secretary and of Treasurer.
4.3 The six elected members shall each serve for a term of three years (subject to Article 6.7), with their terms being staggered so that every year the terms of two of these members expire. Elections shall normally be held immediately before a TF-CSIRT meeting in the September-December period of the year, and terms of office shall run until the TF-CSIRT meeting in the September-December period of the year in which they expire.
4.4 A person may only serve on the Steering Committee in any capacity for a maximum of two consecutive terms, except under Article 3.3 or 5.5. Upon completion of these terms of office, they are not eligible to serve on the Steering Committee in any capacity (including as TF-CSIRT Chair) until at least one year has passed.
4.5 In the event that a Steering Committee member becomes TF-CSIRT Chair, resigns, is dismissed, or is no longer capable of performing their duties, then a new member will be elected immediately before the next TF-CSIRT meeting for a term that will expire when the term of original member would have expired. If this term is one year or less, it will not count for the purposes of calculating consecutive terms.
4.6 The Accredited Teams have the right to request that the Foundation’s Board of Commissioners dismiss a Steering Committee member if that member is considered to no longer perform their duties as required. Such a request must be submitted by verifiable digitally signed e-mail to at least two members of the Foundation’s Board of Directors and be supported by at least five Accredited Teams.
4.7 The Steering Committee will normally meet in conjunction with TF-CSIRT meetings, but may also meet at other times as necessary. Any meetings of the Steering Committee may also take place via audio or video conference.
4.8 The organisation of meetings shall be the responsibility of the Steering Committee Secretary, who shall circulate the agenda at least 14 days before the date of a meeting.
4.9 The Chair shall chair meetings, or if the Chair is unavailable, another Steering Committee member will chair the meeting, in accordance with Article 3.6.
4.10 Meetings shall only be open to Steering Committee members. The Steering Committee may at their own discretion conduct parts of the meetings with the Foundation Secretariat and/or with invited relevant functionaries.
4.11 Minutes of meetings shall by default only be available to the Steering Committee, as confidential and sensitive issues relating to organisations and individuals may be discussed. Information based on Minutes may be spread, as whole or in part, to the Foundation Secretariat and/or relevant functionaries, at the discretion of the Steering Committee. A summary of discussions and decisions shall be made available to the TF-CSIRT.
4.12 Decision-making shall normally be through consent, although failing this each Steering Committee member has one vote. A member may authorise another member to cast a proxy vote on their behalf, but this must be notified by verifiable digitally signed e-mail in advance of the meeting to at least the Chair and Secretary, and no member may vote on behalf of more than one other member.
4.13 Any Steering Committee member, either at a meeting or via the Steering Committee mailing list, may request a poll. Decisions shall be made by simple majority vote and the Chair will have a casting vote in the event of a tie. The quorum required for valid decisions shall be four votes (not including any casting vote). In the case of an e-mail poll, votes must be submitted by verifiable digitally signed e- mail within 14 days of the poll being called on the mailing list.
4.14 The Steering Committee will have a mailing list to facilitate communication amongst Steering Committee members and with relevant others such as the Foundation Secretariat and relevant functionaries. Minutes and other relevant documents will be posted on a restricted access website.
4.15 The Steering Committee shall deal with any dispute issues raised by Teams of TF-CSIRT, according to the dispute resolution process described in 4.16.
4.16 The TF-CSIRT Community must be maintained and supported as trust environment. Should any team feel that another team participating in the community is not meeting the spirit of cooperation entrenched in this community, it is strongly encouraged that the teams discuss the problems with each other to try and establish a resolution. If this is not possible, teams are invited to approach the Steering Committee Chair (or another Steering Committee member in case the Chair might have a conflict of interest). When a complaint is received, the Chair will take the following steps:
4.16.1 The party initiating the complaint will be invited to document the issue via verifiable digitally signed email and share with the TF-CSIRT Steering Committee as a TLP:RED communication. This communication and any communication among the parties must take place in English.
4.16.2 The TF-CSIRT Chair will call for discussion of the issue within the Steering Committee who will decide if there is significant grounds for complaint.
4.16.3 If there are no significant grounds found, the TF-CSIRT Chair will inform the initiating party.
4.16.4 If significant grounds are found, the TF-CSIRT Chair will ask the other party (-ies) to consider the complaint and respond via verifiable digitally signed email.
4.16.5 If necessary, the TF-CSIRT Steering Committee will meet separately with all parties involved in the complaint (either face-to-face or online) to discuss the issues in more detail.
4.16.6 Following these communications, the TF-CSIRT Steering Committee will propose a resolution process and ask the parties to agree to this process.
4.16.7 The decision of the TF-CSIRT Steering Committee is final.
4.16.8 In case of a potential conflict of interest with the Chair or any other Steering Committee member, the remaining Steering Committee members will take all of the above actions, while excluding those members who may have a conflict of interest.
4.16.9 In investigating these complaints, the TF-CSIRT Steering Committee are acting with delegated responsibility from the Open CSIRT Foundation and overall responsibility for all decisions made lies with the Foundation. The Steering Committee will reach out to the chairs of the Board of Directors and Board of Commissioners for advice.
4.16.10 The above dispute resolution process will be clearly published on the TF-CSIRT website.
5. Election of Steering Committee Members
5.1 The organisation of elections shall be the responsibility of the Foundation Secretariat, who shall notify the TF-CSIRT Members of vacancies and call for nominations at least 28 days prior to the date of an election.
5.2 Any Accredited Team may propose any eligible person as a candidate for a vacant position, who must then be seconded by another Accredited Team. Candidates may be proposed up until one week before the commencement of an election.
5.3 A secret ballot shall be held using an appropriate confidential online tool.
5.4 For each ballot, a team will have the same number of votes to cast as open seats. The candidates who receive the most votes will be elected, starting with the seats with the longest terms and continuing until the available seats are filled.
5.5 The Foundation Secretariat will appoint a minimum of two trustees to count the votes in accordance with Article 6.4. Candidates for election shall not be eligible to serve as tellers, and the tellers should preferably be individuals not voting in the election.
5.6 Where there is more than one vacancy, the election for TF-CSIRT Chair will always be held first if required.
5.7 The election of Steering Committee members is subject to ratification by the Foundation’s Board of Commissioners. In the event that a vacant position cannot be filled for whatever reason, the Foundation’s Board of Commissioners may make an appointment for all or part of the term of office.
5.8 For elections to be valid, at least one third of all Accredited Teams must cast a vote.
6. TF-CSIRT Meetings
6.1 A TF-CSIRT Meeting will be organised at approximately four-monthly intervals. Physical meetings will be held at various locations within Europe, taking care to reduce overall costs to participants. Meetings might be held jointly with other organisations.
6.2 An extraordinary meeting may be convened upon request of at least 25% of the Accredited Teams. This request must be conveyed via verifiable digitally signed e-mail to the Foundation Secretariat, who will convene the meeting within 42 days of receipt.
6.3 The organisation of meetings shall be the responsibility of the TF-CSIRT Steering Committee, who can delegate implementation to the Foundation Secretariat and relevant functionaries. Invitations will be sent to all members at least 28 days before the date of a meeting.
6.4 The TF-CSIRT Chair shall chair meetings. If the Chair is unavailable, in accordance with Article 3.6 another member of the TF-CSIRT Steering Committee will chair the meeting.
6.5 Representatives and delegates of Listed Teams, Accredited Teams and Liaison Organisations of TF-CSIRT, as well as Associates have the right to attend meetings. The Chair of the meeting may invite other persons, also known as guests, to participate in all or parts of a meeting.
6.6 The Steering Committee has the right to organise closed meetings of any kind, with more limited attendance, for instance only for Accredited Teams and Associates. The Chair of the meeting may invite other persons, also known as guests, to participate in all or parts of a closed meeting. However, prior to the start of a closed meeting, the Chair must identify guests and the parts of the closed meeting for which they are invited, and if an objection is raised by the representative of an Accredited Team, the invitation must be withdrawn or amended.
6.7 Limits on the total number of participants, or the number of delegates from each team, to a particular meeting or particular sessions within that meeting may apply, at the discretion of the Steering Committee.
6.8 Meeting attendees may be asked to identify themselves and/or provide evidence that they represent their stated affiliation.
6.9 Where decisions need to be taken, each Accredited Team shall have one vote that must be cast by one of their designated representatives. Votes will take place online immediately after the TF-CSIRT meeting at which the issue is presented.
6.10 Any Accredited Team may request a vote at any time by request to the TF-CSIRT Steering Committee.
6.11 Decisions shall be made by a simple majority vote. For decisions to be valid, at least one third of all Accredited Teams must cast a vote.
7. Dissemination
7.1 TF-CSIRT will have a general mailing list to facilitate communication amongst all categories defined in 2. In addition, additional mailing lists to facilitate communication among Listed Teams and Accredited Teams are established, some of them protected by cryptographic means to ensure confidentiality. For specific sub-groups as well as working groups individual mailing lists may be established.
7.2 TF-CSIRT will have a public website featuring all relevant information.
7.3 Reports, presentations and other documentation will be disseminated on the mailing lists, websites and/or at meetings in accordance with the Traffic Light Protocol (TLP) and any other relevant legal or ethical limitations.
8. Trusted Introducer service
8.1 The Trusted Introducer (TI) service is supporting and guiding teams to become Listed or Accredited (and Certified), and individuals to gain Associate status.
8.2 The TI service is organised on behalf of the TF-CSIRT by the Foundation, utilising its own staff, service providers and/or volunteers from the TF-CSIRT membership or other appropriate parties.
8.3 Fees may be charged for Accreditation (and Certification) to recoup the costs of offering the TI service.
8.4 The TI requirements for the relationship categories (and for Certification) shall be set by the TF-CSIRT Steering Committee.
8.5 For all relationship categories, the TI service shall maintain a registry of teams and persons that shall include all relevant contact information, and whether – in the case of Accredited Teams – they have been Certified. The registry will also indicate the country/territory of each cyber security team, using ‘Europe’ or ‘Worldwide’ for teams that have a pan-European or global constituency respectively, or the official short country name in English according to the latest ISO 3166-1 list for those whose constituency is (mainly) in one country/territory.
9. TRANSITS Service
9.1 Training of Network Security Incident Teams Staff (TRANSITS) is the training service of TF-CSIRT. This aims to provide training to both new and experienced personnel of cyber security teams, as well as individuals with a bona fide interest in cyber security incident management and related fields.
9.2 The organisation of TRANSITS training shall be the responsibility of the TF-CSIRT Steering Committee, who can delegate implementation to other appropriate parties.
9.3 Fees may be charged for training to recoup the costs of providing the TRANSITS training.
9.4 Responsibility for development of the training curricula and materials, training standards, and registration of trainers shall rest with the TF-CSIRT Steering Committee.
9.5 The Foundation Secretariat shall maintain a registry of trainers that shall include contact information, and the courses they are qualified to teach.
10. Other Activities
10.1 The TF-CSIRT Steering Committee will annually produce a strategy and associated budget for the coming year as well as a financial statement for the past year. This shall be developed by the TF-CSIRT Steering Committee and the Foundation’s Board of Directors. It shall be presented after approval by the Foundation’s Board of Commissioners at a TF-CSIRT meeting in the second half of any given year.
10.2 TF-CSIRT may create working groups to work on specific activities where such requirement exists and there is support from at least five Accredited Teams. They shall consist of volunteers drawn from the TF-CSIRT community and shall be limited in scope and duration as approved by TF-CSIRT Steering Committee. Support may be requested from the Foundation Secretariat.
11. Amending the House Rules
11.1 These House Rules may be amended by a simple majority vote of the Accredited Teams that participated in the vote on the amendment, provided that votes are cast by at least 50% of the Accredited Teams.
11.2 Changes and amendments to these House Rules will only take effect upon ratification by the Foundation’s Board of Directors and the Foundation’s Board of Commissioners, in that order.