TF-CSIRT Terms of Reference

11th Edition – 29 August 2018

1. Definition

1.1 The Task Force is established to promote collaboration between Computer Security Incident Response Teams (CSIRTs). It shall be known as TF-CSIRT (Collaboration of Computer Security Incident Response Teams).

1.2 The aims of the Task Force shall be:

1.2.1 to provide a forum for exchanging experiences and knowledge;
1.2.2 to promote common standards and procedures for handling security incidents;
1.2.3 to improve cooperation and coordination in the CSIRT community;
1.2.4 to provide a system for recognising, accrediting and certifying CSIRTs;
1.2.5 to train CSIRT staff;
1.2.6 to develop and provide useful services for CSIRTs, and to coordinate other joint initiatives as required;
1.2.7 to assist the establishment and development of new CSIRTs;
1.2.8 to facilitate liaison with policy-making bodies, defence and law enforcement agencies, and other relevant organisations.

1.3 The Task Force will operate from 1 September 2012 in accordance with these Terms of Reference, but remains subject to the authority of GÉANT who may modify the Terms of Reference, appoint or dismiss officials, or dissolve the Task Force if it considers that the activities are no longer useful or relevant.

2. Membership

2.1 The Task Force is open to all recognised CSIRTs according to the approved policy on geographical regions, as well as other organisations and individuals with a bona-fide interest in computer security incident handling.

2.2 There shall be four membership categories:

2.2.1 Full Members – CSIRTs that are accredited in accordance with the Trusted Introducer requirements (see Article 9.4).
2.2.2 Listed CSIRT Members – CSIRTs that are listed in accordance with the Trusted Introducer requirements (see Article 9.4).
2.2.3 Liaison Members – organisations, e.g. FIRST, ENISA, INTERPOL, with an interest in computer security incident handling as recognised by TF-CSIRT from time-to-time. Liaison Members will be listed on the TF-CSIRT website.
2.2.4 Individual Members – individual persons who are not eligible as Full or Liaison Members but admitted at the discretion of the Steering Committee. Individual Members must also be TI Associates.

2.3 Full Members and Listed CSIRT Members must nominate at least two representatives: one primary and one deputy. Liaison Members must nominate at least one representative. It is expected that these representatives will also be the nominated representatives for Trusted Introducer where practical. Other persons from Full and Liaison Member organisations may participate in Task Force activities as delegates.

2.4 Persons participating as delegates must be nominated by a representative of a Full Member or Liaison Member.

3. Chair

3.1 The Chair shall be responsible for leading the Task Force, including chairing the TF-CSIRT Steering Committee, chairing TF-CSIRT meetings, and preparing the agendas in consultation with the TF-CSIRT Secretary. The Chair may also represent the Task Force in communications with external parties.

3.2 The Full Members shall elect the Chair for a term of three years (subject to Article 6.7). Elections shall normally be held during a TF-CSIRT meeting in the September-December period of the year, and the term of office shall run until the TF-CSIRT meeting in the September-December period of the year in which it expires.

3.3 A person may be elected for a maximum of two consecutive terms as Chair, except when they have already been serving on the TF-CSIRT Steering Committee for three or more years when first elected as Chair. In this case, they shall only be eligible for a single term of office. Upon completion of these term(s) of office, they are not eligible to be again elected as Chair until at least one year has passed.

3.4 In the event the Chair resigns, is dismissed, or is no longer capable of performing their duties, then a new Chair will be elected at the next TF-CSIRT meeting for a term of three years. This term of office shall run until the TF-CSIRT meeting in the September-December period of the year in which it expires.

3.5 In the temporary absence of the Chair, an elected member of the TF-CSIRT Steering Committee who is in attendance may act as Chair in his/her place. The order of precedence is determined by whoever has served the longest continuous period, and in the event of two or more members having served the same amount of time, the member elected first (as per Article 6.6) will take precedence.

3.6 Full Members may request that GÉANT dismisses the Chair if they consider he/she is no longer performing his/her duties as required. Such a request must be submitted by verifiable digitally signed e-mail.

4. Secretary

4.1 The Secretary shall be responsible for the administration of the Task Force, including organising and announcing meetings, and publishing the proceedings (e.g. minutes and presentations). He/she shall also be responsible for the websites and mailing lists.

4.2 The Secretary will be appointed by GÉANT and is accountable to GÉANT.

5. Steering Committee

5.1 The Steering Committee shall be responsible for coordinating the activities of the Task Force, reviewing the performance of the Trusted Introducer and TRANSITS services and making recommendations to change or expand them, making decisions on membership and certification issues, and providing input to meeting programmes. It shall also advise on future developments and strategic directions, and recommend courses of action where issues occur.

5.2 The members of the Steering Committee shall be the TF-CSIRT Chair, TF-CSIRT Secretary, and six persons elected by the Full Members.

5.3 The six elected members shall each serve for a term of three years (subject to Article 6.7), with their terms being staggered so that every year the terms of two of these members expire. Elections shall normally be held during a TF-CSIRT meeting in the September-December period of the year, and terms of office shall run until the TF-CSIRT meeting in the September-December period of the year in which they expire.

5.4 A person may only serve on the Steering Committee in any capacity for a maximum of two consecutive terms, except under Article 3.3 or 5.5. Upon completion of these terms of office, they are not eligible to serve on the Steering Committee in any capacity (including as TF-CSIRT Chair) until at least one year has passed.

5.5 In the event that an elected member becomes TF-CSIRT Chair, resigns, is dismissed, or is no longer capable of performing their duties, then a new member will be elected at the next TF-CSIRT meeting for a term that will expire when the term of the original member would have expired. If this term is one year or less, it will not count for the purposes of calculating consecutive terms.

5.6 Full Members may request that GÉANT dismisses a Steering Committee member if they consider he/she is no longer performing his/her duties as required. Such a request must be submitted by verifiable digitally signed e-mail.

5.7 The Steering Committee will normally meet in conjunction with TF-CSIRT meetings, but may also meet at other times as necessary (although this may be via audio or video conference).

5.8 The organisation of meetings shall be the responsibility of the TF-CSIRT Secretary, who shall circulate the agenda at least 14 days before the date of a meeting.

5.9 The TF-CSIRT Chair shall chair meetings or, if he/she is unavailable, in accordance with Article 3.5.

5.10 Meetings shall only be open to Steering Committee members and the TI team (see Article 9.2). The Steering Committee may conduct parts of its meetings without the TI team, and/or it may invite other persons to participate in parts of its meetings as guests.

5.11 Minutes of meetings shall only be available to Steering Committee members and the TI team (see Article 9.2) as confidential and sensitive issues relating to organisations and individuals may be discussed, but a summary of the discussions and decisions taken shall be circulated to the Task Force membership.

5.12 Decision-making shall normally be through consensus, although failing this each Steering Committee member has one vote. A member may authorise another member to cast a proxy vote on his or her behalf, but this must be notified by verifiable digitally signed e-mail in advance of the meeting, and no member may vote on behalf of more than one other member.

5.13 Any Steering Committee member, either at a meeting or via the Steering Committee mailing list, may request a poll. Decisions shall be made by simple majority vote and the Chair will have a casting vote in the event of a tie. The quorum required for valid decisions shall be five votes (not including any casting vote). In the case of an e-mail poll, votes must be submitted by verifiable digitally signed e-mail within 14 days of the poll being called on the mailing list.

5.14 The Steering Committee will have a mailing list to facilitate communication amongst Steering Committee members and with the TI team (see Article 9.2). Minutes and other relevant documents will be posted on a restricted access website.

5.15 The Steering Committee shall act on behalf of GÉANT to deal with any dispute issues raised by Members, according to the dispute resolution process published on the TF-CSIRT website.

6. Election of Officials

6.1 The organisation of elections shall be the responsibility of the TF-CSIRT Secretary, who shall notify the Task Force membership of vacancies and call for nominations at least 28 days prior to the date of an election.

6.2 Any Full Member may propose any person as a candidate for a vacant position, who must then be seconded by another Full Member. Candidates may be proposed up until the commencement of an election.

6.3 If only one candidate is nominated for a vacant position, they shall be declared elected unopposed. If there is more than one candidate for a vacant position, a secret ballot shall be held using unsigned and closed ballot papers.

6.4 When a ballot is held, a candidate shall be declared elected if they receive more than 50% of the votes cast, subject to Article 7.13. If no candidate receives sufficient votes, the candidate with the least number of votes is eliminated, and the ballot is repeated until a candidate is successful. If the fewest number of votes is obtained by more than one person at any stage of this procedure, drawing of lots shall be used to determine which person is excluded from the subsequent ballot, or in the case of the last two remaining candidates, which one will be declared elected.

6.5 The TF-CSIRT Secretary will appoint a minimum of two tellers to count the votes in accordance with Article 6.4. Candidates for election shall not be eligible to serve as tellers, and the tellers should preferably be individuals not voting in the election.

6.6 Where there is more than one vacancy, the election for TF-CSIRT Chair will always be held first if required. This will be followed by elections for the TF-CSIRT Steering Committee, starting with the vacant position(s) with the longest term of office and ending with the vacant position(s) with the shortest term of office (as applicable).

6.7 The election of officials is subject to ratification by GÉANT. In the event that a vacant position cannot be filled for whatever reason, GÉANT may make an appointment for all or part of the term of office.

7. Meetings

7.1 The Task Force will meet at approximately four-monthly intervals. Physical meetings will be held at various locations within Europe, taking care to reduce overall costs to participants.

7.2 An extraordinary meeting may be convened upon request of at least 25% of the Full Members. This request must be conveyed via verifiable digitally signed e-mail to the TF-CSIRT Secretary, who will convene the meeting within 42 days of receipt.

7.3 The organisation of meetings shall be the responsibility of the TF-CSIRT Secretary, supported by the TI service (see Articles 9.6 and 9.7). Invitations will be sent to all members at least 28 days before the date of a meeting.

7.4 The TF-CSIRT Chair shall chair meetings or, if he/she is unavailable, in accordance with Article 3.5.

7.5 Meetings shall normally include a general session and a closed session.

7.6 Representatives and nominated delegates of Full Members and Liaison Members, as well as Individual Members, are automatically entitled to attend general sessions.

7.7 Nominated representatives and delegates of Full Members and TI Associates are automatically entitled to attend closed meetings.

7.8 Limits on the number of participants to a particular meeting might apply.

7.9 The Chair of the Meeting may invite other persons to participate in all or parts of a general or closed session. Prior to the start of the meeting, the Chair must identify guests and the parts of the meeting for which they are invited, and if an objection is raised by the representative of a Full Member, the invitation must be withdrawn or amended.

7.10 Meeting attendees may be asked to identify themselves and/or provide evidence that they represent their stated affiliation. In the event of doubt, admittance will be determined in accordance with Article 7.9.

7.11 Where decisions need to be taken, each Full Member shall have one vote that must be cast by one of its designated representatives. A Full Member may authorise a representative of another Full Member to cast a proxy vote on its behalf, but this should be notified by verifiable digitally signed e-mail at least 48 hours in advance of a meeting, and no representative should vote on behalf of more than two Full Members in the same meeting.

7.12 Any Full Member may also request an e-mail poll at any time. Votes must be submitted by verifiable digitally signed e-mail within 28 days of a poll being called on the mailing list.

7.13 Decisions shall be made by a simple majority vote, except under Articles 3.6, 5.6, 6.4, 9.4 and 12.1. For decisions to be valid, at least 25% of all Full Members must either be present in a meeting or cast a vote.

8. Dissemination

8.1 The Task Force will have a general mailing list to facilitate communication amongst all Task Force members. The representatives of all Task Force members may subscribe to this list, as well as any delegate nominated by a Full or Liaison Member representative.

8.2 The Task Force will have a public website providing a general introduction to the Task Force, as well as information on CSIRT contacts, meetings, the Trusted Introducer process, TRANSITS training, and how to establish and develop a CSIRT. It will also provide a repository for CSIRT-developed documentation, and links to other relevant organisations.

8.3 Reports, presentations and other documentation will be disseminated on the mailing lists, websites and/or at meetings in accordance with the Information Sharing Traffic Light Protocol (ISTLP), except information subject to copyright restrictions or provided on a non-disclosure basis.

9. Trusted Introducer

9.1 Trusted Introducer (TI) is the listing, accreditation, association and certification service of the Task Force.

9.2 The TI service is contracted on behalf of the Task Force by GÉANT. The TI contractor provides designated staff (the ‘TI team’) to undertake the agreed tasks.

9.3 Fees may be charged for accreditation and certification to recoup the costs of providing the TI service.

9.4 The TI requirements for listing, accreditation and certification shall be defined by the TF-CSIRT Steering Committee from time-to-time, but may also be amended upon request of at least 50% of the Full Members. This request must be conveyed via verifiable digitally signed e-mail to the TF-CSIRT Secretary.

9.5 The TI service shall maintain a registry of CSIRTs that shall include contact information, whether they are listed or accredited, and whether they have received certification. The registry will also indicate the country/territory of each CSIRT, using ‘Europe’ or ‘Worldwide’ for CSIRTs that have a pan-European or global constituency respectively, or the official short country name in English according to the latest ISO 3166-1 list for CSIRTs whose constituency is (mainly) in one country/territory.

9.6 The TI service shall organise the closed sessions during TF-CSIRT meetings. This includes preparing the programme in collaboration with the TF-CSIRT Chair and Secretary, preparing ballot papers as necessary, ensuring only pre-authorised persons join the meeting, and publishing the proceedings (e.g. minutes and presentations).

9.7 The TI service shall undertake other tasks as agreed by contract. These tasks are defined by the TF-CSIRT Steering Committee, subject to ratification by GÉANT.

10. TRANSITS Training

10.1 Training of Network Security Incident Teams Staff (TRANSITS) is the training service of the Task Force. This aims to provide training to both new and experienced CSIRT personnel, as well as individuals with a bona-fide interest in establishing a CSIRT.

10.2 TRANSITS courses are organised on behalf of the Task Force by GÉANT, utilising personnel from the Task Force membership.

10.3 Fees may be charged for training to recoup the costs of providing TRANSITS courses.

10.4 Responsibility for development of the training curricula and materials, tutoring standards, and registration of tutors shall rest with the TF-CSIRT Steering Committee.

10.5 GÉANT shall maintain a registry of tutors that shall include contact information, and the courses they are qualified to teach.

10.6 The course materials are copyrighted by GÉANT on behalf of the TF-CSIRT membership, although individual authors and/or their employers may also hold copyright in certain items.

10.7 The course materials may be used, in whole or part, for training courses subject to the conditions agreed by the TF-CSIRT Steering Committee from time-to-time, and upon receiving permission of GÉANT. Fees may be charged for use of course materials to recoup the costs of developing and maintaining these.

11. Activities

11.1 The Task Force shall annually produce a list of activities it proposes to undertake in the coming year. This shall be developed by the TF-CSIRT Steering Committee, taking into consideration available effort and resources, and presented for approval at the TF-CSIRT meeting in the September-December period of each year.

11.2 The Task Force may create a maximum of four working groups to work on specific activities where a requirement exists and there is support from at least five Full Members. They shall consist of volunteers drawn from the Task Force members and shall be limited in scope and duration. Administrative support may be requested from the TF-CSIRT Secretary.

12. Amending the Terms of Reference

12.1 These Terms of Reference may be amended by a simple majority vote at a TF-CSIRT meeting.

12.2 Changes to the Terms of Reference will only take effect upon ratification by GÉANT.