Policies
Security defense and response information shared within the REN-ISAC trust community is privileged and confidential. The following principles apply:
- Members may forward such information only to organizational peers and subordinates, for the purpose of local defense and threat mitigation. Such redistribution must be guided by the principle of least privilege: to protect data, sources, methods, and relationships, only the information necessary for local assessment and action will be shared. If present, information that identifies REN-ISAC, other specific organizations, or named individuals must be removed from information being shared.
- Information received by the REN-ISAC that identifies individuals or institutions will be securely maintained and will be used solely for the purpose of REN-ISAC activities. The source individual and institution will not be shared with a third party without the consent of the source or the institution's primary representative.
- Any specific information provided to or derived by the REN-ISAC related to a specific institution will be shared only with the registered member of that institution.
- Any information provided to or derived by the REN-ISAC may be represented in aggregate statistical reports, alerts, or other notifications without specific permission of the information sources.
- Incident notifications provided or relayed by REN-ISAC will follow the aforementioned principle of minimal privilege. Notifications will identify the specific machines involved in an incident or suspected to be compromised, and will be sent only to the incident handling contacts of the involved organizations.
- Exceptions to these applicable principles may be attached to specific information or provided by written permission of the source.
- Organizational failures to comply with REN-ISAC dissemination policies are subject to review and may result in removal from the REN-ISAC trust community.
Page Revised: June 19, 2006
Copyright, Trustees of Indiana University