Changes in the REN-ISAC Governance, 2019
Frequently Asked Questions
TLP: WHITE
1. What changes are taking place?
a. Indiana University is not renewing the 2014 Operating Agreement with REN-ISAC, which, along with the ByLaws, was used to bridge the interests of the REN-ISAC community and Indiana University. The 2014 OA Section 7 “Term” allows the parties to terminate if they don’t want the agreement to renew automatically.
b. The termination date for the 2014 Operating Agreement and the ByLaws was July 24, 2019—the day the termination was announced to the community.
c. The Statement of Shared Commitment and Expectations replaces the Operating Agreement and thus the ByLaws. The Statement accomplishes the same task of bridging the mutual interests of the REN-ISAC members and IU, but in a legally recognized and more organized way, which allows for greater flexibility and timely service development.
d. The working version of the Statement of Shared Commitment and Expectations went into effect on July 24, 2019 and will remain in effect until we have created a more finalized version based on your feedback. While we do not have an exact date for the release of the finalized document, we anticipate it to go into effect by the end of September 2019.
2. Why is this change taking place? (Back to top)
a. IU Legal Counsel has identified salient legal risks inherent in the REN-ISAC’s current governance structure, which puts a burden on the current Board of Directors for decisions that may create legal liability for themselves and IU. That responsibility more appropriately belongs in the hands of the IU Board of Trustees. The use of the term “Board of Directors” is one such example, as the term implies fiduciary and executive authority that the Board does not hold.
b. The 2015 ByLaws (amended in 2017) and 2015 IU Operating Agreement with the REN-ISAC place an administrative burden on the Board of Directors and the REN-ISAC staff to ensure compliance. The Statement of Shared Commitment and Expectations lessens that burden and leaves more time and opportunity to improve REN-ISAC member services through strategic guidance.
c. The new governance structure outlined in the Statement of Shared Commitment and Expectations makes the governance process more accessible to a wide range of individuals, thus encouraging increased member participation in governance activities.
d. The ByLaws required ongoing and time-consuming updates, with 13 sections identified by the Board of Directors for need of replacement or clarification, which the Board can share (or request the REN-ISAC’s Executive Director to share) at their discretion. The Statement of Shared Commitment and Expectations contains all the elements of the ByLaws without being overburdened by minute amendments to the document.
3. Will this impact REN-ISAC services? (Back to top)
a. This will not impact the REN-ISAC services you know and trust. You can continue to rely on the Daily Watch Report for the latest in threat analysis, our mailing lists to share with trusted colleagues at other institutions, SES to increase automated threat intelligence defense, and our CSIRT services for notifications, as well as the workshops, meetings, SANS discounted training, and webinars we provide for professional development and education.
4. Will this impact membership fees? (Back to top)
a. No, this has no bearing on your annual membership fee. The REN-ISAC executive director, in consultation with REN-ISAC staff and the Advisory Council, will continue to work hard to keep membership fees low.
5. What is REN-ISAC’s new organizational structure? (Back to top)
a. Rather than a Board of Directors, which implies fiduciary and executive responsibility over an organization, the REN-ISAC governance framework is evolving to include an advisory council, the responsibilities of which are outlined in the Statement of Shared Commitment and Expectations.
6. Where does the REN-ISAC staff hope the new governance structure will lead the organization in the next few years? (Back to top)
a. The REN-ISAC staff is still firm in its commitment to the REN-ISAC community. We hope that the current elected Board Members will continue to serve REN-ISAC through the Advisory Council. Their guidance will be invaluable in providing strategic direction, feedback, and outcomes from the services we provide.
b. In addition, we believe that this new structure will enable us to further emphasize the community-focused nature of the REN-ISAC. We see the new governance structure as a way to empower new and diverse voices by encouraging all member representatives to come to the REN-ISAC staff or the Advisory Council with their feedback. By working together, we can create a stronger organization with specially crafted services and structures to better fit our members’ needs.
7. Will this change impact the Information Sharing Policy? (Back to top)
a. No, the Information Sharing Policy and other Membership Documents remain the same and fully in effect. Nothing in the evolved governance model changes or will change that. Operationally, REN-ISAC remains, as before, steadfast to the principles of the foundational trust framework that has served our community well since 2003.
8. Does DHS need to approve this change? (Back to top)
a. No approval is needed from DHS. The original MOU with NIPC (a precursor of DHS) called upon IU to manage and operate the REN-ISAC, which is still relevant today.
9. How much revenue does the REN-ISAC gain from membership dues, and how does the Statement of Shared Commitment and Expectation ensure that members receive services that amount to their investment in membership? (Back to top)
a. In the 2019 fiscal year, REN-ISAC collected $950,000 in membership fees.
b. As outlined in the Statement of Shared Commitment and Expectations, the REN-ISAC is not operated to generate and disseminate profit. Membership fees, along with additional funding from sponsors, goes to cover costs and support the REN-ISAC mission and members.
c. The Statement of Shared Commitment and Expectations also sets guidelines for the REN-ISAC staff to enable member engagement in the organization’s financial responsibilities, thereby protecting member investment. In short, the REN-ISAC simultaneously commits to the ongoing strategic evolution of the organization while seeking input from member representatives on how to best serve our community.
d. The Executive Director further enables member engagement in financial matters by providing and publishing an annual report of the REN-ISAC’s activities, which includes financial status, budgets, and relevant audit information.
10. Why were discussions about the organizational changes with the Board marked TLP: RED, and why was the Board restricted from discussing it further until July 24? (Back to top)
a. Out of the desire to give the Board time for to review, consider, and provide input, the REN-ISAC Executive Director and IU leadership kept the distribution limited. While that slowed down the broader announcement and discussion, it proved more successful in the end. The Board provided valuable guidance for a slow, measured approach, as well as excellent feedback and suggestions on the Statement of Shared Commitment and Expectations.
11. Did the Executive Director email private trust communities prior to engaging with the community? (Back to top)
a. No, however, the Executive Director did reach out to partners shortly after the announcement to provide clarifying information about the changes.
12. Who has responsibility for entering into third party agreements on the part of REN-ISAC? (Back to top)
a. IU has always taken on the responsibility for entering into third party agreements on behalf of the REN-ISAC and will continue its role as steward as outlined in the Statement of Shared Commitment and Expectations.
13. Is the REN-ISAC willing to go through a third party assessment utilizing the HECVAT to ensure member data is kept confidential and secure? (Back to top)
a. Yes, the REN-ISAC would be happy to do so and will include it in our plans for the current fiscal year.
14. Has this change had any effect on membership levels? (Back to top)
a. None that we’ve seen thus far.
15. What was covered in the August 22 Techburst? (Back to top)
a. AVP Tom Davis and the REN-ISAC Executive Director Kim Milford briefly reviewed the timeline of governance at the REN-ISAC leading up to the current evolution and answered member questions. If you were unable to attend the TechBurst, you can access a recording on the wiki (login required).
16. Who can I contact with questions? (Back to top)
a. Executive Director Kim Milford, kmilford@ren-isac.net, 317-278-4815
b. AVP of Information Security Tom Davis, tdavis@iu.edu, 812-855-7451
c. Membership Services, membership@ren-isac.net
Relationship with Indiana University
17. By not renewing the Operating Agreement, does it mean IU is no longer supporting the REN-ISAC? (Back to top)
a. IU’s support remains the same under the Statement of Shared Commitment and Expectations. More so than the previous Operating Agreement, the Statement clarifies what members can expect from IU: its continued investment in the REN-ISAC’s management and operations, legal and policy oversight, and overall success.
18. Does this change mean IU is taking over REN-ISAC? (Back to top)
a. No, IU is not taking over. REN-ISAC has always been an administrative unit of IU, much like a research center or institute may be hosted at your institution. As such, REN-ISAC is required to abide by IU policies. IU is proud of its association with the REN-ISAC and is committed to the continued success of the REN-ISAC. The Statement of Shared Commitment and Expectations is a testament to that commitment to our members.
19. Is there a chance IU will reverse course and go back to the original agreement? (Back to top)
a. No. For the reasons outlined throughout this FAQ, IU has terminated the Operating Agreement.
20. Why is the REN-ISAC an administrative unit of IU and not a separate legal entity? (Back to top)
a. Historical perspective: In the early 2000’s, several people involved in security at IU saw that higher education was not represented in the initial structure of ISAC sectors being described by the NIPC, and so would not participate in or benefit from the ISAC structure. IU stepped in and established the REN-ISAC in 2003, intentionally creating a member and community focused organization. IU is proud of the REN-ISAC’s role in helping research and education institutions protect their infrastructure and environments.
b. Legal perspective: Applying for and receiving independent legal standing takes considerable time and expertise, as does the establishment of required policies and procedures and standing with the U.S. Department of Homeland Security and the National Council of ISACs, which requires an application process and approval.
c. Business perspective: It takes significant resources to fund the REN-ISAC and deliver the services our members need. Being an administrative unit of IU allows the REN-ISAC to leverage economies of scale and IU’s expertise on behalf of the REN-ISAC members while reducing duplicative administrative needs, e.g., payroll. These economies of scale help to keep membership fees reasonable.
21. Is this the result of organizational changes at IU? (Back to top)
a. No. This is not the result of any organizational changes at IU, nor are they a precursor to planned organizational changes at IU.
22. Does this change have anything to do with the OmniSOC? (Back to top)
a. No. The REN-ISAC and OmniSOC are two independent entities under IU’s organizational and financial structures with separate missions to meet the needs of their distinct members. The REN-ISAC and OmniSOC teams do, however, meet regularly and work together when structures and missions allow to learn from each other and discover additional economies of scale.
23. What date was the Operating Agreement signed? (Back to top)
a. Unfortunately, the REN-ISAC and IU staff cannot answer this because there is no signed copy on file. After the ByLaws and Operating Agreement were ratified by members in January 2015, the Transitional Board expressed a desire to individually sign the Operating Agreement, and IU’s Office of General Counsel agreed. A copy signed by all the members of the Transitional Board was never received by the Office of General Counsel.
24. When did IU and the REN-ISAC decide to change the organizational structure? (Back to top)
a. Per the terms outlined in the Operating Agreement, IU reviewed the Operating Agreement (and ByLaws) each year. During the review in December 2018, the Office of General Counsel raised concerns about the legality and risk of the Operating Agreement and ByLaws. Upon further review and discussion this year, IU decided not to renew the Operating Agreement and communicated that to the Board in June 2019.
25. If IU had concerns in December, why didn’t they talk to the Board about it then? (Back to top)
a. There were areas that required further research and understanding, namely, the original NIPC charter, the Operating Agreement, and IU’s policy on University-related entities. IU’s General Counsel wanted to fully understand the needs and risks. They also researched other options and arrangements at IU, as well as other institutions. Once the determination not to renew the Operating Agreement was made, the meeting with the Board was scheduled.
26. How much and what does IU contribute to the REN-ISAC for support? (Back to top)
a. For a modest administrative fee of approximately $50,000 per year (it fluctuates from year-to-year based on projected revenue), the REN-ISAC receives office space, internet access, HR and payroll services, financial and legal services, and access to software and other discounted hardware and services. In addition, IU sponsors the REN-ISAC at $100K annually.
27. Does IU get free membership to the REN-ISAC? (Back to top)
a. No, IU pays for their membership fees and has every year since the REN-ISAC opened in 2004, which is the same year that other members began paying membership fees as they joined the REN-ISAC. IU’s current membership fees under the REN-ISAC fee structure are $2,500.
28. What will the REN-ISAC Executive Director and the IU AVP of Information Security do to repair the eroded trust some members feel due to this change? (Back to top)
a. The REN-ISAC Executive Director, IU AVP of Information Security, and the entire REN-ISAC staff will continue to work hard to build back that trust by being open to community feedback either through the Advisory Council or directly through individual member representatives. Based on that feedback, we will continue to create, shape, and provide useful services as we have done throughout the 16-year existence of the REN-ISAC. We remain committed to the REN-ISAC mission and to the community, and through that commitment we hope to further strengthen our trust community in the years to come.
Statement of Shared Commitment and Expectations
29. What is the Statement of Shared Commitment and Expectations? (Back to top)
a. The Statement of Shared Commitment and Expectations is a re-framing of the current ByLaws to better fit the growing, diverse membership of the REN-ISAC. The document contains the basic guidelines articulated in our previous ByLaws, delineating the roles of the REN-ISAC executive director, the Advisory Council, member and management representatives, and staff, as well as the REN-ISAC’s parent institution, Indiana University. The document also eliminates the administrative requirements for updating the more formal, parliamentarian ByLaws.
30. Does the Statement of Shared Commitment and Expectations give IU full administrative control over the REN-ISAC? (Back to top)
a. No. The Statement of Shared Commitment and Expectations clearly articulates and binds IU’s actions as it relates to the REN-ISAC. While IU has full fiduciary, legal, and executive control, the Statement of Shared Commitment and Expectations articulates the member-driven spirit of the REN-ISAC, as well as the role of the Advisory Council and member representatives in continuing to shape the REN-ISAC services to meet member needs.
31. Does the Statement of Shared Commitment and Expectations mean the REN-ISAC services and operations are more vulnerable to legislative changes? (Back to top)
a. No. All organizations must update their policies and practices because of legislative changes from time to time, e.g., when states establish breach notification laws. Naturally, the REN-ISAC needed to update processes to manage the new requirements, but no more or less than any other organization covered by the statute. The same is true for any legislation enacted today.
b. The REN-ISAC continues to operate as an administrative unit of IU as it did since its inception in 2003. The REN-ISAC must meet mandatory requirements with guidance from IU's Legal Counsel. The previous governance structure did nothing to shield the REN-ISAC from legislative changes.
32. How will the Statement of Shared Commitment and Expectations be updated when needed? (Back to top)
a. The Statement of Shared Commitment and Expectations is an intentionally flexible document. We welcome your feedback, and it will evolve over time to continue to meet the needs of the REN-ISAC community.
b. Adjusting the Statement will be administratively simpler than the ByLaws, as we can then assess the needs and urgency of potential changes in a more responsive and timely manner.
33. How do I submit suggestions for the Statement of Shared Commitment and Expectations? (Back to top)
a. You can send your edits and suggestions on the Statement of Shared Commitment and Expectations to any of the contacts listed below or can submit online via our comment form.
34. What is the deadline for submitting edits and suggestions for the Statement of Shared Commitment and Expectations? (Back to top)
a. Because the Statement of Shared Commitment and Expectations is a living document that establishes a new governance framework for continual adaptation, your comments, ideas, and suggestions are always welcome and encouraged. Once comments and ideas from this initial announcement period taper off, the Advisory Council will be called upon to establish a process for ongoing review and revision.
35. Why are the Statement of Shared Commitment and Expectations announcement and FAQs marked TLP: AMBER? (Back to top)
a. Just as the REN-ISAC and IU leadership wanted to ensure Board input first, we now want to hear from you, our members, regarding the Statement of Shared Commitment and Expectations. This is and should be a member discussion, providing you with plenty of time to review the Statement and discuss internally and as a community.
b. In keeping with the TLP: AMBER classification, email responses from member representatives have not and will not be shared outside of REN-ISAC’s chain of command. The chain of command includes IU Legal, the Vice President of Information Technology to whom AVP Tom Davis reports, and the VPIT’s Chief of Staff. Sharing with those individuals who have a need to know will occur only when permission is granted, and individual names will be redacted.
c. We value your input and welcome your suggestions for improving our new organizational framework. If you would like to distribute it to someone outside the community, please contact Executive Director Kim Milford (contact information below).
Advisory Council
36. What’s the difference between the Advisory Council and the Board? (Back to top)
a. The Board worked in a parliamentarian fashion, under a set of ByLaws developed in 2014, ratified in 2015, and updated in 2017 that required constant revisions of administrative rules, regulations, and processes.
b. Under the framework of the Statement of Shared Commitment and Expectations, the Advisory Council will be a more open, diverse, and consensus-driven body that will be able to focus its time on strategically guiding and influencing the goals and services of our growing organization.
37. Does changing the Board to the Advisory Council diminish the REN-ISAC’s commitment to member-driven community consensus? (Back to top)
a. No. The REN-ISAC has witnessed the strengths and successes achieved collectively as a community, and we are deeply committed to continuing to improve through community contributions In fact, the progress away from strict parliamentarian rules in the ByLaws allows the Advisory Council to focus more on strengthening the REN-ISAC services to better serve our members.
b. We trust former Board members, who will be invited to serve on the Advisory Council, to help IU and the REN-ISAC allay member constituents’ concerns about maintaining the reputation of REN-ISAC under the new framework. Articulations regarding the role of the Advisory Council in the Statement of Shared Commitment and Expectations will help, such as providing input on services, products, and goals; budgets and funding; REN-ISAC staffing, hiring, and performance. There are other responsibilities outlined for the Advisory Council in the Statement of Shared Commitment and Expectations as well, such as working with the Executive Director to provide an annual report to members, serving as a spokesperson for the REN-ISAC; and regularly participate in the activities of the REN-ISAC.
38. Will there be elections for members to select who serves on the Advisory Council? (Back to top)
a. Yes, and the Advisory Council will help us figure out the details. We want our members to have a voice, and a democratic choice of representatives is the best way to achieve that. However, the election process was one of those areas that ended up being very time-consuming and wrought with procedural questions and ByLaws issues. We are committed to making the voting process simple, fair, and straight-forward while encouraging and ensuring a high level of participation from our members.
b. Along with the elected members, members should expect some future appointments to the Advisory Council in order to encourage a fuller, more diverse understanding our community. Member representatives from various communities under the REN-ISAC’s “Enterprise Participation” model (officers, research, healthcare, international and regional networks, etc.) may be appointed to assist with developing services and to provide a voice for those communities.
c. Historically, the Board has also included a delegate from Educause, as well as the TAG and MemCom chairs. The same will be true for the Advisory Council.
39. What role does the Advisory Council play in adding or terminating REN-ISAC services? (Back to top)
a. A big role! The Statement of Shared Commitment and Expectations encourages the Advisory Council to provide guidance on the services and activities REN-ISAC provides. As outlined in the Statement, the Advisory Council has the responsibility to review member feedback and provide their own feedback on services to the REN-ISAC Executive Director and Staff. These recommendations greatly impact the types of services the REN-ISAC provides.
Membership Committee
40. What is the future of the Membership Committee, TAG, and other groups? (Back to top)
a. The changes noted do not impact the work of the Membership Committee, TAG, MAT, or any other working group. We still need the time and talents of our members. Only the Board is impacted by this change.
41. How is the Membership Committee comprised? (Back to top)
a. The Membership Committee (MEMCOM) is made up of active member representatives from the XSec community. Currently, MEMCOM has six members with additional support from the REN-ISAC Membership Services Director. The REN-ISAC Technical Director and Executive Director are on the MEMCOM mailing list and are invited to the meetings but do not typically attend.
b. Each year, the MEMCOM Chair invites nominations from the XSec community to replace outgoing members.
c. MEMCOM reviews the nominations and makes their selections based on the nominee’s length of service, their provided background, and their eligibility (must be in XSec, for example).
d. MEMCOM members serve at least one year, but they are typically invited to serve for three years, depending on the turn-over of members.