FIRST Operational Framework

Preface

The text version of this document was converted to Texinfo for conversion to an HTML document. The original text is unchanged except for the following modifications:

  • updated appendix reference to the CERT(r) Coordination Center
  • deletion of the table of contents in favor of an automatically generated version
  • deletion of the title's appearance on the first page after the table of contents
  • changed the four explicit, internal cross-references into Texinfo cross-references with minor rewording for correct grammar
  • substitution of "and" for ampersands in section headings
  • addition of this preface

Introduction

The Forum of Incident Response and Security Teams (FIRST) consists of a network of individual computer security incident response teams that work together voluntarily to deal with computer security problems and their prevention. These teams represent government, law enforcement, academia, the private sector, and other organizations with justifiable interest as determined by the Steering Committee. This Framework describes the FIRST, its organization, and basic operational policies.


Definitions

Response Team
an organization whose function is to assist an information technology community or other defined constituency in preventing and handling security-related incidents. An individual Response Team also takes active steps to raise its constituents' level of awareness of computer security issues and to improve the security of its constituents' information technology resources.
Constituency
a group of users or organizations that is served by a given Response Team and that share specific characteristics, such as a specific organization, computer network, operating system, or other common interest.
FIRST Representative
an individual who is the designated representative of a FIRST Member. The FIRST Representative may delegate this authority and must notify the Secretariat in writing of the delegation.
FIRST Member
a Response Team which is a member of FIRST. In this framework, the terms Member and FIRST Member are used interchangeably.
Incident
an event that has actual or potentially adverse effects on computer or network operations resulting in fraud, waste, or abuse; compromise of information; or loss or damage of property or information. Examples include penetration of a computer system, exploitation of technical vulnerabilities, or introduction of computer viruses or other forms of malicious software.
Liaison
an individual that has a legitimate interest in and value to the FIRST.
Secretariat
a FIRST Member or other group designated by 2/3 vote of the Steering Committee to serve as an administrative distribution point for FIRST, to coordinate FIRST meetings and workshops, maintain Member profile information, and provide general guidance to new Members and potential members.
Steering Committee
a group of individuals responsible for general operating policy, procedures, and related matters affecting the FIRST as a whole.
Advisory Board
a group of individuals providing strategic guidance and advice to the members of the Steering Committee.

Vision and Mission Statement

The goals of FIRST are defined in a Vision and Mission Statement.

The Vision and Mission Statement will be reviewed annually by the Steering Committee. Any proposed changes and/or amendments to the Vision and Mission Statement must be approved by a 2/3 majority of the Steering Committee.

The proposed changes and amendments must then be on the agenda at either the next Annual General Meeting or any Special or Additional Meeting for approval by the membership.

Changes and amendments to the Vision and Mission Statement must be approved by a 2/3 vote of the members present at a General Meeting or Special or Additional Meeting, provided a quorum is present.


FIRST Participation

There are two types of participants in the FIRST:

  • FIRST Members, and
  • Liaisons.

The selection and responsibilities of each type of participant are described in this framework.

Membership

Initial FIRST Members

The initial Response Teams comprising the FIRST are listed in the section Initial Members. Additional members shall be accepted as described below.

Nomination Acceptance Procedures

New Full members must be nominated by two existing Full members. If requested and approved by a 2/3 vote of all members of the Steering Committee, one existing Full member may be sufficient.

New Liaisons must be nominated by one existing Full member.

All nominations must be approved by a 2/3 vote of all members of the Steering Committee. New participants must pay the applicable membership fee upon Steering Committee approval for membership.

The membership fee can be waived; see "Membership Fee Structure and Review".

A proposed new FIRST Member or Liaison must provide the following information in support of its nomination:

  • The name or identification of the group, organization, or individual
  • Reasons for joining the FIRST
  • Benefits to FIRST of nominee's participation
  • Name of FIRST Representative or Liaison point of contact
  • For FIRST Members, identification and description of the nominee's constituency
  • For Liaison Members, the sponsoring Member Team
  • Completion of other appropriate information for the "participant profile" maintained for each Response team as described in the section "Participant Profile".

Before a nomination for a new full member can be approved, at least one of the sponsors must have conducted a site visit. If requested by all sponsors and approved by a 2/3 vote of all members of the Steering Committee, the site visit may be omitted.

The term of membership shall continue as long as the annual membership fee is paid, unless revoked or voluntarily terminated.

Membership Termination

Voluntary Termination

A participant may voluntarily resign from the FIRST at any time. The membership fee is not refundable if a Member or Liaison resigns from FIRST.

Suspension and Revocation

The Steering Committee will initiate membership revocation steps if any of the following conditions apply:

  • noncompliance with this FIRST Framework
  • lack of cooperation
  • failure to contribute to the purposes and goals of the FIRST
  • failure to pay the annual FIRST membership fee within the set time period
  • failure by a liaison to maintain an active FIRST Member Team sponsor.

When a revocation process is begun, the participant's access to FIRST rights and facilities may be suspended. Suspension or revocation shall require a 2/3 vote of all members of the Steering Committee.

The participant shall be provided an opportunity for rebuttal prior to revocation.

Lifting suspension and restoration of access to FIRST rights and facilities shall require a 2/3 vote of all members of the Steering Committee.

Participants who have their FIRST membership revoked or suspended for any reason are not entitled to a refund of their membership fee.

Membership Fee Structure and Review

Membership fees will be set and reviewed annually by the Steering Committee. The membership fee structure, due dates and other associated requirements will be determined by the Steering Committee and will be reviewed/modified as necessary on an annual basis to reflect current membership and/or financial issues. The membership fee structure must be approved by a 2/3 majority of the Steering Committee. For the purpose of calculating the increase in revenue, the current and proposed fee structure rates shall be applied to the membership at the time of the Annual General Meeting. A Member's or Liaison's annual membership fee can be waived if a member or their parent organization provides a donation or sponsorship at or above the level of the currently applicable FIRST membership fee.

General Coordination and Organization

The general coordination of FIRST activities will be provided by the Steering Committee, designated committees, and the Secretariat.

The Steering Committee may establish an Advisory Board to seek strategic guidance and advice.

Steering Committee

The Steering Committee shall be responsible for general operating policy, procedures, and related matters affecting the FIRST as a whole.

Steering Committee Membership

The initial Steering Committee shall consist of one representative of each of the initial Response Teams listed in section Initial Members. Five of those original Steering Committee members will be chosen at random to serve until the second General Meeting; the remaining members will serve until the first General Meeting. After the first General Meeting, the Steering Committee shall comprise ten individuals serving two-year terms.

Nomination and Election

Individuals for one-half (5) of the Steering Committee positions shall be elected at each annual General Meeting. A candidate must be nominated by petition of at least six (6) FIRST Members. A FIRST Member may vote for no more than the number of open positions. The five candidates receiving the most votes shall become members of the Steering Committee. Ties shall be broken by random selection.

Chair

The Steering Committee shall elect from its membership a chair to serve a term of one year. A person may not serve as Chair for more than two consecutive one-year terms.

Vacancies

A vacancy shall occur when a Steering Committee member resigns or is removed. A Steering Committee member may be removed for cause by a unanimous vote of the remaining Steering Committee Members. The Steering Committee Chair shall nominate a person to complete the remaining term. The nominee must be approved by a 2/3 vote of the remaining Steering Committee.

Steering Committee Proxies

The Steering Committee may establish rules for the use of proxies for Steering Committee meetings. Adoption of rules by the Steering Committee shall require approval by a two-thirds vote.

Standing and Ad Hoc Committees

The Steering Committee will establish, as necessary, standing and ad hoc committees. The Steering Committee shall appoint the membership and chair of such committees and shall determine their operating procedures.

FIRST Secretariat

A Secretariat shall be designated by the Steering Committee. The responsibilities of the Secretariat shall include coordinating FIRST meetings and workshops, maintaining FIRST Member profile information, keeping informed of individual FIRST Member and Liaison activities, and serving as an administrative distribution point for the FIRST. The Secretariat shall also provide general guidance to new Members, potential members, and Liaisons.

Advisory Board

The Steering Committee will establish, as necessary, an advisory board. The Steering Committee shall appoint the membership and chair of such advisory board and shall determine their operating procedures.

Steering Committee members are not eligible to serve on the advisory board. Membership in the advisory board is otherwise open and does not require any prior involvement with FIRST.

Meetings

General Meetings

The FIRST shall hold a General Meeting annually. FIRST Members are expected to be represented. Each Response Team shall be represented by its FIRST Representative. The business of the annual General Meeting shall include the election of the Steering Committee members and may include any other matter affecting the FIRST. Minutes of meetings shall be taken and distributed to all Members, Steering Committee members, and Liaisons.

Conduct of General Meeting

The chair of the Steering Committee shall preside at the General Meeting. All business shall be conducted in accordance with Robert's Rules of Order, latest revision.

Voting and Conduct of General Meetings

Each FIRST Representative shall have one vote. A quorum shall be a number of FIRST Representatives equalling one-half the number of FIRST Members plus one (1). All matters except as described elsewhere in this Operational Framework shall be decided by a simple majority vote of the quorum.

Special Meetings

The Chair of the Steering Committee may, upon formal approval of the Steering Committee, call a Special Meeting of the FIRST to address a specific topic. Additionally, such a call for a Special Meeting shall necessarily be issued within seven (7) days should the Chair receive written application for such a meeting, including the specific topic to be addressed, from one quarter of the FIRST members.

Any business (including amendments to the Operational Framework) which would be in order at a General Meeting may be considered at a Special Meeting.

Calling a Special Meeting

The call for a Special Meeting shall include the venue, date, time and time-zone, purpose, and agenda for the meeting; and the call shall be issued via normal channels to the FIRST membership at least fourteen (14) days prior to the date set for the meeting.

Conduct of Special Meetings

Special Meetings may be conducted either face-to-face, as in the Annual General Meeting, or on-line, via a FIRST mailing list or similar mechanism. The technical procedure and time constraints for conducting on-line meetings shall be adopted by the Steering Committee and announced as part of the call for each Special Meeting, and shall include means for certifying attendance, and the presence or absence of a "quorum"; how to authenticate agendas, motions, parliamentary rulings, and votes; how discussions will be conducted, how moderated, and how recorded; the amount of time allowed for each stage of making, discussing, and voting on motions; how each such stage will be synchronized; and how the minutes of such meetings will be recorded, kept appropriately confidential, and approved.

Voting at Special Meetings

Voting at Special Meetings follows the same rules as apply to General Meetings.

Additional Meetings

The Chair of the Steering Committee shall announce an Additional Meeting of the FIRST within ten (10) days, should the Chair receive written application for such a meeting from the FIRST members, including at least one valid proposal.

Proposals to be considered at Additional Meetings are only valid when supported by at least ten (10) FIRST members. Proposals which include amendments to the Operational Framework are only valid when supported by at least one fifth of the FIRST members.

Additional proposals by FIRST members can be submitted to the Chair of the Steering Committee within thirty (30) days after the announcement for the Additional Meeting was issued. The meeting shall be conducted within fifteen (15) to thirty (30) days after the end of this thirty-day period.

Any business which would be in order at a General Meeting may be considered at an Additional Meeting.

The Chair of the Steering Committee will delay issuing the announcement for an Additional Meeting whenever necessary to meet the following constraints:

  1. There shall be no Additional Meetings conducted either sixty (60) days before or sixty (60) days after annual General Meetings;
  2. Additional Meetings shall be conducted at least sixty (60) days apart.

Calling Additional Meetings and Conduct and Voting at Additional Meetings

Calling Additional Meetings and Conduct and Voting at Additional Meetings follow the same rules as apply to Special Meetings.

Proxies

If a FIRST Full Member Representative is unable to attend any general, special or additional meeting of FIRST, the Representative may assign a proxy to someone else who is attending. That person does not need to be a FIRST member. Persons holding a proxy should be aware of the voting rules and should seek guidance of the Representative on the issues that he or she will vote on. A proxy holder shall have the same rights as the Representative whom they represent with the exception that they cannot assign the proxy they hold to another person.

The Steering Committee shall designate the manner and form for proxies and shall establish a submission deadline as is necessary for proper validation of proxies prior to meetings. Questions concerning the validity of proxies shall be resolved by the Steering Committee in such a manner that they deem to be fair and appropriate.

Steering Committee Meetings

The Steering Committee shall meet at least semi-annually. A quorum shall comprise at least six (6) members. All matters shall be decided by a two-thirds (2/3) affirmative vote of the quorum except as described elsewhere in this Operational Framework. Minutes of meetings shall be taken and distributed to all Members and Liaisons.

Working Meetings

The Steering Committee may call working meetings to deal with specific subjects. Participation may be limited due to the nature of the subject being addressed.


Participant Requirements and Responsibilities

Each Member and Liaison is expected to adhere to the provisions of this Framework, meet certain operational requirements, and fulfill certain responsibilities to the other participants.

Participant Profile

Each participant must provide and maintain a profile of itself describing the constituency, technical expertise and other information as determined by the Steering Committee.

Communications Support

Each participant must provide the operational and communications support capabilities as determined by the Steering Committee.

FIRST Representative

Each Member must designate a FIRST Representative and alternate. All official correspondence will be addressed as designated by the FIRST Representative.

Liaison Sponsorship

Each FIRST Liaison must have a Member team as a sponsor on a continuing basis. Liaisons must notify the Steering Committee of any changes in their sponsorship in a timely manner.


Funding

Member Participation

All participants must provide their own funding and support for their participation in FIRST activities.

Additional Funding and Support

The Steering Committee or Secretariat may accept funding or other support for FIRST activities.

Operational Activities and Policies

FIRST Communications

All FIRST information and communications shall be provided security protection appropriate to the nature and sensitivity of the information involved.

Handling and Dissemination of Information

All FIRST participants must adhere to the dissemination constraints specified by the originating source. Only the originator may relax any dissemination constraints. Information that has no specific dissemination instructions may not be disseminated further.

Non-Disclosure Agreements

If a FIRST participant obtains information subject to a non-disclosure agreement, no rights to that information may be assumed by other participants.

Public Release of Information

Each FIRST participant should have an established procedure for interaction with the press in accordance with the FIRST participant's constituency requirements. Where possible and appropriate, notices and other information should be distributed to the FIRST in advance of public release. In all situations, an individual Response Team is responsible to its constituents first and may work with the press if necessary to reach its constituency. Individual participants may not speak for other FIRST participants nor the FIRST as a whole. The Steering Committee may authorize the Secretariat or a FIRST participant to speak for the FIRST.

Representation

The people working voluntarily as members of the FIRST are working as employees of their parent organizations. The FIRST is an organization strictly for the purposes as enumerated in the section "Purpose", and is not an official organization or legal entity.

Language

All business of the FIRST shall be conducted in English.


Amendments

Amendments to this Framework must be approved by a 2/3 vote of the members present at a General Meeting or Special or Additional Meeting, provided a quorum is present. The proposed amendment must be on the agenda at either the Annual General Meeting or any Special or Additional Meeting to be considered for acceptance. This Framework shall be reviewed on an annual basis by the Steering Committee and appropriate changes proposed to the FIRST membership.


Dissolution

The FIRST may be dissolved when approved by a 2/3 vote of all the FIRST Representatives.


Initial Members

The following organizations shall be initial members of the FIRST: