Policy SIG

Mission

The Policy SIG formulates and promotes FIRST's position on policy and governance matters in an international context. It advocates the values of FIRST and supports policymakers with factual information, enabling them to understand the needs of incident responders and the importance of global cooperation in securing cyberspace. The SIG promotes FIRST initiatives, but does not lobby. SIG members can, with the approval of the board, represent FIRST in relevant meetings to promote FIRST's position and values. The SIG formulates and documents FIRST's policy position and maintains the FIRST policymaker training.

Goals & Deliverables

Describe the goals and deliverables of what you hope to accomplish in the next year (please explain if a longer approach is needed). Cybersecurity has long been not only a technical topic, but also a governance issue. As early as 2003, the UN Governmental Group of Experts on the use of ICTs began discussing cybersecurity issues. This culminated in the statement that international law holds in cyberspace and the identification of eleven norms of responsible state behavior. At the same time, regional organizations such as the Organization for Security and Cooperation in Europe (OSCE) started working on Confidence Building Measures (CBMs) with the goal of improving collaboration in cybersecurity matters among participating states. The subsequent UN Groups of Governmental Experts (GGEs) as well as the more inclusive Open-Ended Working Group (OEWG) further developed this into the UN Framework for responsible behavior in cyberspace, which rests on four pillars:

1. International law holds in cyberspace
2. States should implement the eleven norms of responsible state behavior
3. States should implement CBMs
4. States should invest in capacity building

The UN framework touches on FIRST's work in many areas. For example, FIRST's code of ethics (ethicsFIRST) is rooted in international law, namely the Universal Declaration of Human Rights. Furthermore, CERTs are explicitly mentioned in existing norms and CBMs. FIRST operates its own capacity building program. For these reasons, FIRST has contributed for many years to policy processes and discussed its stance in an informal group of interested volunteers. FIRST is increasingly recognized as a key stakeholder in discussions around cybersecurity and incident response. Its global scope gives the organization a reputation of being competent and neutral. Thus, we would like to create a formal special interest group (SIG) to help advising on FIRST's position and engagement in governance and policy matters.

Chairs

• Sherif Hashem
• Koichiro (Sparky) Komiyama

Mailing list

• policy-sig@first.org (subscribers only; please complete the Request to Join form below)

Request to Join

• Initiatives
  • Special Interest Groups (SIGs)
    • SIGs Framework
    • Academic Security SIG
    • AI Security SIG
    • Automation SIG
    • Big Data SIG
    • Common Vulnerability Scoring System (CVSS-SIG)
      • Calculator
      • Specification Document
      • User Guide
      • Examples
      • Frequently Asked Questions
      • CVSS v4.0 Documentation & Resources
        • CVSS v4.0 Calculator
        • CVSS v4.0 Specification Document
        • CVSS v4.0 User Guide
        • CVSS v4.0 Examples
        • CVSS v4.0 FAQ
      • CVSS v3.1 Archive
        • CVSS v3.1 Calculator
        • CVSS v3.1 Specification Document
        • CVSS v3.1 User Guide
        • CVSS v3.1 Examples
        • CVSS v3.1 Calculator Use & Design
      • CVSS v3.0 Archive
        • CVSS v3.0 Calculator
        • CVSS v3.0 Specification Document
        • CVSS v3.0 User Guide
        • CVSS v3.0 Examples
        • CVSS v3.0 Calculator Use & Design
      • CVSS v2 Archive
        • CVSS v2 Complete Documentation
        • CVSS v2 History
        • CVSS-SIG team
        • SIG Meetings
        • Frequently Asked Questions
        • CVSS Adopters
        • CVSS Links
      • CVSS v1 Archive
        • Introduction to CVSS
        • Frequently Asked Questions
        • Complete CVSS v1 Guide
      • JSON & XML Data Representations
      • CVSS On-Line Training Course
      • Identity & logo usage
    • CSIRT Framework Development SIG
    • Cyber Insurance SIG
      • Cyber Insurance SIG Webinars
    • Cyber Threat Intelligence SIG
      • Curriculum
        • Introduction
        • Introduction to CTI as a General topic
        • Methods and Methodology
        • Priority Intelligence Requirement (PIR)
        • Source Evaluation and Information Reliability
        • Machine and Human Analysis Techniques (and Intelligence Cycle)
        • Threat Modelling
        • Training
        • Standards
        • Glossary
        • Communicating Uncertainties in CTI Reporting
      • Webinars and Online Training
      • Building a CTI program and team
        • Program maturity stages
          • CTI Maturity model - Stage 1
          • CTI Maturity model - Stage 2
          • CTI Maturity model - Stage 3
        • Program Starter Kit
        • Resources and supporting materials
    • Digital Safety SIG
    • DNS Abuse SIG
      • Code of Conduct & Other Policies
      • Examples of DNS Abuse
    • Ethics SIG
      • Ethics for Incident Response Teams
    • Exploit Prediction Scoring System (EPSS)
      • The EPSS Model
      • Data and Statistics
      • User Guide
      • EPSS Research and Presentations
      • Frequently Asked Questions
      • Who is using EPSS?
      • Open-source EPSS Tools
      • API
      • Related Exploit Research
      • Blog
        • Understanding EPSS Probabilities and Percentiles
        • Log4Shell Use Case
        • Estimating CVSS v3 Scores for 100,000 Older Vulnerabilities
      • Data Partners
    • FIRST Multi-Stakeholder Ransomware SIG
    • Human Factors in Security SIG
    • Industrial Control Systems SIG (ICS-SIG)
    • Information Exchange Policy SIG (IEP-SIG)
    • Information Sharing SIG
      • Malware Information Sharing Platform
    • Law Enforcement SIG
    • Malware Analysis SIG
      • Malware Analysis Framework
      • Malware Analysis Tools
    • Metrics SIG
      • Metrics SIG Webinars
    • NETSEC SIG
    • Passive DNS Exchange
    • Policy SIG
    • PSIRT SIG
    • Red Team SIG
    • Retail and Consumer Packaged Goods (CPG) SIG
    • Security Lounge SIG
    • Threat Intel Coalition SIG
      • Membership Requirements and Veto Rules
    • Traffic Light Protocol (TLP-SIG)
    • Transportation and Mobility SIG
    • Vulnerability Coordination
      • Multi-Party Vulnerability Coordination and Disclosure
      • Guidelines and Practices for Multi-Party Vulnerability Coordination and Disclosure
    • Vulnerability Reporting and Data eXchange SIG (VRDX-SIG)
      • Vulnerability Database Catalog
    • Women of FIRST
  • Internet Governance
  • IR Database
  • Fellowship Program
    • Application Form
  • Mentorship Program
  • IR Hall of Fame
    • Hall of Fame Inductees
  • Victim Notification
  • Volunteers at FIRST
    • FIRST Volunteers
    • Volunteer Contribution Record
  • Previous Activities
    • Best Practices Contest