Constitution
Introduction
The IISF was established in 1994 primarily to improve the understanding and practice of Information Security within the business user community in Ireland.
The Irish Information Security Forum (IISF) replaced the "Corporate Security Group", which in turn had replaced the "ACF2 User Group" in 1992. The IISF now consists of security professionals and practitioners from a variety of organisations. It is in the best interest of the wider business community that the highest standards of information security be maintained.
In general, information security is not a competitive issue - we may compete vigorously in the market with our respective products and services - but in the area of cybersecurity it is in our own interest that we share information on vulnerabilities and techniques.
Because of the nature of information security, we must be careful about whom we are freely exchanging information with. "Full membership" is therefore restricted to bona fide businesses, corporations and companies operating in Ireland.
"Associate membership" is available for any individual or company having a bona fide business interest in information security which could be of benefit to the Forum.
1. Constitution Objectives
General
The main objective of the Forum is to improve the understanding and practice of Information Security within the business computer user community. The objectives will be supported by the holding of regular meetings of the members of the Forum, and pursued/managed by the Committee.
Specific
- To exchange information and share experiences of mutual interest.
- To provide a focal point for the users of various information security products.
- To hold presentations on information / cyber security topics.
- To represent the views of IT Security practitioners on matters of public concern.
- To encourage and promote the development of IT security standards and services which meet the needs and concerns of its members.
- To build and maintain an inventory of assets such as model information security policies and standards.
2. Membership Requirements
Membership is open to any organisation or company, which has a business interest in information security and is willing to contribute to the affairs of the Forum (subject to application review). Members will be responsible for ensuring up-to-date contact name and details are supplied to the forum. There are two categories of membership: Full and Associate. Entitlements are as follows:
2.1. Full Member
- Only those organisations in which information security is an important function can be considered eligible for Full Membership of the Forum i.e. where information security is 'used' as a service rather than 'sold' as a service.
- The Organisation applying is recognised as the Member.
- Full Membership is by invitation only and with the approval (proposed and seconded) of a two-thirds majority of existing full members.
- Member organisations that fail to attend at least one meeting in a calendar year may have their membership revoked.
- Member organisations are obliged to pay an annual subscription toward administrative costs incurred by the Forum. Changes to the annual subscription will be put to a vote of members at the AGM.
- Failure to pay the annual contribution within an appropriate time interval of the request being issued (three months from invoice date) may lead to automatic removal of the organisation from Forum membership.
- Members are to actively participate in the operation of the Forum.
- Members will appoint a primary contact, usually the individual responsible for Information Security in the organisation, and up to two secondary contacts.
- The primary contact is responsible for notifying the Forum of attendees, changes to details and ensuring adherence to the code of ethics/code of conduct.
Full members are entitled to:
- Send representatives to all IISF meetings and receive all IISF correspondence.
- Raise issues for help/assistance.
- Vote (see section on Voting).
- Make recommendations, or propose topics for discussion.
- Provide advice and guidance on new developments they are involved with.
2.2. Associate Member
- Associate Membership of the Forum is open to any individual or organisation providing information systems products or services, or any related consultancy services or third party vendors.
- Where the associate member is an Organisation rather than an individual, the membership is assigned to the Organisation and not the individual. Where the associate member is an individual rather than an Organisation, the membership is assigned to the individual and not the Organisation.
- Associate Membership is by invitation only and with the approval of a two-thirds majority of all full members.
- Associate Members are not entitled to vote or hold a Forum Committee position.
- At the request of the Forum Chairperson, Associate Members can be excluded from all or any part of a meeting at which their presence is felt to be inappropriate.
- Associate Members that fail to attend at least one meeting in a calendar year may have their membership revoked.
- Associate Members are obliged to pay an annual subscription toward administrative costs incurred by the Forum. Changes to the annual subscription will be put to a vote of members at the AGM. They are also required to pay an introductory fee. The amount to be levied will be put to a vote of members.
- Failure to pay the annual contribution within an appropriate time interval of the request being issued (three months from invoice date) may lead to automatic removal of the organisation from Forum membership.
- Associate Members must not abuse the privilege of membership of the Forum. In particular, meetings and mailings of the Forum must not be used to sell products or services.
Associate members are entitled to:
- Send representatives to all meetings of the Forum.
- Receive all correspondence provided by the Forum.
- Raise issues for help/assistance.
- Make recommendations, or propose topics for discussion.
- Provide advice and guidance on new developments they are involved with.
- Serve as members of sub-committees, when invited by committee members.
2.3. Guests
- Any member, after notifying any member of the Committee, may invite up to 2 guests per meeting if they feel future membership may be of interest to the guest.
- Guests must adhere to the code of conduct and respect and comply with any rules of the Forum.
Guests are entitled to:
- Receive any appropriate correspondence provided by the Forum re the specific meeting attended.
- Provide advice and guidance on new developments they are involved with.
3. Management Committee
The Management Committee is the body elected by the full members convened in a general meeting. It is charged with responsibility for the management of the affairs and achievement of the goals of the Forum. The Committee has the rights and duties set out in this constitution.
3.1. Membership of the Management Committee
- The Committee shall consist of Officers of the Forum, Fellows and Ordinary Members.
- All candidates for the Committee (except Fellows) shall be proposed and seconded by full members and elected at an Annual General Meeting in accordance with the Voting procedures.
3.2. Rights and Duties of the Management Committee
- The Committee is responsible for all assets of the Forum and for arranging meetings.
- The Committee is empowered to create Sub Committees as and when required. Such Sub Committees shall be given Terms of Reference by the Management Committee. The Chairperson of any such Sub Committee shall be a member of the Management Committee. All Sub Committees shall keep minutes of their meetings, which shall be available to the Management Committee if required.
3.3. Officers of the Forum
Officers of the Forum shall be made up of the Chairperson, Vice-Chairperson, Secretary, Treasurer and a Public Relations Officer. All Officers of the Forum are elected at an Annual General Meeting. (See 5. for details of election procedure.) The term of office for all positions is generally one year and no member organisation can hold more than one office in the same year unless there is a shortfall in the number of nominees versus officer positions. The office of chairman cannot be held for two consecutive terms by the same person.
3.3.1. Chairperson
The Chairperson is responsible for:
- Ensuring that the Forum's business is conducted efficiently, effectively and otherwise in accordance with the provisions of this constitution.
- Chairing Forum meetings in an impartial and fair manner taking into account all viewpoints expressed by members.
- Ensuring that the Forum acts and is seen to act in a manner that is independent and which represents the views, wishes and concerns of the members, free from any undue influence from any other parties.
- Taking decisions, interpreting policy, representing the Forum and generally fulfilling any other obligation(s) or duty conferred on him/her by the Forum including:
- Organising speakers (in conjunction with other committee members)
- Soliciting new members (also shared among other committee members)
- Liaising with product or service suppliers.
- The Chairperson may at their discretion co-opt members to serve as ordinary members of the Committee throughout the year.
3.3.2. Vice-Chairperson
The Vice-Chairperson is responsible for assisting the Chairperson in carrying out his or her duties and assuming responsibility for matters delegated to him/her by the Chairperson. He/she shall fulfil the role of the Chairperson in their absence.
3.3.3. Secretary
- The Secretary is responsible for minuting meetings, distributing agendas, minutes and notifications, co-ordinating attendance at meetings, arranging suitable locations for meetings, co-ordinating speakers/presenters and general administration for meetings (ad-hoc, Committee, IISF meeting and any other meeting deemed beneficial to the Forum members).
- The secretary is also charged with responding to any IISF correspondence being addressed to same (such as the website). Consequently the Secretary may from time to time be responsible for dealing with certain PR related activity.
- Because of the workload involved, and bearing in mind necessary absences from meetings, the role of Secretary may be shared between two elected individuals in any one year.
3.3.4. Treasurer
The Treasurer is responsible for:
- Preparing an annual budget and managing the Forum's bank account.
- Payment of invoices and bills.
- Preparing an annual report on the finances of the Forum for presentation at the annual general meeting.
- Credit control and maintaining the list of bank account signatories.
3.3.5. Public Relations Officer (PRO)
The PRO is responsible for:
- Acting as a spokesperson for the Forum.
- Supporting the secretary in pursuit of benefit to the Forum.
3.4. Ordinary Committee Members
- Ordinary Members of the Management Committee are elected at an AGM in accordance with the Voting procedure.
- The number of Ordinary Members on the Committee shall be determined by the Chairperson in accordance with availability of suitable candidates and the needs of the Forum.
- The ordinary members of the Committee shall be responsible for completing any work assigned (once agreed) during the course of the Committee meetings or any task volunteered.
- The ordinary members of the Committee shall, whenever possible, provide support to the members of the Forum as is defined in the objectives of the Forum.
- Any two members of the Committee will have authority on the Forum's bank account.
4. Meetings
- The Forum will meet regularly at intervals considered appropriate (a minimum of 6 meetings per annum) throughout the year.
- The nominated representative of the member organisation, as specified in the member profile, or his/her deputy may attend meetings. In addition a colleague, or any approved guest, can accompany the nominated representative. If space permits, members may send more than two persons to a meeting. Such additional persons will be accommodated on a space-available basis and should be notified to the Secretary in advance to ascertain space availability.
- Minutes of meetings, agendas and other relevant notifications are produced and distributed by the Secretary to all members. Agendas and minutes should be distributed at least one week in advance of the next meeting, with the exception of a sub-committee meeting, ad-hoc meeting or EGM, where the time limit may be reduced to the most suitable or appropriate amount of time, with a minimum of 48 hours in advance of the meeting.
- An Annual General Meeting must be held for the resignation and re-election / appointment of Officers and Committee members and for the presentation of Forum accounts.
- Six full members can request the Committee to convene a meeting.
5. Voting
- A vote cannot be taken at a meeting unless it has previously been notified to members on an agenda with at least one week's notice.
- A minimum of six full member organisations at a properly convened meeting is required in order for a vote to be held.
- Each full member organisation is entitled to one vote per ballot.
- Voting may be by show of hands, secret ballot, post or email.
- Voting on disciplinary matters requires a two-thirds majority of members present.
- All Officers and Committee members of the Forum are elected by nomination and seconding at an Annual General Meeting. In the event of more than one candidate going forward for a position, election will be by means of a majority vote of members present.
- Voting on all other issues is by 'highest number of votes' (majority where possible) vote of members in attendance at meetings.
- The Chairperson only casts a vote on behalf of his or her organisation in the event of a tied vote.
6. Code of Conduct
- All documentation issued by the Forum and matters discussed at meetings are confidential to member organisations/individuals and must not be disclosed by any member or member representative to third parties.
- No member or member representative should act in such a way as to bring the Forum into disrepute.
- Only the Committee may enter into communications on behalf of the Forum. Formal communications should, where possible, be directed to the officers of the Committee.
- Matters discussed in confidence between representatives of member organisations/individuals must only be used for purposes specific to information security.
- All members or member representatives should adhere to the IISF Code of Ethics.
- All members or member representatives must fulfil the spirit of the constitution.
7. Disciplinary Actions
7.1. Breach of the Code of Conduct will lead to disciplinary action that can include:
- A warning to the member representative to desist from further actions which are in breach of the Code of Conduct.
- Suspension of the member representative from participating in the Forum on a permanent or temporary basis.
- Removal of the member organisation from the membership of the Forum.
- Disciplinary action is not only taken as a result of a breach of the Code of Conduct.
- Disciplinary action requires the approval of two-thirds of the members present at the meeting.
8. Confidentiality
Information provided to the Forum shall at all times be treated in strict confidence and shall not be divulged without the express authorisation from the member(s) or other organisation/individual concerned. Case study and other similar information released to members shall preserve the anonymity of the organisation(s) concerned unless they otherwise consent.
9. Fellowship of the Irish Information Security Forum (FIISF)
From time to time, the Forum may award a Fellowship to any individual of the Forum who is considered to have made an outstanding contribution to the advancement of the Forum and to have given outstanding service to the Forum over a sustained period of time. A Fellow is deemed to be a full member.
Fellows of the Forum are entitled to use the post-nominal letters FIISF. They will have a non-transferable individual right to attend any meeting of the Forum in the future with full membership privileges. The award of Fellowship is deemed to be recognition by one's peers of a significant contribution to the Forum. The award cannot be applied or canvassed for.
At the AGM the chairperson with the backing and agreement of the Committee may nominate any individual whom they deem worthy for Fellowship.
Any candidate for Fellowship should be considered against the following criteria:
- The individual should have worked in information security for over 10 years.
- He/she should have been an active member of the IISF for 5 years or more.
- Ideally they will have served on the Committee for 3 years or more.
- At any time, both the contributions to the Forum's work and the stature of the individual nominated should be commensurate with the standards set by previous recipients.
- There is no overall limit to the number of Fellowships although it is expected that there will be no more than two Fellowships awarded in any year.
10. Code of Ethics
The Forum adopts the following Code of Ethics, based on the ISC2 Code of Ethics, as detailed below:
Code of Ethics
- All IISF members commit to fully support this Code of Ethics. Members who intentionally or knowingly violate any provision of the Code will be subject to action by a peer review panel, which may result in the revocation of membership.
- There are only four mandatory canons in the code. By necessity such high-level guidance is not intended to substitute for the ethical judgement of the professional.
- Additional guidance is provided for each of the canons. While the Committee may consider this guidance in judging behaviour, it is advisory rather than mandatory. It is intended to help members in identifying and resolving the inevitable ethical dilemmas that will confront them.
Code of Ethics Preamble:
- Safety of the public, duty to our principals, and to each other requires that we adhere, and be seen to adhere, to the highest ethical standards of behaviour.
Code of Ethics Canons:
- Protect society, the public, and the infrastructure.
- Act honourably, honestly, justly, responsibly, and legally.
- Provide diligent and competent service to principals.
- Advance and protect the profession.
The following additional guidance is given in furtherance of these goals:
Objectives for Guidance
- Give guidance for resolving good v. good and bad v. bad dilemmas.
- To encourage right behaviour.
- Teaching.
- Valuing the Forum.
- Discourage certain common but egregious behaviour: crying wolf, consenting to bad practice, attaching weak systems to the public net, and consorting with hackers.
Protect society, the public, and the infrastructure
- Promote and preserve public trust and confidence in information and systems.
- Promote the understanding and acceptance of prudent information security measures.
- Preserve and strengthen the integrity of the public infrastructure.
- Discourage unsafe practice.
Act honourably, honestly, justly, responsibly, and legally
- Tell the truth; make all stakeholders aware of your actions on a timely basis.
- Observe all contracts and agreements, express or implied.
- Treat all constituents fairly. In resolving conflicts, consider public safety and duties to principals, individuals, and the profession in that order.
- Give prudent advice; avoid raising unnecessary alarm or giving unwarranted comfort. Take care to be truthful, objective, cautious, and within your competence.
- When resolving differing laws in different jurisdictions, give preference to the laws of the jurisdiction in which you render your service.
Provide diligent and competent service to principals
- Preserve the value of their systems, applications, and information.
- Respect their trust and the privileges that they grant you.
- Avoid conflicts of interest or the appearance thereof.
- Render only those services for which you are fully competent and qualified.
Advance and protect the profession
- Sponsor for professional advancement those best qualified. All other things equal, prefer those who are certified and who adhere to these canons. Avoid professional association with those whose practices or reputation might diminish the profession.
- Take care not to injure the reputation of other professionals through malice or indifference.
- Maintain your competence; keep your skills and knowledge current. Give generously of your time and knowledge in training others.