I4C+ Terms of Reference
May 27, 2021
I4C+ Terms of Reference / NDA Version 1.4 May 27th, 2021 – Working Draft
I4C+ is an Information and Analysis Center (ISAC) whose members are CIOs/CISOs of EU cities exchanging personal sensitive knowledge to improve their individual and collective cyber resilience. Knowledge is understood as the “capability to act”; it is “personal” because it resides in the person of the member CIO/CISO, and it is sensitive because in the wrong hands it could increase the probability of a cyber breach for the relevant city. Personal sensitive knowledge in cyber security is typically categorized as “TLP Red” or “TLP Amber” (see the Traffic Light Protocol at https://www.first.org/tlp/ for more details). I4C+ consists of a diverse range of cities and is dedicated to diffusing this knowledge from innovators to late adopters.
The vision of I4C+ is to create a critical mass of cities across the EU pro-actively collaborating in sharing sensitive personal knowledge on cyber safety more rapidly, more widely and more intensively than is currently the case. The mission of I4C+ is to significantly reduce the probability and impact of cyber-attacks. The goal of I4C+ is to support the more effective and sustainable implementation of digital solutions for citizens.
The success of I4C+ depends on an exceptionally high degree of trust among its members. Experience and research show that the community should not contain more than 20-30 members; if more cities join, then parallel communities with suitable collaboration interfaces will be launched. I4C+ collaborates pro-actively with global, EU, national and regional cyber security activities.
Members of I4C+ will primarily exchange knowledge: (a) concerning cyber-breaches and how they were resolved, (b) concerning cyber security solutions used and practical experience with these, (c) concerning their cyber strategies and how these are implemented, (d) “Question & Answer” knowledge, whereby questioners are expected to summarize and share back answers received, and (e) good practices. I4C+ does not store knowledge shared. I4C+ will provide regular reports on progress to members and stakeholders.
Members may share personal sensitive knowledge related to the Directives by emailing it to a single central email address. From there it is distributed via email to all members using the secure knowledge sharing infrastructure. All members may share. No quality assurance on knowledge shared is performed centrally since members are experts themselves. No email content is maintained centrally. Knowledge sharing outside of the secure knowledge sharing infrastructure is encouraged as needed. The central premise is that sharing benefits all.
Members are cities represented by at most two of their most senior cyber security representatives. Further delegation is not permitted. New members must be referred by an existing member and admitted by consensus vote of existing members. Formal membership agreements are not implemented. Members are removed by consensus vote of existing members. Members may leave at any time.
All information shared via email will be treated by recipients in accordance with the relevant TLP classification of the message. All information shared in real-time conversations (i.e., via phone calls, video-meetings, face-to-face, etc.) will be treated in accordance with the Chatham House Rules.