Security Working Group

Exec Summary:

Based on: Security Policy (Public)

What is the Security Working Group (SWG):

The Security Working Group is a dedicated group responsible for ensuring the security, integrity, and reliability of the Cardano blockchain ecosystem, facilitated by Intersect. Comprising key stakeholders, the SWG focuses on developing and enforcing security policies, managing incident responses, and mitigating risks within the ecosystem.

The SWG is responsible for:

  1. Incident Response: Develop and maintain a comprehensive incident response plan to address and manage critical incidents and “alarm bell” escalations. This includes appointing a Security Manager to ensure rapid recovery, and performing root cause analysis to prevent recurrence.

  2. Risk Management: Identify, assess, record, and mitigate security risks to protect the Cardano blockchain ecosystem. Maintain a risk register and implement proactive measures to minimize potential threats and vulnerabilities.

  3. Security Policies: Develop, review, and enforce security policies and standards to ensure consistent protection across the ecosystem. These policies provide guidelines and procedures to maintain security integrity.

  4. Vulnerability Management: Conduct regular vulnerability assessments to identify and address weaknesses in the system. Manage remediation efforts to ensure timely and effective resolution of identified vulnerabilities through a defined process covering assessment, budget, audit, and record-keeping for audits. The SWG acts as representative and Subject Matter Expert on these topics, including budgets, and discloses findings as appropriate.

  5. Security Awareness: Educate stakeholders and community members on security best practices and emerging threats. Foster a security-aware culture to enhance the overall security posture of the ecosystem through educational outreach opportunities as appropriate.

  6. Security Assessment of Code: Assess the quality and security of contracts and code for integrations, edits, and compliance, ensuring adherence to security standards and best practices. Manage and allocate budget for these assessments as necessary.

Guiding Principles:

  • Confidentiality: Ensure sensitive information is restricted to those who need to know.

  • Integrity: Maintain the accuracy and reliability of data and systems.

Mission of the SWG:

“To establish and maintain a robust security posture for the Cardano blockchain ecosystem by effectively managing security risks, responding to incidents, and fostering a security-aware community.”

Authority: The SWG operates under and reports to the Technical Steering Committee (TSC) but acts autonomously for the betterment of Cardano. It is accountable for overseeing the security processes, managing incident responses, and ensuring compliance with security policies.

Because of the above (Mission + Authority), we will be focusing on:

Strategic Pillars:

  1. Core Cardano Security: Ensure the security and integrity of the core Cardano blockchain by implementing rigorous security measures and protocols. Focus on safeguarding the foundational infrastructure of the ecosystem.

  2. Rapid Incident Response: Develop and maintain a swift and effective incident response strategy. Ensure rapid detection, containment, and resolution of security incidents to minimize impact and ensure continuity.

  3. Technical Sustainability: Promote the long-term technical sustainability of the Cardano ecosystem by implementing robust security practices. Ensure ongoing maintenance, updates, and improvements to protect against emerging threats and vulnerabilities.

In these areas (Strategic Pillars), we aim:

  1. To establish and maintain a robust security process for the Cardano blockchain.

  2. To coordinate and manage incident response activities.

  3. To develop and implement security policies, procedures, and best practices.

  4. To provide regular security assessments and audits.

  5. To educate and inform the community on security-related matters.

Voting Procedure:

  1. In-Person or Video Meeting Voting Procedures: All topics on which the SWG will take a vote need a simple working group majority, tallied during the meeting in which the SWG convenes; the tally and resulting action are recorded by the Secretary.

  2. Offline Voting Procedures: All topics on which the SWG will take a vote need a simple working group majority, tallied on the medium the SWG chooses. The current offline procedure uses Slack: one or more topics are posted for working group comment, and members mark their vote with emojis as dictated by the post instructions. A simple majority of the designated emoji is needed to continue proceedings.

  3. No Vote: In the event of a no vote or an insufficient vote, topics or items will be shelved or sent back for revision, depending on the nature of the vote.

  4. Binding Votes: A vote by the working group is considered binding if it receives a simple majority of positive votes from a quorum consisting of at least two-thirds of the working group members being present and participating in the vote.

  5. Emergencies: In the case of an emergency, this process may be bypassed in the interest of timely resolution, with this process then followed afterwards as appropriate.

Working Group Structure:

Role | Nominee | Responsibility
Chair | N/A | Serve as agenda setter, moving the working group in the direction of its assigned or agreed objectives
Vice Chair | N/A | Support the Chair in the same capacity and serve as delegate if the Chair is unavailable
Secretary | N/A | Serve as liaison for the working group, taking minutes and handling publications and admin
Seats | N/A | Serve as the decision body, carry out analysis work, and contribute to the working group directly

Membership Criteria:

  • The SWG will be composed of members from the Intersect organization and other stakeholders within the Cardano ecosystem.

  • Members will be selected based on their expertise in blockchain technology, cybersecurity, and incident response.

Proposed Roles for SWG:

  1. Chairperson: Lead the SWG, coordinate meetings, and ensure the group achieves its objectives.

  2. Incident Response Lead: Oversee the development and execution of the incident response plan.

  3. Risk Manager: Identify and assess security risks, and develop mitigation strategies.

  4. Policy Coordinator: Develop and maintain security policies and standards.

  5. Community Liaison: Educate and inform the community about security practices and threats.

  6. Security Assessment Liaison

Brief Summary of Policy Roles:

Security Working Group (SWG):

  • Approve individuals given access to sensitive information.

  • Establish and maintain vetting procedures for insiders and the Security Manager.

  • Appoint and manage the Security Manager and Responders.

  • Insulate the rest of Intersect from access to sensitive information.

  • Report on responses to security issues to the Intersect Board.

  • Ensure the disaster recovery plan is maintained and up-to-date.

Security Manager (SM):

  • Receive and acknowledge reports of security issues.

  • Triage and direct security issues to the appropriate Responder.

  • Collaborate with Responders to assess and classify the severity of issues.

  • Ensure security issues are followed up on and security-related processes are followed correctly.

  • Maintain communication with Finders and ensure responsible disclosure policies are followed.

Insider:

  • Act responsibly with sensitive information and follow Responder instructions.

  • Nominated by the Project Management Committee (PMC) and vetted by the SC.

  • Regularly reviewed and vetted for continued trustworthiness.

Responder:

  • Directly responsible for the resolution of technical issues.

  • Triage and set the severity level of issues in collaboration with the SM.

  • Formulate and execute plans to address issues, involving Insiders as needed.

  • Communicate with Finders and manage information discipline.

  • Report activities to the SM.

Nomination Criteria: Technical Expertise

  • Cardano & Cybersecurity: Deep understanding of Cardano blockchain (architecture, protocols, security features). Knowledge of smart contracts, consensus mechanisms, and transaction validation.

  • Certifications: CISSP, CISM, CEH, or similar are highly valued, reflecting a solid cybersecurity foundation.

  • Incident Management: Practical experience in managing and mitigating security incidents in blockchain environments, including use of incident response tools.

Experience

  • Cybersecurity (3-5 years): At least 3-5 years in cybersecurity, specifically in blockchain technologies, focusing on securing networks, applications, and infrastructure.

  • Incident Response: Proven experience in incident response, root cause analysis, and implementing corrective actions.

  • Risk Management: Experience in risk assessments, vulnerability identification, and security policy development.

Community Involvement

  • Cardano Community: Active participation and contributions to open-source projects or security forums within the Cardano ecosystem.

Trustworthiness

  • Integrity: High level of trustworthiness, essential for sensitive information.

  • Recommendations: Endorsements from SWG members or respected community members.

Commitment

  • Dedication: Willingness to commit time, attend meetings, and respond promptly to security incidents.

  • Collaboration: Effective teamwork and communication with SWG members.

Communication Skills

  • Clarity: Strong verbal and written skills for explaining complex concepts.

  • Documentation: Experience in drafting and reviewing security-related documentation.

Nomination Process

  1. Submission: Nominations by SWG members, Intersect board members, or self-nominations.

  2. Review: SWG reviews to ensure criteria are met.

  3. Approval: Final vetting by the TSC.

  4. Confidentiality: Nominee identities are kept confidential during the process.

This framework provides a solid foundation for evaluating and selecting candidates with the right mix of technical expertise, experience, and community involvement, while ensuring confidentiality and trustworthiness throughout the process. Certain requirements may be waived for appropriate experience.
