Code of Conduct
JCSC's code of conduct
What to expect from JCSC
We help individuals and organisations in Jersey prepare for, protect against, and respond to cyber threats. But just as important are why and how we do it.
Why we do what we do:
- We need everyone to be able to trust the systems that store and process our data every day.
- And we want to help ensure that Jersey is a safe place to live and do business.
To do that, we set standards of behaviour for our team – how we do what we do.
When you deal with us, you should expect us to:
- Listen to you carefully and seek to understand your needs
- Be honest with you
- Be thoughtful and considerate in how we engage with you
- Treat your data confidentially
- Tell you if we don’t know the answer
- Show no bias in what we recommend
- Make best efforts in everything we do, for everyone we work for
- Act according to the laws of Jersey
- Take responsibility if we don’t meet expectations, in accordance with our Customer Feedback Policy
Expect us to be:
- Knowledgeable
- Polite and respectful
- Inclusive
- There to make a difference, not get in the way
In exchange, we ask you to:
- Be honest and open with us
- Tell us as soon as you can
- Talk to us directly
- Treat our staff with respect
- Not attend our offices if you are under the influence of non-prescribed drugs or alcohol
- Give us the opportunity to respond to feedback
Introduction
In carrying out our work, JCSC team members have a number of obligations as public employees, as representatives of JCSC, and as professionals.
Members of incident response and security teams (Teams) have access to many digital systems and sources of information. Their actions can change the world. As a member of this profession, a Team member must recognise responsibility to their constituency and to other security professionals, as well as to wider society. The individual must also recognise their responsibility to their own well-being.
JCSC team members are expected to behave in accordance with the values and expectations of the States of Jersey Public Service, of JCSC, and of any professional or industry bodies of which they or JCSC are a member. This document covers the expectations of employees of the States of Jersey Public Service (Part 1 of this Code of Conduct), and the expectations of members of the Forum of Incident Response and Security Teams as reviewed and adopted by JCSC (Part 2 of this Code of Conduct). Collectively, this document is the ‘Codes of Conduct’ for JCSC team members.
These Codes of Conduct apply to:
- The Director of JCSC
- Employees of JCSC
- Members of Technical Advisory Councils (TACs)
Collectively ‘Team members.’
Part 1: States of Jersey Codes of Practice
As a public body, Jersey Cyber Security Centre must operate in compliance with the requirements of the Law of Jersey, and the requirements of the States of Jersey as documented in our Partnership Agreement and Delegation of Authority. In the same way, as employees of the States Employment Board, team members should at all times seek to act in accordance with the applicable States of Jersey Codes of Practice.
In particular, team members must act in accordance with the Standards in Public Service:
Governance
Public servants should act within the law, regulations and policies to ensure decision-making, and actions are taken in the public interest. They must not act for the personal gain for themselves, families or friends either financially or through other benefits.
Loyalty
Public servants should put the interest of the Island and Islanders first and foremost.
Integrity
Public servants should not place themselves under any obligation to outside individuals or organisations that might seek to influence them in the performance of their official duties, direct how they conduct themselves or provide a higher order of loyalty.
Objectivity
Public servants must provide sound, objective advice based on evidence and research. This must be done without political objective or motive.
Probity
Public servants should be as open as possible about all the decisions and actions that they take. They should give reasons for their decisions and restrict information only when the wider public interest clearly demands. They have a duty to declare any private interests relating to their public duties and to take steps to resolve any conflicts arising in a way that protects the public interest.
Accountability
Public servants are accountable for their decisions and actions to the public and must submit themselves to appropriate oversight through management, audit and Scrutiny as appropriate. They must be clear about their personal accountabilities and responsibilities in discharging their duties.
Respect
Public servants must promote respect within their organisation, including standards of conduct within the workplace, promotion of equality and fairness in employment and decision-making. Public servants must be respectful of differences, and ensure diversity, equality and inclusion through their actions and delivery of their services.
Ethics
Public servants should act to promote good ethical decision-making and effective decisions through demonstrating trust, responsibility, fairness and caring; in line with good citizenship. Decisions must be objective and seek to demonstrate advancement and a contribution to the objectives of our organisations.
Part 2: Ethics FIRST
JCSC has adopted the Forum of Incident Response and Security Teams’ EthicsfIRST framework as our supplementary Code of Conduct in addition to the Codes of Practice, subject to amendment of certain terms to reflect legal requirements applicable to JCSC and the expectations placed on public employees.
EthicsfIRST is designed to inspire and guide the ethical conduct of all Team members, including current and potential practitioners, instructors, students, influencers, and anyone who uses computing technology in an impactful way. This framework includes principles formulated as statements of responsibility, based on the understanding that the public good is always the primary consideration. Each principle is supplemented by guidelines, which provide explanations to assist computing professionals in understanding and applying the principle.
The duties are introduced below but are not in order of importance. These duties should not be seen as absolute requirements, but rather as stated in the IETF RFC2119 for the definition of “SHOULD”:
“This word, or the adjective “RECOMMENDED”, means that there may exist valid reasons in particular circumstances to ignore particular [duties], but the full implications must be understood and carefully weighed before choosing a different course.”
For more information on how to deal with possible dilemmas, see Appendix A.
Duty of trustworthiness
Trust is the basis of many relations between Teams and is often required before meaningful exchange of information can occur. The FIRST community is built on this trust, and it can only continue to function in this way if there is a reasonable level of trust between Teams.
Trustworthiness means that Team members should only:
- enter into commitments that they can keep
- behave predictably towards other Teams (e.g., respect the TLP standard)
- uphold the trust relationship they have with other Teams
The trust relationship should be initially assumed and transitive, i.e., Trust on First Use (TOFU), and enable trust for Teams that are trusted by other Teams.
Duty of coordinated vulnerability disclosure
Team members who learn of a vulnerability should follow coordinated vulnerability disclosure by cooperating with stakeholders to remediate the security vulnerability and minimize harm associated with disclosure. Stakeholders include but are not limited to the vulnerability reporter, affected vendor(s), coordinators, defenders, and downstream customers, partners, and users.
Team members should coordinate with appropriate stakeholders to agree upon clear timelines and expectations for the release of information, providing enough details to allow users to evaluate their risk and take actionable defensive measures.
Duty of confidentiality
Team members have a duty to maintain confidentiality in accordance with JCSC classification policies and national security requirements. Requests to keep certain information in confidence may be made explicit, for example, with the Traffic Light Protocol (TLP). Team members should respect such requests whenever possible. If it is not possible to keep information in confidence, for example, due to conflicts with the requirements of local laws, contracts, or a duty to inform, the Team member should advise the Director and the Head of Legal and Governance, either of whom will authorise informing the information owner of this conflict unless there is a legal or operational reason why this is not possible or appropriate.
Some duties of confidentiality are based on laws, regulations, or customs. If, during an incident response, some parties are bound by or expect confidentiality based on such considerations, they should do their best to make these expectations explicit in advance. All parties should then abide by the above expectation to maintain explicit requests to keep information in confidence when possible.
Duty to acknowledge
Teams receive information from many different sources: researchers, customers, other Teams, government entities, etc. Team members should respond to inquiries in a timely manner, even if it is only to confirm that the request has been received. When possible, Team members should set expectations for the next update.
Duty of authorisation
Team members have a legitimate need and right to understand their areas of responsibility, acting only on systems that they are authorised to access. Team members need to be aware of how their actions may affect their constituents and ensure they do not cause additional harm while performing their duties. Where possible, constituents should be consulted before changes are made to their systems or to the services provided to them by JCSC.
Duty to inform
Team members should consider it their duty to keep their constituents informed about current security threats and risks. When Team members have information that can either adversely affect or improve safety and security, they have a duty to inform relevant parties or others who can help, with appropriate effort, while duly considering confidentiality, privacy laws and regulations, and other obligations.
Duty to respect human rights
Team members should be aware that their actions may impact human rights of others through the sharing of information, a possible bias in their actions, or an infringement of property rights. Team members have access to a wide range of personal, sensitive, and confidential information in the course of handling incidents. This information should be handled in a way to uphold human rights.
During incident handling, responders should not act in a biased manner and should do their utmost to eliminate bias from their processes and decision-making, either performed by responders or built into algorithms.
For the purpose of this principle, the notion of “property” (UN Declaration of Human Rights: Article 17) includes intangibles such as intellectual property, as well as ideas and concepts in general, regardless of whether they are legally protected (e.g., patented).
Duty to team health
Teams have a responsibility to continue to provide the services they have promised their constituents. This responsibility includes the physical and emotional health of the Team.
In order to both respect as individuals the members who make up a Team and enable the long-term viability of sustaining an adequate level of service, a Team should strive to maintain a healthy, safe, and positive work environment that supports the physical and emotional health of (all) its members. In order to respond to a crisis, “normal” operations should support emotional health and stress reduction.
Duty to team ability
Incident management is an evolving subject that Team members should continually study. A Team should provide resources to its members for them to study, apply, and advance technological and scientific knowledge within their area(s) of responsibility. Training or educational CPE/CEU credits may contribute, but mere compliance exercises are insufficient to fulfil this duty. A Team should maintain sufficient technological infrastructure so as to enable its services, including adequate measures to protect that infrastructure from interference by outside parties.
Duty for responsible collection
Data collection is necessary for incident response, but a balance should be struck between the goal of incident response and respecting the data stakeholders.
During an investigation, the amount of information needed to collect may change. While progressing through an incident, Team members should adjust what they are collecting as the need changes. Data not directly relevant to an incident and its remediation should be excluded from reporting.
Collected and extracted data must be handled in accordance with applicable laws and respect of user privacy. Permission should be sought before collecting and processing data under the control of a data owner. Applicable law and regulations in handling data should be respected.
Data that may help other response Teams in their efforts related to other incidents should be made available to them, possibly in redacted form. Information that is confidential and proprietary should only be made available with appropriate protections.
Before sharing data with third parties for mitigation, the risks should be weighed against the benefits. Data should only be shared if the benefit clearly outweighs the risks. Sensitive data should be stored in a way that it can easily be destroyed after an incident has been closed. Collected data should be safely destroyed in accordance with data retention policies.
Duty to recognise jurisdictional boundaries
Team members should recognise and respect the jurisdictional boundaries, legal rights, rules, and authorities of the parties involved in activities related to incident response.
Laws, regulations, and other legal issues, such as those related to privacy protection or data breach notifications, may differ between the involved jurisdictions. Jurisdictional boundaries may be determined by the involved parties’ physical locations, such as their countries or domiciles, as well as by other factors concerning those parties.
Even within a single country, laws and regulations may differ between political regions (e.g., between individual states in the USA) or between different businesses, industries, or sectors within that nation (e.g., healthcare, financial services and government facilities). National CSIRTs may have designated responsibilities and/or authority for activities involving constituents within their own jurisdiction, and they may also collaborate with or “hand off” information and activities to other entities that have authority for jurisdictions that cross boundaries.
Team members should be aware of key issues that affect the jurisdictions involved, including but not limited to privacy regulations or data breach notification requirements. Because cyber security and privacy laws and regulations evolve and continue to be updated worldwide, it is advisable to consult with informed legal counsel for guidance whenever issues involve multiple jurisdictional boundaries.
Duty of evidence-based reasoning
Teams should operate on the basis of verifiable facts. When sharing information, such as indicators of compromise (IOCs) or incident descriptions, Team members should provide evidence and scope transparently. If this is not possible, the reasons for not sharing this evidence and scope should be given with the information.
Team members should refrain from spreading or sharing rumours. Any hypothesis should clearly be identified as such.
Transparent evidence and reasoning processes are important even in the case of automated sharing, e.g., during automated sharing of large amounts of information. In this case, a description of the data mining process should be communicated at an intelligible level of detail.
Appendix A
Dealing with dilemmas
It is never possible to provide accurate guidance for all potential eventualities and therefore individual judgement and discretion will sometimes be necessary.
Trust and discretion are particularly important for JCSC to undertake our role effectively. Where the dilemma relates to an external request for the provision of confidential information to third parties, the team member should err towards confidentiality.
Nonetheless, team members may frequently find themselves in a position where no action seems to satisfy all of the ethical principles. In such a situation, a choice must be made as to which principles to prioritise. In this situation, incident handlers are encouraged to reflect on which stakeholders may be affected by their actions and how, preferably in a discussion with a colleague. As a rule, the solution that minimises the infringement of this ethical framework should be chosen.
At times, this might not be possible, e.g., due to external pressures or unforeseen events, or due to conflict between the States of Jersey Codes of Practice and EthicsfIRST. In such a situation, JCSC team members should escalate the issue to the Director and Head of Legal and Governance. The Director and/or Head of Legal and Governance may then issue guidance. Subject to the team member being reasonably satisfied that such guidance is in line with any legal obligations that may apply to them, it is then recommended to proceed as directed, making note of the ethical dilemma, possibly under protest.
Appendix B
Public Guidance: What to expect from JCSC
We recognise that cyber security can be complex. We also understand that we work for all the people of Jersey, and often work with them at challenging times in their lives.
In order to ensure the public expectations of JCSC team members are as easy as possible for everyone to understand, we publish a simple and straightforward one page guidance note on what to expect from JCSC.
This guidance note is shown on the front page of this document.
This is assessed against the Flesch-Kincaid reading ease score to ensure readability, with a target of between 70 and 80 (easy):
Score for the guidance note ‘What to expect from JCSC’ (page 1):
- Score: 77.63 (easy)
- Sentences: 29
- Average sentence length: 8.52
Score for the Codes of Conduct (pages 2 onwards):
- Score: 39.18 (difficult)
- Sentences: 157
- Average sentence length: 16.28
Feedback on this document
We welcome feedback on this document at any time, using any of the details on our contact pages. Feedback provided outside a review period will be considered in the next review.