Common use of Restriction of Access Clause in Contracts

Restriction of Access. When asked if threat/intrusion (cyber intelligence) information shared between organisations should be restricted to CISOs, the group was split, with 11 saying Yes and 15 saying No. Those who said no indicated a range of reasons:

• It depends on the organisational structure and where the security team / unit is located: cyber intelligence should be made available where it is needed / to those who have to act on the information.
• It should be 'trusted' persons (not just CISOs), to ensure information is available to those persons best placed to analyse and act upon it.
• CIOs and IT staff.
• CISOs could present a 'bottleneck'.
• The CISO must have all the information to coordinate the different teams/areas.
• The trusted network should be limited to cyber security professionals to prevent confusion or panic.
• Relevant information should be distributed to expert analysts and potentially to testers or designers.
• It depends on the size of the organisation and the number of people involved in security.
• For sharing information inside the organisation, a confidentiality policy controls distribution of information inside the organisation (anonymised if required).
• IT manager level.
• Information sharing must start on a technical level. CISOs usually do not have the capability to present and consume this information in an appropriate way.
• SOC leads in our company, so the SOC leader or SOC contact is an ideal point for sharing.

While there are some conflicting views expressed, the general consensus seems to be that each organisation has to decide on its main point of contact and its internal policy for distribution. Relevant shares include cyber security professionals (analysis and policy adjustment), system designers and engineers etc. (repair/mitigation). Interestingly, when sharing with a wider group (CISO and other team members), only 26% of respondents suggest recipients should receive all the cyber intelligence.

The majority (74%) suggest they should receive only part of the information, depending on their role (i.e. only what is relevant to their job). If information on cyber threats/incidents is shared between railway stakeholders via a trusted point of contact, the decision on who to provide with "selected" information might be part of the trust relationship (i.e. decided by internal policy).

Appears in 2 contracts

Sources: Deliverable D3.2, Grant Agreement