The Toolbox is a web based resource which has been designed to provide step-by-step support to anyone setting up and running a WARP. The contents include:

• help in producing a business case for a WARP;

• assistance with registration;

• guidelines, case studies and reference documents;

• downloads of customisable forms, documents, presentations and spreadsheets;

• downloads of publications which you can re-use;

The Toolbox has been created from the experience of other WARPs

Back to top

Yes, as long as you can demonstrate to CPNI that the WARP will not be used directly to generate profit for your business. For example, if you want to use the WARP model to improve your corporate security effectiveness, then you could use the Toolbox. If you wanted to setup and run a WARP for your local community in conjunction with suitable partners and as long as it was not for profit, then you can use the Toolbox. On the other hand, if you wanted to use the Toolbox to set up and run a WARP as a commercial venture in its own right and for profit, then you would not be allowed to use the Toolbox. If you are in any doubt then send an email outlining your proposition – see Contact us.

Back to top

CERTs work with large communities often on a professional basis. In contrast, WARPs work with small communities on a personal basis and as a result, are usually able to establish a close relationship with its members. We see WARPs as complementary to CERTs, helping to deliver advisories more effectively to small subsets of the CERT’s constituency and promote information security among organizations the CERT cannot reach on its own. Visit News articles section to read a paper describing more about the dynamics of WARP-CERT partnerships .

Back to top

The WARP Forum held in March was aimed at people who were ‘Serious about WARPs’, and the audience was a range of potential WARP Owners, Operators, Champions (see 11.) and others who were interested in WARPs. It is a great opportunity to learn about WARPs, firsthand experiences and lessons learned, from the Operators of the established WARPs. Sign up for the WARP Newsletter to keep in touch with plans for the next Forum planned in March, 2007. .

Back to top

1. A Filtered Warning service - where members receive only the security information relevant to their needs as determined by categories selected in an on-line tick-list. These categories cover Warnings, Advisories associated with Vulnerabilities, Fixes, Threats, Incidents and Good Practice;
2. An Advice Brokering service - where members can learn from other members initiatives/experience using a bulletin board messaging service restricted to WARP members only. Subjects can be anything which adds value to the members eg patch management; training; supplier/product evaluations, security awareness;
3. A Trusted Sharing service - where reports are anonymised so members can learn from each others attacks/incidents without fear of recriminations or embarrassment.

Back to top

As part of CPNI’s role in coordinating the protection of the UK's Critical National Infrastructure (CNI) services against electronic attack, CPNI promotes various types of information sharing model. These models aim to stimulate better promulgation of alerts and warnings, to improve awareness and education, and to encourage incident reporting. The WARP information sharing model addresses the needs of those organisations who cannot justify the cost in setting up a fully resourced helpdesk, as offered by CERTs (Computer Emergency Response Team), but still provides many of the benefits of a CERT.

Back to top

The Centre for the Protection of the National Infrastructure (CPNI) is promoting information sharing and WARPs, and worked closely with the Central Sponsor for Information Assurance (CSIA) on some of the early WARP pilots. The lessons learned from thepilots and the first operational WARPs have been captured by CPNI in this Toolbox, which is available free for anyone to use, subject to specified terms and conditions. CPNI can also provide ongoing advice via its UNIRAS warning and advisory service, which is available to all WARPs.

Back to top

A WARP information sharing community could be based on a business sector, geographic location, technology standards, risk grouping or whatever makes business sense. It is easier to build trust with smaller groups and initial experience has shown communities of less than 100 members work well, although larger groups can also benefit from WARPs if the community is very homogeneous.

Back to top

No. The FWA software is a tool to help develop a full WARP model, where the trust is built and incident sharing flourishes. Though it is useful in its own right, it can only be made available to registered WARPs and cannot be used simply as a standalone delivery system for security advisories.

Back to top

Yes. Currently the FWA software works only on Windows-based server (2003). However, an open source version of FWA might be available in the future. Check the News now and then for the further developments.

Back to top

The FWA software has been regarded as a key feature attracting users to join a WARP, thus, a major ‘foot in the door’. It helps organizations which don’t have the in-house IT security resources, or want to use their resources more efficiently, select advisories which only affect their IT infrastructure and therefore become aware of the threats particular to them. , Through the Advice Brokering Services, the organizations can also discuss the way to act on them together. An established WARP reported that the WARP advisories and news circulated through the FWA also contribute to raising awareness, and the very fact that information is being circulated to the whole community, without favour, encourages trust.

Back to top

1

Case studies are provided throughout the Toolbox as reference documents. New case studies will be added at regular intervals, as well as old ones removed. These will be included in the most appropriate Toolbox section depending on the circumstances. Downloadable case studies are clearly labelled as such, and can be found most quickly by visiting the download section.

Back to top

No. The WARP model was derived from the CERT model, rationalized to make it affordable for small communities by removing the expensive services, such as the response function, since they require more manpower and highly-skilled, expensive staff etc. A WARP can grow into a CERT and offer incident response service but it may hurt the dynamics a WARP has with its members which is the essence of a WARP. CPNI believes that the better strategy would be to develop a closer partnership between WARPs and CERTs so that CERTs can help on a best-efforts basis. WARP members can often get advice and help from other members, from other WARPs, or from Uniras (the UK Govt CERT).

Back to top

Yes. In fact, some of the established WARPs are run by the same operators. It is a good idea because there are economies of scale, however, it is important that the WARP operator deals with each community separately and has a good knowledge of, and associates with each community to maintain a trusted environment. So there must be a balance between efficiency and effectiveness in operating more than one WARP. Sometimes this requires a partnership between one operator who is close to the community, and another who administers the technical aspects (FWA etc). CPNI is developing the FWA software to run multiple WARPs on a single server to save costs while keeping each community discrete and identifiable so that they still feel like a small community.

Back to top

There are two key factors which directly affect the optimum size of a WARP: homogeneity of the community and resources it can afford. If the IT security needs and interests of the members are all very similar, meaning homogeneous, then the number of members may be larger. In contrast, if the needs and interests are very diverse, then the number may need to be small, or the Operator will be overwhelmed trying to deal with the diverse range of subjects and sources. It can be solved by putting into more resources (several technical staff). but it would increase costs. Typically, about 30 to 100 is a good number for a WARP with one technical staff. Taking into account the factors above, you should carefully find the optimum number for your community.

Back to top

You should find a ‘Champion’ for the community you are planning to serve. The Champion is a person who hears about the WARP idea, looks into it further and becomes enthusiastic about establishing a WARP. The Champion may be part of a community or may be responsible for a community, and often becomes the WARP Provider (as well as the WARP Operator). The Champion will help you understand a community and sell the idea to the community. The Champion concept has been identified through observation and proven indeed a key factor in successfully establishing a WARP. For a real case study, see the WARP News articles section.

Back to top

There are the WARPs adopting a ‘team’ approach, which involves several operators each taking a turn, or sharing the burdens of doing the day-to-day operations. Terms of reference for the operator will differ for each WARP. If you are to be hired as an individual operator rather than part of an organization, you should discuss the issue with the WARP Provider.

Back to top

There are many types of organisation who already have a trusted relationship with a community, these include ‘not for profit’ organisations such as Trade Associations, and Chambers of Commerce. There are also many public sector organisations who have focal points whose role is to provide co-ordinated services to its members – London Connects and Kent Connects are examples in Local Government. User Groups, Professional Bodies, Academic partnerships are other examples. Large organisations in both the public and private sectors could also find the WARP model attractive by setting up multiple WARPs and sharing information between them. Several large government departments have expressed an interest in the WARP approach.

Back to top

This will entirely depend upon which services you decide are required by your WARP community. Many of the information sharing ideas promoted by the WARP idea can be achieved simply with a web site and somebody to administer it, but obtaining real value can require more by way of infrastructure. Take a look at the secition on WARP infrastructure for a more detailed answer.

Back to top

Costs will vary from one organisation to another depending on whether the WARP is starting from scratch or can take advantage of existing infrastructure and resources. In some instances a WARP can be setup and run at no cost by using volunteers and manual processes. At the other end of the scale, where full time resources are used with dedicated IT infrastructure, the business case section of the Toolbox contains an exemplar where the costs of setting up and running a WARP have been calculated to be £90k in the first year (circa 2004). If a virtual team can be used where manpower costs are covered elsewhere, then the costs can be reduced to around £26k in the first year, with ongoing running costs of £15k/ year. Within the Toolbox is an Excel spreadsheet which will enable you to calculate the costs for your own organisation, by varying the component costs depending on your own situation.

Back to top

Possible WARP funding models are available in the Toolbox:

• Internal – a WARP hosting organization decides to fund the WARP. This does not have to be new money as it may be possible to utilize the existing budget and resources
• Member subscription – the costs are shared among the WARP memberships;
• Member co-operative – the costs are offset by the members working as part of a virtual team;
• Partnership – the costs are shared with the partner who has interest in the community;
• Sponsorship – the costs are offset by external organizations providing sponsorship;

Back to top

The Toolbox itself will reduce the cost significantly in building and running a WARP. WARPs will also be entitled to receive UNIRAS email warnings and advisories which the WARP can re-use and help reduce some of the costs. There are also opportunities for direct sponsorship and subsidies from a number of sources. In the private sector, IT and security vendors have shown a willingness to provide funding for specific elements of a WARP, from sponsoring a WARP launch event to providing discounted Website hosting – the Toolbox contains details of some likely sponsors. The parent body of the organisation may also see opportunities to combine the WARP with other initiatives thereby providing opportunities to share existing budgets.

Back to top

In the Toolbox you will find marketing brochures, presentations and business case literature to make a convincing case for membership of a WARP.

Back to top

These will be the same as for most Service Providers in line with UK law, where the Provider has to comply with general operating procedures like, for example, the Data Protection Act. In order not to mislead WARP members, and to limit liability, it is a good practice to document agreements between the WARP and its members. Example customisable agreements are included within the Toolbox.

Back to top

If you already have a trusted relationship with a community, or believe you could create this trust, and you would like to help that community increase the effectiveness of their information security at lower cost, then you should seriously consider setting up a WARP for that community. This Toolbox will help you create a business case for setting up a WARP - see Getting started.

Back to top

Yes. You can sponsor a WARP, be an Operator and provide WARP services, assist WARPs by, say, offering a special deal for your services necessary to run a WARP, develop a useful tool for WARPs and so on. Just please keep in mind that a WARP must not be used directly to generate profit for your business.

Back to top

The Operator may be a member, cooperative organization owned by the members, or a person with a suitable skill-set who can be hired externally. Being technically gifted would be no doubt helpful but the key for the Operator is to be a good communicator. Keep that in mind when you look for an Operator.

Back to top