Frequently Asked Questions

Click a relevant question to see the answer. If your query hasn't been addressed, please contact us.

General questions

Questions relating to Members

Questions relating to Operators

Questions relating to Sponsors

We are a commercial company. Can we do something for WARPs?

Questions relating to the Filtered Warnings Application

Answers to General Questions

I represent a non-UK community operating abroad. Can I register to set-up a WARP?

Yes, as long as you can demonstrate to CPNI that the WARP will not be used directly to generate profit for your business. For example, if you want to use the WARP model to improve your corporate security effectiveness, or if you wanted to setup and run a WARP for your local community in conjunction with suitable partners, as long as it was not for profit, then you can use information provided on this website. On the other hand, if you wanted to use the it to set up and run a WARP as a commercial venture in its own right and for profit, then your application for WARP registration would be rejected. If you are in any doubt then send an email outlining your proposition – see Contact us.

What is the difference between WARPs and CERTs?

CERTs work with large communities often on a professional basis. In contrast, WARPs work with small communities on a personal basis and as a result, are usually able to establish a close relationship with its members. We see WARPs as complementary to CERTs, helping to deliver advisories more effectively to small subsets of the CERT’s constituency and promote information security among organisations the CERT cannot reach on its own.

What happens at the Annual WARP Forum?

Once a year, people with an interest in WARPs gather together for the Annual WARP Forum. Typically these Forums consist of a morning plenary session followed by workshops in the afternoon concentrating on topical issues relating to the WARP programme. Following the workshops are further plenary sessions for report back and discussion. The Forums are always well documented and the reports and presentations of each of the last 4 are available below. The last three Forums have all had themes which have directed the plenary and workshop sessions. More information on the Annual Forum

What services can a WARP provide?

A Filtered Warning Service- where members receive only the security information relevant to their needs as determined by categories selected in an on-line tick-list. These categories cover Warnings, Advisories associated with Vulnerabilities, Fixes, Threats, Incidents and Good Practice
An Advice Brokering Service- where members can learn from other members initiatives/experience using a bulletin board messaging service restricted to WARP members only. Subjects can be anything which adds value to the members eg patch management; training; supplier/product evaluations, security awareness
A Trusted Sharing Service- where reports are anonymised so members can learn from each others attacks/incidents without fear of recriminations or embarrassment

Why is CPNI supporting WARPs?

As part of its role in providing authoritative protective security advice to the UK's national infrastructure, specifically in relation to electronic attack, CPNI promotes a number of types of information sharing model. These models aim to stimulate better promulgation of alerts and warnings, to improve awareness and education, and to encourage incident reporting. The WARP information sharing model addresses the needs of those organisations who cannot justify the cost of setting up a fully resourced help desk, as offered by CERTs (Computer Emergency Response Team), but still provides many of the benefits of a CERT.

How can CPNI help me set up a WARP?

CPNI promotes information sharing and WARPs, having worked closely with what was then known as the Central Sponsor for Information Assurance (CSIA) on some of the early WARP pilots. The lessons learned from the pilots and the first operational WARPs have been captured by CPNI in this website, and are freely available for anyone to use, subject to specified terms and conditions.

What type of community is best suited to a WARP?

A WARP information sharing community could be based on a business sector, geographic location, technology standards, risk grouping or whatever makes business sense. It is easier to build trust with smaller groups and initial experience has shown communities of less than 100 members work well, although larger groups can also benefit from WARPs if the community is very homogeneous.

How do I find a person who would make a good WARP operator?

The operator may be a member, cooperative organisation owned by the members, or a person with a suitable skill-set who can be hired externally. Being technically gifted would be no doubt helpful but the key for the operator is to be a good communicator. Keep that in mind when you look for an operator.

Answers to Member Questions

What are the benefits of WARP membership?

Efficient notification of security advisories and warnings; WARP members can select what type of information they want to receive and which they don’t want.
Peer support: WARP members can share collective view of issues and solutions from peers within the community, which could include benchmarking to support better decision making.
Early warning: Finding out about problems and solutions that others are experiencing, and sharing these within the WARP community offers a unique service. Some information will only be available from the WARP community (privileged access to information).
Improved preparedness: Access to a trusted forum to share problems and solutions, as well as raising awareness of local threats and electronic attack issues.
Compliance with ISO27001: Belonging to a WARP satisfies several accreditation requirements.

Are there any real life case studies of the benefits of WARP membership?

Case studies are provided as reference documents. New case studies will be added at regular intervals, as well as old ones removed.

Do I get incident response service, too?

No. The WARP model was derived from the CERT model, rationalised to make it affordable for small communities by removing the expensive services, such as the response function, since they require more manpower and highly-skilled, expensive staff etc. A WARP can grow into a CERT and offer incident response service but it may hurt the dynamics a WARP has with its members which is the essence of a WARP. CPNI believes that the better strategy would be to develop a closer partnership between WARPs and CERTs so that CERTs can help on a best-efforts basis. WARP members can often get advice and help from other members, from other WARPs, or from CSIRT-UK.

How much will membership cost me?

Membership costs of a WARP will depend on the type of WARP you join. In some cases WARP membership is free, either because it is run by volunteers or else the operator has grant funding or is cross subsidising it from other parts of its business. Where a WARP operator has to recover its costs from membership subscriptions, these can vary depending on the level of value add services being provided and the size of the membership. Many WARP operators also take account of the size of the WARP members organisation where for a large organisation an annual subscription can be as much as £1,200/year while for a much smaller organisation it can be from a few tens of pounds to a few hundred.

Answers to Operator Questions

Can I run more than one WARP?

Yes. In fact, some of the established WARPs are run by the same operators. It is a good idea because there are economies of scale, however, it is important that the WARP operator deals with each community separately and has a good knowledge of, and associates with each community to maintain a trusted environment. So there must be a balance between efficiency and effectiveness in operating more than one WARP. Sometimes this requires a partnership between one operator who is close to the community, and another who administers the technical aspects (FWA etc). CPNI is developing the FWA software to run multiple WARPs on a single server to save costs while keeping each community discrete and identifiable so that they still feel like a small community.

What is the appropriate number of members for a WARP?

There are two key factors which directly affect the optimum size of a WARP: homogeneity of the community and resources it can afford. If the IT security needs and interests of the members are all very similar, meaning homogeneous, then the number of members may be larger. In contrast, if the needs and interests are very diverse, then the number may need to be small, or the operator will be overwhelmed trying to deal with the diverse range of subjects and sources. It can be solved by putting into more resources (several technical staff). but it would increase costs. Typically, about 30 to 100 is a good number for a WARP with one technical staff. Taking into account the factors above, you should carefully find the optimum number for your community.

How do I get to know the community I am going to serve?

You should find a ‘champion’ for the community you are planning to serve. The champion is a person who hears about the WARP idea, looks into it further and becomes enthusiastic about establishing a WARP. The champion may be part of a community or may be responsible for a community, and often becomes the WARP operator. The champion will help you understand a community and sell the idea to the community. The champion concept has been identified through observation and proven indeed a key factor in successfully establishing a WARP.

The cost model says ‘one technical operator’. What if I, the only operator, want a holiday?

There are the WARPs adopting a ‘team’ approach, which involves several operators each taking a turn, or sharing the burdens of doing the day-to-day operations. Terms of reference for the operator will differ for each WARP. If you are to be hired as an individual operator rather than part of an organisation, you should discuss the issue with the WARP operator.

What type of organisation is in a good position to set up and run a WARP?

There are many types of organisation who already have a trusted relationship with a community, these include ‘not for profit’ organisations such as Trade Associations, and Chambers of Commerce. There are also many public sector organisations who have focal points whose role is to provide co-ordinated services to its members – London Connects and Kent Connects are examples in Local Government. User Groups, Professional Bodies, Academic partnerships are other examples. Large organisations in both the public and private sectors could also find the WARP model attractive by setting up multiple WARPs and sharing information between them. Several large government departments have expressed an interest in the WARP approach.

What facilities and personnel will I need to run a WARP?

This will entirely depend upon which services you decide are required by your WARP community. Many of the information sharing ideas promoted by the WARP idea can be achieved simply with a web site and somebody to administer it, but obtaining real value can require more by way of infrastructure. Take a look at the section on WARP infrastructure for a more detailed answer.

How much will it cost to set up and run a WARP?

Costs will vary from one organisation to another depending on whether the WARP is starting from scratch or can take advantage of existing infrastructure and resources. In some instances a WARP can be setup and run at no cost by using volunteers and manual processes. At the other end of the scale, where full time resources are used with dedicated IT infrastructure, the business case section of the site contains an exemplar where the costs of setting up and running a WARP have been calculated to be £90k in the first year (circa 2004). If a virtual team can be used where manpower costs are covered elsewhere, then the costs can be reduced to around £26k in the first year, with ongoing running costs of £15k/ year. This Excel spreadsheet which will enable you to calculate the costs for your own organisation, by varying the component costs depending on your own situation.

How am I going to fund the costs?

Possible WARP funding models are available:

Internal- a WARP hosting organisation decides to fund the WARP. This does not have to be new money as it may be possible to utilize the existing budget and resources
Member subscription- the costs are shared among the WARP memberships
Member co-operative- the costs are offset by the members working as part of a virtual team
Partnership- the costs are shared with the partner who has interest in the community
Sponsorship- the costs are offset by external organisations providing sponsorship

Though the situation differs for each WARP, CPNI encourages WARPs to provide their services to members at no cost for the first year if possible, then charge a low subscription, or find some other way of funding it thereafter.

Can I obtain sponsorship in setting up a WARP?

Information on this site will reduce the cost of building and running a WARP significantly. WARPs will also be entitled to receive CSIRT-UK email warnings and advisories which the WARP can re-use and help reduce some of the costs. There are also opportunities for direct sponsorship and subsidies from a number of sources. In the private sector, IT and security vendors have shown a willingness to provide funding for specific elements of a WARP, from sponsoring a WARP launch event to providing discounted Website hosting. The parent body of the organisation may also see opportunities to combine the WARP with other initiatives thereby providing opportunities to share existing budgets.

How do I get potential members to join?

In this site you will find marketing brochures, presentations and business case literature to make a convincing case for membership of a WARP.

What are my liabilities if I choose to setup and run a WARP?

These will be the same as for most Service Providers in line with UK law, where the operator has to comply with general procedures like, for example, the Data Protection Act. In order not to mislead WARP members, and to limit liability, it is a good practice to document agreements between the WARP and its members. Example customisable agreements are included within the website.

Why should I consider setting up a WARP?

If you already have a trusted relationship with a community, or believe you could create this trust, and you would like to help that community increase the effectiveness of their information security at lower cost, then you should seriously consider setting up a WARP for that community. This website will help you create a business case for setting up a WARP - see Produce business case.

Answers to Sponsor Questions

We are a commercial company. Can we do something for WARPs?

Yes. You can sponsor a WARP, be an operator and provide WARP services, assist WARPs by, say, offering a special deal for your services necessary to run a WARP, develop a useful tool for WARPs and so on. Just please keep in mind that a WARP must not be used directly to generate profit for your business.

Answers to FWA Questions

I just want to use the FWA software. Can I do that?

No. The FWA software is a tool to help develop a full WARP model, where the trust is built and incident sharing flourishes. Though it is useful in its own right, it can only be made available to registered WARPs and cannot be used simply as a standalone delivery system for security advisories.

My IT infrastructure is not Windows-based. Does it mean I cannot use the FWA software?

Yes. Currently the FWA software works only on Windows-based server (2003 and 2008).

How does FWA software help the community?

The FWA software has been regarded as a key feature attracting users to join a WARP, thus, a major ‘foot in the door’. It helps organisations which don’t have the in-house IT security resources, or want to use their resources more efficiently, select advisories which only affect their IT infrastructure and therefore become aware of the threats particular to them. , Through the Advice Brokering Services, the organisations can also discuss the way to act on them together. An established WARP reported that the WARP advisories and news circulated through the FWA also contribute to raising awareness, and the very fact that information is being circulated to the whole community, without favour, encourages trust.