Identify Community
The first and most important activity is choosing the community for the WARP, and this stage should include undertaking some market research.
This choice of community and the type of market research will depend to a large degree on who you are, and the organisation you represent. The diversity of types of WARP operator is a strength of the WARP concept and to help you identify your own community, a number of real life case studies have been documented on this site. Some existing WARP communities are listed below.
Local Authority communities
There are a number of organisations that already have a trusted relationship with a community of Local Authorities, based on geographic location. Examples of these can be found in the WARP directory, or you can search for the relevant authority using our map.
Given that there were existing relationships in many cases, identifying the community was made simpler. However, market research is still a vital element to judge how receptive the membership will be to WARP services.
In one case this market research was achieved by the prospective WARP provider approaching someone in a Local Authority whom they already knew to have a good understanding of the information security issues which the WARP could address. This person already had existing contacts and agreed to call a half day workshop with these contacts. The results of this workshop are provided as a case study reference document:
Case Study - Meeting between local authorities discussing the creation of a WARP
Case Study - Short presentation to help Q&A session at WARP start-up workshop
In another case, the market research was conducted at a higher level where the prospective WARP provider gave a presentation at an existing meeting of Local Authority Directors. This high level top down approach, and the lower level bottom up approach are both effective ways to judge the community's interest in joining a WARP.
Trade Association and Chamber of Commerce communities
There are many membership organisations such as Trade Associations and Chambers of Commerce who already provide a range of services to their members. These often have large memberships (>1000 members), which is too large for a typical WARP, especially early on. Some means must therefore be found to choose a sub-community within this membership that would be most receptive to becoming members of a WARP.
In one case, a number of members in the organisation had recently raised Information Security as an area of interest and had created a sub-committee to provide direction and advice to members. The chairman of this committee would be a good stakeholder to approach to include WARPs on their next meetings agenda. In this case, CPNI was able to send a representative to provide a presentation at the meeting e.g. the case study below:
Case Study - CPNI presentation to a Security Committee to gauge interest in WARPs
Partnership - commerce and academic communities
This WARP model is not intended to be used for profit making business ventures, as stated in the WARP Code of Practice. However, a commercial company working with an independent organisation such as a University, setting up a not-for-profit WARP would be welcomed. The benefits to the commercial company in this case would be increased marketing exposure to the community, contribution to the general good and other partnership opportunities. One example of this type of partnership is where a Regional Development Agency is funding the creation of a Technology Centre in a redevelopment area, in partnership with local businesses and Universities. In this case WARPs were seen to be a valuable differentiator for the Technology Centre.
Large public sector department communities
Providing a WARP within a large public sector department, and choosing the community, provides different issues and opportunities from those in the previous cases. The first difference is that due to the large scale of these departments, it is likely that co-ordinated multiple WARPs will be required rather than one large WARP. The other difference is that these sub-communities are more likely to be subject to direct management control, whereas most WARPs are completely free-standing and independent.
In one case a large Government agency looked at setting up a WARP to help with its information governance responsibilities.
Another large government department looked at working closely with its managed service provider to set up a WARP to provide a more rigorous and defined security role in its customer/supplier relationship.
Large Corporate communities
Commercial organisations are allowed to establish WARPs, provided that they do so on a Not-for-Profit basis, though they can establish this on a cost-recovery basis. They would need to be able to satisfy other WARPs that they were not exploiting the model, network and tools directly for profit.
Two examples of this which were considered are:
- A large telco using the model in conjunction with an internal CERT to improve incident reporting and provide effective warnings and advice internally. This initial phase will then be developed to provide services to customer groups and partners who are at particular risk of electronic attack.
- Another Managed Service Provider is using the WARP model to better disseminate advisories to its product customers, and assist them in sharing advice & best practice and gathering feedback on its services as well as on incidents affecting them.