Roles and Responsibilities of Federations
- Follow the [IR] requirements described by Sirtfi, and [OS], [TR] and [PR] as applicable 
- Provide a security contact point (e.g. email@example.com) available to all federation participants, federation operators, other federations and external organisations
- Define communication channels to be used for security incident response by federation participants
- Appoint a Federation Security Incident Response Coordinator when notified about a suspected security incident. This role may be played by a federation participant or external entity, such as a Research Community or e-Infrastructure CSIRT, as appropriate.
- Ensure a unique identifier is assigned for each security incident
- Provide or source technical expertise necessary to assist federation participants (forensics, technical investigation, log analysis, etc.)
The Federation Security Incident Response Coordinator is responsible for following the Incident Response Procedure for Federation.
Federation Security Incident Response Procedure for Federation Security Incident Response Coordinators
1. Assist federation participants in performing appropriate investigation, system analysis and forensics, and strive to understand the cause of the security incident, as well as its full extent. The time and effort needs to be commensurate with the scale of the problem and with the potential damage and risks faced by affected participants.
2. Ensure all affected participants in the federation (and, if applicable, in other federations) are notified
via their security contact with a “heads-up” within one local working day. If other federations are affected, the eduGAIN security contact point must be notified, even if affected participants in all other federations have been contacted directly.
3. Coordinate the security incident resolution process and communication with affected participants until the security incident is resolved.
4. Ensure suspension of service (if applicable) are announced in accordance with federation and interfederation practices.
5. Share additional information as often as necessary to keep all affected participants up-to-date with the status of the security incident and enable them to investigate and take action should new information appear.
6. Assist and advise participants in taking corrective action, or restoring access to service (if applicable) and legitimate user access.
7. Produce and share a report of the incident with all Sirtfi-compliant organisations in all affected federations within one month. This report should be labelled TLP AMBER  or higher.
8. Update documentation and procedures as necessary.