The group of industry, academics and advocates charged with developing standards for the cybersecurity Information Sharing and Analysis Organizations (ISAOs) just released a draft of its guiding document and is looking for public comment.
The ISAO Standards Organization Product Outline sets out to define exactly what an ISAO should be, how it should function and how it should cooperate with other similar organizations, including other ISAOs, sector-specific Information Sharing and Analysis Centers (ISACs) and government entities like the National Cybersecurity and Communications Integration Center (NCCIC).
Download: ISAO SO Product Outline
The document is the first step in a multi-phase process for establishing the standards by which the private sector can share sensitive, timely cyber threat information with the government and vice versa.
“To address this problem effectively will require more than just establishing a number of disparate information sharing organizations,” according to the draft. “It will require a coordinated effort that effectively identifies and considers the existence and ongoing formation of ISAOs to understand where information sharing is occurring and its impact.”
The guidance suggests an effective ISAO should provide three specific services to its members:
Situational awareness: ISAO members need to understand both the tactical and strategic aspects of the environment in which they are managing risks. This support includes activities to collect and share information, analyze it and recommend what to do with it.
Decision-making: ISAOs need to disseminate actionable information that will enable their members to make decisions related to their current security posture and allocation of security and IT resources. This support involves receiving information, establishing its relevance to the organization, assessing potential impacts, identifying potential actions, and selecting the best course of action.
Actions: ISAO members ultimately will take actions based on received information and analysis. Organizations will develop detailed actions and assign responsibilities, implement the actions and evaluate their effectiveness, providing feedback for further consideration.
The document also outlines the future of the standards group’s work, including the different “products” — guidance documents — that will be developed over the next few years.
These include guidance on governance; service offerings (capabilities); operating models (types of ISAOs); information sharing policy; information collection and dissemination; sharing models and mechanisms; security of data and systems; funding models; start-up activities and key planning factors; partnerships and support; and government relations.
The Standards Organization got started in September 2015 with a $10 million grant from the Department of Homeland Security. The group — led by researchers from the University of Texas at San Antonio, the Logistics Management Institute and the Retail Cyber Intelligence Sharing Center — expects the entire process will take between two and five years.
"With a diverse group of players — government, individuals and private businesses — there are conflicting concerns to be balanced," Rick Lipsey, the group’s deputy director and senior strategic cyber lead at LMI, told Federal Times in September. "This is done through a voluntary consensus standards development process, where we promote discussion and move toward a goal of common security and privacy of business and individuals."
Garnering public comment is a significant part of that process.
Comments on the draft products outline should be submitted through the ISAO website by June 17 to be considered in the next round of revisions.