ISAO 200-1: Foundational Services and Capabilities v0.2

Request For Comment

The request for comment period for this draft concluded on Wednesday, March 28. All comments are currently under review and adjudication by working groups. Comments received after the March 28th deadline are welcomed and may be included in future adjudication and revision periods.

Appendix A of the ISAO 100-2 publication introduced a list of several services and capabilities that an ISAO could perform as baseline offerings. Those services and capabilities were categorized into Foundational, Advanced, and Unique. The purpose of this document is to assist ISAOs by providing a more in-depth review of the foundational services and capabilities of an ISAO: collection and dissemination, facilitating member sharing, analyzing information, and surveying members. This in turn will give ISAOs a better understanding of how they can operationalize the technical, analytical, and personnel resources that are built around those capabilities and services.

This document begins with the simpler capabilities and services and progresses to those that are more challenging. This lets ISAOs that are further along in their evolution navigate to the area of the document that is appropriate for their current situation. Additionally, collection and dissemination have been split into separate services and capabilities, and thus each will have its own chapter. After evaluating the processes and technologies for collection and dissemination, WG2 felt that each was distinct enough to be treated as an independent service and capability.


Submitted Comments

The ISAO SO invited the public to provide comments on this document from March 13, 2018 – March 28, 2018. Both fields listed below (line number and comment) are the exact contents as submitted by the commenter.

Line Reference | Comment | Disposition
9 | insert "that ISAOs could voluntarily choose to provide" | Partial Acceptance
18 | voluntarily choose to provide, at the request of its members, | Partial Acceptance
18 | What are baseline offerings? Wouldn’t that ‘baseline” differ for each ISAC/ISAO? Recommend to delete. | Partial Acceptance
20 | These are not "capabilities of an ISAO," but rather products and services they can provide to members. The term is used to describe the capability, not the ISAO. Would prefer something that says "foundational services and capabilities ISAOs could choose to provide to their members" or some such thing. | Partial Acceptance
22-23 | Please re-phrase so that it reads: "This will help ISAOs effectively manage their resources and implement programs, policies and services that meet the needs of their members." or something similar. | Partial Acceptance
25-27 | I think I understand the intent here, but not all ISAOs will want to "progress" and there is no need for them to do so if they are meeting the needs of their constituents. | Rejected
44 | delete this term and insert "an organization's" since a survey helps with all aspects of an ISAO, not just foundational services. | Partial Acceptance
134-135 | Are we sure of this? Printing surveys, sending them via post, paying for postage out and back, and manually combing through the responses is more cost effective than an online survey? | Partial Acceptance
150 | How are these disadvantages different from any of the others? Every survey needs willing participants and a statistically valid representation. | Partial Acceptance
158-159 | Are telephone interviews the most time consuming? Wouldn’t that be face to face? | Partial Acceptance
229-232 | Are we quoiting NIST or Johnson, Badger, et all? | Partial Acceptance
235 | Comma can be removed after reports and before “and.’ | Accepted
236-238 | We can't agree to include this. There are other ways to collect information other than sensors, and saying that an ISAO should deploy these goes beyond a foundational service. In fact, this section does not touch on the "Foundational" items in Appendix A. The list of Foundational Services in Appendix A is: "Facilitate a way for members to share data. Pull or partner on an existing daily report and disseminate via e-mail to the membership. Send out an e-mail survey to determine what members want to see and best format for distribution." Deploying sensors and repositories is beyond foundational. | Partial Acceptance
243 | This might be true, but not sure this is part of the Foundational services listed in Appendix A. | Rejected
245 | We might want to explain of how it lowers cost to members. Also must note this is well beyond what was listed as Foundational in Appendix A. | Partial Acceptance
262 | I think we need to include the obvious fact that the more information one has, the more resources it requires to collect, review and analyze the information. | Accepted
274 | We are well beyond foundational. Appendix A talks about finding blogs and reports, not collecting feeds. | Rejected
288 | To avoid confusion to the reader, we should focus only on Foundational services and capabilities. | Partial Acceptance
293-302 | These go well beyond the foundational list in appendix A. | Partial Acceptance
307-309 | Sentence needs to be re-written to say, “As mentioned previously, information exchanged from members to the ISAO can build trust throughout that entire community.” Or something along those lines. | Accepted
310 | Re-write, please, to say, “ This requires methods, means and sources be vetted by the ISAO.” | Accepted
317-318 | When talking about evaluating systems, it seems to me we again are moving beyond the Foundational capabilities outlined in Appendix A. | Accepted
319 | Appendix A focused on looking at information (blogs, news reports etc.) and not data. | Rejected
324 | While this may be true, this is certainly well beyond the foundational services in Appendix A. | Accepted
327 | Again, auditing data feeds (even setting up data feeds) is not identified as a foundational capability in Appendix A. | Accepted
328-329 | Not foundational | Accepted
338-345 | This is well beyond the foundational services identified in Appendix A. Also, ISAO/ISAC incident response likely will be much different than incident response within a specific enterprise, | Partial Acceptance
352-353 | I have no comment here. Just can't get it to un-highlight. :o) | No Action Required
361-363 | Other than saying, start small and grow, I'm not certain we provide any real guidance to ISAOs seeking to provide the foundational services identified in Appendix A. We spend too much time talking about capabilities and services that are beyond foundational. | Accepted
361-363 | A bit of a run-on, should say something along the lines of: "Starting out with too many methods, tools and sources can complicate the process. In turn, reducing the level of service that the ISAC can provide its membership. | Accepted
 | Starting out with too many methods, tools and sources can complicate the process. In turn, reducing the level of service that the ISAC can provide its membership. | Accepted
373 | Just cyber threat information sharing? | Accepted
382-385 | Yes, but this is not our purpose. Our purpose is to help ISAOs in understanding how they can provide analysis as a foundational service, if they wanted to do so. For example, the Foundational capability in Appendix A is: Provide a forum for members to discuss and identify common issues and trends. | Rejected
389-391 | Let's focus this chapter on giving ISAOs the information they need to do this | No Action Required
402 | Agree, but this is not what Appendix A describes as a Foundational Capability. Appendix A states: "Providing a forum for members to discuss and identify common issues and trends." | Rejected
478 | Not sure this is Foundational. | Partial Acceptance
486 | It seems to me content is out of place here. We should include this where we talk about the type of information that can be shared, where we currently just focus on CTI. I think the list of examples here is much closer to what a Foundational capability is than much of the other content in the document. We should focus the dissemination section on helping ISAOs (and their members) share this type of information. | Partial Acceptance
525 | We need to provide more context to these if thus is to be meaningful to our audience. Instead of using only TLP, we should stress the importance of having a policy that details how information is stored, handled, and shared. TLP is an example of a policy related to how information can be shared. | Partial Acceptance
Figure B-1 | It's a nice graphic, but it goes well beyond foundational and I worry it will scare people away | No Action Required