Request For Comment
The product outline serves as a unifying framework to identify and organize the topics to be addressed by the ISAO Standards Organization (ISAO SO). It is designed to take into consideration the different types of ISAOs that may be formed and the various levels of capabilities each may incorporate. It presents an organized approach to developing the various documents pertinent to ISAOs while considering the immediate needs of emerging ISAOs.
The ISAO SO invited the public to provide comments on this document from May 3 – June 17, 2016. The three fields listed below (including line number, importance, and comment) are the exact contents as submitted by the commenter.
| Line Number | Importance | Comment | Response |
| --- | --- | --- | --- |
| General | | There doesn't seem to be provision to account for global or language analysis. Working in the cyber security field, I notice that a lot of the information we receive is not always in English and may require language and cultural analysis. There have to be policies on distributing, analyzing, qualifying, and sharing these incidents among ISAOs. In addition, language skills are also benefits that can be shared between collaborating ISAOs. | Accepted |
| 28 | | "Which greatly expanded the number and type of information sharing organizations that will be developed" should be changed to "that could be developed" since there is no guarantee that these organizations will be stood up. | Accepted |
| 35-38 | | When talking about the two overarching efforts that are important to ISAOs, we should also mention the protection of the shared information and control over distribution. Many organizations are reluctant to enter into these types of arrangements out of fear of losing competitive advantage or increased liability. | Accepted |
| 104 | | As part of the definition "any entity or collaboration": it seems like this would more accurately be described as "any collaborative entity or group". I don't think it would be accurate to state that an ISAO is "any collaboration"; that would define it too broadly. I also think that this should probably be described as set up by more than one organization for the express purpose of doing the following activities, right? It should not just be a single org setting it up. | Rejected |
| 117-120 | | This section does not really provide Explanations or Examples as the title seems to allude to. Recommend updating or removing. | Accepted |
| 153-169 | | This section is missing a bullet that speaks to the value provided from pooling resources and cross-leveraging information and resources in a time when budgets are extremely tight. ISAOs can act as a "force multiplier" for their constituents by allowing the different member organizations to benefit from resources expended by each of the members. | Accepted |
| 155-156 | | A set of indicators and best practices alone will not make the members more secure. The provision of these indicators and BPs will help inform risk-based decision-making for the members, and allow them to make better/more timely decisions, but just providing them will not make the members more secure. Action is still required on the part of the members to enhance security. Recommend changing to "An informative set of cybersecurity threat indicators and best practices provided by ISAOs will increase situational awareness and better inform risk-based decisions for member organizations." | Accepted |
| 162-166 | | This bullet basically builds on the first bullet (Lines 155-156) and does not present a new thought, but rather builds on the first bullet. Recommend combining those two bullets to streamline things. | Accepted |
| 167-168 | | This line is true regardless of whether the member is part of an ISAO or not. Recommend striking this bullet as it adds no value beyond what the other bullets already provide. | Accepted |
| 211 | | Clearinghouse versus Membership: All ISAOs would have members, so the bullet should just be "Clearinghouse" to indicate that the ISAO would operate as an informal place for receiving and distributing information. | Accepted |