ISAO Startup Topics v0.2 (SWG1)

Request For Comment

The request for comment period for this draft concluded on Friday, June 17, 2016. All comments were reviewed and adjudicated by working groups. Comments received after the June 17 deadline may be included in future adjudication and revision periods.

This document, and its separate sections, is designed to take into consideration the different types of ISAOs that may be formed and the various levels of capabilities each may incorporate. It provides an overall organized approach to developing the various documents pertinent to ISAOs, while considering the immediate needs of emerging ISAOs. Individual Standards Working Groups will develop and refine specific sections of this document in coordination with other SWGs as directed by the ISAO Standards Organization, and will consider how each section must fit into the larger picture defining the creation and operation of an ISAO.


Submitted Comments

The ISAO SO invited the public to provide comments on this document from May 3 – June 17, 2016. The line reference and comment fields listed below are the exact contents as submitted by the commenter.

| Line Reference | Comment | Disposition |
| --- | --- | --- |
| 12 | Add an Insurance Construct and Governance as well | Accepted |
| 12-340 | Though lines 106 and 107 Though lines 106 and 107 explain that this is a description of a “fully capable” ISAO, the Governance section (lines 122 - 340) could seem really overwhelming to a smaller/simpler ISAO. Maybe a section with minimum suggested requirements. | Accepted |
| 55-59 | The description of "public health and safety" is part of the Preparedness, Response, and Recovery because prior to and after a "Incident" there is a level of PTSD and Behavioral Health issues that occur. (x5) Steps of Grieving due to a disruption of "normal life activities." | Rejected |
| 55,56 | Choice of wording. "public health and safety" seems like a secondary concern (for ISAOs) to security which should be the focus and listed first. | Accepted |
| 84-86 | The inclusion of the entities should always be stated, Public, Private, and Academic. | Accepted |
| 93, 472 | What is the definition of a member of ISAO? To clearly understand what kind of organizations can form an ISAO or be a part of an ISAO, it is important to provide a definition of term "member". Furthermore, defining the term member is important to clearly establish that a wide range of organizations can be an ISAO- for example, a single company ISAO that shares information thought its products and services with customers would not have “members” but "customers". | Under Review |
| 99& 100 | Should these 2 lines be bullets? | Under Review |
| 105 | Should the ISAO and ISAC be similar in foundational operations that include all (x16) Sectors of the critical Infrastructure protection? | Rejected |
| 106 | What is meant with "fully capable" versus "capable" ? Are there different levels of the ISAO's core foundations based on the "expertise" of each member or organization? Who deams each member or organization "fully" capable? The tools/techniques used in each of the (x16) Critical Sectors should already be understood by the Public, Private, Academic representatives as proven "capable." | Accepted |
| 106 | Will the ISAO be facilitated the same as the ISACs to include a Lexicon? | Accepted |
| 107 | To include governance regarding Legal and Insurance compliance guidelines. | Under Review |
| 109 | Suggest using "or" (disjunctive) in enumerating different activities of ISAOs (collect, share, analyze information, provide recommendations as to what to with the analyzed information received) to account for varying degrees of capabilities among entities who will form or certify as ISAO and varying needs of organizations. For example, some organization will only receive threat indicators, other may only share indicators with other organizations. There will be organizations that will lack resources or/and expertise to make use of cyber threat information and may hire third party providers to use the information on their behalf. Recommend to implement throughout the document. | Accepted |
| 115, 416 | Sharing of information is an important element of a comprehensive cybersecurity strategy but in itself won't make members of ISAOs more secure. | Accepted |
| 117 | And include guidelines for Legal and Insurance to assist in Preparedness, Response, and Recovery. | Under Review |
| 118 | Should the aggregating information from ISAO's be in alignment with ISAC for each Sector? | Rejected |
| 121, 430,460,472,489,500, 510 | Many of the governance issues are not applicable to or inconsistent with the concept of single company ISAO that shares information with its customers through products and services. In these ISAOs many of the governance issues listed will be governed by internal legal and policy instruments. Recommend recognizing in the document that this is in an informative guidance which may or may not be implemented depending on individual circumstances of an ISAO. This is important to accommodate a wide-set of entities that can form an ISAO as described in EO 13691. | Accepted |
| 125 | Add "approved-list" of virtual secured sites for communications (i.e. Google Drive, Drop Box, Go-To Meeting, Conference America) | Rejected |
| 144-147 | What Cyber Insurance Policy will be associated with the ISAO? Who will be monitoring the NDA/Security agreements within the ISAO? Will the ISAO's operational/logistical model follow the ISACs ? | Rejected |
| 157 | Add Academic Institutions and remove generic "institutions". What about USA "Coalition Allies/Partners with Foreign Investments?" | Under Review |
| 165 | Classes " remove keep "Categories of Members" (note per Behavioral Health) | Accepted |
| 171 | Definitely have an NDA / Membership Agreement to support the "safe sharing" culture. | Accepted |
| 172 | Membership Fees (Dues) appropriately affordable to the Organization / Sole Proprietor's thresholds of business (Fortune 500, Mid-Size, 8A, Independent Consultants) | Accepted |
| 178 | Conflict Resolution items should be covered under the "Code of Conduct" but have separate protocols. | Rejected |
| 343 | In the section on service offerings, it is important to recognize varying degrees of capabilities among entities and varying needs of organizations. For example, some mature ISAOs will be able to conduct all the activities listed in service offerings, some will only have resources and capabilities to conduct some of them, and some will hire third party providers to execute some or all of these activities on their behalf. The recognition of the varying degrees of capabilities of an ISAO will likely encourage a wider range of organizations to join the ISAO ecosystem and fulfill the objective of EO 13691 of robust market for information sharing. | Accepted |
| 354 | List of types of ISAOs fails to consider the full range of ISAO models which could range from small, community based organizations, to highly capable for profit, single company ISAOs as envisioned by the EO 13691. | Accepted |
| 398 | Insert after line 398--INFORMATION ANALYSIS The document includes various steps in information sharing lifecycle such as information sharing, collection, and dissemination, but fails to acknowledge important steps in information analysis. Recommend including the following section pertaining to information analysis: * Relate indicators to business functions and risk * Relate activities to attack life cycle * Heuristics and accuracy; true postives and false negatives * Define functional analysis (how, when, scope) * Reactive reporting (post-mortum to an incident) * Pro-active reporting (assessments) * Frequency of reporting and depth of information detail* Feedback to verify assessments | Accepted |
| 417 | Various organizations, even within the same ISAO can have varying information sharing needs and information sharing may have different role in their risk management strategy. For instance in geographically-based ISAO geography might be the only common denominator between organizations who participate in an ISAO. Recommend making "information sharing problem" plural to acknowledge the possibility of existence of several problems information sharing is aimed to solve for a given ISAO. | Under Review |
| 432 | While it is important to pre-determine a set of data ISAO will be gathering to address a threat, gathering threat intelligence not related to a certain attack or threat might be needed from a long term perspective for larger situational awareness about threats- to establish trends, patterns, etc. Suggest acknowledging this principle. | Accepted |
| 533 | Will this Lexicon be similar to the ISAC's for each (x16) Critical Infrastructure? | Rejected |