Security v0.2 (SWG4)

Request For Comment

Security measures are critical to protect the cyber threat information that ISAOs and their members share. ISAOs that choose to work with the U.S. Department of Homeland Security will have other requirements to review as well, in addition to existing regulatory and legal cybersecurity requirements at the state, local, federal, and international level. This draft document lays out the initial types of issues ISAOs should consider and discuss with their membership. It is not intended to be a final document, but a starting point for discussion and input in the ISAO Standards Organization process.


Submitted Comments

The ISAO SO invited the public to provide comments on this document from May 3 – June 17, 2016. The three fields listed below (including line number, importance, and comment) are the exact contents as submitted by the commenter.

| Line Reference | Comment | Disposition |
|---|---|---|
| 55 | Recommend including the example of two factor authentication as a basic security measure needed to share and disseminate threat information. | Accepted |
| 62-65 | The presumption of this passage is that ISAO membership is corporate rather than individual; however, this presumption may not be valid for all ISAOs. Some of the more effective informal trust groups in existence today are based on an individual trust model rather than a corporate representation model. This passage should be rewritten to reflect the possibility of ISAOs with individual members. | Deferred |
| 68 | Recommend adopting a current standard for attack and breach notifications. There isn't a need to create new if one common standard exists such as CJCSI 6501 or CNSS or NIST. | Accepted |
| 78 | Recommend that standards advise against classifying information as it is counterproductive to sharing of threat intel broadly. Recommend clearly acknowledging that the originator of the data should determine sharing restrictions as uncertainty on this level may hinder willingness of organizations to share information. Furthermore, it is also important to acknowledge that data classification, distribution and labeling should not be used if the primary sources for identifying vulnerabilities and threats in the commercial sphere. | Accepted |