Protecting Consumer Privacy in Cybersecurity Information Sharing

The work of the ISAO SO depends on the vast knowledge and experience of the volunteers who make up the Working Groups. Each group is tasked with developing specific standards and guidelines for the creation and functioning of ISAOs. Active working group member Megan Stifel is an attorney and the founder of Silicon Harbor Consultants, a firm that provides strategic cybersecurity operations and policy counsel. She was an integral part of the development of ISAO SP-4000: Protecting Consumer Privacy in Cybersecurity Information Sharing.

The ISAO SO recently published a new document titled ISAO SP-4000: Protecting Consumer Privacy in Cybersecurity Information Sharing, available for download on the ISAO.org website. The document supplements the high-level guidance set forth in Section 9 “Information Privacy” of ISAO 300-1: Introduction to Information Sharing, published in September 2016, to further assist entities as they assess the potential privacy implications of cybersecurity information sharing. It builds upon the previously published basic principles by outlining actions to promote efficient and effective information sharing while minimizing the impact on privacy interests. Importantly, this document reflects the contributions of industry, civil society, and the government.

The primary audience for this document is risk managers and those within an entity who are involved, on a cross-disciplinary basis, in making decisions about how to approach privacy when sharing cybersecurity information. Nevertheless, this document is maturity-agnostic and reflects actions an organization should consider regardless of its information sharing capabilities.

The practices identified in the document are consistent with the Cybersecurity Information Sharing Act of 2015 (CISA) and draw upon “Guidance to Assist Non-Federal Entities to Share Cyber Threat Indicators and Defensive Measures with Federal Entities” from the Departments of Homeland Security and Justice. The identified practices make additional suggestions to advance privacy and facilitate robust information sharing.

ISAO SO Special Publications are documents authored by the ISAO SO working groups using an open and transparent consensus-driven development process. These documents are designed to be shorter than the ISAO SO General Publications while addressing specific topics to meet the needs of information sharing organizations.