ISAO SO Provides Certification Trust Model Update

ISAO SO to Survey ISAOs and Research Methods for Fostering Trusted Relationships for Information Sharing

The Information Sharing and Analysis Organization Standards Organization is committed to an open and transparent process of developing ecosystem-driven and consensus-based guidelines addressing ISAO needs. The development of these guidelines continues to be driven by numerous experienced community volunteers. The ISAO SO deeply appreciates the working group members who tirelessly volunteer their time in support of this important endeavor.

In December 2017, the ISAO SO issued a public Request for Comment period regarding certification as a possible means for building trust within the ecosystem. Comments were submitted by a wide section of the sharing community, including financial services, communications, information technology, water, healthcare, multiple U.S. sector coordinating councils, the U.S. Chamber of Commerce and the British Standards Institution (BSI). The membership of these organizations represents a large set of companies successfully sharing critical threat information today. The majority of comments indicated that certification would not foster the desired trust that was at the center of the proposed Certification Model and identified other concerns, such as continuing information sharing as a voluntary tool and preserving beneficial organizational flexibility. The overwhelming majority recommended against proceeding with certification, something many stated was neither necessary nor warranted at this time.

The ISAO SO and working group leaders met, via webinar, on January 25, 2018 to discuss the comments received. While arguments both for and against certification were discussed at the meeting, the consensus was that now is not the right time to move forward with ISAO-related certification efforts. As the number of ISAOs increases, the ISAO SO will readdress the issue if and when the information sharing community feels it would be of benefit to the community. Some comments recommended undertaking efforts to examine how existing sharing organizations have established trusted relationships. These ideas also were discussed and considered by the ISAO SO leadership on the call. However, the issue of trust, and the best, scalable, methods for doing so still need to be addressed. Therefore, based on received recommendations and discussions:

The ISAO SO will conduct additional research and gather more information on methods used for creating trusted relationships that have successfully fostered information sharing.
The ISAO SO will survey the information sharing community and determine if a forum for ISAOs, similar to the National Council of ISACs (NCI), would benefit the community by providing a setting where ISAOs may interact and discuss topics important to the ecosystem.
The ISAO SO will monitor the needs of emerging ISAOs and the broader market landscape, while exploring ways and mechanisms to bolster ISAO stand-up, sustainment, and structural trust-building across the ecosystem and among ISAO stakeholders.

The ISAO SO remains committed to the information sharing community and is proud to serve as its voice. Submitted comments and recommendations will be made available on the website, ISAO.org.

The ISAO Standards Organization

About author

The ISAO Standards Organization is a non-governmental organization established October 1, 2015, and led by the University of Texas at San Antonio (UTSA) with support from LMI and R-CISC. Our mission is to improve the Nation’s cybersecurity posture by identifying standards and guidelines for robust and effective information sharing and analysis related to cybersecurity risks, incidents, and best practices.