The ISAO Standards Organization is developing the Resource Library as part of our effort to promote robust information sharing and analysis related to cybersecurity risks and incidents.
The Resource Library is a hub of resource links, documents, tools, templates, checklists, and best practices essential for the development of services and capabilities needed to improve effective information sharing and analysis within any community of interest. Whether you’re part of an existing information sharing organization, looking to form one, or simply want to learn more about the subject, we invite you to explore our growing collection of digital resources. The Resource Library will inform and empower your organization with knowledge and tools to improve your cybersecurity posture.
-
(ISC)²
(ISC)² is an international nonprofit membership association focused on inspiring a safe and secure cyber world. (ISC)² offers a portfolio of credentials that are part of a holistic, programmatic approach to security.
-
(ISC)² Center for Cyber Safety and Education
The Center for Cyber Safety and Education is the nonprofit, charitable foundation of (ISC)². The Center is the global authority on internet safety education and the leading source of research and information on the international information security ...
-
Attack Prevention
Attack Prevention is an online resource that provides thousands of free network security whitepapers, videos, podcasts, and security tools.
-
Business Continuity Plan Resources from Ready.gov
Templates and guidelines from Ready.gov for businesses to develop their own Business Continuity Plans.
-
Business Laws from the US Small Business Administration
A summary of laws and regulations relevant to small businesses provided by the US Small Business Administration.
-
Carnegie Mellon CSIRT Development and Training (CDT) Team
Carnegie Mellon Software Engineering Institute’s CSIRT development and training (CDT) team helps organizations to develop, operate and improve incident management capabilities. Organizations can take advantage of the products, training, reports and w...
-
Carnegie Mellon Software Engineering Institute (SEI)
The SEI offers tools and methods for a wide variety of ISAO activities to include cyber risk and resilience management, network situational awareness, vulnerability analysis, among others.
-
Carnegie Mellon Software Engineering Institute (SEI) CERT Coordination Center
Addresses risks at the software and system level. Identifies and addresses existing and potential threats, notifies system administrators and other technical personnel of these threats, and coordinates with vendors and incident response teams worldwi...
-
Center for Strategic and International Studies (CSIS) Critical Controls for Effective Cyber Defense
CSIS’ Critical Controls for Effective Cyber Defense, commonly referred to as The 20 Critical Controls, is a consensus document outlining 20 crucial controls that form a prioritized baseline of information security measures that can be applied across ...
-
CIO Magazine – 10 Great Cybersecurity News Sources
This link provides unusual, but helpful, access to the author’s Top Ten Cybersecurity News Sources for anyone to consider as up-to-date information about cybersecurity and breaking news. The article is dated but the additional links to the ten sites ...
-
Cyber Defense Magazine
This link provides timely and important topics on IT security information. Whitepapers, latest news, and upcoming cyber security events. The monthly E-Magazine sign-up is free.
-
Cyber Threat Alliance
The Cyber Threat Alliance is a group of cyber security practitioners from organizations who have chosen to work together to share threat information to improve defenses against cyber adversaries.
-
Department of Justice (DOJ) Best Practices for Victim Response and Reporting of Cyber Incidents
Any Internet-connected organization can fall prey to a disruptive network intrusion or costly cyber-attack. A quick, effective response can prove critical to minimizing the resulting harm and expediting recovery. The best time to plan such a response...
-
DHS Automated Indicator Sharing (AIS)
The Department of Homeland Security’s (DHS) free Automated Indicator Sharing (AIS) capability enables the exchange of cyber threat indicators between the Federal Government and the private sector at machine speed. Threat indicators are pieces of info...
-
DHS Coordinating Councils
The NIPP established four cross-sector councils that participate in planning efforts regarding the development of national priorities and policy related to the resilience and capacity-building objectives of the NIPP: the Critical Infrastructure Cross...
-
DHS Critical Infrastructure Cyber Community Voluntary Program (C³)
Voluntary Program to assist in enhancing critical infrastructure cybersecurity and to encourage the adoption of the National Institute of Standards and Technology’s (NIST’s) Cybersecurity Framework, released in February 2014. The C³ Voluntary Program...
-
DHS Cyber Information Sharing and Collaboration Program (CISCP)
The Cyber Information Sharing and Collaboration Program (CISCP) is a no-cost information sharing partnership between enterprises and DHS. It creates shared situational awareness across critical infrastructure communities, enhances cybersecurity colla...
-
DHS Cyber Infrastructure Survey Tool (C-IST)
The Cyber Infrastructure Survey Tool (C-IST) is an assessment of essential cybersecurity practices in place for critical services within critical infrastructure organizations. C-IST is a structured, interview-based assessment focusing on more than 80...
-
DHS Cyber Security Advisors (CSAs)
Cyber Security Advisors (CSAs) are regionally located DHS personnel who direct coordination, outreach, and regional support to protect cyber components essential to the sustainability, preparedness, and protection of U.S. critical infrastructure and ...
-
DHS Cybersecurity Evaluation Tool (CSET) and On-Site Cybersecurity Consulting
The Cybersecurity Evaluation Tool (CSET), a self-assessment tool, offers assessments of the security posture of industrial control systems. Features include mapping to control systems standards based on the sector, as well as a network architecture m...
-
DHS Cybersecurity Service Offering Reference Aids
DHS’s National Protection and Programs Directorate (NPPD) has developed a list of freely available reports and resources pertinent to managing the acquisition of cybersecurity services. It is not intended to be exhaustive but covers a wide range of c...
-
DHS Cybersecurity Workforce Development Toolkit
Organizations need to have the right staff in place to protect their information, customers, and networks. They need to find and keep top cybersecurity staff. DHS has a new resource to help organizations get—and keep—the right cybersecurity staff and...
-
DHS Enhanced Cybersecurity Services (ECS)
Enhanced Cybersecurity Services (ECS) is an intrusion prevention and analysis capability that helps U.S.-based companies protect their computer systems against unauthorized access, exploitation, and data exfiltration. ECS works by sharing sensitive a...
-
DHS Federal Virtual Training Environment (FedVTE)
The Federal Virtual Training Environment (FedVTE) content library contains prerecorded classroom cybersecurity training for Federal Government personnel and contractors, as well as state, local, tribal, and territorial government personnel. FedVTE provides gover...
-
DHS Homeland Security Information Network (HSIN)
The Homeland Security Information Network (HSIN) is the trusted network for homeland security mission operations to share sensitive but unclassified information. Federal, state, local, territorial, tribal, international, and private-sector homeland s...
-
DHS Protective Security Advisors (PSAs)
Protective Security Advisors (PSAs) are security subject matter experts who engage with SLTT government mission partners and members of the private-sector stakeholder community to protect the Nation’s critical infrastructure. Regional directors overs...
-
DHS Stop.Think.Connect. Campaign
Launched in 2010, the Stop.Think.Connect. (STC) campaign was created to empower Americans to reduce cyber risk online by incorporating safe habits into their online routines. The campaign was conceived by a private coalition, the National Cyber 602 S...
-
Disaster Recovery Plan Resources from Ready.gov
Templates and guidelines from Ready.gov for businesses to develop their own Disaster Recovery Plans.
-
Electronic Communications Privacy Act of 1986
A summary of the ECPA, which protects the privacy of communications.
-
Email Monitoring Rules
A list of laws governing how and when employers can monitor their employees’ electronic communication.
-
FBI Domestic Security Alliance Council (DSAC)
Modeled on the U.S. Department of State’s Overseas Security Advisory Council, the Domestic Security Alliance Council (DSAC) was created in October 2005 to strengthen information sharing with the private sector to help prevent, detect, and investigate...
-
FBI Fusion Centers
Fusion centers are usually set up by states or major urban areas and run by state or local authorities, often with the support of the FBI. They “fuse” intelligence from participating agencies to create a more comprehensive threat picture, locally and...
-
FBI Internet Crime Complaint Center (IC3) Complaint Reporting Form
Online form for reporting internet fraud such as phishing.
-
FBI Internet Crime Complaint Center (IC3) Prevention Tips
Tips from the FBI for businesses to protect themselves from IT disasters and cyber threats. Information about ransomware, including tips on how to protect against it. Information about business email compromises, including tips on how to protect again...
-
FCC Communications Security, Reliability and Interoperability Council (CSRIC)
The mission of the Communications Security, Reliability and Interoperability Council (CSRIC) is to provide recommendations to the Federal Communications Commission (FCC) to ensure optimal security and reliability of communications systems, including ...
-
FCC Cybersecurity Planning Guide
The Cybersecurity Planning Guide is designed to meet the specific needs of a company using the FCC’s customizable Small Biz Cyber Planner tool. The tool is designed for businesses that lack the resources to hire dedicated staff to protect their busin...
-
FCC Cybersecurity Tip Sheet
The FCC has released a Cybersecurity Tip Sheet, which outlines the top 10 ways for entrepreneurs to protect their companies—and customers—from cyber-attack. This streamlined resource features tips on creating a mobile device action plan and on paymen...
-
FCC Small Business Cyber Planner 2.0
Information technology and high-speed Internet service are great enablers of small business success, but with the benefits comes the need to guard against growing cyber threats. In October 2012, the FCC relaunched the Small Biz Cyber Planner 2.0, an ...
-
Federal Emergency Management Agency (FEMA) Emergency Planning Exercises
The Federal Emergency Management Agency (FEMA), Private Sector Division, Office of External Affairs, introduced a series of tabletop exercises in 2010 as a tool to help private-sector organizations advance their continuity, preparedness, and resilien...
-
FFIEC Cybersecurity Assessment Tool
In light of the increasing volume and sophistication of cyber threats, the Federal Financial Institutions Examination Council (FFIEC) developed the Cybersecurity Assessment Tool to help institutions identify their risks and determine their cybersecur...
-
FTC Tips: CAN-SPAM Act Compliance Guide for Business
The CAN-SPAM Act establishes requirements for commercial messages, gives recipients the right to have companies stop e-mailing them, and spells out tough penalties for violations.
-
FTC Tips: Careful Connections: Building Security in the Internet of Things
The Careful Connections guidance provides advice for businesses about building security into products connected to the Internet of Things, including proper authentication, reasonable security measures, and carefully considered default settings.
-
FTC Tips: Children’s Online Privacy Protection Rule Six-Step Compliance Plan For Your Business
This compliance guidance is a step-by-step plan for determining whether a company is covered by the Children’s Online Privacy Protection Act, and it guides companies on how to comply with the rule.
-
FTC Tips: Complying With the FTC’s Health Breach Notification Rule
This guidance helps businesses complying with the Federal Trade Commission’s (FTC’s) Health Breach Notification Rule specifically determine whether they are covered by the rule and what they must do if they experience a breach of personal health reco...
-
FTC Tips: Disposing of Consumer Report Information Rule
This guidance provides information on how companies can comply with the Disposal Rule, which requires companies to take steps to securely dispose of sensitive information derived from consumer reports once they are finished with it.
-
FTC Tips: Fighting Identity Theft With the Red Flag Rule Guide For Business
This guide provides businesses with tips to determine whether they need to design an identity theft prevention program.
-
FTC Tips: Information Compromise and Risk of Identity Theft Guidance For Your Business
These days, it is almost impossible to be in business and not have personally identifying information about customers or employees. If this information falls into the wrong hands, it could put them at risk for identity theft. This guidance provides b...
-
FTC Tips: Mobile Health Apps Interactive Tool
This interactive tool can help businesses determine which federal rules may apply when they are developing a health app for mobile devices.
-
FTC Tips: Mobile Health Providers Best Practices
When developing a health app, sound privacy and security practices are key to consumer confidence. These FTC best practices should help businesses build privacy and security into their apps. These practices also can help companies comply with the FTC...
-
FTC Tips: Peer-To-Peer File Sharing Guide For Business
Most businesses collect and store sensitive information about their employees and customers. This guide provides businesses using Peer-to-Peer (P2P) file-sharing software with the security implications of using such software and ways to minimize the ...
-
FTC Tips: Protecting Personal Information Guide For Business
This guide provides practical tips for businesses on creating and implementing a plan for safeguarding personal information.
-
FTC Tips: Start With Security Guide For Business
This guide offers 10 practical lessons that businesses can learn from the FTC’s 50-plus data security settlements. Lessons include suggestions like “Start with security,” “Control access to data sensibly,” and “Require secure passwords,” each complet...
-
Guidance to Assist Non-Federal Entities to Share Cyber Threat Indicators and Defensive Measures with Federal Entities under the Cybersecurity Information Sharing Act of 2015
US-CERT strives for a safer, stronger Internet for all Americans by responding to major incidents, analyzing threats, and exchanging critical cybersecurity information with trusted partners around the world. This document provides guidance for inform...
-
ICS-CERT Control Systems Recommended Practices
ICS-CERT offers a list of recommended practices aimed at helping industry understand and prepare for ongoing and emerging control systems cybersecurity issues, vulnerabilities, and mitigation strategies. ICS-CERT works with control systems manufactur...
-
ICS-CERT Control Systems Training
The Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) offers training in industrial control systems security at the overview, intermediate, and advanced levels, including web-based and instructor-led formats.
-
ICS-CERT Cyber Incident Response and Analysis
The NCCIC Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) offers incident response services to owners of critical infrastructure assets that are experiencing impacts from cyber-attacks. Services include digital media and malware a...
-
ICS-CERT Cybersecurity Evaluation Tool (CSET)
The Cybersecurity Evaluation Tool (CSET), a self-assessment tool, offers assessments of the security posture of industrial control systems.
-
Information Systems Security Association (ISSA)
ISSA is the community of choice for international cybersecurity professionals dedicated to advancing individual growth, managing technology risk and protecting critical information and infrastructure.
-
Information Week: Dark Reading
The Dark Reading site is well known amongst cybersecurity personnel. Along with most helpful items to review, Dark Reading also provides the latest on attacks/breaches and vulnerabilities/threats. The Executive Editor, Ms. Higgins, writes up-to-date a...
-
Infosecurity Magazine
This magazine provides informative cybersecurity information under headings such as Topics, News, Webinars, and Whitepapers. Subscription is free.
-
InfraGard
InfraGard is a partnership between the FBI and the private sector. It is an association of people who represent businesses, academic institutions, state and local law enforcement agencies, and other participants dedicated to sharing information and i...
-
International Council of Electronic Commerce Consultants (EC-Council)
Provides information about the EC Council programs including Certified Ethical Hacker, Security Analyst, Advanced Network Defense and a host of other relevant cyber-security programs. The EC Council is a recognized authority around the globe.
-
International Telecommunications Union — Telecommunications (ITU-T) Standardization
The International Telecommunication Union is a specialized agency of the United Nations responsible for issues that concern information and communication technologies. The Study Groups of ITU’s Telecommunication Standardization Sector assemble globa...
-
ISACA
As an independent, nonprofit, global association, ISACA engages in the development, adoption and use of globally accepted, industry-leading knowledge and practices for information systems. Previously known as the Information Systems Audit and Control...
-
IT Preparedness Tips from the DHS and FEMA for Business on Ready.gov
Tips from the DHS and FEMA for businesses to protect themselves from IT disasters and cyber threats.
-
Microsoft Brochure Templates
Templates for awareness brochures, newsletters, posters, and more.
-
MITRE Publications
MITRE has publications regarding many aspects of cybersecurity and provides tactics, techniques, and procedures to assist ISAOs.
-
Multi-State Information Sharing and Analysis Center (MS-ISAC)
Grant-funded by DHS, the Multi-State Information Sharing and Analysis Center (MS-ISAC) exists to improve the overall cybersecurity posture of state, local, tribal, and territorial governments and is designated as the key resource for cyber threat pre...
-
National Checklist Program (NCP)
The National Checklist Program (NCP) is the US government repository of publicly available security checklists (or benchmarks) that provide detailed low-level guidance on setting the security configuration of operating systems and applications.
-
National Cyber Awareness System (NCAS)
The National Cyber Awareness System produces advisories, alert and situation reports, analysis reports, current activity updates, daily summaries, indicator bulletins, periodic newsletters, recommended practices, a Weekly Analytic Synopsis Product (W...
-
National Cyber Exercise and Planning Program Exercise Team
The NCCIC’s National Cyber Exercise and Planning Program (NCEPP) provides cyber exercise and cyber incident response planning support to all DHS stakeholders. NCEPP delivers a full spectrum of cyber exercise planning workshops and seminars, and condu...
-
National Cyber Security Alliance (NCSA) Online Safety Tips
Tips for businesses to protect themselves from cyber threats while using the internet.
-
National Cyber Security Awareness Month
Recognizing the importance of cybersecurity awareness, the Department of Homeland Security leads National Cyber Security Awareness Month (NCSAM) annually in October. The Department is committed to raising cybersecurity awareness across the nation and...
-
National Cyber-Forensics & Training Alliance
The National Cyber-Forensics & Training Alliance, located in Pittsburgh, consists of experts from industry, academia, and the FBI who work side by side to share and analyze information on the latest and most significant cyber threats.
-
National Cybersecurity Assessment and Technical Services
The NCCIC’s National Cybersecurity Assessment and Technical Services (NCATS) offers cybersecurity scanning and testing services that identify vulnerabilities within stakeholder networks and provide risk analysis reports with actionable remediation re...
-
National Cybersecurity Preparedness Consortium
To fill the cyber security preparedness training and technical assistance gap and to increase cyber security preparedness throughout the nation, five universities have partnered and collaborated to establish the National Cybersecurity Preparedness Con...
-
National Infrastructure Protection Plan
The National Infrastructure Protection Plan (NIPP) provides a framework for collaboration between DHS and the private sector and implements Federal Government policy for improving the Nation’s resilience. It lays out the structural model through whic...
-
National Initiative for Cybersecurity Careers and Studies (NICCS)
The National Initiative for Cybersecurity Careers and Studies (NICCS) portal is a one-stop shop for cybersecurity careers and studies. It connects the public with information on cybersecurity awareness, degree programs, training, careers, and talent ...
-
National Security Cyber Assistance Program (NSCAP)
The National Security Cyber Assistance Program (NSCAP) explores viable approaches to defend against current cyber threats inherent within the cyber domain.
-
National Training and Education Division
The National Training and Education Division (NTED) provides tailored training to enhance the capacity of state and local jurisdictions to prepare for, prevent, deter, respond to, and recover safely and effectively from potential manmade and natural ...
-
NICCS National Cybersecurity Workforce Framework
The National Cybersecurity Workforce Framework is an online resource that classifies the typical duties and skill requirements of cybersecurity workers. It is meant to define professional requirements in cybersecurity, much as in other professions su...
-
NIST Framework For Improving Critical Infrastructure Cybersecurity
Created through collaboration between industry and government, the Framework for Improving Critical Infrastructure Cybersecurity consists of standards, guidelines, and practices to promote the protection of critical infrastructure. The prioritized, f...
-
NIST Interagency Report 7621—Small Business Information Security: The Fundamentals
Small businesses are a very important part of the economy and a significant part of the critical U.S. economic and cyber infrastructure. Because larger businesses have been strengthening information security with significant resources, technology, pe...
-
NIST Special Publication 800-122: Guide to Protecting the Confidentiality of Personally Identifiable Information (PII)
This document by the National Institute of Standards and Technology (NIST) uses a broad definition of PII in order to identify as many potential PII sources as possible in order to protect this information.
-
NIST Special Publication 800-150: Guide To Cyber Threat Information Sharing
This draft guide provides guidelines for establishing, participating in, and maintaining cyber threat information sharing relationships. The publication describes the benefits and challenges of sharing, the importance of building trust, the handling ...
-
NIST Special Publication 800-36: Guide To Selecting Information Technology Security Products
The selection of information technology security products is an integral part of the design, development, and maintenance of an infrastructure that ensures confidentiality, integrity, and availability of mission-critical information. NIST Special Pub...
-
Penetration Testing and Cybersecurity Exercise Tools by Kali
A Linux package built explicitly for learning about cybersecurity and penetration testing.
-
Regional Consortium Coordinating Council (RC3)
RC3 is a consortium composed of regional groups engaged in partnering functions in support of resilience, all-hazards planning and coordination, training, cybersecurity, and other resilience projects and initiatives. RC3 supports its member organizat...
-
Security Intelligence
This site provides important webinars on subjects covering a spectrum from data protection technologies to identity governance. Webinar registration is free.
-
Security Policies by Sans.org
Templates which businesses can use to develop their own security policies.
-
STIX, TAXII, and CYBOX
The Structured Threat Information Expression (STIX), Trusted Automated Exchange of Indicator Information (TAXII), and Cyber Observable Expression (CYBOX) tools are an open community-driven effort and a set of free, available specifications that help ...
-
U.S. Security Awareness
Dedicated to increasing security awareness among the general population and the technology community. Basic Security is aimed at the average person, Advanced Security is aimed at technologists, senior management and legislators involved in security a...
-
US-CERT and ICS-CERT National Cyber Awareness System
Alerts, bulletins, tips, and technical documents are published by ICS-CERT and US-CERT. ICS-CERT and US-CERT also provide response support and defense against cyber attacks for the Federal Civil Executive Branch and facilitate information sharing and...
-
US-CERT Cyber Resilience Review (CRR)
The Cyber Resilience Review (CRR) is a no-cost, voluntary, nontechnical assessment to evaluate an organization’s operational resilience and cybersecurity practices. The CRR may be conducted as a self-assessment or as an on-site assessment facilitated...