Request For Comment
The request for comment period for this draft concluded on Wednesday, March 28. All comments are currently under review and adjudication by working groups. Comments received after the March 28th deadline are welcomed and may be included in future adjudication and revision periods.
Appendix A of the ISAO 100-2 publication introduced a list of several services and capabilities that an ISAO could perform as baseline offerings. Those services and capabilities were categorized as Foundational, Advanced, and Unique. The purpose of this document is to assist ISAOs by providing a more in-depth review of the foundational services and capabilities of an ISAO: collecting information, disseminating information, facilitating member sharing, analyzing information, and surveying members. This in turn will give ISAOs a better understanding of how they can operationalize the technical, analytical, and personnel resources that are built around those capabilities and services.
The document is structured to begin with the simpler capabilities and services and progress to those that are more challenging, so that ISAOs further along in their evolution can navigate directly to the area of the document appropriate for their current situation. Additionally, collection and dissemination have been split into separate services and capabilities, and each has its own chapter: after evaluating the processes and technologies for collection and dissemination, WG2 felt that each was distinct enough to be an independent service and capability.
Submitted Comments
The ISAO SO invited the public to provide comments on this document from March 13, 2018 – March 28, 2018. Both fields listed below (line number and comment) are the exact contents as submitted by the commenter.
Line Reference | Comment | Disposition |
---|---|---|
9 | insert "that ISAOs could voluntarily choose to provide" | Partial Acceptance |
18 | voluntarily choose to provide, at the request of its members, | Partial Acceptance |
18 | What are baseline offerings? Wouldn't that "baseline" differ for each ISAC/ISAO? Recommend to delete. | Partial Acceptance |
20 | These are not "capabilities of an ISAO," but rather products and services they can provide to members. The term is used to describe the capability, not the ISAO. Would prefer something that says "foundational services and capabilities ISAOs could choose to provide to their members" or some such thing. | Partial Acceptance |
22-23 | Please re-phrase so that it reads: "This will help ISAOs effectively manage their resources and implement programs, policies and services that meet the needs of their members." or something similar. | Partial Acceptance |
25-27 | I think I understand the intent here, but not all ISAOs will want to "progress" and there is no need for them to do so if they are meeting the needs of their constituents. | Rejected |
44 | delete this term and insert "an organization's" since a survey helps with all aspects of an ISAO, not just foundational services. | Partial Acceptance |
134-135 | Are we sure of this? Printing surveys, sending them via post, paying for postage out and back, and manually combing through the responses is more cost effective than an online survey? | Partial Acceptance |
150 | How are these disadvantages different from any of the others? Every survey needs willing participants and a statistically valid representation. | Partial Acceptance |
158-159 | Are telephone interviews the most time consuming? Wouldn’t that be face to face? | Partial Acceptance |
229-232 | Are we quoting NIST or Johnson, Badger, et al.? | Partial Acceptance |
235 | Comma can be removed after "reports" and before "and." | Accepted |
236-238 | We can't agree to include this. There are other ways to collect information other than sensors, and saying that an ISAO should deploy these goes beyond a foundational service. In fact, this section does not touch on the "Foundational" items in Appendix A. The list of Foundational Services in Appendix A is: "Facilitate a way for members to share data. Pull or partner on an existing daily report and disseminate via e-mail to the membership. Send out an e-mail survey to determine what members want to see and best format for distribution." Deploying sensors and repositories is beyond foundational. | Partial Acceptance |
243 | This might be true, but not sure this is part of the Foundational services listed in Appendix A. | Rejected |
245 | We might want to explain how it lowers cost to members. Also must note this is well beyond what was listed as Foundational in Appendix A. | Partial Acceptance |
262 | I think we need to include the obvious fact that the more information one has, the more resources it requires to collect, review and analyze the information. | Accepted |
274 | We are well beyond foundational. Appendix A talks about finding blogs and reports, not collecting feeds. | Rejected |
288 | To avoid confusion to the reader, we should focus only on Foundational services and capabilities. | Partial Acceptance |
293-302 | These go well beyond the foundational list in appendix A. | Partial Acceptance |
307-309 | Sentence needs to be re-written to say, “As mentioned previously, information exchanged from members to the ISAO can build trust throughout that entire community.” Or something along those lines. | Accepted |
310 | Re-write, please, to say, "This requires methods, means and sources be vetted by the ISAO." | Accepted |
317-318 | When talking about evaluating systems, it seems to me we again are moving beyond the Foundational capabilities outlined in Appendix A. | Accepted |
319 | Appendix A focused on looking at information (blogs, news reports etc.) and not data. | Rejected |
324 | While this may be true, this is certainly well beyond the foundational services in Appendix A. | Accepted |
327 | Again, auditing data feeds (even setting up data feeds) is not identified as a foundational capability in Appendix A. | Accepted |
328-329 | Not foundational | Accepted |
338-345 | This is well beyond the foundational services identified in Appendix A. Also, ISAO/ISAC incident response likely will be much different than incident response within a specific enterprise. | Partial Acceptance |
352-353 | I have no comment here. Just can't get it to un-highlight. :o) | No Action Required |
361-363 | Other than saying, start small and grow, I'm not certain we provide any real guidance to ISAOs seeking to provide the foundational services identified in Appendix A. We spend too much time talking about capabilities and services that are beyond foundational. | Accepted |
361-363 | A bit of a run-on, should say something along the lines of: "Starting out with too many methods, tools and sources can complicate the process. In turn, reducing the level of service that the ISAC can provide its membership." | Accepted |
373 | Just cyber threat information sharing? | Accepted |
382-385 | Yes, but this is not our purpose. Our purpose is to help ISAOs in understanding how they can provide analysis as a foundational service, if they wanted to do so. For example, the Foundational capability in Appendix A is: Provide a forum for members to discuss and identify common issues and trends. | Rejected |
389-391 | Let's focus this chapter on giving ISAOs the information they need to do this | No Action Required |
402 | Agree, but this is not what Appendix A describes as a Foundational Capability. Appendix A states: "Providing a forum for members to discuss and identify common issues and trends." | Rejected |
478 | Not sure this is Foundational. | Partial Acceptance |
486 | It seems to me content is out of place here. We should include this where we talk about the type of information that can be shared, where we currently just focus on CTI. I think the list of examples here is much closer to what a Foundational capability is than much of the other content in the document. We should focus the dissemination section on helping ISAOs (and their members) share this type of information. | Partial Acceptance |
525 | We need to provide more context to these if this is to be meaningful to our audience. Instead of using only TLP, we should stress the importance of having a policy that details how information is stored, handled, and shared. TLP is an example of a policy related to how information can be shared. | Partial Acceptance |
Figure B-1 | It's a nice graphic, but it goes well beyond foundational and I worry it will scare people away | No Action Required |