Request For Comment
The request for comment period for this draft concluded on Friday, June 17, 2016. All comments were reviewed and adjudicated by working groups. Comments received after the June 17 deadline may be included in future adjudication and revision periods.
This document, and its separate sections, is designed to take into consideration the different types of ISAOs that may be formed and the various levels of capabilities each may incorporate. It provides an overall organized approach to developing the various documents pertinent to ISAOs, while considering the immediate needs of emerging ISAOs. Individual Standards Working Groups will develop and refine specific sections of this document in coordination with other SWGs as directed by the ISAO Standards Organization, and will consider how each section must fit into the larger picture defining the creation and operation of an ISAO.
Submitted Comments
The ISAO SO invited the public to provide comments on this document from May 3 – June 17, 2016. The line reference and comment fields listed below are the exact contents as submitted by the commenter.
Line Reference | Comment | Disposition |
---|---|---|
12 | Add an Insurance Construct and Governance as well | Accepted |
12-340 | Though lines 106 and 107 explain that this is a description of a “fully capable” ISAO, the Governance section (lines 122 - 340) could seem really overwhelming to a smaller/simpler ISAO. Maybe a section with minimum suggested requirements. | Accepted |
55-59 | The description of "public health and safety" is part of the Preparedness, Response, and Recovery because prior to and after an "Incident" there is a level of PTSD and Behavioral Health issues that occur. (x5) Steps of Grieving due to a disruption of "normal life activities." | Rejected |
55,56 | Choice of wording. "public health and safety" seems like a secondary concern (for ISAOs) to security which should be the focus and listed first. | Accepted |
84-86 | The inclusion of the entities should always be stated, Public, Private, and Academic. | Accepted |
93, 472 | What is the definition of a member of an ISAO? To clearly understand what kind of organizations can form an ISAO or be a part of an ISAO, it is important to provide a definition of the term "member". Furthermore, defining the term member is important to clearly establish that a wide range of organizations can be an ISAO; for example, a single company ISAO that shares information through its products and services with customers would not have “members” but "customers". | Under Review |
99 & 100 | Should these 2 lines be bullets? | Under Review |
105 | Should the ISAO and ISAC be similar in foundational operations that include all (x16) Sectors of the critical Infrastructure protection? | Rejected |
106 | What is meant by "fully capable" versus "capable"? Are there different levels of the ISAO's core foundations based on the "expertise" of each member or organization? Who deems each member or organization "fully" capable? The tools/techniques used in each of the (x16) Critical Sectors should already be understood by the Public, Private, Academic representatives as proven "capable." | Accepted |
106 | Will the ISAO be facilitated the same as the ISACs to include a Lexicon? | Accepted |
107 | To include governance regarding Legal and Insurance compliance guidelines. | Under Review |
109 | Suggest using "or" (disjunctive) in enumerating different activities of ISAOs (collect, share, analyze information, provide recommendations as to what to do with the analyzed information received) to account for varying degrees of capabilities among entities who will form or certify as an ISAO and varying needs of organizations. For example, some organizations will only receive threat indicators, others may only share indicators with other organizations. There will be organizations that will lack resources and/or expertise to make use of cyber threat information and may hire third party providers to use the information on their behalf. Recommend implementing throughout the document. | Accepted |
115, 416 | Sharing of information is an important element of a comprehensive cybersecurity strategy but in itself won't make members of ISAOs more secure. | Accepted |
117 | And include guidelines for Legal and Insurance to assist in Preparedness, Response, and Recovery. | Under Review |
118 | Should the aggregating information from ISAO's be in alignment with ISAC for each Sector? | Rejected |
121, 430, 460, 472, 489, 500, 510 | Many of the governance issues are not applicable to or inconsistent with the concept of a single company ISAO that shares information with its customers through products and services. In these ISAOs many of the governance issues listed will be governed by internal legal and policy instruments. Recommend recognizing in the document that this is informative guidance which may or may not be implemented depending on individual circumstances of an ISAO. This is important to accommodate a wide set of entities that can form an ISAO as described in EO 13691. | Accepted |
125 | Add "approved-list" of virtual secured sites for communications (i.e. Google Drive, Drop Box, Go-To Meeting, Conference America) | Rejected |
144-147 | What Cyber Insurance Policy will be associated with the ISAO? Who will be monitoring the NDA/Security agreements within the ISAO? Will the ISAO's operational/logistical model follow the ISACs? | Rejected |
157 | Add Academic Institutions and remove generic "institutions". What about USA "Coalition Allies/Partners with Foreign Investments?" | Under Review |
165 | Remove "Classes"; keep "Categories of Members" (note per Behavioral Health) | Accepted |
171 | Definitely have an NDA / Membership Agreement to support the "safe sharing" culture. | Accepted |
172 | Membership Fees (Dues) appropriately affordable to the Organization / Sole Proprietor's thresholds of business (Fortune 500, Mid-Size, 8A, Independent Consultants) | Accepted |
178 | Conflict Resolution items should be covered under the "Code of Conduct" but have separate protocols. | Rejected |
343 | In the section on service offerings, it is important to recognize varying degrees of capabilities among entities and varying needs of organizations. For example, some mature ISAOs will be able to conduct all the activities listed in service offerings, some will only have resources and capabilities to conduct some of them, and some will hire third party providers to execute some or all of these activities on their behalf. The recognition of the varying degrees of capabilities of an ISAO will likely encourage a wider range of organizations to join the ISAO ecosystem and fulfill the objective of EO 13691 of a robust market for information sharing. | Accepted |
354 | The list of types of ISAOs fails to consider the full range of ISAO models, which could range from small, community-based organizations to highly capable for-profit, single company ISAOs as envisioned by EO 13691. | Accepted |
398 | Insert after line 398--INFORMATION ANALYSIS. The document includes various steps in the information sharing lifecycle such as information sharing, collection, and dissemination, but fails to acknowledge important steps in information analysis. Recommend including the following section pertaining to information analysis: * Relate indicators to business functions and risk * Relate activities to attack life cycle * Heuristics and accuracy; true positives and false negatives * Define functional analysis (how, when, scope) * Reactive reporting (post-mortem to an incident) * Pro-active reporting (assessments) * Frequency of reporting and depth of information detail * Feedback to verify assessments | Accepted |
417 | Various organizations, even within the same ISAO, can have varying information sharing needs, and information sharing may have a different role in their risk management strategy. For instance, in a geographically-based ISAO, geography might be the only common denominator between organizations who participate in the ISAO. Recommend making "information sharing problem" plural to acknowledge the possibility of the existence of several problems information sharing is aimed to solve for a given ISAO. | Under Review |
432 | While it is important to pre-determine the set of data an ISAO will be gathering to address a threat, gathering threat intelligence not related to a certain attack or threat might be needed from a long term perspective for larger situational awareness about threats, to establish trends, patterns, etc. Suggest acknowledging this principle. | Accepted |
533 | Will this Lexicon be similar to the ISAC's for each (x16) Critical Infrastructure? | Rejected |