Request For Comment
The request for comment period for this draft concluded on Friday, June 17, 2016. All comments were reviewed and adjudicated by working groups. Comments received after the June 17 deadline may be included in future adjudication and revision periods.
Measures to protect privacy are critical to ensure that the cyber threat information ISAOs and their members share shields private or sensitive information from unauthorized disclosure. ISAOs that choose to work with the U.S. Department of Homeland Security will have other privacy-related requirements to review as well, in addition to existing regulatory and legal privacy requirements at the state, local, federal, and international level. This draft document lays out the initial types of privacy-related issues that ISAOs should consider and discuss with their membership.
Submitted Comments
The ISAO SO invited the public to provide comments on this document from May 3 – June 17, 2016. The line reference and comment fields listed below are the exact contents as submitted by the commenter.
Line Reference | Comment | Disposition |
---|---|---|
General | Many excellent points for consideration. The SWG should consider development of checklists or templates to facilitate satisfying privacy needs | Rejected |
General | These comments were submitted by The InfraGard National Capital Region Members Alliance (INCRMA), Regulatory & Policy Working Group, whose members hail from both government and industry. The InfraGard National Capital Region Members Alliance (INCRMA) is an alliance with the FBI's Washington Field Office and individuals committed to protecting the nation's critical infrastructure. Our chapter has the same footprint as the FBI field office with which we are aligned - Washington, DC and northern Virginia. Our mission is to improve and extend information sharing between critical infrastructure stakeholders, in both the private and public sectors, with the government, particularly the FBI, to protect those infrastructure assets from physical and/or cyber attack. As a result of this exchange, timely information and intelligence is delivered, investigations are initiated and/or enhanced, vital economic and national security assets are protected, and lasting relationships are formed between law enforcement and infrastructure owners/operators. | Rejected |
General | Will the ISAOs have access to classified information, for example if they are targeted by state-sponsored attacks? If so, how will they be vetted? | Deferred |
4 | Some ISAOs will also engage in analyzing the information. Suggest adding “analysis” to the list of activities ISAO can engage in. | Accepted |
13 | Suggest using "or" (disjunctive) in enumerating different activities of ISAOs (receive, retain, use, and disseminate cyber threat indicators) to account for varying degrees of capabilities among entities and varying needs of organizations. For example, some organization will only receive threat indicators, other may only share indicators with other organizations. There will be organizations that will lack resources or/and expertise to make use of cyber threat info and may hire third party providers to use the information on their behalf. Recommend to implement throughout the document. | Accepted |
19 | In a single company ISAO that shares information through its products and services with its customers, processes and procedures for privacy protections will be likely driven by company's legal and privacy statues. This should be recognized. Additionally, many organizations who will either become an ISAO or participate in an ISAO will likely have established processes and procedures for privacy protection. If these processes and procedures comply with existing privacy laws, organizations should not be compelled to establish new/additional processes and procedures. This should be also recognized in the privacy guidance. | Accepted |
24 | Recommend providing definition for "permitted information" as this is not an established term used in cybersecurity context. | Rejected |
38-51 | In this passage it may also be worth calling out other forms of protected information such as PHI (HIPAA is already cited) and Customer Proprietary Network Information (CPNI), as well as the ECPA statutes for protecting email communications. Also, when sharing information with DHS, the existing mechanisms for additional measures to protect Protected Critical Infrastructure Information (PCII) can be used. (Arguably, CPNI and PCII fit better into the Security document than the Privacy document because they do not necessarily pertain to individual privacy, but they should be called out in one place or the other.) | Accepted |
66 | Suggest that this principle takes into considerations that ISAO members' internal procedures and processes will govern what an organization can share from privacy standpoint and they will not be able to follow ISAO's instructions in this area. Suggest recognizing this in the guidance. | Accepted |
72 | Why just "state privacy laws?" Many privacy laws are federal. Recommend omitting "state" from this principle. | Accepted |
74 | Add hashing to segmentation and review of PII. The process should be comprised of review, redaction and hashing. Hashing enables to identify that a field in one IOC is identical to a field in another IOC, even if it would otherwise constitute PII. | Accepted |
81 | The guidance is focused on sharing with DHS. The guidance should recognize the existence of other government and agency-led information-sharing programs as they may be of interest for ISAOs or member organizations active in a particular sector, for example Department of Energy's Cybersecurity Risk Information Sharing Program (CRISP). | Rejected |
142 | This principle appears redundant as they data will be anonymized prior to distribution. | Accepted |
145 | The requirement for an ISAO to develop technology or the ability to audit access to databases containing PII may be a burdensome requirement for smaller organizations who may lack expertise or resources to fulfill this requirement. A possibility of procuring this service should be acknowledged. | Accepted |
151 | While it is important to pre-determine a set of data ISAO will be gathering to address a threat, gathering threat intelligence not related to a certain attack or threat might be needed from a long term perspective for larger situational awareness about threats- to establish trends, patterns, etc. Suggest omitting the word "directly" to accommodate a larger set of threat data. | Accepted |
166 | The extent to which an organization will cooperate with law enforcement will be governed by each ISAO member's internal policies, especially if a member is an industry player. Determinations of collaboration with law enforcement are also likely made on case by case basis. Suggest removing this principle. | Accepted |