A standards organization created by President Barack Obama but led by a non-government group on Friday issued its initial set of voluntary guidelines aimed at improving sharing of cyber threats between and within the public and private sectors.

“The information sharing ecosystem takes a big step forward with Friday’s publications,” Greg White, executive director of the Information Sharing and Analysis Organization Standards Organization (ISAO SO), said in a statement. “The ISAO SO, supported by a dedicated cadre of volunteers, aims to grow the information sharing community and equip it with the tools needed to improve the cyber security posture of all communities of interest across the nation.”

The four new guidelines have fairly basic sounding titles that demonstrate their foundational nature. They are:

· Introduction to ISAOs (ISAO 100-1), which provides an overview of Information Sharing and Analysis Organizations;

· Guidelines for Establishing an ISAO (ISAO 100-2), which is aimed at working through the most critical considerations in creating an effective organization;

· Introduction to Information Sharing (ISAO 300-1), which describes a conceptual framework for information sharing, the types of cyber security-related information an ISAO may want to share, ways an organization can facilitate information sharing, and privacy and security concerns that may need to be addressed;

· And, U.S. Government Relations, Programs, and Services (ISAO 600-2), which addresses relevant federal laws and regulations regarding cyber information sharing within the U.S., including state and local perspectives.

Through the 2015 executive order, Obama directed DHS to “encourage” the establishment of ISAOs as entities that could serve as touch points for information sharing about cyber threats with the private sector and with the federal government. The ISAOs can be sector specific, sub-sector, regional, or other and include members from the public or private sectors or both.

Information sharing about cyber threat indicators and incidents between and among the government and private sector is viewed as a critical factor in combating and mitigating cyber security attacks and breaches. The vast majority of critical infrastructure in the U.S. is owned and operated by the private sector and is the subject of constant cyber attacks.

The idea at the heart of the information sharing regime is that the sooner indicators of threats are shared with other organizations, the more likely it is that the same or similar attack codes can be thwarted.

The Defense Department and DHS have had information sharing arrangements with elements of the private sector for years. DHS, in March, turned on an automated information sharing capability to quickly share threat indicators within the federal government and between the department and industry.

The ISAO SO will host an online public meeting on Oct. 20 to address upcoming publications, as well as a national information sharing conference in 2017.

“These publications provide the cornerstones to build out an information sharing ecosystem at unprecedented scale,” Rick Lipsey, deputy director of the ISAO SO, said in a statement. “However, they are just the beginning. The ISAO SO is helping the community to evolve a consensus-based corporate body of knowledge. We anticipate updating and expanding these guidelines based on feedback from their implementation.”

The guidelines were created through participation of more than 160 experts from industry, government and academia and included input and feedback from the public, White said.