ISAO SO Product Outline
Draft Document – Request For Comment
ISAO SO – 2016 v0.2

ISAO Standards Organization
Dr. Greg White, Executive Director
Rick Lipsey, Deputy Director
May 2, 2016

Copyright © 2016 ISAO SO (Information Sharing and Analysis Organization Standards Organization). Any part of this publication may be distributed, posted, reproduced, stored in a retrieval system, or transmitted in any form or by any means without the prior written permission of the copyright owner.

TABLE OF CONTENTS
Purpose and Use
Introduction
Problem Statement
What Is an ISAO?
Explanation and Examples
Categories of ISAOs (SWG 2)
ISAO Support for Organizations (SWG 2)
Value Proposition
Products
Governance (SWG 1)
Service Offerings / ISAO Capabilities (SWG 2)
Operating Models / Types of ISAOs (SWG 2)
Information Sharing Policy (SWG 3)
Information Collection and Dissemination (SWG 3)
Sharing Models and Mechanisms (SWG 3)
Models
Mechanisms
Security of Data and Systems (SWG 4)
Funding Models (SWG 1)
Start-Up Activities / Key Planning Factors (SWG 1)
Partnerships and Support (SWG 5)
Government Relations (SWG 6)
Appendix

PURPOSE AND USE

This outline serves as a unifying framework to identify and organize the topics to be addressed by the ISAO Standards Organization (ISAO SO). These topics were identified through a series of public meetings and data calls and will be refined through the work of the ISAO SO’s Standards Working Groups (SWGs). Topics may be addressed through statements of principle, policies, process descriptions, guidelines, templates, data standards, and other products. The sequence of document development and publication will be determined by the ISAO SO in consultation with the SWG chairs. While these source documents will ultimately be consolidated or synopsized to appear in a single volume for ease of reference, they will each be released as they are developed to meet the urgent needs of private and public organizations to improve their cybersecurity posture through effective information sharing and analysis.

Many of these topics will require inputs from multiple SWGs to ensure the cohesion of the complete body of work. The designation of a specific SWG or the ISAO SO in the outline below implies responsibility to consolidate applicable inputs to address the topic.

INTRODUCTION

The importance of information sharing to computer security has been discussed for well over a decade. Early realization of its importance led to the creation of Information Sharing and Analysis Centers (ISACs) for the nation’s critical infrastructures. In February 2015, the White House issued Executive Order (EO) 13691, “Promoting Private Sector Cybersecurity Information Sharing,” which called for the Secretary of the Department of Homeland Security (DHS) to “strongly encourage the development and formation of Information Sharing and Analysis Organizations (ISAOs).” These new entities could be “organized on the basis of sector, sub-sector, region, or any other affinity,” which greatly expanded the number and type of information sharing organizations that will be developed. To help with their establishment, EO 13691 directed DHS to “enter into an agreement with a nongovernmental organization to serve as the ISAO Standards Organization” (ISAO SO).

In developing the standards, guidelines, and other documents that are needed to help entities create and operate ISAOs, the ISAO SO established a number of Standards Working Groups. These groups were created to address specific areas pertinent to creating or operating ISAOs. When developing the various documents, the SWGs must consider the two overarching efforts important to ISAOs: the sharing of cybersecurity information and the analysis of the information that has been shared. The purpose of these efforts is ultimately to improve the Nation’s ability to “detect, investigate, prevent, and respond to cyber threats” while protecting the privacy and civil liberties of citizens.

To accommodate the expanded list of entities that can form ISAOs described in EO 13691, there will be different types of ISAOs with different objectives and capabilities. There will also be varying levels of organizations within the ISAOs, and there may be commercial entities that form to provide services to ISAOs. Some ISAOs may be formed on a very informal basis and may have little or no desire to collect and analyze the information in near-real time for its members. Other ISAOs may be highly interested in near-real time analysis and dissemination of actionable information to better protect its members and may have as an objective the ability to help respond to security incidents affecting its members.

Additionally, an ISAO may initially form with limited objectives and target capabilities but then evolve over time to increase its ability to assist its members by adding additional capabilities and objectives. For example, an ISAO may initially be created to simply share cybersecurity-related information among security professionals in its member organizations, then increase the type and frequency of information it shares and add the capability to analyze shared information to better detect and prevent cybersecurity attacks, then ultimately add a 24/7 operational capability to assist its members with ongoing cybersecurity incidents. Conversely, an ISAO may elect to maintain limited capabilities to best serve the needs and capabilities of its constituents. The goal of the ISAO SO is to be as inclusive as possible in finding a place for any individual or organization that wishes to be part of the Nation’s overall information sharing effort.

This product outline is designed to take into consideration the different types of ISAOs that may be formed and the various levels of capabilities each may incorporate. It presents an organized approach to developing the various documents pertinent to ISAOs while considering the immediate needs of emerging ISAOs. Individual SWGs will develop and refine specific products in coordination with other SWGs, as directed by the ISAO SO, and will consider how each product must fit into the larger framework defining the creation and operation of an ISAO.

PROBLEM STATEMENT

EO 13691 clearly lays out the problem that is being addressed by the creation of a network of ISAOs. It states:

    In order to address cyber threats to public health and safety, national security, and economic security of the United States, private companies, nonprofit organizations, executive departments and agencies, and other entities must be able to share information related to cybersecurity risks and incidents and collaborate to respond in as close to real time as possible.

    Organizations engaged in the sharing of information related to cybersecurity risks and incidents play an invaluable role in the collective cybersecurity of the United States. The purpose of this effort is to encourage the voluntary formation of such organizations, to establish mechanisms to continually improve the capabilities and functions of these organizations, and to better allow these organizations to partner with the Federal Government on a voluntary basis.

    Such information sharing must be conducted in a manner that protects the privacy and civil liberties of individuals, that preserves business confidentiality, that safeguards the information being shared, and that protects the ability of the Government to detect, investigate, prevent, and respond to cyber threats to the public health and safety, national security, and economic security of the United States.

To address this problem effectively will require more than just establishing a number of disparate information sharing organizations. It will require a coordinated effort that effectively identifies and considers the existence and ongoing formation of ISAOs to understand where information sharing is occurring and its impact. Additionally, the undertaking needs to consider how the efforts of individual ISAOs can be combined into an overarching information sharing network for the Nation to improve the cybersecurity resiliency of participants. The effort must be as inclusive as possible, appropriately incorporating vetted information from multiple sources. Due consideration must be given to determining the level of trust that can be placed in such information, which requires that the national effort address issues such as trust, reliability, and information overload.

WHAT IS AN ISAO?

The term “Information Sharing and Analysis Organization,” or ISAO, means any entity or collaboration created or employed by public- or private-sector organizations for purposes of:

• gathering and analyzing critical cyber and related information in order to better understand security problems and interdependencies related to cyber systems, so as to ensure their availability, integrity, and reliability;

• communicating or disclosing critical cyber and related information to help prevent, detect, mitigate, or recover from the effects of an interference, compromise, or incapacitation problem related to cyber systems; and

• voluntarily disseminating critical cyber and related information to its members, federal, state, and local governments, or any other entities that may be of assistance in carrying out the purposes specified above.

NOTE: This definition was coordinated with SWG chairs in late February 2016 but will be refined in concert with standards development deliberations.

EXPLANATION AND EXAMPLES

• ISAOs consolidate, analyze, and distribute cyber information to their members.
• Overview of ISAO categories and capabilities.

CATEGORIES OF ISAOS (SWG 2)

ISAO SUPPORT FOR ORGANIZATIONS (SWG 2)

While recognizing there is no single description of capabilities that will fit all ISAOs, it is important to consider a description of the functions that a “fully capable” ISAO will have to support its members. This discussion will help emerging ISAOs determine the capabilities and objectives they wish to develop—keeping in mind that the initial set of objectives and capabilities may evolve as the ISAO matures.

A fully capable ISAO will provide a variety of services to support its members. These services, and the capabilities that are needed to provide them, should be designed to support ISAO members as they manage strategic and tactical cyber-related risks. The type of support can be grouped into three broad categories, with some overlap between them. These categories are:

• Situational awareness: ISAO members need to understand both the tactical and strategic aspects of the environment in which they are managing risks. This support includes activities to collect and share information, analyze it, and recommend what to do with it.

• Decision-making: ISAOs need to disseminate actionable information that will enable their members to make decisions related to their current security posture and allocation of security and IT resources. This support involves receiving information, establishing its relevance to the organization, assessing potential impacts, identifying potential actions, and selecting the best course of action.

• Actions: ISAO members ultimately will take actions based on received information and analysis. Organizations will develop detailed actions and assign responsibilities, implement the actions, and evaluate their effectiveness, providing feedback for further consideration.

For each type of support, individual members or organizations will have responsibilities addressing their own needs as well as responsibilities to the ISAO. The ISAO, in turn, also has responsibilities for each of these categories that address the ISAO membership as a whole.

VALUE PROPOSITION

ISAOs offer the following benefits to their members and other ISAOs:

• An informative set of cybersecurity threat indicators and best practices provided by ISAOs will make individual members more secure.

• ISAOs implemented in accordance with a consistent yet flexible framework can replicate and extend current trust relationships by establishing a common, shared set of values and expectations.

• Members enhance their knowledge about how to protect themselves from, detect, and react to cyber threats.

• By aggregating information from multiple organizations, ISAOs present a richer picture of malicious activity taking place around the country and the world. Member organizations can use this enriched information to improve their individual and collective security, blocking attacks they would not have seen otherwise.

• ISAO members can carry out effective and timely responses if they discover unauthorized intrusions.

PRODUCTS

The following sections list areas of support and the products that the ISAO SO or SWGs (identified in parentheses) will develop.

GOVERNANCE (SWG 1)

• Charter/legal construct
• For-profit and not-for-profit considerations
• Single-company ISAOs
• Conditions under which information is shared (SWG 3)
• Code of conduct
• Participation guidelines
• Common lexicon
• Legal framework for sharing
• ISAO contracts and agreements, including non-disclosure agreements
• Membership qualifications
• ISAO certification (multiple types)
• Process for handling, storing, and sharing personally identifiable information (SWG 4)
• Intellectual property rights
• Member outreach by the ISAO
• Compliance and separation policy (SWG 4)
• Interaction of member organizations
• Information sharing concept and rules of the road (SWG 3)

SERVICE OFFERINGS / ISAO CAPABILITIES (SWG 2)

• Vulnerability management
• Best practices library
• Situational awareness
• Threat warning / actionable intelligence
• Operational support and assistance
• Support for incident response and recovery
• Risk management
• Information management and analysis
• Trusted information sharing and collaboration environment services

OPERATING MODELS / TYPES OF ISAOS (SWG 2)

• Categories of ISAOs
  - Risk-based (e.g., ecosystem-wide vulnerability)
  - Threat-based (general or specific; either methods or individual actors)
  - Individuals and informal group-based
  - Industry- and sector-based
  - Geographically based
  - Technology-based
  - Issue-based
  - Limited time or special event-driven
  - Clearinghouse versus membership
• Structuring ISAOs (for state, local, sector, etc.)
• Outsourcing analysis considerations
• Scaling of ISAOs
• Operational cost of ISAO based on ISAO maturity/capability

INFORMATION SHARING POLICY (SWG 3)

• Use of shared information
• Prioritization of information for exchange
• Vetting of data and information received
• Ownership of information
• Liability of sharing information
• Minimizing data shared
• Anonymity of data shared
• Anonymity of information sources
• Integrity of information shared
• Framework for sharing between ISAOs
  - One-way information sharing
  - Two-way information sharing
  - Information sharing networks
• Procedures for capability for real or near-real time exchange
• Handling sensitive information (SWG 4)
• Handling classified information (SWG 4)
• Privacy protections (SWG 4)
• Considerations when sharing with the federal government (SWG 6)
• International considerations (SWG 6)

INFORMATION COLLECTION AND DISSEMINATION (SWG 3)

• Process to identify what’s important to members
• Data model for sharing information
• Level of analysis to be provided
• How to get companies to share
• Triggers for sharing
• Effective information control policies or principles

SHARING MODELS AND MECHANISMS (SWG 3)

MODELS

• Mesh network
• Hub and spoke
• Publish-subscribe
• Peer to peer
• Flooding
• Portal

MECHANISMS

• Face to face
• Telephone
• Email listserv
• Website postings
• Automated: primary indicator and defensive measures, then follow-on information

SECURITY OF DATA AND SYSTEMS (SWG 4)

• Infrastructure (on premises and cloud)
• Member anonymity
• Data and dissemination assurance
• Distribution discrimination

FUNDING MODELS (SWG 1)

• Membership
• Subscription
• For profit
• Non profit

START-UP ACTIVITIES / KEY PLANNING FACTORS (SWG 1)

• Establishing the ISAO’s purpose and strategy
• Standard criteria and terminology
• ISAO contracts and agreements
• Member outreach by the ISAO
• Marketing the ISAO
• Membership benefits
• ISAO staff certifications and qualifications
• Core components of ISAO trust requirements, business
• Information sharing procedures, process, and standards
• Business plans, organizational structures, roles, and responsibilities
• Definition of ISAO service offering
• Creating ISAO capabilities and structure
• Operating a new ISAO
• Measures of effectiveness

PARTNERSHIPS AND SUPPORT (SWG 5)

• Peer relationships and inter-ISAO collaboration
• Relationships with national, tribal, and regional entities (SWG 6)
• Mentoring
• ISAO SO support (ISAO SO)
• Commercial industry support
• Government programs (SWG 6)

GOVERNMENT RELATIONS (SWG 6)

• Partnership with the government: information exchange and collaboration
• Law enforcement liaison
• Information sharing and regulator relations
• Protections when sharing with regulators

APPENDIX

• Definitions
• References