New standards coming for ISAOs

There are no common standards for data collection and dissemination at private-sector cybersecurity information sharing groups, but that is expected to change soon.

Shutterstock image.
 

A group charged with developing standards around information sharing announced Nov. 1 that it will be releasing a draft plan later this month to establish a voluntary self-certification process and criteria for Information Sharing and Analysis Organizations.

Greg White, speaking on behalf of the ISAO Standards Organization at the International Information Sharing Conference in Washington, D.C., said the plan will be released in mid-to-late November 2017. The organization is concerned that there are little to no standards for information sharing groups to ensure that the data they are sharing is high quality and trustworthy.

"Right now, anybody who wants to can call themselves an [Information Sharing and Analysis Center] or an ISAO, and there's nothing stopping them," White said.

He described the plan as "skeletal" and said the organization will be looking to get feedback from the public and stakeholder organizations.

"Roughly what we imagine … is something like a self-certification [followed by] some sort of baseline certification and then potentially some additional certifications based on specific services and capabilities beyond that," White said.

He said that voluntary self-certification on its own would not do much to engender greater trust among the wider public, so the organization also floated the possibility of an additional baseline certification process conducted by an independent third party to confirm that an organization is sticking to its own stated guidelines.

"Baseline certification would be a third-party organization coming along and saying, 'Yea, verily, looks like you are indeed doing that,' and boom you get the stamp of approval," White said.

Detailed criteria for the draft plan will be drawn in part from a recently released report on foundational services and capabilities for ISAOs, and White told FCW that the group is focusing in particular on sections related to collection, analysis and dissemination of information.

The ISAO Standards Organization was established through the 2015 executive order 13691. Members of the organization were selected by the Department of Homeland Security to establish standards for cybersecurity information sharing organizations.

The group is made up of officials from the University of Texas at San Antonio, LMI and the Retail Cyber Intelligence Sharing Center.