Very few businesses could say their Cybersecurity program wouldn’t benefit from assistance or information sharing with external organizations. The federal government has heard the need for help and developed two different efforts towards these ends, the Information Sharing and Analysis Center (ISAC) and the Information Sharing and Analysis Organizations (ISAO).
The ISAC is the older of the partnership organizations, being signed into existence with President Clinton issuing a “Presidential Decision Directive” in 1998. The ISAC is an industry specific non-profit organization, coordinated at the top level with the Federal office of the National Coordinator. Their goal is to gather and share information on cyber-threats against critical infrastructure. ISACs also work to facilitate the sharing of data between public and private sector groups.
The ISAO had its origin on February 15th, 2015 with President Obama issuing the presidential order entitled “Promoting Private Sector Cybersecurity Information Sharing”. The ISAO functions to promote voluntary cyber threat information sharing within industry sectors. To this end, Obama’s executive order directed the U.S. Department of Homeland Security (DHS) to encourage development of ISAOs for private companies, non-profits, government departments, and state, regional and local agencies.
Overview – There are 25 ISACs in place to work with organizations in different sectors, helping them understand the threats and how it could affect their specific operations. https://www.nationalisacs.org/member-isacs.
The first part of the original Presidential Order (PDD-63) states:
“Information Sharing and Analysis Center (ISAC): The National Coordinator, working with Sector Coordinators, Sector Liaison Officials and the National Economic Council, shall consult with owners and operators of the critical infrastructures to strongly encourage the creation of a private sector information sharing and analysis center. The actual design and functions of the center and its relation to the NIPC will be determined by the private sector, in consultation with and with assistance from the Federal Government. Within 180 days of this directive, the National Coordinator, with the assistance of the CICG including the National Economic Council, shall identify possible methods of providing federal assistance to facilitate the startup of an ISAC.(Clinton, 1998)
Many of these ISACs will develop specialized tools to help secure organizations, as well as provide information about threats that the specific sector might need to consider. For example, the Healthcare based ISAC might share information about vulnerabilities with specific medical devices.
ISACs and ISAOs offer significant benefits to SMBs. We encourage businesses of all sizes to seek out those in their sector for threat and other information to enhance their security posture.