There's been a lot of talk lately about ISACs and industry-wide cybersecurity information sharing. What are the guidelines for getting involved with an ISAC? Is it free? And what commitments are required?
Information Sharing and Analysis Centers (ISACs) can be a valuable source of information for information security managers. The concept originated with the signing of Presidential Decision Directive 63 by President Bill Clinton in 1998. This directive focuses on preventing physical attacks and cyberattacks against critical infrastructure by sharing information between the public and private sectors. The first ISACs were created for industries related to critical infrastructure, such as agriculture, banking, chemical, energy, health care and others. However, there are now some ISACs that focus on specific geographic regions as well.
The costs to participate vary for each group. Costs range from $250 per user account to $25,000 per company. Each company must usually sign a nondisclosure agreement to protect the confidentiality of contributed security information. It's worth noting that a company must be ready to share the type of cybersecurity information described below to get the maximum return on the investment.
The type of cybersecurity information that is shared through the ISAC will be a combination of industry-specific and general threats. Power- and energy-specific ISACs will have shared information specific to that industry and the technology in use, such as SCADA or other automated controls, for example. The general threats that are shared would include attacks on the Internet perimeter or information on types of malware. Many ISACs pushed out advice to members on Conficker, DNS cache poisoning and Anonymous, for example.
Information sharing is usually voluntary, and companies should review any applicable compliance or regulatory requirements before posting their information. The type of information that is shared could include packet captures or system logs. Before submitting these logs, companies should sanitize them of any proprietary or customer information they might contain.
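One way to do the log sanitization described above, as an added example that is not from the original article: internal addresses, internal hostnames and e-mail addresses are replaced with keyed pseudonyms so events still correlate, while external addresses are left intact. The RFC 1918 ranges, the `corp.example` domain, the function names and the sample log lines are assumptions constructed for illustration.

```python
import hashlib
import hmac
import ipaddress
import re

# Assumptions for this example: RFC 1918 ranges count as "internal" and
# corp.example stands in for the organization's own domain.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
INTERNAL_DOMAIN = "corp.example"
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
EMAIL_RE = re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")
HOST_RE = re.compile(r"\b[\w-]+(?:\.[\w-]+)*\." + re.escape(INTERNAL_DOMAIN) + r"\b")

def pseudonym(kind, value, key):
    """Keyed, stable token: same input gives the same token under one key."""
    digest = hmac.new(key, value.lower().encode(), hashlib.sha256).hexdigest()
    return f"<{kind}-{digest[:8]}>"

def mask_ip(match, key):
    text = match.group(0)
    try:
        addr = ipaddress.ip_address(text)
    except ValueError:
        return text  # not a valid IPv4 address (e.g. a version string)
    if any(addr in net for net in INTERNAL_NETS):
        return pseudonym("ip", text, key)
    return text  # external address: kept, it is the part worth sharing

def sanitize_line(line, key):
    # E-mail addresses first, so user@internal-domain becomes a single token.
    line = EMAIL_RE.sub(lambda m: pseudonym("user", m.group(0), key), line)
    line = HOST_RE.sub(lambda m: pseudonym("host", m.group(0), key), line)
    return IPV4_RE.sub(lambda m: mask_ip(m, key), line)

# Constructed sample log lines (not from a real system).
SAMPLE = [
    "May 02 10:14:01 vpn01.corp.example sshd: Failed password for alice@corp.example from 203.0.113.7",
    "May 02 10:14:09 fw drop src=203.0.113.7 dst=10.20.30.40 dport=445",
    "May 02 10:15:30 fw allow src=10.20.30.40 dst=192.168.5.9 dport=53",
]

if __name__ == "__main__":
    key = b"constructed-demo-key"  # in practice a secret that never leaves the company
    for entry in SAMPLE:
        print(sanitize_line(entry, key))
```

Pattern-based redaction only catches what the patterns describe, so a manual review of the output is still needed before anything is submitted.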
ISACs can be valuable, but be selective about which ISAC to join. You can easily become overwhelmed with information. However, with a little due diligence on selection criteria, ISACs can be a valuable source of information. You will get much more value if you look for an ISAC that is specific to your industry or geographic region. You should also look at the current membership of an ISAC for companies that you would like to share information with due to business relationships or common infrastructure.
This was first published in May 2013