Information Sharing and Analysis Organizations

min read

Security matters. It's a simple idea, and it is the driving force behind cybersecurity and information sharing initiatives. In February 2015, President Obama signed Executive Order 13691: Promoting Private Sector Cybersecurity Information Sharing. This executive order clarified the need and encouraged the development of Information Sharing and Analysis Organizations (ISAOs) to improve our nation's cybersecurity posture against the burgeoning threat of cybercriminals, hacktivists, and nation state actors.

The history of ISAOs traces back to the creation of Information Sharing and Analysis Centers (ISACs). These centers were proposed in 1998 by Presidential Decision Directive 63 to address vulnerabilities to the nation's critical infrastructures. A new idea inherent in the establishment of ISACs was the concept that timely sharing of actionable cyberintelligence and cybersecurity best practices is imperative to the success of like-minded organizations. The ISACs also demonstrated the power of multiplying the efforts of many organizations focused on the needs of a specific sector to bolster the security of each of its members. ISAOs are structured to adopt this concept of collaborative cybersecurity and scale it beyond critical infrastructure sectors to meet the needs of any community of interest: private or public, large or small, geographic or sector-based.

ISAOs are aptly named — while they are more formally defined in the executive order, the primary characteristic of an ISAO is the sharing and analysis of information related to cybersecurity risks and incidents between and among its members. Specific services and capabilities can be tailored to meet member needs and resources.

Quick, efficient, and regular information sharing among companies and organizations is critical to protecting organizations from cybersecurity threats. The 2016 Verizon Data Breach Investigations Report found the majority of attacks exploit vulnerabilities that have had patches available for months, if not years. In fact, 85% of successful exploits occur from the top 10 vulnerabilities.

In October 2015, the University of Texas at San Antonio joined forces with LMI, a nonprofit government consulting firm, and the Retail Cyber Intelligence Sharing Center to form the Information Sharing and Analysis Organization Standards Organization (ISAO SO). The mission of the ISAO SO is to improve the nation's cybersecurity posture by identifying standards and guidelines for robust and effective information sharing and analysis related to cybersecurity risks, incidents, and best practices.

The ISAO SO has worked with a sense of urgency over the past year to assemble a group of over 160 volunteers from multiple industries, government agencies, and academic institutions to assist with the development of a set of voluntary standards and guidelines for the creation and functioning of ISAOs. Even before the initial guidelines are formally published at the end of this month, we've seen the creation of ISAOs to meet our nation's urgent needs. From legal services to health care to the sports industry, ISAOs are popping up across the nation.

ISAOs can take many different shapes to support the needs of geography, industry, or other special interests, but at the end of the day, they embody the idea that security matters. The formation of these organizations illustrates that companies recognize that sharing information increases the safety and security of individual organizations and the nation as a whole.

The ISAO SO is approaching a critical milestone: on September 30, 2016, the ISAO SO will release its first publication of standards and guidelines to address the most pressing needs of new and emerging ISAOs. The topics and questions addressed in ISAO 100-1: Guidelines for Establishing an ISAO and ISAO 600-1: U.S. Government Relations, Programs, and Services will include:

  • What needs to be considered by a newly forming ISAO?
  • What capabilities should a new ISAO provide to its membership?
  • What types of information will be shared, and how is that information sharing facilitated?
  • What security and privacy is needed for a newly formed ISAO?
  • What support processes will be available?
  • What government programs and services are available to assist ISAOs?

We encourage you to visit the ISAO SO website to explore these questions and review early drafts of the publications. However, the publication of initial documents is only the beginning of the ISAO story. These guidelines and standards will equip new and emerging ISAOs with the tools needed to succeed. In the coming months, we will continue to develop standards and guidelines that go beyond ISAO 100-1 and 600-1 to provide additional detailed information and incorporate lessons learned. The cybersecurity field is ever evolving, and we must work to adapt and grow as an information sharing and analysis ecosystem.

We take great pride in the transparency and collaboration demonstrated through the standards and guidelines development process. We invite you to be part of this process:

  • Create an ISAO or join an existing ISAO: If you feel that your organization could benefit from the creation of an ISAO, we'd encourage you to reach out to the ISAO SO. We can provide you with the information to get started and offer support. If an ISAC or ISAO already exists that suits the needs of your organization, contact them to find out how you can join.
  • Get more information about ISAOs: Review our draft documents and, after September 30, our initial voluntary standards and guidelines.
  • Join the discussion: We host monthly online public meetings and quarterly in-person public forums. Check out the ISAO events page to learn more.
  • Join a working group: We are constantly looking to increase our system of active contributors. We encourage you to join a Working Group as we continue to develop future standards and guidelines.

The work of the ISAO SO is critical to improving the security of the nation and world at large. By successfully implementing ISAOs through codified standards and guidelines, we hope to create a more secure and resilient nation that is connected, informed, and empowered.

Research and Education Community’s ISAC

The Research and Education Networking Information Sharing and Analysis Center (REN-ISAC) was established in 2004 to support operational cybersecurity for research and education networking organizations. REN-ISAC facilitates information sharing, assisting organizations in protecting against and responding to cyberthreats. REN-ISAC services include threat intelligence, incident notification and analysis, alerts and advisories, situational awareness, and educational opportunities. Learn more.


Rick Lipsey is the deputy director of the ISAO Standards Organization and also the senior strategic cyber lead for LMI. Previously, he served 28 years in the military and retired as the Vice Commander of the Air Force component of United States Cyber Command. Follow @ISAO_SO on Twitter.

© 2016 Rick Lipsey. This EDUCAUSE Review blog is licensed under the Creative Commons BY-NC-SA 4.0 International license.