Financial Management of Cyber Risk
In conjunction with the American National Standards Institute (ANSI), ISA published its first handbook for enterprises which examines corporate cyber security from an economic perspective as much as the technical one.
This publication "The Financial Management of Cyber Risk: 50 Questions Every CFO Should Ask" was the first of its kind.
In 2010 ANSI & ISA published a second, more extended edition which outlines a detailed action program for the financial management of cyber risk from multiple levels of enterprise risk including the human resources issues, the corporate communication issues, the legal and compliance issues as well as technical operations and risk management perspectives.
A team of reviewers including Melissa Hathaway and the the CIOs and CFOs from major non-ISA member companies have already enthusiastically endorsed the publication which has already been selected for inclusion in the registration packets at two major, non-ISA aligned, conferences on cyber security.
In fall of 2009 the U.S. State Department sponsored ISA to travel to Estonia to brief the NATO Cyber Command on ISA's model for sustained cyber security, the Cyber Security Social Contract. ISA was also invited to meet with European Union officials to conduct a series of similar briefings in Geneva.
ISA has been asked to return to Europe in fall of 2010 and brief a series of private sector organizations, in addition to additional meetings with European officials to discuss how to institute European versions of the ISA priority programs build on the differing cultural and legal assumptions as determined by the EU.
ISA has proposed major alterations in the public private partnership to protect cyber security. In November 2009 ISA articulated a market oriented approach to encourage greater investment in cyber security through the development of a "The Cyber Security Social Contract".
It proposes the government's role would be to identify successful standard practices and technologies for cyber security and then provide a menu of market incentives to encourage private investment in the implementation of these mechanisms.
When the Obama Administration issued its comprehensive report on cyber security, "The Cyber Space Policy Review", last May, the first document they quoted was the ISA's "The Cyber Security Social Contract".
In fact the Administration's Executive Summary both begins and ends by citing ISA publications. Throughout the Administration's document ISA policy papers are cited more than a dozen time, far more than any other source.
In December 2010 ISA released "Social Contract 2.0: A 21st Century Program for Effective Cyber Security", a follow up document to the "The Cyber Space Policy Review" outlining how the Administration can implement their proposal.
ISA has testified before both the House and Senate and since the publication of our implementation document the FCC has requested ISA input on how to use this construct in its upcoming National Broadband implementation Plan, the Department of Commerce has asked ISA to brief its Economic Security Working Group, DHS's Software Assurance Forum has asked ISA to keynote its last two conferences on this topic, the DoD has appointed ISA to it's working group on supply chain management.
Also, in conjunction with the NSC, NSA, DHS, Treasury and several other agencies will host an ISA organized conference call focusing on specific implementation of ISA proposals for the use of insurance to motivate additional cyber security best practices.
Securing the Electronics Supply Chain
In 2006 ISA launched industry's first integrated program analyzing the complex problems of managing the global IT supply chain so as to assure products and services would be secure. Under Carnegie Mellon's leadership ISA hosted a series of national conferences which brought together hundreds of experts from industry, government and academia to conduct a thorough analysis of the problem.
In 2008 ISA engaged one of the nation's top cyber economists Scott Borg, head of the US Cyber Consequences Unit to assist ISA in taking our initial work and building out a sustainable framework to security the IT supply chain including informational technology as well as economic social and legal issues.
ISA completed the framework in 2009 and was the only organization to provide comments on the subject to be cited in President Obama's 2009 cyber security review conducted by Melissa Hathaway.
In 2010 ISA has launched a new program of invitation only workshops designed to move the ISA supply chain framework through the standardization and best practices levels. ISA anticipates that this third phase of its supply chain program will be completed by the third quarter of 2010.
Unified Communications Platforms - VoIP Security
ISA has led a program in conjunction with the National Institute of Standards and Technology (NIST) to attempt to adapt the SCAP program to unified communications platforms.
ISA has brought together a broad base of government, industry and academic experts to determine the adaptability of SCAP to these digital platforms.
In addition to the continual work of the task forces, ISA has reported on its findings in multiple sessions at the annual NIST conference on mobile communication security. ISA is currently exploring expanding this program in conjunction with NSA and other aligned efforts.
The Internet Security Alliance (ISA) is a unique multi-sector trade association which provides thought leadership and strong public policy advocacy as well as business and technical services to its membership. The ISA represents enterprises from the aviation, banking, communications, defense, education, financial services, insurance, manufacturing, security, and technology industries. ISA’s mission is to integrate advanced technology with the realistic business needs of its members and enlightened public policy to create a sustained system of cyber security.