
Information Sharing Policy

Document version 2.1, September 22, 2009

0.1 REN-ISAC Organizational Documents

1. Charter
2. Membership Guide
3. Membership Terms and Conditions
4. Membership Fees
5. REN-ISAC Information Sharing Policy (this document)
6. REN-ISAC Disclaimer
0.2 Table of Contents

1. Background
2. Disclaimer
3. Information Sharing Categorizations
4. Sensitivity Classification
5. Criticality
6. Confidence
7. Target Audience
8. Non-Attribution
9. Information Sharing Procedures
10. Disclosure
11. Breach
12. Copyright
1.0 Background
1.1 The REN-ISAC is a private community for sharing sensitive information regarding cyber security protection and response. Information shared within the REN-ISAC community relates to IT security measures, and is privileged and confidential.
1.2 An institution or organization is the REN-ISAC "member" and is represented in information sharing by "member representatives". Information is shared to the member representative, not to the institution. Certain classifications of information cannot be further disseminated by the member representative. The member representative uses the shared information to formulate protection and response actions for the institution. The following principles apply.
2.0 Disclaimer
2.1 Information is shared within REN-ISAC for the objective of cyber security protection and response. Information is shared in good faith and there are no explicit or implied guarantees or warranties as to the veracity or applicability of the information.
2.2 Information received from any REN-ISAC service, product, or member must be analyzed fully by representatives of the receiving institution, and inherent risks determined and understood. Any local action taken must be informed by local technical expertise and applied as appropriate to the local technical, functional, and cultural environments.
2.3 The REN-ISAC, its sponsoring organizations, and members accept no responsibility for negative impacts of any sort that result from local actions taken on information sent to the membership generally, or to specific institutions.
3.0 Information Sharing Categorizations
3.1 Information shared within REN-ISAC must be categorized according to Sensitivity, and optionally according to Criticality, Confidence, and Target Audience.

Category         Requirement   Purpose
Sensitivity      Mandatory     Defines the limits of distribution
Criticality      Optional      Advises regarding urgency of response
Confidence       Optional      Helps determine response and timing
Target Audience  Optional      Routes information to the appropriate audience
4.0 Sensitivity Classification
Four classifications of Sensitivity are defined. In order of increasing sensitivity they are: Public Use, Limited Use, Privileged Use, and Restricted Use.
4.1 Default classification
4.1.1 All information shared within REN-ISAC is considered Privileged Use unless otherwise explicitly stated, or if the information is shared in a channel that has a specific sensitivity classification, e.g. the XSec-only Restricted Use mailing list. The default classification applies to information shared in any manner, including, but not limited to, mailing lists, web pages, Internet Relay Chat, meetings, etc.
4.2 Public Use Information
4.2.1 The Public Use classification is self-descriptive. In general, REN-ISAC is not a channel for sharing Public Use information. Such information should be shared in forums where the widest possible audience may benefit.
4.3 Limited Use Information
4.3.1 Limited Use information is often derived from open sources; however, value has been added through consolidation or analysis, such that the information may prove useful to persons intending to commit malicious acts.
4.3.2 Limited Use information can be redistributed outside the REN-ISAC membership only when meeting the following criteria:
1. Can be shared only to trusted persons within your organization who are involved in security protection or response, for example, to a trusted private mailing list that supports the security needs of IT support providers in schools and departments at your institution.
2. Must not be redistributed in any manner in which the information will become publicly accessible. Members should be cautious of private mailing lists that have public archives.
3. Must not contain identification of institutions, organizations, or individuals who have not authorized the release, unless the information is otherwise publicly available, or if the information is directly applicable to a warranted protection or response action.
4. If appropriate, may mention REN-ISAC, but must be scrubbed of the identification of REN-ISAC channel names (e.g. mailing list names, etc.), and the names of REN-ISAC information sources.
5. The following Information Sharing Restriction and Disclaimer must be placed at the head of the redistribution:
 

Information Sharing Restrictions and Disclaimer: The following information must not be publicly released. It can be shared ONLY to trusted persons within your organization who are involved in security protection or response. There are no guarantees for accuracy of the information, or to its impact when applied in protection or response measures. Each recipient must evaluate the information and assume all risks of use. The text of this restriction and disclaimer must accompany all redistribution. No other dissemination is permitted.

4.4 Privileged Use Information
4.4.1 Privileged Use information can be shared among REN-ISAC General and XSec Member Representatives, and may be further shared within a member's organization, only when meeting the following criteria:
1. Can be shared only for the purpose of a specific operational protection or response action; cannot be shared for general purpose situational awareness or enrichment.
2. Can be shared only to persons within the member's organization who have need-to-know for operational defense, threat mitigation, or response.
3. Sharing must be guided by the principle of least privilege: i.e., to protect data, sources, methods, and relationships, only the minimum information necessary for local assessment and action should be shared.
4. The member who shares must have a reasonable expectation of trust in the recipient, and must communicate that expectation to the recipient.
5. Must not contain identification of institutions, organizations, or individuals who have not authorized the release, unless the information is otherwise publicly available, or if the information is directly applicable to a warranted protection or response action.
6. If appropriate, may mention REN-ISAC, but must be scrubbed of the identification of REN-ISAC channel names (e.g. mailing list names, etc.), and the names of REN-ISAC information sources.
7. The following Information Sharing Restriction must be placed at the head of the share:
 

Information Sharing Restrictions and Disclaimer: The following information must not be publicly released. It can be shared ONLY for the purpose of carrying out a specific operational protection or response action, only to trusted persons within your own organization who have need-to-know, and only the minimum information necessary for local assessment and action should be shared. An expectation of trust must be communicated to the recipient. There are no guarantees for accuracy of the information, or to its impact when applied in protection or response measures. Each recipient must evaluate the information and assume all risks of use. The text of this restriction and disclaimer must accompany all redistribution. No other dissemination is permitted.

4.4.2 REN-ISAC member representatives are responsible and accountable for the disposition of Privileged Use information that they share within their organization, according to the terms described in section 11.0, Breach, and in the REN-ISAC Disclaimer.
4.5 Restricted Use Information
4.5.1 Restricted Use information cannot be redistributed or further shared in any manner. The member representative who receives Restricted Use information should assimilate the information and formulate corresponding protection and response actions for the institution.
4.5.2 Whenever sharing Restricted Use information in a REN-ISAC channel that defaults to a lower sensitivity classification, the following should be placed at the head of the information:
 

Information Sharing Restrictions: The following information is classified as Restricted Use in accordance with the REN-ISAC Information Sharing Policy. The information must not be redistributed or further shared in any manner.

4.5.3 For well-defined and limited purposes, Referred Trust can be used to get certain operational data that is classified as Restricted Use into the hands of non-member-representative individuals who can act on the data. For more information, see the Referred Trust section of the Membership Guide.
5.0 Criticality
5.1 The optional Criticality designation indicates the potential impact of the information and the need for timely action based on the information. The levels are:

Criticality  Expected action
Routine      Routine interest; does not require immediate action. General advice regarding normally-experienced malicious activity.
Important    Requires action in response to specific threat activity, or for protection due to an increase in attacks or vulnerability.
Urgent       Requires immediate and decisive action. Reflects a potentially catastrophic issue.
6.0 Confidence
6.1 The optional Confidence designation provides rough guidance for decisions on received information. It can also facilitate the timely sharing of information, with caveat, prior to complete analysis. The Confidence designation should not substitute for providing additional narrative assessment of the reliability of the source and/or data. Confidence designations are:

Confidence
- High
- Medium
- Low
7.0 Target Audience
7.1 The optional Target Audience designation can be used to provide focus for action or consideration. The designations are:

Target Audience
- Operations/administration
- Management/decision
- Executive
8.0 Non-Attribution
8.1 Under certain circumstances, a member or other information sharing partner may possess useful information, but not wish to be attributed when sharing the information. In that case, the member or partner can pass the information directly to the REN-ISAC security operations center (soc@ren-isac.net), and/or staff, and request non-attribution. If the information is appropriate for the membership, REN-ISAC staff will forward it without attribution.
9.0 Information Sharing Procedures
9.1 Information is shared within the REN-ISAC community by means of various channels, including but not limited to: mailing lists, IRC, webcasts, conference calls, in-person meetings, wiki, data feeds, and person-to-person.
9.2 In all cases other than person-to-person, the channel will have an explicitly defined Sensitivity Classification. In general, channels that support information sharing among all member representatives are marked Privileged Use. Channels that support XSec-only communications are Restricted Use. In the absence of an explicit marking for the channel, or on information shared in the channel, the default classification is Privileged Use. Information classified to a lower sensitivity can be shared on the channels, but should be explicitly marked as carrying the lower classification.
9.3 In the case of person-to-person communications, without a priori agreement, it may be unclear whether the communication is personal, or under REN-ISAC auspices. The parties should agree at the outset to parameters guiding the communication.
9.4 Members can share information directly to the REN-ISAC community, or indirectly, and if desired, without attribution, via REN-ISAC handlers. Refer to section 8.0, Non-Attribution.
9.5 Regardless of the method of communication and attribution chosen, the member should first decide on sensitivity and share and/or mark appropriately. Optionally, the information may be marked for criticality, confidence, and target audience (sections 5.0, 6.0, and 7.0).
9.6 Considerations for classifying sensitivity as Privileged or Restricted Use include:
1. The degree of recipient vetting required for comfortable and safe sharing.
2. The extent to which the information can be shared to non-members within a recipient member's organization.
3. The organizational capability of the recipients to act on the information.
9.7 A member may, at its discretion, expand the distribution of information of which it was the sole source, by reclassifying to a lower sensitivity.
9.8 If a General Member possesses information that requires Restricted Use sharing, the member is encouraged to send that information to a REN-ISAC handler for redistribution.
10.0 Disclosure
10.1 In the event that a member is required, by open records, freedom of information, subpoena, or any other law or regulation, to disclose information pertaining to the non-public activities of REN-ISAC, or non-public use information that was shared within REN-ISAC, the member shall promptly notify the REN-ISAC Executive and/or Technical Directors before responding to the request, consult regarding whether there are legitimate grounds to narrow or contest disclosure, and disclose only the information that the member determines, in its sole discretion, it is legally obligated to disclose.
11.0 Breach
11.1 Inappropriate disclosure of information shared within the REN-ISAC private trust community would expose methods of protection and response to our adversaries, and could expose institutions to unwanted scrutiny, publicity, and damage to reputation. Additionally, inappropriate disclosure would damage the vital trust relationships that sustain the flow of information within and to our community.
11.2 It is imperative that information shared within the REN-ISAC community be handled in accordance with policy. Failure to adhere to policy will result in membership review and consequences proportionate to the breach of trust. Consequences may include, but are not limited to: reaffirmation of the information sharing policies, counseling, reprimand, or loss of membership.
11.3 Actual or suspected breaches of the Information Sharing Policy, whether intentional or accidental, must be immediately reported to the Membership Committee. Anonymity of third-party reporters will be honored.
12.0 Copyright
12.1 The copyright of a work product submitted by a member is retained by the member.
12.2 By submitting a work to REN-ISAC, the member agrees to the use of the work in accordance with the marked Sensitivity Classification (section 4.0), the Information Sharing Procedures (section 9.0), and the REN-ISAC Disclaimer.
12.3 The copyright holder may further publish a work outside REN-ISAC provided the work does not contain, in whole or in part, non-public information derived from REN-ISAC sources for which the author does not hold copyright or have permission of the copyright holder.
12.4 A member may use its copyright of a work to distribute the work freely within its institution beyond the restrictions of the REN-ISAC Sensitivity Classification, even though another member receiving the information through REN-ISAC may not enjoy the same right.