Information Sharing Policy

Synopsis
REN-ISAC is a private community for sharing sensitive information regarding cyber security protection and response. Information shared within the REN-ISAC community relates to IT security measures, and is privileged and confidential.  In other words, information shared by REN-ISAC, and between REN-ISAC members, cannot be freely shared with non-members.  We all communicate with certain expectations of privacy and appropriate use.  The text that follows is an overview of our Information Sharing Policy.  See the full text here.

Sensitivity Classification
REN-ISAC members communicate with four classifications of sensitivity in mind.  In order of increasing sensitivity they are: Public Use, Limited Use, Privileged Use, and Restricted Use.
All information shared within REN-ISAC is considered Privileged Use unless otherwise explicitly stated, or if the information is shared in a channel that has a specific sensitivity classification.  For example, the mailing list for XSec members has a default classification of Restricted Use. The default classification applies to information shared in any manner, including, but not limited to, mailing lists, web pages, Internet Relay Chat, meetings, etc.

Public Use Information
The Public Use classification is self descriptive. In general, REN-ISAC is not a channel for sharing public use information. Such information should be shared in forums where the widest possible audience may benefit.

Limited Use Information
Limited Use information is often derived from open sources, however, value has been added through consolidation or analysis, such that the information may prove useful for persons intending to commit malicious acts.
Limited Use information can be redistributed outside the REN-ISAC membership when meeting the following criteria:

1. Can be shared only to trusted persons within your organization who are involved in security protection or response, for example, to a trusted private mailing list that supports the security needs of IT support providers in schools and departments at your institution.
2. Must not be redistributed in any manner in which the information will become publicly accessible. Members should be cautious of private mailing lists that have public archives.
3. Must not contain identification of institutions, organizations, or individuals who have not authorized the release, unless the information is otherwise publicly available, or if the information is directly applicable to a warranted protection or response action.
4. If appropriate, may mention REN-ISAC, but must be scrubbed of the identification of REN-ISAC channel names (e.g. mailing list names, etc.), and the names of REN-ISAC information sources.
5. See the Information Sharing Restriction and Disclaimer here.

Privileged Use Information
REN-ISAC member representatives are responsible and accountable for the disposition of Privileged Use information that they share within their organization, according to our terms and guidelines.  Privileged Use information can be shared among REN-ISAC General and XSec Member Representatives, and may be further shared within a member's organization, only when meeting the following criteria:

1. Can be shared only for the purpose of a specific operational protection or response action - cannot be shared for general purpose situational awareness or enrichment.
2. Can be shared only to persons within the member's organization, who have need-to-know for operational defense, threat mitigation, or response.
3. Sharing must be guided by the principle of least privilege: i.e., to protect data, sources, methods, and relationships, only the minimum information necessary for local assessment and action should be shared.
4. The member who shares must have a reasonable expectation of trust in the recipient, and must communicate that expectation to the recipient.
5. Must not contain identification of institutions, organizations, or individuals who have not authorized the release, unless the information is otherwise publicly available, or if the information is directly applicable to a warranted protection or response action.
6. If appropriate, may mention REN-ISAC, but must be scrubbed of the identification of REN-ISAC channel names (e.g. mailing list names, etc.), and the names of REN-ISAC information sources.
7. See the Information Sharing Restriction and Disclaimer here.

Restricted Use Information
Restricted Use information cannot be redistributed or further shared in any manner. The member representative who receives Restricted Use information should assimilate the information and formulate corresponding protection and response actions for the institution.
See the Information Sharing Restriction and Disclaimer here.