Sharing information on cyber-security
For example, when they collaborate in the investigation and resolution of serious international cyber-attacks. This type of information is very sensitive and needs to be restricted to specific people who might never have met each other.
In 2009, ENISA (European Network and Information Security Agency) published a Best Practices Guide (GPG) for the Exchange of Information. Its objective was to help the EU states and other interested parties create and manage a network dedicated to the exchange of security information. To deal with the problem of secure distribution of information, ENISA proposes, in Appendix C of this guide, the use of the so-called “Traffic Light Protocol”. It is a tag printed on the documents that are shared, and its color represents one of four levels of distribution rights. Recipients commit to not sharing the information beyond what the label allows.
The Guide does not mention any mechanism, such as encryption, for protecting the information exchanged, and makes no mention of the use of an Information Rights Management (IRM) system. Perhaps because of this, organizations responsible for defending cyber-security have not begun to share security-related information. Honestly, we expected more from ENISA.
Now, experts have set out in this statement what ENISA omitted from its guide: that the most reliable way of sharing such information is through an IRM such as Prot-On. Therefore, companies that are certified according to ISO/IEC 27001:2005 must demonstrate that they adequately protect the information they share with the outside, using technologies that limit distribution to the intended recipients, as IRMs do. And, by using an IRM, competitors and wary governments are not forced to make “leaps of faith” when sharing highly sensitive information on cyber threats to a country's critical infrastructure.