Information exchange practices for cooperation groups

Making sure that information is distributed and processed in the appropriate way is a precondition for functional cooperation and network-based activities. Rules have been developed to enable the distributors of information to indicate how it should be processed and disseminated further.

The Traffic Light Protocol (TLP) classification system and the Chatham House Rule discussed on this page are rules based on voluntary participation, with the aim of encouraging open information exchange. They are commonly used by a range of Finnish and international groups.

The Chatham House Rule governs information exchange in the context of meetings and briefings, whereas the Traffic Light Protocol system relates to the exchange of documents and information in a more general sense. All those who take part in the processing of information must take care to ensure that the rules are observed. Furthermore, the recipient of the information must obtain the consent of its originator in order to carry out more extensive processing of the information.

The classifications are not legally binding, and are instead based on mutual trust among people and organisations. The activities of public authorities are governed by the Act on the Openness of Government Activities (621/1999).

Chatham House Rule

The Chatham House Rule is based on the principle that meetings held under it allow participants to use the information discussed, but they cannot reveal who made any comment, their affiliation, or the identities of other participants. The rule is intended to encourage openness and information exchange by giving participants a guarantee that the source of comments will not become known. It is always advisable to remind participants of relevant principles related to information exchange at the beginning of meetings.

Traffic Light Protocol

The TLP may be used in the context of meetings as well as other channels of information exchange and communications. While the TLP has been interpreted in a number of different ways, it is fundamentally important that the recipients of information understand the relevant conditions related to its processing and act accordingly. Several definitions exist, in particular for the processing of information classified as TLP:AMBER. The Finnish Transport and Communications Agency follows the definition of the Forum of Incident Response and Security Teams (FIRST Standards Definitions and Usage Guidance — Version 1.0). The classification system is used by a number of national and international cybersecurity groups in which the Finnish Transport and Communications Agency takes part.

When classifying information according to the TLP, it is advisable to avoid selecting an unnecessarily strict designation, as doing so limits the ways in which the information may be used and thus decreases the utility of information exchange. In case of doubt, the originator of the information should be contacted for clarification before distributing the information further. Recipients should consider access to information designated TLP:RED, TLP:AMBER or TLP:GREEN a privilege.

According to the FIRST definition, there are four designations:

1. TLP:RED — Not for disclosure, restricted to participants only

Information with this designation should only be distributed directly and in person to the recipient. The recipient may not disseminate the information further even within the group or the organisation with which he or she is affiliated. “For your eyes only.”

2. TLP:AMBER — Limited disclosure, restricted to participants’ organisations 

Information may be disseminated to other members of the group, within the organisation with which the recipient is affiliated, and to persons affiliated with the organisations’ stakeholders who need to know the information in order to take necessary action. The originator of the information is at liberty to specify additional limitations or freedoms with regard to the processing of the information. “Personalised need to know.”

3. TLP:GREEN — Limited disclosure, restricted to the community

The information may be disseminated freely within the recipient’s organisation and distributed to partner organisations or relevant communities or sectors. The information may also be shared freely with other members of the information exchange group. However, it may not be published on the internet, for example. “Good to know.”

4. TLP:WHITE — Disclosure is not limited

The information may be disseminated freely while taking into account the possible restrictions specified in applicable legislation. Such restrictions may arise from copyright law, for example. Information designated TLP:WHITE is typically already publicly available.

TLP-designated documents should indicate the TLP colour of the information at the top of the document, e.g. "TLP:GREEN". If the information in a single document spans multiple designations, the applicable TLP colour should be indicated before each paragraph or section.

Example:

The strictest designation this example contains is TLP:AMBER.

TLP:GREEN: Information for dissemination within the information security community on a “good to know” basis.

TLP:AMBER: Sensitive information whose distribution must be restricted to persons relevant in the context of defending against the information security threat in question.
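The marking convention above can be checked mechanically before a document is forwarded. The following is an added example, not part of the original page or of the FIRST guidance: it verifies that the top-of-document colour equals the strictest paragraph colour and builds a copy limited to a chosen designation. The plain-text layout (a marking line at the top, blank-line separated paragraphs each prefixed "TLP:<COLOUR>:"), the function names and the sample text are assumptions made for illustration.

```python
import re

# Strictest first, in the order the page lists the four designations.
ORDER = ["RED", "AMBER", "GREEN", "WHITE"]
MARK = re.compile(r"^TLP:(RED|AMBER|GREEN|WHITE)\b:?\s*(.*)$", re.S)

def parse(doc):
    """Return (header_colour, [(colour, text), ...]) for a marked document."""
    blocks = [b.strip() for b in re.split(r"\n\s*\n", doc) if b.strip()]
    head = MARK.match(blocks[0]) if blocks else None
    if not head or head.group(2):
        raise ValueError("document has no TLP marking at the top")
    sections = []
    for block in blocks[1:]:
        m = MARK.match(block)
        if not m:
            # Fail closed: never guess a colour for an unmarked paragraph.
            raise ValueError("unmarked paragraph: %r" % block[:30])
        sections.append((m.group(1), m.group(2).strip()))
    return head.group(1), sections

def strictest(colours):
    return min(colours, key=ORDER.index)

def check_header(doc):
    """True when the top marking equals the strictest paragraph marking."""
    header, sections = parse(doc)
    return not sections or header == strictest(c for c, _ in sections)

def redact(doc, ceiling):
    """Copy of doc keeping only paragraphs no stricter than `ceiling`."""
    _, sections = parse(doc)
    limit = ORDER.index(ceiling)
    kept = [(c, t) for c, t in sections if ORDER.index(c) >= limit]
    if not kept:
        return ""
    top = strictest(c for c, _ in kept)
    body = "\n\n".join("TLP:%s: %s" % (c, t) for c, t in kept)
    return "TLP:%s\n\n%s" % (top, body)

# Constructed sample input following the assumed layout.
SAMPLE = """TLP:AMBER

TLP:GREEN: Constructed note for the wider community.

TLP:AMBER: Constructed detail for defenders who need to act.
"""
```

The redacted copy carries a recomputed top marking, so it passes the same header check as the original.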