Front Page: NCSC-FI

Information exchange practices for cooperation groups

Making sure that information is distributed and processed in the appropriate way is a precondition for functional cooperation and network-based activities. Rules have been developed so that the originator of a piece of information can indicate how it may be processed and how far it may be disseminated.

The Traffic Light Protocol (TLP) classification system and the Chatham House Rule discussed on this page are rules that are based on voluntary participation, with the aim of encouraging open information exchange. They are commonly used by a range of Finnish and international groups.

The Chatham House Rule governs information exchange in the context of meetings and briefings, whereas the Traffic Light Protocol relates to the exchange of documents and information more generally. Everyone who takes part in processing the information must make sure the rules are observed. If a recipient wants to process or distribute the information more widely than its designation allows, the recipient must first obtain the consent of the originator.

The classifications are not legally binding, but based on mutual trust among people and organisations. The activities of public authorities are governed by the Act on the Openness of Government Activities (621/1999).

Chatham House Rule

The Chatham House Rule is based on the principle that participants in a meeting held under it are free to use the information discussed, but may not reveal who made any comment, the affiliation of the speaker, or the identities of the other participants. The rule is intended to encourage openness and information exchange by guaranteeing participants that the source of a comment will not become known. It is always advisable to remind participants of the applicable information exchange principles at the beginning of a meeting.

Traffic Light Protocol

The TLP may be used in meetings as well as in other channels of information exchange and communication. The TLP has been interpreted in a number of different ways, so it is essential that recipients understand the conditions attached to the information they receive and act accordingly. Several definitions exist in particular for the handling of information designated TLP:AMBER. The Finnish Transport and Communications Agency follows version 2.0 of the definition published by the Forum of Incident Response and Security Teams (FIRST Standards Definitions and Usage Guidance, Version 2.0); version 2.0 renamed TLP:WHITE to TLP:CLEAR and introduced the TLP:AMBER+STRICT sub-label. The classification system is used by a number of national and international cybersecurity groups in which the Finnish Transport and Communications Agency takes part.

When classifying information according to the TLP, it is advisable to avoid selecting an unnecessarily strict designation, as doing so limits the ways in which the information may be used and thus decreases the utility of information exchange. In case of doubt, the originator of the information should be contacted for clarification before distributing the information further. Recipients should consider it a privilege to gain access to TLP-designated information.

According to the FIRST definition, there are four labels plus one sub-label of TLP:AMBER:

[Figure: example TLP labels (TLP:RED, TLP:AMBER+STRICT, TLP:AMBER, TLP:GREEN, TLP:CLEAR)]

1. TLP:RED — Not for disclosure, restricted to participants only

For the eyes and ears of individual recipients only, no further disclosure. Sources may use TLP:RED when information cannot be effectively acted upon without significant risk for the privacy, reputation, or operations of the organisations involved. Recipients may therefore not share TLP:RED information with anyone else. In the context of a meeting, for example, TLP:RED information is limited to those present at the meeting.

2. TLP:AMBER — Limited disclosure, restricted to participants’ organisations and their clients

Limited disclosure: recipients may only spread this on a need-to-know basis within their organisation and its clients. Sources may use TLP:AMBER when information requires support to be effectively acted upon, yet carries risk to privacy, reputation, or operations if shared outside of the organisations involved. Recipients may share TLP:AMBER information with members of their own organisation and its clients, but only on a need-to-know basis to protect their organisation and its clients and prevent further harm. Note: if the source wants to restrict sharing to the recipient's organisation only, excluding its clients, the source must specify TLP:AMBER+STRICT.

3. TLP:GREEN — Limited disclosure, restricted to the community

Limited disclosure: recipients may spread this within their community. Sources may use TLP:GREEN when information is useful to increase awareness within their wider community. Recipients may share TLP:GREEN information with peers and partner organisations within their community, but not via publicly accessible channels. TLP:GREEN information may not be shared outside of the community. Note: when "community" is not defined, assume the cybersecurity/defence community.

4. TLP:CLEAR — Disclosure is not limited

Recipients may spread this to the world; there is no limit on disclosure. Sources may use TLP:CLEAR when information carries minimal or no foreseeable risk of misuse, in accordance with applicable rules and procedures for public release. Subject to standard copyright rules, TLP:CLEAR information may be shared without restriction.

TLP-designated documents MUST indicate the TLP colour of the information in the header and footer of each page of the document, e.g. "TLP:GREEN". If the information in a single document spans multiple designations, the applicable TLP label MUST be indicated before each paragraph or section, as in the example below, where the header states the strictest designation the document contains.

Example:

The strictest designation this example contains is TLP:AMBER.

TLP:GREEN: Information for dissemination within the information security community on a “good to know” basis.

TLP:AMBER: Sensitive information whose distribution must be restricted to persons relevant in the context of defending against the information security threat in question.
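The marking rules above (a label in the header and footer, a label before every paragraph when designations are mixed) are mechanical enough to check automatically before a document is forwarded. The following is an added example, not code from NCSC-FI or FIRST: it parses a TLP-marked plain-text document whose header and footer are bare labels, rejects unknown or TLP 1.0 (TLP:WHITE) markings, verifies that header and footer carry the strictest label present, and rebuilds a copy containing only the sections a given recipient may receive. The recipient relationship names (recipient, own_org, client, community, public) and the sample document are this example's own constructions; the need-to-know judgement that TLP:AMBER additionally requires is outside what a tool can decide.

```python
import re
from dataclasses import dataclass

# FIRST TLP 2.0 labels, ordered least to most restrictive. TLP:AMBER+STRICT is the
# sub-label of TLP:AMBER that drops the "and its clients" allowance.
TLP_ORDER = ("TLP:CLEAR", "TLP:GREEN", "TLP:AMBER", "TLP:AMBER+STRICT", "TLP:RED")
RANK = {label: i for i, label in enumerate(TLP_ORDER)}

# TLP 1.0 marking that 2.0 renamed; rejected so legacy documents are noticed.
RENAMED = {"TLP:WHITE": "TLP:CLEAR"}

# Who may receive information under each label. The relationship names are this
# example's own shorthand (assumption), not FIRST terminology; "recipient" is the
# person the source addressed directly.
ALLOWED = {
    "TLP:RED":          {"recipient"},
    "TLP:AMBER+STRICT": {"recipient", "own_org"},
    "TLP:AMBER":        {"recipient", "own_org", "client"},
    "TLP:GREEN":        {"recipient", "own_org", "client", "community"},
    "TLP:CLEAR":        {"recipient", "own_org", "client", "community", "public"},
}

# A paragraph label: "TLP:GREEN: text..." or a bare "TLP:AMBER" header/footer line.
LABEL_RE = re.compile(r"^(TLP:[A-Z+]+)(?::\s*|\s*$)")


@dataclass
class Section:
    label: str
    body: str


def normalise_label(raw):
    """Accept only TLP 2.0 labels; explain the fix for a TLP 1.0 marking."""
    if raw in RANK:
        return raw
    if raw in RENAMED:
        raise ValueError(f"{raw} is a TLP 1.0 marking; use {RENAMED[raw]}")
    raise ValueError(f"unknown TLP label {raw!r}")


def parse_document(text):
    """Split a marked document into (header label, sections, footer label).

    Layout assumed here: paragraphs separated by blank lines; the first and last
    paragraphs are bare labels (the header/footer rule); every other paragraph
    starts with its own label followed by a colon."""
    paragraphs = [p.strip() for p in re.split(r"\n\s*\n", text.strip()) if p.strip()]
    if len(paragraphs) < 3:
        raise ValueError("need a header label, at least one section and a footer label")
    header = normalise_label(paragraphs[0])
    footer = normalise_label(paragraphs[-1])
    sections = []
    for para in paragraphs[1:-1]:
        m = LABEL_RE.match(para)
        if not m:
            raise ValueError(f"paragraph without TLP label: {para[:40]!r}")
        sections.append(Section(normalise_label(m.group(1)), para[m.end():].strip()))
    return header, sections, footer


def strictest(labels):
    return max(labels, key=RANK.__getitem__)


def check_document(text):
    """Strictest label in the body, and whether header and footer both state it."""
    header, sections, footer = parse_document(text)
    top = strictest(s.label for s in sections)
    return {"strictest": top, "header_ok": header == top and footer == top,
            "sections": sections}


def may_share(label, relationship):
    return relationship in ALLOWED[normalise_label(label)]


def filter_for(text, relationship):
    """Keep only the sections the relationship may receive and re-mark the
    header and footer with the strictest label that remains ("" if none)."""
    _, sections, _ = parse_document(text)
    keep = [s for s in sections if may_share(s.label, relationship)]
    if not keep:
        return ""
    top = strictest(s.label for s in keep)
    body = "\n\n".join(f"{s.label}: {s.body}" for s in keep)
    return f"{top}\n\n{body}\n\n{top}\n"


# Constructed sample mirroring the page's example; not an actual NCSC-FI document.
SAMPLE = """TLP:AMBER

TLP:GREEN: Information for dissemination within the information security
community on a "good to know" basis.

TLP:AMBER: Sensitive information whose distribution must be restricted to
persons relevant in the context of defending against the threat in question.

TLP:AMBER
"""

if __name__ == "__main__":
    print(check_document(SAMPLE)["strictest"], check_document(SAMPLE)["header_ok"])
    print(filter_for(SAMPLE, "community"))  # only the TLP:GREEN section survives
```

Running the script shows that a community partner receives a re-marked TLP:GREEN document with the TLP:AMBER paragraph removed, while a copy for public release is empty. A header that understates the body (TLP:GREEN on a document containing TLP:AMBER) is reported by `header_ok` being false, which is the check worth running before anything leaves the organisation.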