FIRST’s Traffic Light Protocol 2.0

No, TLP is not an American girl band from the 90’s. It’s an acronym for Traffic Light Protocol, a method for sources to signify any limitations regarding the further spread of the information being shared.

Meant to facilitate and simplify information exchange, TLP is widely used by Computer Security Incident Response Teams (CSIRT) within the European Union.

For TLP, simplicity is key. Whoever is sharing information tags the document, presentation, email, phone call, or meeting in a dimly lit pub with “TLP:COLOR.” Yes, TLP encompasses all forms of information: written, visual, verbal and potentially telepathic.

Recently, the Forum of Incident Response and Security Teams (FIRST) decided to update the five-year-old protocol with version 2.0, hoping to optimize it by:

– Removing “synonyms and colloquialisms to improve accessibility for non-native English speakers.”

– Focusing “on consistent language and terminology, adding definitions for community, organization, and clients.”

– Adding “a colors table to include RGB, CMYK, and hexadecimal color codes.”

– Changing TLP:WHITE to TLP:CLEAR and adding an additional “Strict” label to TLP:AMBER to denote information that should only be shared with the recipient’s organization.

Why the update? Well, according to Don Stikvoort, the FIRST TLP-SIG co-chair, “We are increasingly spreading more confidential and sensitive information inside our community, inside companies, inside business sectors, inside countries, and worldwide. We need systems that are easy to use, simple to understand, and straightforward enough that translation does not impact the meaning to ensure that we share sensitive information with the appropriate audience. The updated and modernized TLP version 2.0 does just that.”

Simple enough.

  • TLP:RED = Not for disclosure, restricted to participants only. For example, information shared within a meeting is limited to those present at the meeting.
  • TLP:AMBER = Limited disclosure, restricted to participants’ organizations, and clients and customers that need to know the information in order to protect themselves or prevent further harm.
  • TLP:AMBER+STRICT restricts the sharing of information by the recipient to the recipient’s organization.
  • TLP:GREEN = Limited disclosure, restricted to a recipient’s community. Recipients can share information with peers and partner organizations within their sector, but not through in-band channels.
  • TLP:CLEAR = Recipients could yell this information into a bullhorn in Times Square; information can be distributed without restriction.
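
As an added example (not code from FIRST or from the original post), here is how a mail gateway or sharing script could read a “TLP:COLOR” tag, map the old TLP:WHITE to TLP:CLEAR, and check a proposed audience against the list above. The scope names, their narrow-to-wide ordering, and the choice to refuse untagged or malformed labels are assumptions of this example.

```python
import re

# Audience scopes ordered from narrowest to widest (a modelling assumption:
# the article describes them per label but does not rank them).
SCOPES = ["participants", "organization", "clients", "community", "public"]

# Widest audience each TLP 2.0 label allows, following the list above.
MAX_SCOPE = {
    "RED": "participants",
    "AMBER+STRICT": "organization",
    "AMBER": "clients",
    "GREEN": "community",
    "CLEAR": "public",
}

# The trailing lookahead rejects a label followed by "+" or a word character,
# so a mistyped "AMBER+STRIC" is not silently read as the wider "AMBER".
TLP_RE = re.compile(r"\bTLP:(RED|AMBER\+STRICT|AMBER|GREEN|CLEAR|WHITE)(?![\w+])", re.I)


def parse_tlp(text):
    """Return the normalised TLP 2.0 label found in text, or None."""
    m = TLP_RE.search(text)
    if not m:
        return None
    label = m.group(1).upper()
    # TLP 2.0 renamed TLP:WHITE to TLP:CLEAR.
    return "CLEAR" if label == "WHITE" else label


def may_share(text, audience):
    """True if content tagged in `text` may be passed on to `audience`."""
    label = parse_tlp(text)
    if label is None:
        # No recognisable tag: fail closed (policy choice of this example).
        return False
    return SCOPES.index(audience) <= SCOPES.index(MAX_SCOPE[label])


if __name__ == "__main__":
    # Constructed sample subject lines, not taken from any real message.
    for subject in ("[TLP:WHITE] Patch advisory", "TLP:AMBER+STRICT incident notes"):
        print(subject, "->", parse_tlp(subject), may_share(subject, "clients"))
```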

It’s important to note that the Traffic Light Protocol has no legal weight and is not meant to trump any legislation regarding data sharing and classification. Don’t mix TLP with Confidential, Secret and Top Secret tags.

A further word of warning from the European Union Agency for Cybersecurity (ENISA):

“Sharers must not succumb to the power that this control gives them. It is easy to tag everything as TLP:RED and be done with it. It is also useless, as it will make most receivers unable to act on the information they get. Moreover, over-tagging will quickly be detrimental to the sharer’s reputation and the trust they get from the community.”
