T4.4.2 - INFORMATION RELEASED INTO INFORMATION SHARING COMMUNITIES Implementation Guidance
The entity shall follow the format, classification, and treatment requirements of the information sharing community for information released into information sharing communities.
Critical entities shall also take into account any other relevant NESA issuances, guidance, and activities in this regard (also refer to the National Cyber Information Sharing Policy).
Depending on urgency, potential consequences and technical constraints, it may not be possible for an entity to validate all information before transmitting it into the information sharing community. Where such limitations exist, they should be indicated as part of the message. Indicating reservations about the credibility of information is particularly important where the source is anonymous or unknown. It is also important to indicate where the originator has been able to directly validate the information given and can vouch for its authenticity.
There are technical mechanisms that can be used to provide authenticity without compromising anonymity. For example, shared cryptographic secrets could be used to confirm that a communication originated from a member of the community without revealing the actual identity of the originator.
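The shared-secret approach described above, sketched as an added example that is not part of the original guidance: the envelope carries an HMAC tag computed with a community-wide key and has no sender field, while the report body states its validation status. The key, field names, freshness window and sample report are all assumptions constructed for illustration.

```python
import hashlib
import hmac
import json
import secrets
import time

MAX_AGE_SECONDS = 300  # assumed freshness window
# Constructed demo key; a real one is random and issued only to members.
COMMUNITY_KEY = hashlib.sha256(b"constructed demo key").digest()
# Constructed report: no sender field, but validation status is stated.
SAMPLE_REPORT = {"summary": "phishing campaign against sector members",
                 "validation": "unvalidated", "source": "anonymous"}


def seal(report, key, now=None):
    """Wrap a report with a membership tag; nothing identifies the sender."""
    issued = int(time.time() if now is None else now)
    body = json.dumps({"report": report, "nonce": secrets.token_hex(16),
                       "issued_at": issued}, sort_keys=True)
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return {"body": body, "tag": tag}


def verify(envelope, key, seen_nonces, now=None):
    """Return the report if a key holder sealed it, else None."""
    body, tag = envelope.get("body"), envelope.get("tag")
    if not isinstance(body, str) or not isinstance(tag, str):
        return None
    expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected.encode(), tag.encode()):
        return None  # wrong key, or body altered in transit
    fields = json.loads(body)
    now = time.time() if now is None else now
    if abs(now - fields["issued_at"]) > MAX_AGE_SECONDS:
        return None  # outside the freshness window
    if fields["nonce"] in seen_nonces:
        return None  # replay of an envelope already accepted
    seen_nonces.add(fields["nonce"])
    return fields["report"]


if __name__ == "__main__":
    seen = set()
    env = seal(SAMPLE_REPORT, COMMUNITY_KEY)
    print(verify(env, COMMUNITY_KEY, seen))  # accepted
    print(verify(env, COMMUNITY_KEY, seen))  # None: replay
```

A valid tag shows only that some holder of the community key sealed the message; every member can produce one, so the scheme cannot attribute a report to a member, and a key leaked by one member invalidates the guarantee for all.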
Each recipient should be responsible for obtaining any necessary authorizations for wider release from the originator prior to onward distribution.
In inter-sector communications, the originator may not know all the entities that will receive the information. In such a case, a general or specific sector release approval will need to be granted.
In addition, all information sharing communities should define rules for the protection of information in transit, and only permit members to join the community if such rules are accepted and implemented by the prospective member. Any supporting entity should implement such rules internally.
Information sharing communities should consider implementing alternative mechanisms for information sharing that do not rely on electronic messaging, and enabling members to specify that specific messages are distributed by such other routes.