BS ISO 22396:2020 pdf download – Security and resilience – Community resilience – Guidelines for information exchange between organizations

02-26-2022

6.4.4 Information classification system
An information security management system should be an integrated part of the information exchange structure. Security aspects should be taken into account in the structuring of processes, systems and controls. An information security management system should include several controls on information assets. As a first step in the process of establishing the information exchange, the participating organizations should create and agree upon a classification scheme for the information, taking into consideration how the information exchange arrangement will relate to already established protocols and concepts. The classification of information should be made in accordance with value, criticality and sensitivity to unauthorized disclosure or modification. Legal requirements can apply. The classification should indicate the value of the asset in terms of confidentiality, integrity and availability, and should be continuously updated throughout the whole life cycle. The classification of information is an exclusive decision of the organization (private or public) owning the information and is decided based on operational concerns and/or the sensitivity of information.
Examples of information classification systems include the following.
— Information security management systems (see the ISO/IEC 27000 family of standards): such a framework protects the confidentiality of the information, as well as its correctness and availability by managing risks and bringing trust to the involved parties.
— The traffic light protocol (TLP): the information classification system TLP is meant to encourage greater sharing of sensitive information between organizations. It allows the source of information to tag it with a colour, specifying to the recipient the terms of further distribution or disclosure. If a wider distribution than the colour permits is required, the recipient must first consult the source, which has the last word. The TLP requires a certain level of trust among the participants: the sharer must trust the receivers enough not to over-tag the information, and the receivers must trust the sharer's reasons for tagging it with a certain colour and respect those limitations. (See Annex A.)
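The tagging and "consult the source before widening distribution" rule described above, as an added example that is not part of the standard: a small recipient-side check in Python. The colour semantics assume FIRST's published TLP definitions (the excerpt itself defers to Annex A), the four audience tiers are a simplification, and treating an unmarked item as RED is this example's fail-closed choice.

```python
import re
from dataclasses import dataclass
from enum import Enum


class TLP(Enum):
    # Colour labels as defined by FIRST's Traffic Light Protocol (assumed here;
    # the excerpt only refers to Annex A for the definitions).
    RED = "TLP:RED"        # named recipients only
    AMBER = "TLP:AMBER"    # recipient's own organization, need-to-know
    GREEN = "TLP:GREEN"    # the wider sharing community
    CLEAR = "TLP:CLEAR"    # no restriction on disclosure


class Audience(Enum):
    # Simplified tiers ordered narrowest to widest; the integer is only for comparison.
    NAMED_RECIPIENTS = 1
    OWN_ORGANIZATION = 2
    COMMUNITY = 3
    PUBLIC = 4


# Widest audience each label permits without going back to the source.
WIDEST_AUDIENCE = {
    TLP.RED: Audience.NAMED_RECIPIENTS,
    TLP.AMBER: Audience.OWN_ORGANIZATION,
    TLP.GREEN: Audience.COMMUNITY,
    TLP.CLEAR: Audience.PUBLIC,
}


@dataclass(frozen=True)
class TaggedItem:
    source: str      # organization that owns, and therefore classifies, the item
    label: TLP
    summary: str


_LABEL_RE = re.compile(r"TLP:(RED|AMBER|GREEN|CLEAR)\b")


def parse_label(subject: str) -> TLP:
    """Extract the TLP marking from a subject line; an unmarked item is treated as RED (fail closed)."""
    match = _LABEL_RE.search(subject.upper())
    return TLP(match.group(0)) if match else TLP.RED


def distribution_decision(item: TaggedItem, target: Audience,
                          approved_by_source: frozenset = frozenset()) -> str:
    """Recipient-side check before onward distribution: share within the colour's limit,
    share beyond it only with the source's explicit approval, otherwise consult the source."""
    if target.value <= WIDEST_AUDIENCE[item.label].value:
        return "share"
    if target in approved_by_source:
        return "share (widened with source approval)"
    return f"consult source {item.source} before sharing to {target.name}"
```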
6.5.1 General
The participating organizations should have established routines and processes for how to run and maintain the information exchange arrangement, including processes for developing and obtaining technical assistance and updating it as required. The participating organizations should encourage face-to-face meetings and agree to a platform for sharing information in order to make the information exchange effective and efficient.
6.5.4 Technical aspects
The participating organizations should choose a suitable technical platform and make decisions with respect to the different technical aspects of the information exchange, ranging from security aspects of the meeting rooms to secure communication that can be used for information exchange when not attending meetings. The platform should be chosen in recognition that trustful information sharing is highly dependent on appropriate procedures, so that sensitive information is anonymized and only distributed in a proper format. The technical aspects of the information exchange should be under continual development and include best practices that increase the level of security.
NOTE This document does not specify technical requirements but identifies principles for using technical support in information exchange.
