Subject: RE: [cti-stix] Information Exchange Policy (IEP) Framework
I think this looks great but the JSON example below is somewhat confusing to me. Why does it say the type is tlp-marking, when it uses IEP?
Is this just a typo, or is IEP some kind of TLP addition?
-
Jason Keirstead
STSM, Product Architect, Security Intelligence, IBM Security Systems
www.ibm.com/security | www.securityintelligence.com
Without data, all you are is just another person with an opinion - Unknown
"Struse, Richard" ---08/02/2016 10:40:14 AM---I support this addition.
From: "Struse, Richard" <Richard.Struse@HQ.DHS.GOV>
To: Terry MacDonald <terry.macdonald@cosive.com>, "cti-stix@lists.oasis-open.org" <cti-stix@lists.oasis-open.org>
Date: 08/02/2016 10:40 AM
Subject: RE: [cti-stix] Information Exchange Policy (IEP) Framework
Sent by: <cti-stix@lists.oasis-open.org>
9.1.6. Information Exchange Policy Marking Object Type
The information exchange policy marking type sub-object defines how you would represent an Information Exchange Policy (IEP) using the FIRST Information Exchange Policy Framework. Information Exchange policy marking types do not override each other.
Property Name | Type | Description |
type (required) | string | The value of this field MUST be iep-marking. |
iep-policy (required) | string | An IEP policy statement applied to the content marked by this marking definition. |
9.1.7. Examples
{
  "type": "marking-definition",
  "id": "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da",
  "created": "2016-08-01T00:00:00Z",
  "modified": "2016-08-01T00:00:00Z",
  "version": 1,
  "definition": {
    "type": "tlp-marking",
    "iep-policy": {
      "id": "01bc4353-4829-4d55-8d52-0ab7e0790df9",
      "must-encrypt-transit": true,
      "must-encrypt-rest": true,
      "actions": "no action",
      "redistribution": "external trusted partners",
      "redistribution_ext": {
        "vocab_id": "http://us-cert.org/tlp-vocab",
        "value": "red"
      },
      "attribution": "must not attribute",
      "obfuscation": "must obfuscate source",
      "commercial-use": "allowed",
      "terms-of-use": "TOU text",
      "start-date": "2016-01-31 10:09:00",
      "end-date": "2017-01-31 10:09:00",
      "reference": "https://www.mycompany.com/myieppolicy",
      "version": 1
    }
  }
}
---------
Further details:
FIRST realized that the Traffic Light Protocol only allowed producers to communicate basic sharing restrictions to the recipients of data. It covered the basic Sharing policy, but didn't address the Action, Handling, or Licensing restrictions at all.
The timely distribution of sensitive information will only thrive in an environment where both producers and consumers have a clear understanding of how shared information can and cannot be used, with very few variations of interpretation.
FIRST members realized that the industry needed an Information Exchange Policy that would provide organizations who create threat intelligence content with a richer ability to inform their recipients of how they may use the intel they receive.
Thus the FIRST Information Exchange Policy Framework was born.
The IEP framework is structured as 4 Policy Groups that act as high-level categories which are intended to encapsulate the majority of individual policy statements one would require. Four policy types are supported: Handling, Action, Sharing, and Licensing (HASL).
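
Added example (not part of the original thread or of the proposal): a consumer-side check of a marking definition against the property table in 9.1.6, which flags the `tlp-marking` type questioned at the top of this message. The function name `check_iep_marking`, the date format and the validity-window check are assumptions drawn from the example JSON, not from the proposal text.

```python
import json
from datetime import datetime

# Constructed sample: the posted marking definition, trimmed; "tlp-marking" kept as posted.
SAMPLE = json.loads("""
{
  "type": "marking-definition",
  "id": "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da",
  "definition": {
    "type": "tlp-marking",
    "iep-policy": {
      "start-date": "2016-01-31 10:09:00",
      "end-date": "2017-01-31 10:09:00"
    }
  }
}
""")

DATE_FMT = "%Y-%m-%d %H:%M:%S"  # assumed from the example's start-date/end-date


def check_iep_marking(marking, now):
    """Return a list of problems; an empty list means the marking passed."""
    problems = []
    if marking.get("type") != "marking-definition":
        problems.append("object is not a marking-definition")
    definition = marking.get("definition")
    if not isinstance(definition, dict):
        return problems + ["definition is missing or not an object"]
    # Property table: type (required) MUST be iep-marking.
    if definition.get("type") != "iep-marking":
        problems.append(f"definition.type is {definition.get('type')!r}, expected 'iep-marking'")
    # Property table: iep-policy (required).
    policy = definition.get("iep-policy")
    if policy is None:
        return problems + ["iep-policy is missing"]
    # Assumption: a policy object may carry a validity window, as in the example.
    if isinstance(policy, dict) and "start-date" in policy and "end-date" in policy:
        try:
            start = datetime.strptime(policy["start-date"], DATE_FMT)
            end = datetime.strptime(policy["end-date"], DATE_FMT)
        except (TypeError, ValueError):
            return problems + ["start-date/end-date not parseable"]
        if start > end:
            problems.append("start-date is after end-date")
        elif not start <= now <= end:
            problems.append("policy is outside its validity window")
    return problems
```

A consumer that rejects or quarantines content whose marking fails this check avoids applying TLP handling rules to an object that actually carries an IEP policy.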