Asserting Data Markings on Content

John Wunder edited this page Nov 6, 2015 · 3 revisions

Pre-1.2.1 Use Case (True/False): True

Relevant to which SCs (STIX/TAXII/CybOX): STIX/CybOX/TAXII

Abstraction Level (High, Medium or Low): High

Related Use Cases: (none yet)

Description: A producer must be able to "mark" data with certain attributes about how it should be shared and handled. These markings must be unambiguous to a consumer.

Stakeholders

  • Stakeholder: Basic Sharing Community

    • Goals
      • An organization sharing data is able to unambiguously mark entire "top-level objects" (indicators, campaigns, etc.) with some set of markings. Objects with different markings may be shared at the same time with the same consumers.
      • An organization re-sharing data is able to maintain the existing markings applied to the top-level objects.
  • Stakeholder: Advanced Sharing Community

    • Goals
      • All goals of the basic sharing community
      • An organization is able to share top-level objects where fields in the object have different markings.

Preconditions

  1. One or more marking structures have been defined that will be used to mark data
  2. The data to be marked exists and is encoded in STIX

Dependencies

  1. The definition of actual marking structure(s) and a means of referencing or embedding them.

Main Success Scenario

Basic

  1. Organization A creates three indicators (Indicator A, Indicator B, and Indicator C) related to a piece of malware (TTP A).
  2. Organization A determines that Indicator C is sensitive and should be marked TLP:RED, while the other data is not sensitive and is marked TLP:GREEN.
  3. Organization A shares all of the data with Organization B. Indicator A, Indicator B, and TTP A are marked TLP:GREEN and Indicator C is marked TLP:RED.
  4. Organization B receives the data and, in its systems, marks the TLP:GREEN data as resharable within the community but Indicator C as non-sharable.

Advanced

  1. Organization A creates one indicator. The indicator itself is TLP:GREEN, but the description contains information about how it was derived and is therefore TLP:RED.
  2. Organization A shares the indicator with Organization B.
  3. Organization B re-shares the indicator, but the TLP:RED description is not included.
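
One way Organization B could enforce both scenarios when re-sharing, as an added example that is not part of the original page or of STIX. The dictionary layout (`marking`, `field_markings`), the function names and the sample objects are assumptions constructed for illustration, since the page leaves the actual marking structure as a dependency.

```python
# Added illustration: a simplified dict model, not the STIX marking syntax.
TLP_ORDER = {"WHITE": 0, "GREEN": 1, "AMBER": 2, "RED": 3}
META = ("marking", "field_markings")  # hypothetical key names


def level(marking):
    """Rank a marking; unknown values fail closed as most restrictive."""
    return TLP_ORDER.get(marking, len(TLP_ORDER))


def reshare(objects, max_tlp):
    """Return copies of `objects` that may be re-shared at `max_tlp`.

    Objects marked above the limit are dropped whole (basic scenario);
    fields marked above it are removed (advanced scenario). Markings on
    everything that survives are kept unchanged.
    """
    limit = TLP_ORDER[max_tlp]
    shared = []
    for obj in objects:
        if level(obj["marking"]) > limit:
            continue
        field_marks = obj.get("field_markings", {})
        kept = {
            name: value
            for name, value in obj.items()
            if name not in META
            and level(field_marks.get(name, obj["marking"])) <= limit
        }
        kept["marking"] = obj["marking"]
        surviving = {f: m for f, m in field_marks.items() if f in kept}
        if surviving:
            kept["field_markings"] = surviving
        shared.append(kept)
    return shared


# Constructed sample data mirroring the two scenarios on this page.
RECEIVED = [
    {"id": "ttp-a", "marking": "GREEN"},
    {"id": "indicator-a", "marking": "GREEN"},
    {"id": "indicator-b", "marking": "GREEN"},
    {"id": "indicator-c", "marking": "RED"},
    {"id": "indicator-d", "marking": "GREEN", "description": "how derived",
     "field_markings": {"description": "RED"}},
    {"id": "indicator-e", "marking": "tlp-green"},  # malformed: dropped
]

if __name__ == "__main__":
    for item in reshare(RECEIVED, "GREEN"):
        print(item)
```

The malformed marking on the last sample object is treated as more restrictive than TLP:RED, so an ambiguous marking is never re-shared by accident.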