1.1.1 Who defines it as sensitive?
1.1.2 Ascertain sensitive info from source
1.2 How to protect sensitive info?
1.2.1 Attempt to obtain/produce info without need for NDAs
2.1 Platform (prototype) NEISAS
2.1.1 Share confidential information in a trusted model
2.1.4.1 CSIRTs use this tool
2.1.5 How much does it cost?
2.2.2 User/password not enough
2.2.3.1 Levels of confidentiality
3.1.2 No -- what mechanism for sharing?
3.2.3 Need to clearly define who is internal to DSSA WG?
3.3.1 Agreeing to public output
3.3.3 Sharing without attribution
3.3.4 Mechanism for classification
3.4 Permission must come from source
3.5 Code of conduct for group
4.1 Principles (Mikey's suggestion for topic-header)
4.1.1 Containment by small/constrained team (output/status)
4.1.2 Multiple small teams
4.1.3 Define several levels of disclosure (Chatham House rules)
4.2 Types of confidential material
4.2.1 Data (for analysis)
4.2.2 Internal processes/trade secrets
5.1.1 Sign legal document
5.1.2 Use section in the DSSA charter, non-disclosure agreement, no additional agreement
5.1.3 Specify different levels of confidentiality?
5.1.4 Three levels of confidentiality
5.1.5 Sign agreement from the start or for special occasions? -- Mandatory to sign at the beginning.
6.1.1 Sub-working groups may need to access sensitive or proprietary information in order for the DSSA to do its work
6.1.2 These procedures are an exception to accountability and transparency standards
6.1.3 No formal NDA required for membership in the DSSA
6.2.1 Only required where members of sub-working groups need to access and protect confidential information
6.2.1.1 If needed: sub-WG members sign formal Affirmation of Confidentiality and Non-Disclosure Agreement
6.2.1.2 If needed: project or issue-specific Non-Disclosure Agreement
6.2.1.3 If needed: separate private sub-working group email lists