Official website of the South African National CSIRT

Traffic Light Protocol

Traffic Light Protocol (TLP) Matrix

 The CSHUB-CSIRT follows Traffic Light Protocol(TLP) in the table below,  which is defined by the FIRST.Org as a standard for information classification. This policy cannot by applied for information that is classified as per the Republic of South Africa (RSA) Government of classification  rules.

TLP   Distribution Principle Description Examples
 RED  Not for disclosure, restricted to participants only  Sources may use TLP:RED when information cannot be effectively acted upon by additional parties, and could lead to impacts on a party's privacy, reputation, or operations if misused. Recipients may not share TLP:RED information with any parties outside of the specific exchange, meeting, or conversation in which it was originally disclosed. In the context of a meeting, for example, TLP:RED information is limited to those present at the meeting. In most circumstances, TLP:RED should be exchanged verbally or in person.  Personal identification information, passwords
 AMBER  Limited disclosure, restricted to participants' organisations  Sources may use TLP:AMBER when information requires support to be effectively acted upon, yet carries risks to privacy, reputation, or operations if shared outside of the organisations involved. Recipients may only share TLP:AMBER information with members of their own organisation, and with clients or customers who need to know the information to protect themselves or prevent further harm.  Incident information, asset vulnerabilities, cybersecurity assessment and advisory reports
 GREEN  Limited disclosure, restricted to community  Sources may use TLP:GREEN when information is useful for the awareness of all participating organisations as well as with peers within the broader community or sector. Recipients may share TLP:GREEN information with peers and partner organisations within their sector or community, but not via publicly accessible channels. Information in this category can be circulated widely within a particular community. TLP:GREEN information may not be released outside of the community.  Presentations to constituency and community
 WHITE  Disclosure is not limited  Sources may use TLP:WHITE when information carries minimal or no foreseeable risk of misuse, in accordance with applicable rules and procedures for public release. Subject to standard copyright rules, TLP:WHITE information may be distributed without restriction.  Public articles, e.g. cybersecurity awareness material, generalised and anonymised incident coordination statistics


Incident coordination

Receiving, triaging, and responding to requests and reports, and analysing cyber incidents and events.

Cybersecurity assessment and advisory

Detailed review and analysis of constituent's publicly viewable assets.


Gather and develop security advisories and intrusion alerts to help constituents to protect their systems and networks.

Security-related information dissemination

Provision of a comprehensive and categorised collection of relevant publicly available documentation that aids in improving security.

Cybersecurity awareness building

Increase security awareness for citizens through the dissemination of various artefacts.

Identification of national standards

Identification of appropriate de facto rigorous, semantically correct,clear, and understandable standards.

Promotion of national standards

Promote the use of the de facto national standards, which facilitate threat sharing between the constituents of the Cybersecurity Hub via implementation of threat sharing platforms.

Establishment of Sector-CSIRTs

Promotion of collective capacity via public-private partnerships for the advancement of cybersecurity best practises all via the establishment of sector-CSIRTs.

Skills and training

Development and promotion of a national cybersecurity skills framework approved by relevant national institutions.