THR-01: Threat Intelligence Program
Mechanisms exist to implement a threat intelligence program that includes a cross-organization information-sharing capability that can influence the development of the system and security architectures, selection of security solutions, monitoring, threat hunting, response and recovery activities.
Control Question: Does the organization implement a threat intelligence program that includes a cross-organization information-sharing capability that can influence the development of the system and security architectures, selection of security solutions, monitoring, threat hunting, response and recovery activities?
General (21)
| Framework | Mapping Values |
|---|---|
| AICPA TSC 2017:2022 (used for SOC 2) (source) | CC3.2-POF6 CC3.2-POF7 CC3.3 CC3.3-POF1 CC3.3-POF2 CC3.3-POF3 CC3.3-POF4 CC3.3-POF5 CC3.4-POF6 CC9.1 CC9.2-POF13 |
| COSO 2017 | Principle 8 |
| IMO Maritime Cyber Risk Management | 3.5.4.1 |
| ISO 27002 2022 | 5.7 |
| NAIC Insurance Data Security Model Law (MDL-668) | 4.C(5) 4.D(4) |
| NIST 800-53 R4 | PM-16 |
| NIST 800-53 R5 (source) | PM-15 PM-16 |
| NIST 800-53 R5 (NOC) (source) | PM-15 PM-16 |
| NIST 800-161 R1 | AT-3(8) PM-15 PM-16 |
| NIST 800-161 R1 Level 1 | PM-15 PM-16 |
| NIST 800-161 R1 Level 2 | PM-15 PM-16 |
| NIST 800-171 R2 (source) | 3.12.3 3.14.3 |
| NIST 800-171 R3 (source) | 03.11.02.a 03.14.03.a |
| NIST 800-207 | NIST Tenet 7 |
| NIST CSF 2.0 (source) | DE DE.AE-07 ID.RA-03 ID.RA-08 |
| PCI DSS 4.0.1 (source) | 6.3 |
| SPARTA | CM0009 |
| SCF CORE Mergers, Acquisitions & Divestitures (MA&D) | THR-01 |
| SCF CORE ESP Level 1 Foundational | THR-01 |
| SCF CORE ESP Level 2 Critical Infrastructure | THR-01 |
| SCF CORE ESP Level 3 Advanced Threats | THR-01 |
US (13)
| Framework | Mapping Values |
|---|---|
| US C2M2 2.1 | THREAT-1.I.MIL2 THREAT-1.L.MIL3 THREAT-1.M.MIL3 THREAT-2.A.MIL1 THREAT-2.B.MIL1 THREAT-2.C.MIL1 THREAT-2.E.MIL2 THREAT-2.F.MIL2 THREAT-2.G.MIL2 THREAT-2.H.MIL2 THREAT-2.I.MIL3 THREAT-2.J.MIL3 THREAT-2.K.MIL3 THREAT-3.A.MIL2 RISK-2.J.MIL3 |
| US CERT RMM 1.2 | COMM:SG1.SP1 OTA:SG1.SP2 OTA:SG2.SP1 |
| US CISA CPG 2022 | 1.G 1.H 3.A |
| US CMMC 2.0 Level 2 (source) | CA.L2-3.12.3 SI.L2-3.14.3 |
| US CMMC 2.0 Level 3 (source) | CA.L2-3.12.3 SI.L2-3.14.3 |
| US CMS MARS-E 2.0 | PM-16 |
| US DHS CISA TIC 3.0 | 3.UNI.ETINT |
| US DHS ZTCF | SEC-05 TRF-01 |
| US FFIEC | D1.G.SP.Inn.1 |
| US HIPAA HICP Small Practice | 8.S.B |
| US NISPOM 2020 | 8-103 |
| US - NY DFS 23 NYCRR500 2023 Amd 2 | 500.10(a)(2) 500.10(a)(3) |
| US - TX DIR Control Standards 2.0 | PM-15 PM-16 |
EMEA (10)
| Framework | Mapping Values |
|---|---|
| EMEA EU DORA | 13.1 45.1 45.1(a) 45.1(b) 45.1(c) 45.2 45.3 |
| EMEA Austria | Sec 14 Sec 15 |
| EMEA Belgium | 16 |
| EMEA Germany Banking Supervisory Requirements for IT (BAIT) | 3.10 5.3 |
| EMEA Israel CDMO 1.0 | 23.1 23.4 |
| EMEA Saudi Arabia IoT CGIoT-1 2024 | 2-12-4 |
| EMEA Saudi Arabia ECC-1 2018 | 2-10-4 2-13-1 2-13-2 2-13-3 2-13-4 |
| EMEA Saudi Arabia SAMA CSF 1.0 | 3.3.16 |
| EMEA UK CAF 4.0 | A2.b |
| EMEA UK DEFSTAN 05-138 | 1204 |
APAC (3)
| Framework | Mapping Values |
|---|---|
| APAC Australia Prudential Standard CPS234 | 17 |
| APAC India SEBI CSCRF | EV.ST.S1 |
| APAC Singapore MAS TRM 2021 | 4.2.1 13.5.1 13.5.2 14.3.1 14.3.2 14.3.3 |
Americas (4)
| Framework | Mapping Values |
|---|---|
| Americas Bermuda BMACCC | 6.2 |
| Americas Canada CSAG | 1.3 |
| Americas Canada OSFI B-13 | 3.0 3.1 3.1.1 3.1.6 |
| Americas Canada ITSP-10-171 | 03.11.02.A 03.14.03.A |
Capability Maturity Model
Level 0 — Not Performed
There is no evidence of a capability to implement a threat intelligence program that includes a cross-organization information-sharing capability that can influence the development of the system and security architectures, selection of security solutions, monitoring, threat hunting, response and recovery activities.
Level 1 — Performed Informally
Threat Management (THR) efforts are ad hoc and inconsistent. CMM Level 1 control maturity would reasonably expect all, or at least most, the following criteria to exist:
- Threat management is decentralized.
- IT personnel subscribe to threat feeds to maintain situational awareness of emerging threats.
Level 2 — Planned & Tracked
Threat Management (THR) efforts are requirements-driven and governed at a local/regional level, but are not consistent across the organization. CMM Level 2 control maturity would reasonably expect all, or at least most, the following criteria to exist: o Identify cybersecurity and data protection controls that are appropriate to address applicable statutory, regulatory and contractual requirements for threat management. o Subscribe to threat feeds to maintain situational awareness of emerging threats.
- Threat management is decentralized (e.g., a localized/regionalized function) and uses non-standardized methods to implement secure, resilient and compliant practices.
- The HR department, in conjunction with cybersecurity personnel, helps ensure secure practices are implemented in personnel management operations to help manage threats.
- IT/cybersecurity personnel:
Level 3 — Well Defined
Threat Management (THR) efforts are standardized across the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, the following criteria to exist: o Subscribes to threat feeds to maintain situational awareness of emerging threats. o Develops Indicators of Exposure (IOE) to better understand potential attack vectors that attackers could use to attack the organization. o Implements a Threat Awareness Program (TAP) that includes a cross-organization information-sharing capability. o Implements a “threat hunting” capability to actively identify internal threats.
- The Chief Information Security Officer (CISO), or similar function with technical competence to address cybersecurity concerns, analyzes the organization's business strategy to determine prioritized and authoritative guidance for Thread Management (TM) practices.
- The CISO, or similar function, develops a security-focused Concept of Operations (CONOPS) that documents management, operational and technical measures to apply defense-in-depth techniques across the enterprise for TM.
- A Governance, Risk & Compliance (GRC) function, or similar function, provides governance oversight for the implementation of applicable statutory, regulatory and contractual cybersecurity and data protection controls to protect the confidentiality, integrity, availability and safety of the organization's applications, systems, services and data with regards to TM.
- A steering committee is formally established to provide executive oversight of the cybersecurity and data privacy program, including TM.
- A Security Operations Center (SOC), or similar function:
- An Integrated Security Incident Response Team (ISIRT), or similar function, exists to form an on-demand, integrated team of cybersecurity, IT, data privacy and business function representatives that can execute coordinated incident response operations, including a cross-discipline incident handling capability.
- Cybersecurity personnel enable security awareness training on recognizing and reporting potential indicators of insider threat.
Level 4 — Quantitatively Controlled
Threat Management (THR) efforts are metrics driven and provide sufficient management insight (based on a quantitative understanding of process capabilities) to predict optimal performance, ensure continued operations and identify areas for improvement. In addition to CMM Level 3 criteria, CMM Level 4 control maturity would reasonably expect all, or at least most, the following criteria to exist:
- Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).
- Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).
- Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.
- Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).
- Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.
- Both business and technical stakeholders are involved in reviewing and approving proposed changes.
Level 5 — Continuously Improving
See C|P-CMM4. There are no defined C|P-CMM5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to implement a threat intelligence program that includes a cross-organization information-sharing capability that can influence the development of the system and security architectures, selection of security solutions, monitoring, threat hunting, response and recovery activities.
Assessment Objectives
- THR-01_A01 a threat awareness program that includes a cross-organization information-sharing capability for threat intelligence is implemented.
- THR-01_A02 sources of threat intelligence are defined.
- THR-01_A03 a risk assessment methodology is identified.
- THR-01_A04 sources of threat intelligence are employed as part of a risk assessment to guide and inform the development of organizational systems and security architectures.
- THR-01_A05 sources of threat intelligence are employed as part of a risk assessment to guide and inform the selection of security solutions.
- THR-01_A06 sources of threat intelligence are employed as part of a risk assessment to guide and inform system monitoring activities.
- THR-01_A07 sources of threat intelligence are employed as part of a risk assessment to guide and inform threat hunting activities.
- THR-01_A08 sources of threat intelligence are employed as part of a risk assessment to guide and inform response and recovery activities.
- THR-01_A09 contact is established and institutionalized with selected groups and associations within the cybersecurity / data privacy community to facilitate ongoing security education and training for organizational personnel.
- THR-01_A10 contact is established and institutionalized with selected groups and associations within the cybersecurity / data privacy community to maintain currency with recommended security practices, techniques and technologies.
- THR-01_A11 contact is established and institutionalized with selected groups and associations within the cybersecurity / data privacy community to share current security information, including threats, vulnerabilities and incidents.
- THR-01_A12 threat management operations are conducted according to documented policies, standards, procedures and/or other organizational directives.
- THR-01_A13 adequate resources (e.g., people, processes, technologies, data and/or facilities) are provided to support threat management operations.
- THR-01_A14 responsibility and authority for the performance of threat management-related activities are assigned to designated personnel.
- THR-01_A15 personnel performing threat management-related activities have the skills and knowledge needed to perform their assigned duties.
Evidence Requirements
- E-THR-04 Threat Intelligence Program (TIP)
-
Documented evidence of a formal capability that intakes and analysis threat information to determine specific threat to the organization and necessary actions to mitigate the threat(s).
Threat Management
Technology Recommendations
Medium
- Threat intelligence program
Large
- Threat intelligence program
Enterprise
- Threat intelligence program