THR-02: Indicators of Exposure (IOE)

There is no evidence of a capability to develop Indicators of Exposure (IOE) to understand the potential attack vectors that attackers could use to attack the organization.

C|P-CMM1 is N/A, since a structured process is required to develop Indicators of Exposure (IOE) to understand the potential attack vectors that attackers could use to attack the organization.

Threat Management (THR) efforts are requirements-driven and governed at a local/regional level, but are not consistent across the organization. CMM Level 2 control maturity would reasonably expect all, or at least most, the following criteria to exist: o Identify cybersecurity and data protection controls that are appropriate to address applicable statutory, regulatory and contractual requirements for threat management. o Subscribe to threat feeds to maintain situational awareness of emerging threats.

• Threat management is decentralized (e.g., a localized/regionalized function) and uses non-standardized methods to implement secure, resilient and compliant practices.
• The HR department, in conjunction with cybersecurity personnel, helps ensure secure practices are implemented in personnel management operations to help manage threats.
• IT/cybersecurity personnel:

Threat Management (THR) efforts are standardized across the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, the following criteria to exist: o Subscribes to threat feeds to maintain situational awareness of emerging threats. o Develops Indicators of Exposure (IOE) to better understand potential attack vectors that attackers could use to attack the organization. o Implements a Threat Awareness Program (TAP) that includes a cross-organization information-sharing capability. o Implements a “threat hunting” capability to actively identify internal threats.

• A Security Operations Center (SOC), or similar function:
• An Integrated Security Incident Response Team (ISIRT), or similar function, exists to form an on-demand, integrated team of cybersecurity, IT, data privacy and business function representatives that can execute coordinated incident response operations, including a cross-discipline incident handling capability.
• Cybersecurity personnel enable security awareness training on recognizing and reporting potential indicators of insider threat.

Threat Management (THR) efforts are metrics driven and provide sufficient management insight (based on a quantitative understanding of process capabilities) to predict optimal performance, ensure continued operations and identify areas for improvement. In addition to CMM Level 3 criteria, CMM Level 4 control maturity would reasonably expect all, or at least most, the following criteria to exist:

• Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).
• Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).
• Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.
• Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).
• Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.
• Both business and technical stakeholders are involved in reviewing and approving proposed changes.

Threat Management (THR) efforts are “world-class” capabilities that leverage predictive analysis (e.g., machine learning, AI, etc.). In addition to CMM Level 4 criteria, CMM Level 5 control maturity would reasonably expect all, or at least most, the following criteria to exist:

• Stakeholders make time-sensitive decisions to support operational efficiency, which may include automated remediation actions.
• Based on predictive analysis, process improvements are implemented according to “continuous improvement” practices that affect process changes.