THR-03.1: Threat Intelligence Reporting

There is no evidence of a capability to utilize external threat intelligence feeds to generate and disseminate organization-specific security alerts, advisories and/or directives.

Threat Management (THR) efforts are ad hoc and inconsistent. CMM Level 1 control maturity would reasonably expect all, or at least most, the following criteria to exist:

• Threat management is decentralized.
• IT personnel subscribe to threat feeds to maintain situational awareness of emerging threats.

Threat Management (THR) efforts are requirements-driven and governed at a local/regional level, but are not consistent across the organization. CMM Level 2 control maturity would reasonably expect all, or at least most, the following criteria to exist: o Identify cybersecurity and data protection controls that are appropriate to address applicable statutory, regulatory and contractual requirements for threat management. o Subscribe to threat feeds to maintain situational awareness of emerging threats.

• Threat management is decentralized (e.g., a localized/regionalized function) and uses non-standardized methods to implement secure, resilient and compliant practices.
• The HR department, in conjunction with cybersecurity personnel, helps ensure secure practices are implemented in personnel management operations to help manage threats.
• IT/cybersecurity personnel:

Threat Management (THR) efforts are standardized across the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, the following criteria to exist: o Subscribes to threat feeds to maintain situational awareness of emerging threats. o Develops Indicators of Exposure (IOE) to better understand potential attack vectors that attackers could use to attack the organization. o Implements a Threat Awareness Program (TAP) that includes a cross-organization information-sharing capability. o Implements a “threat hunting” capability to actively identify internal threats.

• A Security Operations Center (SOC), or similar function:
• An Integrated Security Incident Response Team (ISIRT), or similar function, exists to form an on-demand, integrated team of cybersecurity, IT, data privacy and business function representatives that can execute coordinated incident response operations, including a cross-discipline incident handling capability.
• Cybersecurity personnel enable security awareness training on recognizing and reporting potential indicators of insider threat.

Threat Management (THR) efforts are metrics driven and provide sufficient management insight (based on a quantitative understanding of process capabilities) to predict optimal performance, ensure continued operations and identify areas for improvement. In addition to CMM Level 3 criteria, CMM Level 4 control maturity would reasonably expect all, or at least most, the following criteria to exist:

• Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).
• Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).
• Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.
• Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).
• Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.
• Both business and technical stakeholders are involved in reviewing and approving proposed changes.

See C|P-CMM4. There are no defined C|P-CMM5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to utilize external threat intelligence feeds to generate and disseminate organization-specific security alerts, advisories and/or directives.