THR-06.1: Security Disclosure Contact Information

There is no evidence of a capability to enable public submissions of discovered or potential security vulnerabilities.

C|P-CMM1 is N/A, since a structured process is required to enable public submissions of discovered or potential security vulnerabilities.

Threat Management (THR) efforts are requirements-driven and governed at a local/regional level, but are not consistent across the organization. CMM Level 2 control maturity would reasonably expect all, or at least most, the following criteria to exist: o Identify cybersecurity and data protection controls that are appropriate to address applicable statutory, regulatory and contractual requirements for threat management. o Subscribe to threat feeds to maintain situational awareness of emerging threats.

• Threat management is decentralized (e.g., a localized/regionalized function) and uses non-standardized methods to implement secure, resilient and compliant practices.
• The HR department, in conjunction with cybersecurity personnel, helps ensure secure practices are implemented in personnel management operations to help manage threats.
• IT/cybersecurity personnel:
• A Vulnerability Disclosure Program (VDP) is formed to receive and triage unsolicited input from the public about vulnerabilities in organizational systems, services and processes.

Threat Management (THR) efforts are standardized across the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, the following criteria to exist: o Subscribes to threat feeds to maintain situational awareness of emerging threats. o Develops Indicators of Exposure (IOE) to better understand potential attack vectors that attackers could use to attack the organization. o Implements a Threat Awareness Program (TAP) that includes a cross-organization information-sharing capability. o Implements a “threat hunting” capability to actively identify internal threats.

• A Security Operations Center (SOC), or similar function:
• An Integrated Security Incident Response Team (ISIRT), or similar function, exists to form an on-demand, integrated team of cybersecurity, IT, data privacy and business function representatives that can execute coordinated incident response operations, including a cross-discipline incident handling capability.
• Cybersecurity personnel enable security awareness training on recognizing and reporting potential indicators of insider threat.
• A Vulnerability Disclosure Program (VDP) is formed to receive and triage unsolicited input from the public about vulnerabilities in organizational systems, services and processes.

See C|P-CMM3. There are no defined C|P-CMM4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to enable public submissions of discovered or potential security vulnerabilities.

See C|P-CMM4. There are no defined C|P-CMM5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to enable public submissions of discovered or potential security vulnerabilities.