Skip to main content

THR-09: Threat Catalog

THR 5 — Medium Protect

Mechanisms exist to develop and keep current a catalog of applicable internal and external threats to the organization, both natural and manmade.

Control Question: Does the organization develop and keep current a catalog of applicable internal and external threats to the organization, both natural and manmade?

General (10)
Framework Mapping Values
AICPA TSC 2017:2022 (used for SOC 2) (source) A1.2-POF11 CC3.2-POF6 CC9.1
IMO Maritime Cyber Risk Management 3.5.4.1
NAIC Insurance Data Security Model Law (MDL-668) 4.C(2) 4.C(5)
NIST 800-171 R3 (source) 03.15.02.a.03
NIST 800-172 3.11.5e
NIST CSF 2.0 (source) DE ID.RA-03 ID.RA-04 ID.RA-05 PR.IR-02
SCF CORE Mergers, Acquisitions & Divestitures (MA&D) THR-09
SCF CORE ESP Level 1 Foundational THR-09
SCF CORE ESP Level 2 Critical Infrastructure THR-09
SCF CORE ESP Level 3 Advanced Threats THR-09
US (6)
Framework Mapping Values
US CISA CPG 2022 3.A
US CMMC 2.0 Level 3 (source) RA.L3-3.11.5E
US DHS ZTCF TRF-01
US HIPAA Administrative Simplification 2013 (source) 164.306(b)(2)(iv)
US HIPAA Security Rule / NIST SP 800-66 R2 (source) 164.306(b)(2)(iv)
US - NY DFS 23 NYCRR500 2023 Amd 2 500.9(b)(1)
EMEA (4)
Framework Mapping Values
EMEA EU NIS2 Annex 13.2.1
EMEA Germany Banking Supervisory Requirements for IT (BAIT) 3.3 5.3
EMEA Saudi Arabia IoT CGIoT-1 2024 1-4-4
EMEA UK CAF 4.0 A2.b C1.f
Americas (2)
Framework Mapping Values
Americas Canada OSFI B-13 3.0 3.1.6
Americas Canada ITSP-10-171 03.15.02.A.03

Capability Maturity Model

Level 0 — Not Performed

There is no evidence of a capability to develop and keep current a catalog of applicable internal and external threats to the organization, both natural and manmade.

Level 1 — Performed Informally

C|P-CMM1 is N/A, since a structured process is required to develop and keep current a catalog of applicable internal and external threats to the organization, both natural and manmade.

Level 2 — Planned & Tracked

Threat Management (THR) efforts are requirements-driven and governed at a local/regional level, but are not consistent across the organization. CMM Level 2 control maturity would reasonably expect all, or at least most, the following criteria to exist: o Identify cybersecurity and data protection controls that are appropriate to address applicable statutory, regulatory and contractual requirements for threat management. o Subscribe to threat feeds to maintain situational awareness of emerging threats.

  • Threat management is decentralized (e.g., a localized/regionalized function) and uses non-standardized methods to implement secure, resilient and compliant practices.
  • The HR department, in conjunction with cybersecurity personnel, helps ensure secure practices are implemented in personnel management operations to help manage threats.
  • IT/cybersecurity personnel:
Level 3 — Well Defined

Threat Management (THR) efforts are standardized across the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, the following criteria to exist: o Subscribes to threat feeds to maintain situational awareness of emerging threats. o Develops Indicators of Exposure (IOE) to better understand potential attack vectors that attackers could use to attack the organization. o Implements a Threat Awareness Program (TAP) that includes a cross-organization information-sharing capability. o Implements a “threat hunting” capability to actively identify internal threats.

  • A Security Operations Center (SOC), or similar function:
  • An Integrated Security Incident Response Team (ISIRT), or similar function, exists to form an on-demand, integrated team of cybersecurity, IT, data privacy and business function representatives that can execute coordinated incident response operations, including a cross-discipline incident handling capability.
  • Cybersecurity personnel enable security awareness training on recognizing and reporting potential indicators of insider threat.
Level 4 — Quantitatively Controlled

See C|P-CMM3. There are no defined C|P-CMM4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to develop and keep current a catalog of applicable internal and external threats to the organization, both natural and manmade.

Level 5 — Continuously Improving

See C|P-CMM4. There are no defined C|P-CMM5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to develop and keep current a catalog of applicable internal and external threats to the organization, both natural and manmade.

Assessment Objectives

  1. THR-09_A01 the organization maintains a threat catalog that documents applicable internal and external threats that are specific to the organization.
  2. THR-09_A02 the threat catalog documents both natural and manmade threats.
  3. THR-09_A03 on at least an annual basis, a threat assessment is performed to identify and assess applicable internal and external threats.
  4. THR-09_A04 the threat catalog is updated, based on a current threat assessment.

Evidence Requirements

E-THR-06 Threat Catalog

Documented evidence of a threat catalog.

Threat Management

Technology Recommendations

Micro/Small

  • Documented threat catalog

Small

  • Documented threat catalog

Medium

  • Documented threat catalog

Large

  • Documented threat catalog

Enterprise

  • Documented threat catalog

The Secure Controls Framework (SCF) is maintained by SCF Council. Use of SCF content is subject to the SCF Terms & Conditions.

Manage this control in SCF Connect

Track implementation status, collect evidence, and map controls to your compliance frameworks automatically.

Get Started Free