THR-10: Threat Analysis
Mechanisms exist to identify, assess, prioritize and document the potential impact(s) and likelihood(s) of applicable internal and external threats.
Control Question: Does the organization identify, assess, prioritize and document the potential impact(s) and likelihood(s) of applicable internal and external threats?
General (11)
| Framework | Mapping Values |
|---|---|
| AICPA TSC 2017:2022 (used for SOC 2) (source) | A1.2-POF11 CC3.2-POF6 CC3.2-POF9 CC3.4-POF6 |
| IEC TR 60601-4-5 2021 | 4.6.2 |
| IMO Maritime Cyber Risk Management | 3.5.2.3 |
| ISO/SAE 21434 2021 | PM-06-08 RQ-09-03.a RQ-09-03.b RQ-09-03.c RQ-09-03.d RQ-09-03.e RQ-09-03.f RQ-09-04 RQ-15-01 RQ-15-02 RQ-15-03 RQ-15-04 RQ-15-05 RQ-15-06 RQ-15-07 RQ-15-08 RQ-15-09 RQ-15-10 RQ-15-11.a RQ-15-11.b RQ-15-11.c RQ-15-12.a RQ-15-12.b RQ-15-12.c RQ-15-12.d RQ-15-12.e RQ-15-13.a RQ-15-13.b RQ-15-13.c RQ-15-13.d RQ-15-14 RQ-15-15 RQ-15-16 |
| NAIC Insurance Data Security Model Law (MDL-668) | 4.C(2) 4.C(3) 4.C(5) |
| NIST 800-171 R3 (source) | 03.14.03.b |
| NIST CSF 2.0 (source) | DE DE.AE-07 ID.RA-04 ID.RA-05 |
| SCF CORE Mergers, Acquisitions & Divestitures (MA&D) | THR-10 |
| SCF CORE ESP Level 1 Foundational | THR-10 |
| SCF CORE ESP Level 2 Critical Infrastructure | THR-10 |
| SCF CORE ESP Level 3 Advanced Threats | THR-10 |
US (5)
| Framework | Mapping Values |
|---|---|
| US DHS ZTCF | SEC-05 TRF-01 |
| US HIPAA Administrative Simplification 2013 (source) | 164.306(b)(2)(iv) |
| US HIPAA Security Rule / NIST SP 800-66 R2 (source) | 164.306(b)(2)(iv) |
| US SEC Cybersecurity Rule | 17 CFR 229.106(a) |
| US - NY DFS 23 NYCRR500 2023 Amd 2 | 500.9(b)(1) |
EMEA (2)
| Framework | Mapping Values |
|---|---|
| EMEA Germany Banking Supervisory Requirements for IT (BAIT) | 3.10 5.3 |
| EMEA Saudi Arabia IoT CGIoT-1 2024 | 1-4-4 |
APAC (1)
| Framework | Mapping Values |
|---|---|
| APAC India SEBI CSCRF | ID.RA.S4 |
Americas (2)
| Framework | Mapping Values |
|---|---|
| Americas Canada OSFI B-13 | 3.1 3.1.1 3.1.2 3.1.6 |
| Americas Canada ITSP-10-171 | 03.14.03.B |
Capability Maturity Model
Level 0 — Not Performed
There is no evidence of a capability to embed false data or steganographic data in files to identify, assess, prioritize and document the potential impact(s) and likelihood(s) of applicable internal and external threats.
Level 1 — Performed Informally
C|P-CMM1 is N/A, since a structured process is required to identify, assess, prioritize and document the potential impact(s) and likelihood(s) of applicable internal and external threats.
Level 2 — Planned & Tracked
Threat Management (THR) efforts are requirements-driven and governed at a local/regional level, but are not consistent across the organization. CMM Level 2 control maturity would reasonably expect all, or at least most, the following criteria to exist: o Identify cybersecurity and data protection controls that are appropriate to address applicable statutory, regulatory and contractual requirements for threat management. o Subscribe to threat feeds to maintain situational awareness of emerging threats.
- Threat management is decentralized (e.g., a localized/regionalized function) and uses non-standardized methods to implement secure, resilient and compliant practices.
- The HR department, in conjunction with cybersecurity personnel, helps ensure secure practices are implemented in personnel management operations to help manage threats.
- IT/cybersecurity personnel:
Level 3 — Well Defined
Threat Management (THR) efforts are standardized across the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, the following criteria to exist: o Subscribes to threat feeds to maintain situational awareness of emerging threats. o Develops Indicators of Exposure (IOE) to better understand potential attack vectors that attackers could use to attack the organization. o Implements a Threat Awareness Program (TAP) that includes a cross-organization information-sharing capability. o Implements a “threat hunting” capability to actively identify internal threats.
- A Security Operations Center (SOC), or similar function:
- An Integrated Security Incident Response Team (ISIRT), or similar function, exists to form an on-demand, integrated team of cybersecurity, IT, data privacy and business function representatives that can execute coordinated incident response operations, including a cross-discipline incident handling capability.
- Cybersecurity personnel enable security awareness training on recognizing and reporting potential indicators of insider threat.
Level 4 — Quantitatively Controlled
See C|P-CMM3. There are no defined C|P-CMM4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to identify, assess, prioritize and document the potential impact(s) and likelihood(s) of applicable internal and external threats.
Level 5 — Continuously Improving
See C|P-CMM4. There are no defined C|P-CMM5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to identify, assess, prioritize and document the potential impact(s) and likelihood(s) of applicable internal and external threats.
Assessment Objectives
- THR-10_A01 on at least an annual basis, a threat assessment is performed to identify and assess applicable internal and external threats.
- THR-10_A02 a threat catalog captures applicable internal and external threats from the threat assessment.
- THR-10_A03 each item in the threat catalog is prioritized, based on the potential threat to the organization.
Evidence Requirements
- E-THR-07 Threat Analysis
-
Documented evidence of a completed threat analysis.
Threat Management
Technology Recommendations
Micro/Small
- Documented threat analysis
Small
- Documented threat analysis
Medium
- Documented threat analysis
Large
- Documented threat analysis
Enterprise
- Documented threat analysis