IVI Framework Viewer

Security Threat Profiling

C1

Gather intelligence on IT security threats and vulnerabilities to better understand the IT security threat landscape within which the organization operates – including, for example, the actors, scenarios, and campaigns that might pose a threat.

Improvement Planning

Practices-Outcomes-Metrics (POM)

Representative POMs are described for Security Threat Profiling at each level of maturity.

1 Initial
  • Practice
    Rely on the best endeavours of staff.
    Outcome
    Threat profiling happens on an ad hoc basis: with no documented processes or procedures, staff respond differently according to their differing levels of experience and training.
    Metric
    # Customer complaints or accolades about the consistency of the response.
2 Basic
  • Practice
    Conduct some basic intelligence gathering and create basic threat profiles.
    Outcome
    Basic threat profiles are used in one or two high-risk assessment activities, but there is no consistent methodology in place.
    Metric
    # Threat areas covered by the threat profile
3 Intermediate
  • Practice
    Establish a consistent intelligence gathering and threat profile process that identifies threat levels and new and emerging threat types in the IT function and some business areas.
    Outcome
    Standardized threat profiles covering several areas (e.g. key emerging threats) are in place and can be used in assessment and mitigation activities. Awareness of new and key threats is greater, and information on them is more available and consistent.
    Metric
    # Threat areas covered by the threat profile
    # Threat agents identified
4 Advanced
  • Practice
    Establish and maintain a consistent, organization-wide intelligence gathering and threat profile process. Ensure benchmark data from industry sources are incorporated into threat profiles.
    Outcome
    An organization-wide, consistent threat profile process ensures awareness of key threats among all key stakeholders. Benchmarking allows threats to be evaluated in an industry context, with meaningful relative placement along the threat profile's dimensions, and provides validity and quality assurance for the profiles.
    Metric
    # Threat areas covered by the threat profile
    % Projects and operational systems in the various threat categories
    % Threat profile benchmarking exercises actually performed relative to those required (as set out in the policy/handbook)
5 Optimized
  • Practice
    Ensure intelligence is gathered and threat profiles are defined in collaboration with the business ecosystem, and review/update them as required.
    Outcome
    Threat profiles are kept up-to-date and relevant through collaborative input and review processes.
    Metric
    Frequency of threat profile updates