Security Threat Profiling
Gather intelligence on IT security threats and vulnerabilities to better understand the IT security threat landscape within which the organization operates – including, for example, the actors, scenarios, and campaigns that might pose a threat.
Improvement Planning
Practices-Outcomes-Metrics (POM)
Representative POMs are described for Security Threat Profiling at each level of maturity.
- 1 Initial
- Practice
- Rely on the best endeavours of staff.
- Outcome
- The organization may behave on an ad hoc basis: with no documented processes or procedures, staff may respond differently depending on their levels of experience and training backgrounds.
- Metric
- # Customer in/consistency complaints/accolades.
- 2 Basic
- Practice
- Conduct some basic intelligence gathering and create basic threat profiles.
- Outcome
- Basic threat profiles are used in one or two high-risk assessment activities, but there is no consistent methodology in place.
- Metric
- # Threat areas covered by the threat profile
- 3 Intermediate
- Practice
- Establish a consistent intelligence gathering and threat profile process that identifies threat levels and new and emergent threat types in the IT function and some business areas.
- Outcome
- Standardized threat profiles covering several areas (e.g. key emerging threats) are in place and can be used in assessment and mitigation activities. There is greater awareness of new and key threats and the availability and consistency of information on them.
- Metric
- # Threat areas covered by the threat profile
- # Threat agents identified
- 4 Advanced
- Practice
- Establish and maintain a consistent and organization-wide intelligence gathering and threat profile process. Ensure benchmark data from industry sources are incorporated into threat profiles.
- Outcome
- An organization-wide consistent threat profile process ensures awareness of key threats among all key stakeholders. Benchmarking allows evaluation of threats in an industry context with meaningful, relative placement of threats along the threat profile's dimensions. It ensures validity and quality assurance.
- Metric
- # Threat areas covered by the threat profile
- % Projects and operational systems in the various threat categories
- % Ratio of actual threat profile benchmarking exercises to required benchmarks (set out in the policy/handbook)
- 5 Optimized
- Practice
- Ensure intelligence is gathered and threat profiles are defined in collaboration with the business ecosystem and review/update them as required.
- Outcome
- Threat profiles are kept up-to-date and relevant through collaborative input and review processes.
- Metric
- Frequency of threat profile updates