1.0 Purpose
The purpose of this policy is to set the requirements for establishing and operating the XXX threat intelligence program. A threat intelligence program supports continuous improvement of overall network security, enables in-depth collection, analysis, and communication of indicators of compromise (IOCs), and provides visibility into our immediate threat landscape so that warning signs are identified before they become full-blown incidents.
2.0 Scope
This Threat Intelligence Policy applies to all business processes and data, information systems and components, personnel, and physical areas of XXX.
3.0 Policy
The Threat Intelligence Program will adhere to the steps of Planning, Collection, Analysis, Communication, and Collaboration & Feedback.
3.1. Planning
- The Threat Intelligence Program will be established and governed with defined roles and responsibilities.
- The Threat Intelligence Team will hold the following responsibilities:
  - Malware analysis
  - Reverse-engineering
  - Forensics and eDiscovery
  - Management of threat intelligence
  - Intelligence gathering, analysis, and distribution of threat information
  - Threat assessment
  - Collaboration with all information security teams within the organization
- A threat collaboration environment will be established to safeguard the different aspects of the organization and to fill the intelligence gaps of each participating role.
- The threat collaboration environment will be composed of teams including Threat Intelligence, Vulnerability Management, Incident Management, and Security.
- An analytical methodology will be selected and adhered to, enabling the organization to proactively mitigate advanced threats.
3.2. Collection
a. A threat intelligence strategy will be established, maintained, and reviewed at least annually.
b. Internal and external sources will be used for intelligence gathering. Sources must be relevant, timely, and reliable. Feeds will be reviewed daily so that the intelligence in use is current and relevant.
c. Industry-recommended standards for formatting and exchanging threat data will be used during collection. The fewest standards that provide the needed functionality will be used, drawing on STIX and OpenIOC for representing indicators and TAXII for transporting STIX content.
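As an added example for item (c), not code from the original template or from any vendor product, the following Python builds STIX 2.1 Indicator objects from plain indicators (IPv4 address, domain, URL, SHA-256 hash) and reads them back out of a bundle, which is what a collection pipeline does when normalizing several feeds into one exchange format. It uses only the standard library and assembles the STIX JSON by hand rather than via the `stix2` package; the sample IOCs (TEST-NET address, reserved example domain) and the fixed timestamp are constructed for the demo.

```python
"""Build STIX 2.1 Indicator objects from plain IOCs and read them back.

Added illustration for section 3.2(c); not part of the original policy
template. Uses only the standard library and hand-assembles the STIX 2.1
JSON instead of depending on the `stix2` package. The sample IOCs below
are constructed (TEST-NET address and a reserved example domain).
"""
import json
import re
import uuid
from datetime import datetime, timezone

# Simple IOC type -> STIX 2.1 pattern template (one comparison each).
PATTERN_TEMPLATES = {
    "ipv4": "[ipv4-addr:value = '{v}']",
    "domain": "[domain-name:value = '{v}']",
    "url": "[url:value = '{v}']",
    "sha256": "[file:hashes.'SHA-256' = '{v}']",
}

# Reverse map used when extracting IOCs from received indicators.
PATH_TO_TYPE = {
    "ipv4-addr:value": "ipv4",
    "domain-name:value": "domain",
    "url:value": "url",
    "file:hashes.'SHA-256'": "sha256",
}

# Only single-comparison patterns of the form [path = 'value'] are parsed.
_SIMPLE_PATTERN = re.compile(
    r"^\[(?P<path>[a-z0-9-]+:[A-Za-z0-9_.'-]+) = '(?P<value>[^']*)'\]$"
)

# Fixed timestamp so the demo output is reproducible (constructed value).
FIXED_TIME = datetime(2024, 1, 2, 3, 4, 5, 678000, tzinfo=timezone.utc)

# Constructed sample IOCs: (type, value, human-readable name).
SAMPLE_IOCS = [
    ("ipv4", "203.0.113.10", "Constructed C2 address"),
    ("domain", "c2.example.net", "Constructed C2 domain"),
    ("sha256", "a" * 64, "Constructed dropper hash"),
]


def stix_timestamp(ts: datetime) -> str:
    """Format a datetime as STIX 2.1 requires: RFC 3339, UTC, millisecond 'Z'."""
    ts = ts.astimezone(timezone.utc)
    return ts.strftime("%Y-%m-%dT%H:%M:%S.") + f"{ts.microsecond // 1000:03d}Z"


def make_indicator(ioc_type: str, value: str, name: str, created: datetime = None) -> dict:
    """Return a STIX 2.1 Indicator SDO carrying a single-comparison pattern."""
    if ioc_type not in PATTERN_TEMPLATES:
        raise ValueError(f"unsupported IOC type: {ioc_type}")
    # Quotes and backslashes would need escaping inside a STIX string literal;
    # refuse them here rather than emit a pattern that fails validation.
    if "'" in value or "\\" in value:
        raise ValueError("IOC value contains characters not handled by this builder")
    ts = stix_timestamp(created or datetime.now(timezone.utc))
    return {
        "type": "indicator",
        "spec_version": "2.1",
        "id": f"indicator--{uuid.uuid4()}",   # STIX ids are always type--UUID
        "created": ts,
        "modified": ts,
        "name": name,
        "indicator_types": ["malicious-activity"],
        "pattern": PATTERN_TEMPLATES[ioc_type].format(v=value),
        "pattern_type": "stix",
        "valid_from": ts,
    }


def make_bundle(objects) -> dict:
    """Wrap STIX objects in a STIX 2.1 Bundle for exchange (e.g. over TAXII)."""
    return {"type": "bundle", "id": f"bundle--{uuid.uuid4()}", "objects": list(objects)}


def extract_iocs(bundle: dict) -> list:
    """Return (type, value) pairs from indicators whose pattern is a single
    comparison this script understands; anything more complex (AND/OR,
    FOLLOWEDBY, unknown object paths) is skipped rather than guessed at."""
    found = []
    for obj in bundle.get("objects", []):
        if obj.get("type") != "indicator" or obj.get("pattern_type") != "stix":
            continue
        m = _SIMPLE_PATTERN.match(obj.get("pattern", ""))
        if m and m.group("path") in PATH_TO_TYPE:
            found.append((PATH_TO_TYPE[m.group("path")], m.group("value")))
    return found


def demo_bundle() -> dict:
    """Bundle the constructed sample IOCs with the fixed timestamp."""
    return make_bundle(make_indicator(t, v, n, created=FIXED_TIME) for t, v, n in SAMPLE_IOCS)


if __name__ == "__main__":
    bundle = demo_bundle()
    print(json.dumps(bundle, indent=2))
    print(extract_iocs(bundle))
```

The extractor deliberately ignores compound patterns instead of approximating them: when consuming third-party feeds, a silently mis-parsed pattern produces a wrong IOC, which is worse than a skipped one that is logged for an analyst. Two STIX conventions worth checking in any feed you accept are shown in the builder: every identifier is `type--UUID`, and every timestamp is RFC 3339 in UTC with millisecond precision.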
3.3. Intelligence Analysis
a. A formalized analysis process must be established, trained on, and kept up to date.
b. A Threat Escalation Protocol (TEP) will be established to define escalation procedures for critical intelligence.
c. The Diamond Model of intrusion analysis (adversary, infrastructure, capability, victim) will be used for carrying out threat analysis based on hypothesis generation and testing.
d. Threat analysis software may be used, subject to organizational vendor risk assessments and procurement procedures.
e. A threat intelligence portal or central knowledge base will be established and used.
f. Runbooks will be established, distributed, and followed for handling specific security incidents.
3.4. Collaboration & Feedback
a. Alerts, briefings, and reports will be generated and distributed to relevant stakeholders regularly [indicate frequency, e.g.: daily alerts, weekly briefings, monthly reports].
b. An intelligence feedback loop will be established so that consumers report back on the accuracy and usefulness of the intelligence they receive, keeping it accurate and consistent.
Threat Intelligence Project Charter
Business Driver | Concerns/Motivations |
Increased security | Limited visibility into the threat landscape means additional solutions need to be put in place. Meet the operating needs of the organization in a secure manner: safeguard data at rest, in transit, and in use across on-premises and hosted systems; safeguard the confidentiality, integrity, and availability of the network, systems, and applications to the levels required by the business. There are no cookie-cutter solutions to threat intelligence; threat intelligence platforms also offer other security features that complement the wider security toolset. |
In response to an incident | The organization suffered an incident in which the network was breached. To strengthen its network security, a threat intelligence program is a necessary initiative to address gaps in defenses and to move from a reactive response model to a predictive model that identifies risks before they have impact and threats before they become attacks. |
Replacement | Our previous threat intelligence program was not sufficient against today's attacks and needs to be reevaluated. |
Risk management concerns | Our current threat intelligence program does not provide formalized data collection, analysis, or collaboration processes, all of which are critical to maintaining a risk-management-focused environment. |
Roles and Responsibilities
Individuals needed and responsible for threat intelligence may include the following:
- Chief Information Security Officer
- Senior management
- Security team staff
- Help desk
- Information owner
- Information systems staff
- Building and/or facilities management staff
Other individuals that may be needed include representation from:
- Public Affairs
- Legal/Compliance department
- Internal Audit/Risk Management
- Other workforce members involved in the incident or needed to fix/resolve it
- Contractors (as necessary)
Many of these roles will work together to form the threat collaboration environment. Organizations must approach threat intelligence with a holistic mindset: it operates as one component of the larger threat collaboration environment and must be designed to complement existing security operations.
Project Team
Role | Name | Contact Information | Involvement (Full-time/Core, Part-time, or involved at a single stage) |
Project Sponsor | | | |
Project Manager | |||
Information Sharing/Liaison Analyst | |||
Security Operations Team | |||
Incident Response Team | |||
Vulnerability Management Team | |||
Stakeholder/Vendor Management Analyst | |||
Subject Matter Experts | | | |
Financial Obligations for a Threat Intelligence Implementation
Total Budget | $ |
Hardware | |
Software Licensing | |
Third-Party Software | |
Application Licensing | |
Documentation and Training | |
Annual Maintenance Costs | |
Other | |
Project Costs
Expense | Approved Budget | Actual Cost |
Staffing | ||
RFP Submission Costs | ||
Consulting Costs | | |
4.0 Policy Compliance
4.1 Compliance Measurement
The IT team will verify compliance with this policy through various methods, including but not limited to business tool reports, internal and external audits, and feedback to the policy owner.
4.2 Exceptions
Any exception to the policy must be approved by the Infosec team in advance.
4.3 Non-Compliance
An employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.