Example of Threat Intelligence Policy

1.0 Purpose

The purpose of this policy is to set the requirements for the proper establishment and operation of the XXX threat intelligence program. The program will support continuous improvement of overall network security, offer the opportunity for in-depth collection, analysis, and communication of indicators of compromise (IOCs), and provide visibility into our immediate threat landscape so that red flags are identified before they turn into full-blown incidents.

2.0 Scope

This Threat Intelligence Policy applies to all business processes and data, information systems and components, personnel, and physical areas of XXX.

3.0 Policy

The Threat Intelligence Program will adhere to the steps of Planning, Collection, Analysis, Communication, and Collaboration & Feedback.

3.1. Planning

  1. The Threat Intelligence Program will be established and governed with roles and responsibilities.
  2. The Threat Intelligence Team will combine the following responsibilities:
    • Malware analysis
    • Reverse-engineering
    • Forensics and eDiscovery
    • Management of threat intelligence
    • Intelligence gathering, analysis, and distribution of threat information
    • Threat assessment
    • Collaboration with all information security teams within the organization
  3. A threat collaboration environment will be established to safeguard different aspects of the organization while filling the intelligence gaps of other roles.
  4. The threat collaboration environment will be composed of teams including Threat Intelligence, Vulnerability Management, Incident Management, and Security.
  5. An analytical methodology will be decided upon and adhered to, enabling the organization to proactively mitigate advanced threats.

3.2. Collection

a. A threat intelligence strategy will be established and maintained on a regular basis, at least annually.
b. Internal and external sources will be used for intelligence gathering. Sources must be relevant, timely, and reliable. These feeds will be reviewed daily so that the intelligence gathered is current and relevant.
c. Industry-recommended standards for formatting and exchanging threat data will be used during collection. The fewest standards capable of providing the functionality needed will be used, drawn from STIX, TAXII, and OpenIOC.

3.3. Intelligence Analysis

a. A formalized analysis process must be established, trained on, and kept up to date.
b. A Threat Escalation Protocol (TEP) will be established for critical intelligence escalation procedures.
c. The Diamond Model will be used for carrying out threat analysis based on hypothesis generation and testing.
d. Threat analysis software may be used, subject to organizational vendor risk assessments and procurement procedures.
e. A threat intel portal or central knowledge base will be established and utilized.
f. Runbooks will be established, distributed, and followed to handle specific security incidents.

3.4. Collaboration & Feedback

a. Alerts, briefings, and reports will be generated and distributed to relevant stakeholders regularly [indicate frequency, e.g.: daily alerts, weekly briefings, monthly reports].
b. An intelligence feedback loop will be established to ensure accurate and consistent threat intelligence.

Threat Intelligence Project Charter

Identify the business drivers behind your threat intelligence project. Typical drivers and the concerns or motivations that accompany them:

Business Driver: Increased security
Concerns/Motivations: Limited visibility into the threat landscape means more solutions need to be put in place. The program must meet the operating needs of the organization in a secure manner:
  • Safeguard data at rest, in transit, and in use across on-premise and hosted systems.
  • Safeguard the confidentiality, integrity, and availability of the network, systems, and applications to the levels required by the business.
There are no cookie-cutter solutions to threat intelligence; threat intelligence solutions offer other helpful security features that together provide an all-cylinders-firing security tool.

Business Driver: In response to an incident
Concerns/Motivations: The organization suffered an incident in which the network was breached. To strengthen its network security, a threat intelligence program is a necessary initiative to address gaps in defenses and to move from a reactive response model to a predictive model that identifies risks before potential impact and threats before potential attack.

Business Driver: Replacement
Concerns/Motivations: Our previous threat intelligence program was not sufficient to prevent today's attacks and needs to be reevaluated.

Business Driver: Risk management concerns
Concerns/Motivations: Our current threat intelligence program does not provide a formalized data collection, analysis, or collaboration process, all of which are critical components of maintaining a risk management-focused environment.

Roles and Responsibilities

Individuals needed and responsible for threat intelligence may include the following:

  • Chief Information Security Officer
  • Senior management
  • Security team staff
  • Help desk
  • Information owner
  • Information systems staff
  • Building and/or facilities management staff

Other individuals that may be needed include representation from:

  • Public Affairs
  • Legal/Compliance department
  • Internal Audit/Risk Management
  • Other workforce members involved in the incident or needed to fix/resolve it
  • Contractors (as necessary)

Many of these roles will work together to form the threat collaboration environment. Organizations must approach threat intelligence with a holistic mindset: threat intelligence operates as one component of the larger threat collaboration environment and must be designed to complement existing security operations.

Project Team

Role | Name | Contact Information | Involvement
Project Sponsor | | |
Project Manager | | |
Information Sharing/Liaison Analyst | | |
Security Operations Team | | |
Incident Response Team | | |
Vulnerability Management Team | | |
Stakeholder/Vendor Management Analyst | | |
Subject Matter Experts | | |

Involvement options: Full-time (Core), Part-time, Involved at a single stage.

Financial Obligations for a Threat Intelligence Implementation

Total Budget: $

Breakdown of Costs:
  • Software Licensing
  • Third-Party Software
  • Application Licensing
  • Documentation and Training
  • Annual Maintenance Costs

Project Costs

Expense | Approved Budget | Actual Cost
RFP Submission Costs | |
Consulting Costs | |

4.0 Policy Compliance

4.1 Compliance Measurement

The IT team will verify compliance with this policy through various methods, including but not limited to business tool reports, internal and external audits, and feedback to the policy owner.

4.2 Exceptions

Any exception to the policy must be approved by the Infosec team in advance.

4.3 Non-Compliance

An employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.
