Sample Threat Assessment Standard:
Sample Threat Assessment Standard
The <Your Company Name> (the "Company) Sample Threat Assessment and Monitoring Policy defines objectives for establishing specific standards on the assessment and ongoing monitoring of threats to Company information assets.
This Threat Assessment Standard builds on the objectives established in the Sample Threat Assessment and Monitoring Policy, and provides specific instructions and requirements for assessing and prioritizing threats.
I. Scope
All employees, contractors, part-time and temporary workers, and those employed by others to perform work on Company premises, or who have been granted access to and use of Company Information Assets, are covered by this standard and must comply with associated guidelines and procedures.
Information assets are defined in the Sample Asset Identification and Classification Policy.
Threats are the intentional or accidental actions, activities or events that can adversely impact Company information assets, as well as the sources, such as the individuals, groups, or organizations, of these events and activities.
Vulnerabilities refer the weaknesses in information system and procedures including technical, organizational, procedural, administrative, or physical weaknesses.
II. Requirements
- A. Assessment
- 1. Threat assessments of the systems, networks, and applications that store, process, or transmit Company information assets should be conducted on a routine basis according to the confidentiality classification:
Confidentiality Classification Review Interval (at a minimum) Public Annually Internal Use Only Annually Confidential Semi-annually Restricted Quarterly
- 2. Threat assessments should cover the following areas:
- 2.1. The threat sources and mechanisms should be identified:
- 2.1. The threat sources and mechanisms should be identified:
- Threat sources including but not limited to trusted insider (employee), trusted outsider (partners, contractors), distrusted insider (disgruntled employee or contractor), or distrusted outsider, as well as environmental sources such as floods, fires, earthquakes, etc.
- Threat sources including but not limited to trusted insider (employee), trusted outsider (partners, contractors), distrusted insider (disgruntled employee or contractor), or distrusted outsider, as well as environmental sources such as floods, fires, earthquakes, etc.
- Threat mechanisms including but not limited to social engineering, virus, denial of service, etc.
- Threat mechanisms including but not limited to social engineering, virus, denial of service, etc.
- 2.2. Threat motives should be determined:
- 2.2. Threat motives should be determined:
- Intentional (Malicious).
- Accidental (Non-malicious).
- Natural (Act of God).
- Intentional (Malicious).
- 2.3. The threat activity or action should be determined:
- 2.3. The threat activity or action should be determined:
- Disclosure (Confidential).
- Corruption (Integrity).
- Destruction, Removal, or Interruption (Availability).
- Disclosure (Confidential).
- 2.4. The information assets that are targeted or affected by the threats should be identified.
- 2.4. The information assets that are targeted or affected by the threats should be identified.
- 2.5. Findings from vulnerability assessment activities should be analyzed to identify the vulnerabilities that could be exploited by the assessed threats.
- 2.5. Findings from vulnerability assessment activities should be analyzed to identify the vulnerabilities that could be exploited by the assessed threats.
- 2.6. Existing or planned controls that deter threats should be identified.
- 2.6. Existing or planned controls that deter threats should be identified.
- 2.7. The threat type should be identified as one of the following:
- 2.7. The threat type should be identified as one of the following:
- Limited exposure (non-active).
- Multiple exposures (unknown state).
- Multiple exposures (active).
- Limited exposure (non-active).
- 2.8. The threat visibility should be identified as one of the following:
- 2.8. The threat visibility should be identified as one of the following:
- Low profile (no publicity).
- Moderate profile (local publicity).
- High profile (national publicity).
- Low profile (no publicity).
- 2.9. The cost impact of threats should be identified as one of the following:
- 2.9. The cost impact of threats should be identified as one of the following:
- No cost impact (within planned budge or risk transferred).
- Cost impact greater than $250,000 (budget overrun or opportunity costs).
- Cost impact greater than $1 million (direct revenue or public safety).
- No cost impact (within planned budge or risk transferred).
- 2.10. The sensitivity to the threat should be identified as one of the following:
- 2.10. The sensitivity to the threat should be identified as one of the following:
- Generally accepted as cost of doing business
- Business unit level
- Corporate level
- Generally accepted as cost of doing business
- 3. The findings from threat assessment activities should be integrated, as appropriate, into the Security Awareness Program.
- B. Prioritization
- 1. The Threat Priority Ratings include High (Priority 1), Medium (Priority 2), and Low (Priority 3) and must be determined by combining the factors of threat type, threat visibility, cost impact, and sensitivity.
- 2. The Threat Assessment Rating Procedure must be used to determine and assign the proper Threat Priority Rating to identified and assessed threats.
III. Responsibilities
The Chief Information Security Officer (CISO) approves the Threat Assessment Standard. The CISO also is responsible for ensuring the development, implementation, and maintenance of the Threat Assessment Standard.
Company management is responsible for ensuring that the Threat Assessment Standard is properly communicated and understood within its respective organizational units. Company management also is responsible for planning threat assessment activities.
Asset Owners (Owners) are the managers of organizational units that have primary responsibility for information assets associated with their functional authority. When Owners are not clearly implied by organizational design, the CIO will make the designation. The Owner is responsible for defining process and procedures that are consistent with the Threat Assessment Standard and associated guidelines; ensuring threat assessments are performed; participating in the planning and closing phases of threat assessments; and participating in planning efforts to deter assessed threats.
Asset Custodians (Custodians) are the managers, administrators and those designated by the Owner to manage, process or store information assets. Custodians are responsible for providing a secure processing environment that protects the confidentiality, integrity, and availability of information assets; participating in threat assessments; assisting with prioritizing assessed threats; cooperating and supporting Company efforts to deter assessed threats; and notifying appropriate Company personnel of identified and assessed threat on information systems for which they are responsible.
IV. Enforcement and Exception Handling
Failure to comply with the Threat Assessment Standard and associated guidelines and procedures can result in disciplinary actions up to and including termination of employment for employees or termination of contracts for contractors, partners, consultants, and other entities. Legal actions also may be taken for violations of applicable regulations and laws.
Requests for exceptions to the Threat Assessment Standard should be submitted to <Insert Title> in accordance with the Information Security Standards Exception Procedure. Prior to official management approval of any exception request, the individuals, groups, or organizations identified in the scope of this standard will continue to observe the Threat Assessment Standard.
V. Review and Revision
The Threat Assessment Standard will be reviewed and revised in accordance with the Sample Threat Assessment and Monitoring Policy.
Approved: _______________________________________________________
- Signature
- Signature
- <Insert Name>
- <Insert Name>
- Chief Information Security Officer
- Chief Information Security Officer