3.3.16 Threat Management
No: 381000091275 | Date(g): 24/5/2017 | Date(h): 28/8/1438 | Status: In-Force
Principle
The Member Organization should define, approve and implement a threat intelligence management process to identify, assess and understand threats to the Member Organization information assets, using multiple reliable sources. The effectiveness of this process should be measured and periodically evaluated.
Objective
To obtain an adequate understanding of the Member Organization’s emerging threat posture.
Control considerations
1. The threat intelligence management process should be defined, approved and implemented.
2. The effectiveness of the threat intelligence management process should be measured and periodically evaluated.
3. The threat intelligence management process should include:
   a. the use of internal sources, such as access control, application and infrastructure logs, IDS, IPS, security tooling, Security Information and Event Monitoring (SIEM), support functions (e.g., Legal, Audit, IT Helpdesk, Forensics, Fraud Management, Risk Management, Compliance);
   b. the use of reliable and relevant external sources, such as SAMA, government agencies, security forums, (security) vendors, security organizations and specialist notification services;
   c. a defined methodology to analyze the threat information periodically;
   d. the relevant details on identified or collected threats, such as modus operandi, actors, motivation and type of threats;
   e. the relevance of the derived intelligence and the action-ability for follow-up (e.g., SOC, Risk Management);
   f. sharing the relevant intelligence with the relevant stakeholders (e.g., SAMA, BCIS members).