
Publication Summary

Title: Threat Intelligence Policy
Author(s): Alessandro Cardinali
Issued by: CEO
Version doc.: 0.1
Review freq.: Yearly
Date of issue: December 11, 2023
Owner: CEO/Founder
Document status: Draft - Final Draft - Final
Approval Date: n/a
Classification: Internal

Change Log

Version  Date               Author         Comments
0.1      December 11, 2023  Olaf Jacobson  First draft document

Table of Contents

Publication Summary
1 Introduction
1.1 Purpose of this document
1.2 Areas of the standard addressed
2 Threat intelligence policy
2.1 Strategic threat intelligence
2.2 Tactical threat intelligence
2.3 Operational threat intelligence
2.4 Sharing threat intelligence

Introduction

In order to accurately assess risk, manage incidents and implement controls in an appropriate way, it is important that Soon maintains a clear picture of the threats it faces, both internally and externally. Knowledge of the groups that are active in launching attacks, their chosen targets, their motivations, technologies and techniques is essential to ensure that our security posture remains relevant to the threats we face, and that it adapts as the threats evolve.

This policy sets out the approach that Soon takes to the gathering, analysis and use of threat intelligence at the strategic, tactical and operational layers.

This control applies to all systems, people and processes that constitute the organization’s information systems, including board members, directors, employees, suppliers and other third parties who have access to Soon systems.

The following policies and procedures are relevant to this document:

Purpose of this document

The Threat Intelligence Policy is an overarching document that is intended to establish the principles upon which many of the controls within this section of the standard are based.

Areas of the standard addressed

The following areas of the ISO/IEC 27001 standard are addressed by this document:

  • A.5 Organizational controls

  • A.5.1 Policies for information security

  • A.5.7 Threat intelligence

Threat intelligence policy

It is Soon policy to collect and analyse threat intelligence available from third parties that is relevant to our organization in terms of the industries, markets and locations in which we operate, the technology we use to deliver services to our employees, partners and customers, and the risks we believe we face.

The threat intelligence we collect and process must be as accurate and detailed as possible, and provide clear actionable guidance that may be used to react appropriately and in a timely way to the changing threat landscape.

To meet these goals, it is essential that clear objectives are set for the production of threat intelligence so that our available resources are used effectively to focus on issues that are relevant to our situation.

Defined and documented processes and procedures will be followed to ensure that threat intelligence activities are structured and measurable, and that the deliverables produced meet the required standards.

Soon will address the collection and processing of threat intelligence at the strategic, tactical and operational levels.

Strategic threat intelligence

At the strategic level, threat intelligence activities will focus on the collection and analysis of high-level information regarding groups of attackers, their motivation, typical targets, types of attack and current levels of activity. This is likely to include assessment of the threat level from nation states, criminal gangs in specific countries, politically motivated groups and from specific types of attack such as ransomware.

Sources of information regarding this level of threat may include government agencies, news reports and high-level reports from commercial organizations.

Reports at this level may be produced on an annual basis to identify trends, and when justified by events, such as an escalation in the threat. This information will allow Soon to reach a view as to the overall threat level at a particular point in time and will inform the risk assessment process in general terms.

Tactical threat intelligence

The tactical level is concerned with specific attackers or types of attackers and the tactics, techniques, and procedures (TTPs) that they are currently using to gain access to systems or otherwise pose a threat to our organization.

Information at this level will be collected more regularly than at the strategic level and will typically need to be communicated more quickly within the organization. Sources of information may include government agencies, blogs and news feeds of commercial organizations and our own security information and event management (SIEM) systems.

Operational threat intelligence

At the operational threat intelligence level, information will in many cases be collected and processed in real time and will relate to specific and potentially ongoing attacks, including indicators of compromise (IOCs) which may allow us to identify cases where we have suffered a breach. At this level of threat intelligence there is a strong link with our information security incident management process, which allows us to react to an actual or suspected compromise of our systems, and with our vulnerability management process, which deals with applying patches and closing weaknesses.

Sources of information at this level will include our own systems and monitoring tools, subscriptions to government, industry or local discussion groups and alerts issued by third parties.

Sharing threat intelligence

It is Soon policy to form relationships with other organizations which may be subject to the same threats, for example in the same industry, location or using the same technology, to share threat intelligence on a mutual basis. This may also include active participation in information sharing forums, but care must be taken that information given by Soon employees remains in compliance with our incident management procedures (for example during an active breach).