Questionnaire for CTI Maturity
Your Maturity rating:
What follows is a summary of the CTIM maturity levels, followed by a breakdown of your assessment. We will give a high-level perspective on the maturity of your organization by looking at the main domains of the CTI maturity model. The second perspective provides more detailed insight by diving into the components from which the domains are constructed.
Your unique identification code is EXAMPLE. Please store this code somewhere safe as it allows you to retrieve your results.
CTI Maturity Levels
A CTIM maturity level is a well-defined evolutionary stage which describes a certain level of ability for CTI within your organisation. Each level is attributed certain characteristics regarding your CTI processes. The level 'defined', for example, indicates that you have defined your core CTI processes and can perform these repeatedly. More advanced characteristics are attributed to higher maturity levels, where the most advanced are found at level 5. Maturity levels thus provide a path that an organisation can follow when transitioning from ad-hoc CTI to a highly mature environment. The CTI maturity model describes a total of 6 distinct levels, which are displayed in the figure, followed by a short description of each.
- Ad-Hoc: The organisation has not started with CTI, or does so following an ad-hoc approach.
- Defined: This level indicates that core CTI processes are defined and can be performed repeatedly.
- Aligned: The CTI processes are aligned with the organisation following standard processes and procedures.
- Controlled: The CTI group measures and controls intelligence production through processes and procedures.
- Optimising: The organisation works to optimise the CTI production according to strategic requirements.
- Innovating: At this stage the organisation functions at the cutting edge, going beyond optimising its processes by developing new solutions and predicting future actor developments.
The CTIM model has a top layer called Domains. This section represents the results of your assessment by providing a perspective based on these domains. There are a total of 5 domains, each of which has been fitted with an individual maturity score. These are represented in the following table for a quick overview.
Focus Area Breakdown
The CTIM model represents multiple layers of detail: each domain is built from multiple Focus Areas. These allow for a more detailed decomposition of your maturity rating. This section investigates your assessment results by providing a perspective on each of these focus areas. This will allow you to determine the best course of action when it comes to specific improvements to further grow cyber threat intelligence within the organisation. The results in this section are presented by two visualisations.
This report provides you with the maturity scoring for your organisation. When further growing cyber threat intelligence within your organisation, it is our recommendation to focus first on those domains and focus areas that have the lowest rating. This provides a path for improvement and investments with the best return on investment. The recommendations provided below are aimed at helping you reach the next maturity level.
Critical Business Functions
Understanding how critical business functions depend on an organisation's critical assets enables the creation of risk profiles where vulnerabilities can be determined. Such vulnerabilities carry a higher cyber risk with them, and knowledgeable threats are more likely to target them. Sharing this information with the cyber threat intelligence group will help them provide the information an organisation requires to reduce or even mitigate the risk posed by such assets.
Organisations that understand their cyber risks want to know what the potential impact on their operations is. Threats can have an extremely low chance of occurring, but when they do occur they might impact an organisation for a significant time period. Others might occur daily, yet hardly influence daily operations. By creating such risk assessments the organisation is able to determine its risk strategies and then use cyber threat intelligence to support its decision making processes.
The organisation works to improve understanding of the stakeholders' threat intelligence requirements, identifying needs based on operational context, critical business functions, and critical assets. This leads to a prioritization which helps the cyber threat intelligence group align their resources when responding to intelligence requests.
Cyber threat intelligence is used by stakeholders to reduce the cyber threats to their operations. The organisation has set a policy specifying this should be part of their decision making processes. Stakeholders are taking stock in the intelligence generation process, and actively work with the cyber threat intelligence group to obtain the specific information they require.
Cyber threat intelligence has a clear position within the structure of the organisation, which depends on the preferences of each individual organisation. Some prefer to locate CTI within their Security Operations Centers, while others have a specific intelligence department, of which cyber threat intelligence is a component. Having a clear position within the organisation makes the chain of command clear, helping the organisation to actively define and drive CTI.
Stability of the CTI group is an important part of the organisation. Decisions are made using a risk-based approach, which requires intelligence products as input to the decision making processes. Ensuring stability is done by assessing the workload of talent, evaluating available skills and capabilities, and maintaining a pool listing internal and external talent sources. Success is demonstrated by a CTI group able to cover work surges successfully.
Training and Development
Organisations are working towards a security-aware culture by running specific awareness programs. Their importance is emphasized by an organisational mandate which specifies that employees are expected to follow security awareness training. A more aware organisation is likely to make better use of cyber threat intelligence, and its people will provide information that helps the intelligence generation processes.
Cyber threat intelligence is generated by people with diverse backgrounds and a specific skillset. To develop CTI talent, organisations implement training specifically on the requirements for CTI analysts. INSA, for example, provides information on the development of CTI talent in their Cyber Intelligence whitepaper.
Secure Infrastructure Design
Having basic security controls in place, you should start to determine baseline network behaviour. Your security controls should allow responses to all phases of a security compromise and be able to absorb threat intelligence produced by your organisation. Merging threat intelligence with your established baseline should enable you to detect deviations and suspicious behaviours. You work towards an adaptive network infrastructure such that requirements are met.
Available resources are limited within most organisations. By applying prioritization to the discovered vulnerabilities, they are able to determine where resources should be spent, and when. By incorporating public sources they further extend their vulnerability capabilities, which supports their process of vulnerability prioritization and their response capabilities. Discovery of vulnerabilities leads to various mitigation strategies, where the best ones can be selected using the threat intelligence offerings within your organisation. Strategies to mitigate vulnerabilities within organisations typically include, but are not limited to, accepting the vulnerabilities, treating the vulnerabilities, or simply stopping activities (such as decommissioning an old system).