Has your organization developed and implemented threat modeling processes to identify risks to data and determine appropriate risk responses?
Explanation
Threat modeling is a structured approach to identifying potential threats, vulnerabilities, and attack vectors that could compromise your data assets. By systematically analyzing how an attacker might target your systems, you can better understand your risk exposure and prioritize security controls.
Effective threat modeling helps organizations make informed decisions about risk mitigation strategies, whether through accepting, avoiding, transferring, or reducing identified risks.
Evidence of fulfillment could include documented threat models (such as STRIDE, DREAD, or attack trees), risk assessment reports that incorporate threat modeling outputs, or meeting minutes from threat modeling sessions that show the process of identifying threats and determining risk responses.
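The explanation above describes the process in the abstract: enumerate threats against each element of the system, rate them, and pick one of the four risk responses. The following Python script is an added illustration of that process, not text from the NIST CSF or any assessment product. It uses the STRIDE categories and DREAD factors the explanation names; the system elements, threat descriptions and scores are constructed sample data, and the score thresholds that map to accept/avoid/transfer/reduce are assumptions chosen for the example rather than a published standard.

```python
"""STRIDE-style threat model with DREAD scoring and a risk-response decision.

Added illustration for this page. Elements, threats and scores are constructed
sample data; the response thresholds are assumptions, not a standard.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# STRIDE threat categories (Microsoft's threat-modeling taxonomy).
STRIDE: Dict[str, str] = {
    "S": "Spoofing",
    "T": "Tampering",
    "R": "Repudiation",
    "I": "Information disclosure",
    "D": "Denial of service",
    "E": "Elevation of privilege",
}


@dataclass
class Threat:
    element: str                 # data-flow element: process, data store, data flow
    category: str                # STRIDE letter
    description: str
    # DREAD factors, each 1..10: Damage, Reproducibility, Exploitability,
    # Affected users, Discoverability.
    dread: Tuple[int, int, int, int, int]
    # True when a third party could reasonably carry this risk (contract,
    # insurance, certified provider). Assumption used only for "transfer".
    transferable: bool = False

    def score(self) -> float:
        """DREAD score: mean of the five factors (1..10)."""
        if len(self.dread) != 5 or not all(1 <= f <= 10 for f in self.dread):
            raise ValueError("DREAD factors must be five integers in 1..10")
        return sum(self.dread) / 5


def risk_response(score: float, transferable: bool) -> str:
    """Map a score to one of the four responses named in the explanation.

    Thresholds are an assumption for illustration:
      >= 8      avoid    (redesign to remove the exposure entirely)
      >= 5      transfer if a third party can carry it, otherwise reduce
      otherwise accept   (document and revisit at the next review)
    """
    if score >= 8:
        return "avoid"
    if score >= 5:
        return "transfer" if transferable else "reduce"
    return "accept"


def build_model(threats: List[Threat]) -> List[dict]:
    """Return threats ordered by score (highest first) with their response."""
    rows = []
    for t in sorted(threats, key=lambda x: x.score(), reverse=True):
        rows.append({
            "element": t.element,
            "threat": STRIDE[t.category],
            "description": t.description,
            "score": round(t.score(), 1),
            "response": risk_response(t.score(), t.transferable),
        })
    return rows


def summarize(rows: List[dict]) -> Dict[str, int]:
    """Count threats per risk response, useful as a line in a risk report."""
    counts: Dict[str, int] = {"avoid": 0, "reduce": 0, "transfer": 0, "accept": 0}
    for r in rows:
        counts[r["response"]] += 1
    return counts


# Constructed sample threat register for a small web application.
SAMPLE_THREATS: List[Threat] = [
    Threat("Customer DB", "T", "Web app builds SQL from unvalidated input", (8, 8, 7, 9, 6)),
    Threat("Backup bucket", "I", "Backups written unencrypted to external storage", (9, 9, 8, 9, 7)),
    Threat("Admin console", "R", "Administrative actions are not logged", (5, 9, 6, 3, 4)),
    Threat("Login API", "D", "No rate limiting on the login endpoint", (4, 9, 9, 6, 8)),
    Threat("Payment page", "I", "Card data processed in-house rather than by a certified provider",
           (8, 5, 5, 7, 5), transferable=True),
    Threat("Internal wiki", "S", "Weak password policy; holds no customer data", (2, 6, 5, 2, 3)),
]

if __name__ == "__main__":
    model = build_model(SAMPLE_THREATS)
    for row in model:
        print(f"{row['score']:>4}  {row['response']:<8}  {row['element']:<14}  "
              f"{row['threat']}: {row['description']}")
    print(summarize(model))
```

The ordered table and the per-response counts are the kind of artefact a reviewer would expect to see attached to a risk assessment report as evidence: each threat is tied to a system element, a STRIDE category, a score, and an explicit response decision.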
Implementation Example
Develop threat models to better understand risks to the data and identify appropriate risk responses
ID: ID.RA-05.162
Context
- Function: ID (IDENTIFY)
- Category: ID.RA (Risk Assessment)
- Sub-Category: Threats, vulnerabilities, likelihoods, and impacts are used to understand inherent risk and inform risk response prioritization
Related questions
- Does your organization implement vulnerability management tools to detect unpatched software and misconfigurations?
- Does your organization regularly conduct security architecture reviews to identify and remediate design and implementation weaknesses?
- Does your organization conduct security reviews, analysis, or testing of internally developed software to identify vulnerabilities in design, code, and default configurations?
- Has your organization conducted a comprehensive physical security assessment of all facilities housing critical computing assets within the past 12 months?
- Does your organization actively monitor cyber threat intelligence sources for information about new vulnerabilities in your products and services?
- Does your organization regularly conduct vulnerability assessments of business processes and procedures to identify potential cybersecurity weaknesses?