My organization is working to move our NIST maturity and one of the ways my team can help is in the area of Threat Modeling.
There are some specific questions around TM, but it seems that NIST looks at Networking, Database and Application Threat Modeling separately. To be honest, I didn't know modeling was done in different pillars rather than holistically.
Here are a few of the NIST questions. I would love feedback on how I can use a tool like IriusRisk to move the needle on these.
- Which of the following describe how network threat modeling is performed by the organization?
  - TM performed against network attack surfaces
  - Against data flow
- What is the estimated % of all databases for which the organization performs threat modeling to identify and prioritize potential threats?
- Which of the following describe the organization's implementation of threat modeling?

#3 is focused on application TM incorporated in the SDLC.
BTW - NIST defines SDLC as System Development Lifecycle