The effective management of your intelligence activities relies on prioritizing the intelligence requirements against available intelligence capabilities. For this reason, we write intelligence requirements and prioritize them according to the ability of the resulting intelligence to inform the stakeholders and support their decisions.
The relative assigned priority of an intelligence requirement reflects the criticality of the decision it supports. Simply put, some decisions are more critical than others. For instance, identifying a new threat actor without a clear understanding of the actor’s capabilities is less of a priority than an existing threat actor, known to your organization, with new infiltration methods and a change in intent from espionage to sabotage in the form of disk wiping.
Of note: intelligence collection, analysis, and reporting should focus on critical systems and data. Standard intelligence requirements do not include publicly communicated software vulnerabilities or control weaknesses in a desktop office suite. Treat such weaknesses as a risk arising from the vulnerability, one that requires modification(s) to process or technology controls, such as stopgaps before a patch. These are functions of risk, vulnerability management, and day-to-day security operations, better known as routine information security hygiene.
Priority intelligence requirements (PIRs) are those intelligence requirements for which stakeholders have an anticipated and stated priority in their tasking for planning and decision making.
The intelligence effort needed to drive your intelligence team's findings and high-level recommendations should follow suit. The intelligence function receives prioritized data on critical systems, sensitive information (personally identifiable information, intellectual property, etc.), supply chain organizations (internal/external – hardware/software), and other areas of concern for the corporation. The above, combined with stated requirements from stakeholders, are factors in prioritization. The intelligence organization is not charged with gathering and maintaining critical systems and sensitive information but uses that knowledge to craft intelligence requirements.
A thorough understanding of the stakeholder’s intent, knowledge of the supported plan, and anticipated decisions included therein should guide PIR nominations for approval.
- Narrowly defined intelligence requirements help the prioritization process.
- Due to the many topics they address, broadly posed questions are challenging to answer and difficult to parse.
- The difficulty of dividing an intelligence requirement into its parts makes it hard to prioritize the entirety of the collection and production workload associated with it.
Because of their scope, broadly crafted questions often include low-priority topics.
Intelligence collectors should routinely collaborate with analysts to identify what intelligence is already known and what intelligence is not known. Jointly, collectors and analysts assess the production of new information and intelligence to inform decisions during planning or to guide operations. The iterative process occurs automatically and focuses on the gaps in knowledge, analysis, and collection.
Ideally, each of the supporting production requirements entered should prescribe only one verb (i.e., the analytic task to be performed) and one object to be analyzed.
Intelligence requirements generally do not focus on indicators of compromise, patch management, desktop software, smartphones, or other similar devices.
- Intelligence requirements drive collection.
- The collection maintains data provenance.
- Data analysis drives reporting and briefing.
- Analytic reports forecast and warn.
Preferably, we should pose questions in such a way that their answers create a decision “advantage.” That is, craft questions to allow stakeholders to take direct action before it is too late. The continuous gathering of information within the context of the strategic end state and assessment processes allows intelligence teams to keep their respective running staff estimates. By collecting and analyzing information about changes to the operational environment, changes to system behavior, or changes to adversary capabilities, analysts can draw conclusions related to the next series of adversary courses of action (CoA) and provide early warning.
Intelligence analysts must understand all relevant aspects of the operating environment. Our situational understanding should include the adversary’s disposition and the socio-cultural nuances of individuals and groups in the operating environment. Stakeholders require and expect timely intelligence estimates that accurately identify adversary intentions, support adjustments by information security and associated groups to controls, threat levels, and security posture, and estimate future adversary CoA in sufficient detail to be actionable.
Distill this mass of information into intelligence to support an estimate of the situation and adversary capabilities and intentions. The estimative nature of intelligence distinguishes it from the mass of other information available to stakeholders, including communicated vulnerabilities and available patches.
Intelligence should increase stakeholders’ understanding of the threat and the adversary’s probable intentions, end states, objectives, most likely and most dangerous CoA, strengths, and critical capabilities.