Projects - Threat and Risk Assessment (TRA)
The TRA process is not a one-time exercise. It is a continual process that, once started, should be reviewed regularly to ensure that the protection mechanisms currently in place adequately address the security requirements of the organization in terms of integrity, availability and confidentiality. TRA should be an integral part of the overall life cycle of the infrastructure. Any risk management model has to fit with how an organization makes decisions about its risk exposure and how it prefers to manage that exposure.
Many of our clients have asked SITIS Inc. to conduct an independent security controls assessment of the potential risks of bringing their new system to production (in terms of people, process and technology). This specific review provides recommendations on what security controls should exist before the system is placed into a production state. It will include:
- a brief Statement of Sensitivity (SOS) to identify and categorize the system's assets according to their confidentiality, integrity and availability values, based on the injuries that may reasonably be expected in the event of a compromise;
- an identification of deliberate threats, accidents and natural hazards that might affect these assets adversely with an analysis of the likelihood of occurrence and gravity of impact;
- an assessment of vulnerabilities, based on an evaluation of existing or proposed security measures and their adequacy;
- an analysis of residual risks for each asset that is vulnerable to specific threats; and
- where assessed residual risks exceed the [Low or Medium] level, a list of recommendations proposing additional safeguards to achieve a [Low or Medium] target risk level with an assessment of their effectiveness and cost.
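The deliverables above form one chain: injury levels from the SOS, threat likelihood and gravity, and safeguard adequacy combine into a residual risk per asset and threat, and only pairs above the target level get a safeguard recommendation. The following is an added example, not SITIS's or the HTRA methodology's own scoring; the three-point scales, the rounded-average combination rule and the sample asset and threats are all constructed assumptions.

```python
"""Simplified residual-risk calculation for the TRA steps above (constructed).
Assumptions: every factor is rated Low/Medium/High; residual risk combines asset
injury, threat (likelihood and gravity) and vulnerability by a rounded average.
HTRA uses its own lookup tables; this rule is a stand-in, not a reproduction."""
from dataclasses import dataclass

LEVELS = {"Low": 1, "Medium": 2, "High": 3}
NAMES = {v: k for k, v in LEVELS.items()}


@dataclass
class Asset:
    """Statement of Sensitivity entry: injury expected if each value is compromised."""
    name: str
    confidentiality: str
    integrity: str
    availability: str


@dataclass
class Threat:
    """Deliberate threat, accident or natural hazard against one asset value."""
    asset: str
    description: str
    affects: str        # "confidentiality", "integrity" or "availability"
    likelihood: str
    gravity: str
    vulnerability: str  # inadequacy of existing/proposed safeguards (High = weak)


def residual_risk(asset: Asset, threat: Threat) -> str:
    """Combine injury, threat and vulnerability into one ordinal level."""
    injury = LEVELS[getattr(asset, threat.affects)]
    threat_level = (LEVELS[threat.likelihood] + LEVELS[threat.gravity]) / 2
    score = int((injury + threat_level + LEVELS[threat.vulnerability]) / 3 + 0.5)  # round half up
    return NAMES[max(1, min(3, score))]


def needs_safeguards(assets, threats, target="Medium"):
    """(asset, threat, level) triples whose residual risk exceeds the target level."""
    by_name = {a.name: a for a in assets}
    rated = [(t.asset, t.description, residual_risk(by_name[t.asset], t)) for t in threats]
    return [r for r in rated if LEVELS[r[2]] > LEVELS[target]]


# Constructed sample: one asset, two threats against it.
SAMPLE_ASSETS = [Asset("client database", "High", "High", "Medium")]
SAMPLE_THREATS = [
    Threat("client database", "data theft", "confidentiality", "Medium", "High", "High"),
    Threat("client database", "power outage", "availability", "Medium", "Low", "Low"),
]
```

With a Medium target only the data-theft pair is flagged; lowering the target to Low flags both, which is the lever the bracketed "[Low or Medium]" choice above controls.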
- Government of Canada Security Policy
- Government of Canada's Harmonized Threat and Risk Assessment (HTRA) Methodology
- CERT OCTAVE Criteria Version 2
- Harnser Group - PRISM™, a Performance and Risk-based Integrated Security Methodology