October 1999
Foreword
This document, entitled Threat and Risk Assessment Working Guide, provides guidance to an individual (or a departmental team) carrying out a Threat and Risk Assessment (TRA) for an existing or proposed IT system. This document will help determine which critical assets are most at risk within that system, and leads to recommendations for safeguards that will reduce any risks to acceptable levels.

By following the guidance given herein, a TRA can be carried out such that it results in a concise report that:

- defines the IT system under assessment;
- states the aim of the assessment, along with the desired security level to be attained;
- identifies potentially vulnerable parts of the system;
- states the potential impacts of successful threat events on: the IT system; the business functions that the IT system supports; and the applications used to carry out the business functions, in terms of confidentiality, integrity and availability; and
- provides recommendations that would lower the risks to acceptable levels.
© 1999 Government of Canada, Communications Security Establishment
P.O. Box 9703, Terminal, Ottawa, Ontario, Canada, K1G 3Z4

This publication may be reproduced verbatim, in its entirety, without change, for educational and personal purposes only. However, written permission from CSE is required for use of the material in edited or excerpted form, or for any commercial purpose.
Table of Contents
LIST OF ABBREVIATIONS AND ACRONYMS ... vii

1.0 INTRODUCTION ... 1
  1.1 Background ... 1
  1.2 Purpose ... 2
  1.3 Scope ... 2

2.0 STEPS IN THE THREAT-AND-RISK ASSESSMENT PROCESS ... 7

TASK 1 – PREPARE AND PLAN ... 7
  1.1 Understand the overall process ... 7
  1.2 Determine the scope of the threat-and-risk assessment ... 7
    1.2.1 Determine the level of analysis required, and how much detail should be in the final report ... 7
    1.2.2 Identify the required resources (time, funding, personnel, etc.) ... 8
    1.2.3 Collect security policies and standards ... 8
    1.2.4 Review the collected documents ... 8
    1.2.5 Revise the scope as required ... 8
  1.3 Identify the boundaries of the analysis ... 8
  1.4 Choose the analysis team ... 9
    1.4.1 Identify and recruit the team members who will perform the analysis ... 9
    1.4.2 Familiarize the team members with their requirements, and assign duties ... 9
  1.5 Produce a Preliminary Statement of Sensitivity ... 10
    1.5.1 Establish a target level (maximum level) of acceptable risk ... 10
  1.6 Collect information for the IT system description ... 10
    1.6.1 Create a list of the documents as they are collected ... 11
    1.6.2 Review the list of documents for completeness, and obtain missing documents ... 11
    1.6.3 Review all documents collected in order to identify any components of the IT system that might have been missed, but that should be included within the boundary of the analysis ... 11
    1.6.4 Revise the boundary as required ... 11
  1.7 Collect existing descriptions of the organization ... 12
    1.7.1 Include these documents on the list created in Step 1.6.1 ... 12
    1.7.2 Identify and record key personnel positions ... 12
    1.7.3 Create a list of personnel ... 12
  1.8 Formulate a system description ... 12
  1.9 Devise a work plan ... 13
    1.9.1 Review (and revise if required): the team members selected in Step 1.4; and their assigned duties ... 13
    1.9.2 Review the organizational and management information collected in Step 1.7 ... 13
    1.9.3 Review the system description formulated in Step 1.8 ... 13
    1.9.4 Develop questionnaires for the interviews of key personnel ... 13
    1.9.5 Identify personnel to receive questionnaires ... 14