High Quality
Open the downloaded document, and select print from the file menu (PDF reader required).
October 1999
Foreword
This document entitled
Threat and Risk Assessment Working Guide
provides guidance to anindividual (or a departmental team) carrying out a Threat and Risk Assessment (TRA) for anexisting or proposed IT system. This document will help determine which critical assets are mostat risk within that system, and leads to recommendations for safeguards that will reduce any risksto acceptable levels.By following the guidance given therein, a TRA can be carried out such that it results in a concisereport that:
•
defines the IT system under assessment;
•
states the aim of the assessment, along with the desired security level to be attained;
•
identifies potentially vulnerable parts of the system;
•
states the potential impacts of successful threat events on: the IT system; the businessfunctions that the IT system supports; and the applications used to carry out the businessfunctions, in terms of confidentiality, integrity and availability; and
•
provides recommendations that would lower the risks to acceptable levels.
© 1999 Government of Canada, Communications Security EstablishmentP.O. Box 9703, Terminal, Ottawa, Ontario, Canada, K1G 3Z4This publication may be reproduced verbatim, in its entirety, without change, for educational andpersonal purposes only. However, written permission from CSE is required for use of the materialin edited or excerpted form, or for any commercial purpose.
October 1999
Threat and Risk Assessment Working GuideTable of ContentsOctober 1999i
Table of Contents
LIST OF ABBREVIATIONS AND ACRONYMS.............................................................VII1.0INTRODUCTION.......................................................................................................1
1.1Background.......................................................................................................11.2Purpose.............................................................................................................21.3Scope................................................................................................................2
2.0 STEPS IN THE THREAT-AND-RISK ASSESSMENT PROCESSS.........................7
TASK 1 – PREPARE AND PLAN..............................................................................71.1Understand the overall process.........................................................................71.2Determine the scope of the threat-and-risk assessment...................................71.2.1Determine the level of analysis required, and how much detailshould be in the final report....................................................................71.2.2Identify the required resources (time, funding, personnel, etc.)..............81.2.3Collect security policies and standards...................................................81.2.4Review the collected documents............................................................81.2.5Revise the scope as required.................................................................81.3Identify the boundaries of the analysis..............................................................81.4Choose the analysis team.................................................................................91.4.1Identify and recruit the team members who will perform the analysis....91.4.2Familiarize the team members with their requirements, and assignduties......................................................................................................91.5Produce a Preliminary Statement of Sensitivity...............................................101.5.1Establish a target level (maximum level) of acceptable risk.................101.6Collect information for the IT system description............................................101.6.1Create a list of the documents as they are collected............................111.6.2Review the list of documents for completeness, and obtain missingdocuments............................................................................................111.6.3Review all documents collected in order to identify any componentsof the IT system that might have been missed, but that should beincluded within the boundary of the analysis........................................111.6.4Revise the boundary as required..........................................................111.7Collect existing descriptions of the organization..............................................121.7.1Include these documents on the list created in Step 1.6.1...................121.7.2Identify and record key personnel positions.........................................121.7.3Create a list of personnel......................................................................121.8Formulate a system description......................................................................121.9Devise a work plan..........................................................................................131.9.1Review (and revise if required): the team members selected inStep 1.4; and their assigned duties......................................................131.9.2Review the organizational and management information collectedin Step 1.7............................................................................................131.9.3Review the system description formulated in Step 1.8.........................131.9.4Develop questionnaires for the interviews of key personnel.................131.9.5Identify personnel to receive questionnaires........................................14
Sections
« prev | next »- 1.0INTRODUCTION
- 1.1Background
- 1.2Purpose
- 1.3Scope
- Figure 1 – Risk Management Model
- Table I – Tasks in the Threat-and-Risk Assessment process
- TASK 1 – PREPARE AND PLAN
- 1.1 Understand the overall process
- 1.2Determine the scope of the threat-and-risk assessment
- 1.2.2 Collect security policies and standards
- 1.2.3 Review the collected documents
- 1.2.5Revise the scope as required
- 1.3 Identify the boundaries of the analysis
- 1.4 Choose the analysis team
- 1.5 Produce a Preliminary Statement of Sensitivity
- 1.6Collect information for the IT system description
- 1.6.4Revise the boundary as required
- 1.7Collect existing descriptions of the organization
- 1.7.2Identify and record key personnel positions
- 1.7.3Create a list of personnel
- 1.8Formulate a system description
- 1.9Devise a work plan
- 1.9.5Identify personnel to receive questionnaires
- TASK 2 – COLLECT DATA FOR ANALYSIS
- TASK 5 – PERFORM A THREAT ANALYSIS
- TASK 7 – PERFORM A RISK ANALYSIS
- ANNEX A – Rating Tables
- Asset Sensitivity Rating
- Table II - Asset Sensitivity Rating Scale
- Threat Agent Rating
- Table III - Threat Agent Capability and Motivation Ratings
- Table IV - Threat Agent Rating Combinations
- Vulnerability Rating
- Table VI - Vulnerability Severity and Exposure Ratings
- Table VII - Vulnerability Rating Combinations
- ANNEX B – Sample Description of a Typical IT System Architecture
- B.1Contents
- B.2Concept of Operations
- B.3Mode of Operation
- ANNEX C – Sample Questionnaire
- ANNEX D – Contents of a Statement of Sensitivity
- Annex E – The Level-of-Granularity Numbering Scheme
- Annex F – Sample List of IT System Assets
- Annex G – Sample List of Threat Agents
- Annex H – Sample List of Threat Events
- Annex I – Sample List of Vulnerabilities
- ANNEX K – GLOSSARY
- ANNEX L – GLOSSARY SOURCES
Add a Comment