Harmonized Threat and Risk Assessment (TRA) Methodology (CSE-RCMP)
Harmonized TRA Methodology (TRA-1)
- TRA-1 - Tool
- TRA-1 - A-5: Sample Statement of Work for TRA Consulting Services
- TRA-1 - A-6: Sample TRA Work Plan
- TRA-1 - B-2: Asset Listing
- TRA-1 - B-5: Asset Valuation Table / Statement of Sensitivity
- TRA-1 - C-2: Threat Listing
- TRA-1 - C-4: Threat Assessment Table
- TRA-1 - D-2: Vulnerability Listing
- TRA-1 - D-4: Vulnerability Assessment Table
- TRA-1 - E-2: List of Assessed Residual Risks
- TRA-1 - F-2: Safeguard Listing
- TRA-1 - F-5: Recommendations Table
- TRA-1 - F-6: Outline TRA Report
- TRA-1 - G-1: TRA Worksheet
Harmonized Threat and Risk Assessment
The RiskView H-TRA solution automates the Government of Canada Harmonized Threat and Risk Assessment model and helps organizations identify, evaluate, prioritize, and report risks. The model is summarized in the above depiction and explained below. While the solution is dynamic and allows the user to start anywhere, it follows a five-step process as outlined below.
1. Identify Assets
Identify assets (e.g. data, equipment, buildings) and assign each a value based on its confidentiality and its impact in financial, legal, or privacy terms, or in possible injury to people. Assets are assigned a value from Very Low (1) to Very High (5) based on a threshold that can be changed for an industry or an organization depending on its risk appetite.
2. Identify Threats
Threats to an organization can be external, internal, competitors, foreign governments, natural, or other. The more such threats you identify and list, the better the result of your TRA. Each threat is assigned a value based on the likelihood and impact of the threat.
3. Identify Vulnerabilities
The third and most labor-intensive step is the vulnerability assessment for each asset, in which each vulnerability is assigned a value based on its likelihood and impact. There are many methodologies for identifying vulnerabilities and ranking them. For example, you may use RiskView’s methodology for identifying IT network and application security vulnerabilities as depicted below.
4. Calculate Residual Risks
The last step is to calculate the residual risk. The tool automates the calculation of the residual risks. The risk calculation and conversion is based on the following formula:
Residual Risk Value = Asset Value [1..5] * Threat Risk [1..5] * Vulnerability Residual Risk [1..5]
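The formula above applied to a small risk register, as an added example that is not part of the original page or of the RiskView tool. The sample scenarios are constructed, and the `BANDS` thresholds for converting a score into a rating are an assumption of this example, since the page does not list its conversion table.

```python
from dataclasses import dataclass

# Assumption of this example: upper bounds for converting a 1..125 score into a
# five-level rating. Not given on the page; substitute your own thresholds.
BANDS = [(4, "Very Low"), (12, "Low"), (32, "Medium"), (75, "High"), (125, "Very High")]


@dataclass(frozen=True)
class Scenario:
    asset: str
    threat: str
    vulnerability: str
    asset_value: int          # 1 (Very Low) .. 5 (Very High)
    threat_risk: int          # same 1..5 scale
    vulnerability_risk: int   # same 1..5 scale

    def residual_risk(self) -> int:
        """Asset Value * Threat Risk * Vulnerability Residual Risk, range 1..125."""
        for name in ("asset_value", "threat_risk", "vulnerability_risk"):
            level = getattr(self, name)
            # Reject floats, bools and out-of-scale values instead of scoring them.
            if type(level) is not int or not 1 <= level <= 5:
                raise ValueError(f"{name} must be an integer 1..5, got {level!r}")
        return self.asset_value * self.threat_risk * self.vulnerability_risk


def rating(score: int) -> str:
    """Convert a residual risk score to a rating using BANDS."""
    if not 1 <= score <= 125:
        raise ValueError(f"score out of range: {score}")
    return next(label for upper, label in BANDS if score <= upper)


def prioritize(scenarios):
    """Return (score, rating, scenario) tuples, highest residual risk first."""
    scored = sorted(((s.residual_risk(), s) for s in scenarios),
                    key=lambda pair: pair[0], reverse=True)
    return [(score, rating(score), s) for score, s in scored]


# Constructed sample register (not from the page).
REGISTER = [
    Scenario("Office building", "Flood", "Ground-floor server room", 3, 2, 3),
    Scenario("Client database", "External attacker", "Unpatched web server", 5, 4, 4),
    Scenario("Payroll laptop", "Theft", "No disk encryption", 4, 3, 5),
]

if __name__ == "__main__":
    for score, label, s in prioritize(REGISTER):
        print(f"{score:>3} {label:<9} {s.asset} / {s.threat} / {s.vulnerability}")
```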