Harmonized Threat and Risk Assessment

RiskView H-TRA solution automates the Government of Canada Harmonized Threat and Risk Assessment model and helps organizations identify, evaluate, prioritize, and report risks. The model is summarized in the above depiction and explained below. While the solution is dynamic and allows the user to start anywhere, it follows a five step process as outlined below.

1. Identify Assets

Identify Assets (e.g. data, equipment, buildings) and assign a value based on their confidentiality and their impact in terms of financial, legal, privacy, or possible injury to people. Assets are assigned a value from Very Low (1) to Very High (5) based on a threshold that can be changed for an industry or an organization depending on their risk appetite.

2. Identify Threats

Threats to an organization can be external, internal, competitors, foreign governments, natural, or other. The more you identify and list such threat the better the result of your TRA. Each threat is assigned a value based on the likelihood and impact of the threat.

3. Identify Vulnerabilities

The third step and the most labor intensive step is the vulnerability assessment for each asset, where each vulnerability is assigned a value based on its likelihood and impact. There are many methodologies for identifying vulnerabilities and ranking them. For example, you may use RiskView’s methodology for identifying IT network and application security vulnerabilities as depicted below.

4. Calculate Residual Risks

The last step is to calculate the residual risk. The risk calculation and conversion is based on the following formula. The tool helps with the automated calculation of the residual risks: Residual Risk Value = Asset Value [1..5] * Threat Risk [1..5] * Vulnerability Residual Risk [1..5]

5. Monitor and Report

Report and Monitor findings. The tool allows for either pre-made PDF reports, or fully customized company Word documents.