Threat Risk Assessment
The standardized Threat Risk Assessment (TRA) process will identify areas of risk, assess those risks, and identify activities to reduce them to an acceptable level. The output of this process will help identify appropriate controls for reducing and managing risk.
Data Perceptions’ TRA process will lead your organization’s key information security stakeholders through workshops to identify assets and their assigned owners, and the ways in which those assets might affect the Confidentiality, Integrity, and Availability of information in the organization.
Assets can include applications, databases, infrastructure, and external services/outsourced processes. Associated risks will be identified, analyzed, and evaluated, and the appropriate risk treatment will be applied to reduce, remove, or otherwise mitigate each risk.
A treatment plan will be developed that outlines the risk criteria, analysis, treatments, and who is accountable for the mitigation steps.
Data Perceptions’ Risk Register & Threat Risk Assessment Report will include:
- Identification of potential threats, vulnerabilities, and reasonably anticipated threats.
- Classification of the likelihood and potential impact of each threat occurring.
- Recommendations for remediation action plans that rank threats and deficiencies in order of importance.
- Gap Analysis Report.
A risk assessment framework is used to assist the organization in integrating risk management into significant activities and functions. The effectiveness of the risk assessment will depend on its integration into the governance of the organization, including decision-making. This requires support from stakeholders, particularly top management.
To the right is an illustration of the components of a TRA framework.
1. Identify Your Information Assets
- Assets that are valuable to the business, such as infrastructure, applications, databases, and people, identified through an interview process.
2. Identify the Asset Owners (Responsible)
- Who within the business owns each asset? (We would interview Finance, HR, Dev, and IT.)
3. Identify Risks to Confidentiality, Integrity, and Availability (CIA) of the Assets
4. Identify the Risk Owners (Accountable)
- Someone who can do something about the risk (upper management).
5. Analyze the Risks
- Impact if the risk were to materialize.
- Risk Score Chart.
6. Identify the Level of Risks
- Identify vulnerabilities (internal, within your control) and threats (external).
7. Prioritize the Risk Treatment
- Risk Mitigation, Risk Acceptance, Risk Avoidance, Risk Transfer.
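As an added illustration (not Data Perceptions' own tooling or method), here is a small Python risk register that walks steps 1 to 7 above: each entry records the asset, its responsible and accountable owners, the CIA property at risk, the threat and vulnerability, and a likelihood and impact score; entries are scored on a 5x5 chart, banded into a risk level, ranked, and mapped to one of the four treatment options. The score bands, the treatment mapping, and the register entries are constructed assumptions, not the firm's criteria.

```python
from dataclasses import dataclass

@dataclass
class Risk:
    asset: str            # information asset (step 1)
    asset_owner: str      # responsible owner (step 2)
    cia: str              # C, I or A property at risk (step 3)
    risk_owner: str       # accountable owner (step 4)
    threat: str           # external threat (step 6)
    vulnerability: str    # internal weakness under your control (step 6)
    likelihood: int       # 1 (rare) .. 5 (almost certain)
    impact: int           # 1 (negligible) .. 5 (severe)
    outsourced: bool = False

    def score(self) -> int:
        # Risk score chart (step 5): likelihood x impact on a 5x5 grid
        if not (1 <= self.likelihood <= 5 and 1 <= self.impact <= 5):
            raise ValueError("likelihood and impact must be 1..5")
        return self.likelihood * self.impact

def level(score: int) -> str:
    # Band thresholds are an assumption; each organization sets its own risk criteria.
    if score >= 15:
        return "High"
    if score >= 8:
        return "Medium"
    return "Low"

def treatment(risk: Risk) -> str:
    # Illustrative mapping onto the four treatment options listed in step 7.
    s = risk.score()
    if s >= 20:
        return "Avoid"      # beyond appetite: stop or redesign the activity
    if s >= 15:
        return "Mitigate"   # add controls to lower likelihood or impact
    if s >= 8:
        return "Transfer" if risk.outsourced else "Mitigate"  # e.g. contract, insurance
    return "Accept"         # within appetite: record and monitor

def prioritised(register: list[Risk]) -> list[tuple[str, int, str, str]]:
    # Step 7: rank by score, highest first -> (asset, score, level, treatment)
    ranked = sorted(register, key=lambda r: r.score(), reverse=True)
    return [(r.asset, r.score(), level(r.score()), treatment(r)) for r in ranked]
REGISTER = [  # constructed sample entries, not real findings
    Risk("HR database", "HR Director", "C", "CIO", "credential theft", "no MFA on admin portal", 4, 5),
    Risk("Payroll service", "Finance", "A", "CFO", "vendor outage", "single provider, no fallback", 2, 4, True),
    Risk("Dev build server", "Dev Lead", "I", "CTO", "build tampering", "unsigned build artifacts", 3, 3),
]
```

Calling `prioritised(REGISTER)` returns the ranked register, which is the input for the remediation action plan the report recommends.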