TRA-1 Harmonized Threat and Risk Assessment Methodology
Appendix G-1 - TRA Worksheet (G1-1, 2007-10-23)

The worksheet lists each TRA phase, its processes and activities (sub-items indented), with the reference section of the methodology and its page number.

PREPARATION PHASE
| TRA Phase – Process – Activity             | Reference                            | Page No. |
|--------------------------------------------|--------------------------------------|----------|
| Establish TRA Project Mandate              | Annex A, Section 3                   | A-3      |
| Determine the Scope of Assessment          | Annex A, Section 4                   | A-4      |
|   o Planning Factors                       | Section 4.2                          | A-4      |
|       Purpose of the Assessment            | Section 4.2.2                        | A-4      |
|       Stage of Development                 | Section 4.2.3                        | A-6      |
|       Risk Environment                     | Section 4.2.4                        | A-7      |
|       Some Practical Considerations        | Section 4.2.5                        | A-7      |
| Select TRA Team                            | Annex A, Section 5                   | A-8      |
|   o Team Size                              | Section 5.2                          | A-8      |
|   o Team Qualifications                    | Section 5.3                          | A-9      |
|   o Core Team Members                      | Section 5.4                          | A-9      |
|   o Other Resources                        | Section 5.5                          | A-11     |
| Draft TRA Work Plan                        | Annex A, Section 6 (Appendix A-6)    | A-13     |

ASSET IDENTIFICATION AND VALUATION PHASE
| TRA Phase – Process – Activity                           | Reference                            | Page No. |
|----------------------------------------------------------|--------------------------------------|----------|
| Identify Assets within the Scope of Assessment           | Annex B, Section 2 (Appendix B-1)    | B-2      |
|   o Tangible Assets                                      | Section 2.2                          | B-2      |
|   o Intangible Assets                                    | Section 2.3                          | B-2      |
|   o Personnel                                            | Section 2.4                          | B-3      |
|   o Services                                             | Section 2.5                          | B-3      |
|   o Asset Listing                                        | Section 2.9 (Appendix B-2)           | B-5      |
| Assess Injuries                                          | Annex B, Section 3                   | B-6      |
|   o Injury Table (Table 1 below)                         | Section 3.3 (Appendix B-4)           | B-8      |
| Assign Asset Values                                      | Annex B, Section 4                   | B-10     |
|   o Practical Application                                | Section 4.2                          | B-11     |
|       Confidentiality                                    | Section 4.2.2                        | B-11     |
|       Availability                                       | Section 4.2.3                        | B-11     |
|       Integrity                                          | Section 4.2.4                        | B-12     |
|       Multiple Values                                    | Section 4.2.6                        | B-13     |
|   o Other Issues                                         | Section 4.3                          | B-13     |
|       Variable Asset Values                              | Section 4.3.2                        | B-13     |
|       Aggregation and Inference                          | Section 4.3.3                        | B-14     |
|       Asset Valuation Conventions                        | Section 4.3.4                        | B-15     |
| Compile Asset Valuation Table/Statement of Sensitivity   | Annex B, Section 5 (Appendix B-5)    | B-15     |

THREAT ASSESSMENT PHASE
| TRA Phase – Process – Activity                           | Reference                            | Page No. |
|----------------------------------------------------------|--------------------------------------|----------|
| Identify Threats                                         | Annex C, Section 2                   | C-1      |
|   o Threat Classes                                       | Section 2.2                          | C-2      |
|       Deliberate Threats                                 | Section 2.2.2                        | C-2      |
|       Accidental Threats                                 | Section 2.2.3                        | C-2      |
|       Natural Hazards                                    | Section 2.2.4                        | C-2      |
|   o Sources of Threat Data                               | Section 2.3 (Appendix C-1)           | C-3      |
|   o Data Collection Techniques                           | Section 2.4                          | C-3      |
|   o Threat Listing                                       | Section 2.5 (Appendix C-2)           | C-4      |
| Assess the Likelihood of Occurrence (Table 2 below)      | Annex C, Section 3 (Appendix C-3)    | C-11     |
| Assess the Gravity (Table 3 below)                       | Annex C, Section 4 (Appendix C-3)    | C-13     |
| Assign Threat Levels (Table 4 below)                     | Annex C, Section 5 (Appendix C-3)    | C-14     |
| Compile and Prioritize Threat Assessment Table           | Annex C, Section 6 (Appendix C-4)    | C-17     |

RISK ASSESSMENT PHASE – VULNERABILITY ASSESSMENT
| TRA Phase – Process – Activity                           | Reference                            | Page No. |
|----------------------------------------------------------|--------------------------------------|----------|
| Identify Existing and Proposed Safeguards                | Annex D, Section 2                   | D-1      |
| Assess Their Effectiveness                               | Annex D, Section 3                   | D-2      |
| Determine Remaining Vulnerabilities                      | Annex D, Section 4                   | D-5      |
|   o Sources of Vulnerability Data                        | Section 4.3 (Appendix D-1)           | D-10     |
|   o Data Collection Techniques                           | Section 4.4                          | D-11     |
|   o Vulnerability Listing                                | Section 4.5 (Appendix D-2)           | D-11     |
| Assess Their Impact                                      | Annex D, Section 5 (Appendix D-3)    | D-13     |
|   o Probability of Compromise (Table 5 below)            | Section 5.2                          | D-13     |
|   o Severity of Outcome (Table 6 below)                  | Section 5.3                          | D-15     |
| Assign Vulnerability Levels (Table 7 below)              | Annex D, Section 6                   | D-17     |
| Compile and Prioritize Vulnerability Assessment Table    | Annex D, Section 7 (Appendix D-4)    | D-20     |

RISK ASSESSMENT PHASE – CALCULATION OF RESIDUAL RISK
| TRA Phase – Process – Activity                           | Reference                            | Page No. |
|----------------------------------------------------------|--------------------------------------|----------|
| Compute Residual Risks                                   | Annex E, Section 2                   | E-1      |
|   o Basic Risk Calculation (Table 8 below)               | Section 2.2                          | E-1      |
|   o Risk Levels (Table 9 below)                          | Section 2.3 (Appendix E-1)           | E-2      |
| Compile Prioritized List of Assessed Residual Risks      | Annex E, Section 3 (Appendix E-2)    | E-4      |

RECOMMENDATION PHASE
| TRA Phase – Process – Activity                           | Reference                            | Page No. |
|----------------------------------------------------------|--------------------------------------|----------|
| Identify Unacceptable Residual Risks                     | Annex F, Section 2                   | F-1      |
|   o Risk Ranges (Table 9 below)                          | Section 2.3                          | F-2      |
| Select Potential Safeguards                              | Annex F, Section 3 (Appendix F-2)    | F-4      |
|   o Safeguard Effectiveness                              | Section 3.3 (Appendix F-3)           | F-6      |
| Identify Costs                                           | Annex F, Section 4                   | F-9      |
|   o Direct Costs                                         | Section 4.2                          | F-9      |
|   o Indirect Costs/Benefits                              | Section 4.3                          | F-10     |
|   o Cost Effectiveness                                   | Section 4.4 (Appendix F-4)           | F-11     |
| Assess Projected Residual Risks                          | Annex F, Section 5 (Appendix F-5)    | F-13     |
| Prepare Final TRA Report                                 | Annex F, Section 6 (Appendix F-6)    | F-13     |

ASSET IDENTIFICATION AND VALUATION PHASE

Table 1: Graduated Injury Table
| Level of Injury | Injury to People: Physical | Injury to People: Psychological | Financial Impact |
|-----------------|----------------------------|---------------------------------|------------------|
| Very High       | Widespread Loss of Life    | Widespread Trauma               | > $1 billion     |
| High            | Potential Loss of Life     | Serious Stress/Trauma           | > $10 million    |
| Medium          | Injury/Illness             | Public Suspicion/Doubts         | > $100 thousand  |
| Low             | Discomfort                 | Minor Embarrassment             | > $1 thousand    |
| Very Low        | Negligible                 | Negligible                      | < $1 thousand    |

THREAT ASSESSMENT PHASE

Table 2: Threat Likelihood Table
| Past Frequency     | Same Location / Similar Assets | Remote Location but Similar Assets, or Same Location but Different Assets | Remote Location / Other Assets |
|--------------------|--------------------------------|---------------------------------------------------------------------------|--------------------------------|
| Daily              | High                           | High                                                                      | High                           |
| 1-10 Days          | High                           | High                                                                      | Medium                         |
| 10-100 Days        | High                           | Medium                                                                    | Low                            |
| 100-1,000 Days     | Medium                         | Low                                                                       | Very Low                       |
| 1,000-10,000 Days  | Low                            | Very Low                                                                  | Very Low                       |
| Over 10,000 Days   | Very Low                       | Very Low                                                                  | Very Low                       |

THREAT ASSESSMENT PHASE (continued)

Table 3: Threat Gravity Table
| Deliberate Threat Agent Capabilities                                                                                                          | Magnitude of Accidents or Natural Hazards                      | Threat Impact or Gravity |
|-----------------------------------------------------------------------------------------------------------------------------------------------|----------------------------------------------------------------|--------------------------|
| Extensive Knowledge/Skill, Extensive Resources                                                                                                | Highly Destructive; Extremely Grave Error; Widespread Misuse   | High                     |
| Limited Knowledge/Skill, Extensive Resources; or Extensive Knowledge/Skill, Limited Resources; or Moderate Knowledge/Skill, Moderate Resources | Moderately Destructive; Serious Error; Significant Misuse      | Medium                   |
| Limited Knowledge/Skill, Limited Resources                                                                                                    | Modestly Destructive; Minor Error; Limited Misuse              | Low                      |

Table 4: Threat Levels Table (rows: Threat Impact; columns: Threat Likelihood)
| Threat Impact | Very Low  | Low       | Medium   | High      |
|---------------|-----------|-----------|----------|-----------|
| High          | Low       | Medium    | High     | Very High |
| Medium        | Very Low  | Low       | Medium   | High      |
| Low           | Very Low  | Very Low  | Low      | Medium    |

RISK ASSESSMENT PHASE – VULNERABILITY ASSESSMENT

Table 5: Vulnerability Impact on Probability of Compromise (Prevention)
| Safeguard Effectiveness                                                        | Associated Vulnerabilities                                                                                                                                              | Probability of Compromise |
|--------------------------------------------------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------|---------------------------|
| No Safeguard / Safeguard Largely Ineffective (Probability of Compromise > 75%) | Easily Exploited; Needs Little Knowledge/Skill/Resources; Assets Highly Accessible; Assets Very Complex/Fragile/Portable; Employees Ill-Informed/Poorly Trained         | High                      |
| Safeguard Moderately Effective (Probability of Compromise 25-75%)              | Not Easily Exploited; Needs Some Knowledge/Skill/Resources; Assets Moderately Accessible; Assets Fairly Complex/Fragile/Portable; Moderate Employee Awareness/Training | Medium                    |
| Safeguard Very Effective (Probability of Compromise < 25%)                     | Difficult to Exploit; Needs Extensive Knowledge/Skill/Resources; Assets Highly Accessible; Assets Very Simple/Robust/Static; Employees Well-Informed/Trained            | Low                       |
| (Safeguard Performs Only Detection, Response or Recovery Functions)            |                                                                                                                                                                         | (Not Applicable)          |

RISK ASSESSMENT PHASE – VULNERABILITY ASSESSMENT (continued)

Table 6: Vulnerability Impact on Severity of the Outcome (Detection, Response or Recovery)
| Safeguard Effectiveness                                                                                                                                        | Associated Vulnerabilities                                                                                         | Severity of Outcome |
|----------------------------------------------------------------------------------------------------------------------------------------------------------------|--------------------------------------------------------------------------------------------------------------------|---------------------|
| No Safeguard / Safeguards Largely Ineffective: Unlikely to Detect Compromise; Damage Difficult to Contain; Prolonged Recovery Times/Poor Service Levels         | Assets Exposed to Extensive Injury; Assets Very Complex/Fragile; Employees Ill-Informed/Poorly Trained             | High                |
| Safeguard Moderately Effective: Compromise Probably Detected Over Time; Damage Partially Contained; Moderate Recovery Times/Service Levels                      | Assets Exposed to Moderate Injury; Assets Fairly Complex/Fragile; Moderate Employee Awareness/Training             | Medium              |
| Safeguard Very Effective: Compromise Almost Certainly Detected Quickly; Damage Tightly Contained; Quick and Complete Recovery                                   | Assets Exposed to Limited Injury; Assets Very Simple/Robust; Employees Well-Informed/Trained                       | Low                 |
| (Safeguard Performs Only a Prevention Function)                                                                                                                |                                                                                                                    | (Not Applicable)    |

Table 7: Vulnerability Assessment (rows: Vulnerability Impact on Probability of Compromise (Prevention); columns: Vulnerability Impact on Severity of the Outcome (Detection, Response & Recovery))
| Probability of Compromise | Low (N/A) | Medium | High      |
|---------------------------|-----------|--------|-----------|
| High                      | Medium    | High   | Very High |
| Medium                    | Low       | Medium | High      |
| Low (N/A)                 | Very Low  | Low    | Medium    |

RISK ASSESSMENT PHASE – CALCULATION OF RESIDUAL RISK

Table 8: Numeric Scores for Asset Value, Threat and Vulnerability Levels
| Asset Value, Threat and Vulnerability Levels | Very Low | Low | Medium | High | Very High |
|----------------------------------------------|----------|-----|--------|------|-----------|
| Scores for Risk Computation                  | 1        | 2   | 3      | 4    | 5         |

Table 9: Risk Levels and Ranges
| Basic Risk Score | Risk Level | Number of Outcomes in Range | Risk Acceptability      |
|------------------|------------|-----------------------------|-------------------------|
| 1-4              | Very Low   | 13                          | Definitely Acceptable   |
| 5-12             | Low        | 34                          | Probably Acceptable     |
| 15-32            | Medium     | 43                          | Possibly Acceptable     |
| 36-75            | High       | 28                          | Probably Unacceptable   |
| 80-125           | Very High  | 7                           | Definitely Unacceptable |

Notes:
1. The TRA Worksheet lists all successive processes and activities within each phase of a TRA project.
2. Copies of all tables required to assess asset values, threat and vulnerability levels, and residual risks are included in the same logical sequence for ease of use.
3. This worksheet, with copies of the Asset Valuation Table/Statement of Sensitivity (Appendix B-5), Threat Assessment Table (Appendix C-4), Vulnerability Assessment Table (Appendix D-4), List of Assessed Residual Risks (Appendix E-2) and Recommendations Table (Appendix F-5), forms the basic toolkit to complete a TRA.
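The following Python example is added here to show how Tables 4, 7, 8 and 9 of the worksheet combine into the basic risk calculation; it is not part of the TRA-1 publication. It assumes, as the 1-125 score range and the 125 outcomes in Table 9 imply, that the basic risk score is the product of the three 1-5 scores from Table 8 (asset value, threat level, vulnerability level). Where a safeguard covers only one function, Table 7 marks the other dimension "(N/A)" alongside "Low"; the example treats "N/A" as "Low" for that reason. All input values are constructed for illustration, and the helper that enumerates every combination reproduces the "Number of Outcomes in Range" column.

```python
from itertools import product

# Table 8: numeric scores for asset value, threat and vulnerability levels
SCORE = {"Very Low": 1, "Low": 2, "Medium": 3, "High": 4, "Very High": 5}

# Table 4: threat level indexed by [threat impact][threat likelihood]
THREAT_LEVEL = {
    "High":   {"Very Low": "Low",      "Low": "Medium",   "Medium": "High",   "High": "Very High"},
    "Medium": {"Very Low": "Very Low", "Low": "Low",      "Medium": "Medium", "High": "High"},
    "Low":    {"Very Low": "Very Low", "Low": "Very Low", "Medium": "Low",    "High": "Medium"},
}

# Table 7: vulnerability level indexed by [probability of compromise][severity of outcome]
VULN_LEVEL = {
    "High":   {"Low": "Medium",   "Medium": "High",   "High": "Very High"},
    "Medium": {"Low": "Low",      "Medium": "Medium", "High": "High"},
    "Low":    {"Low": "Very Low", "Medium": "Low",    "High": "Medium"},
}

# Table 9: (lowest score, highest score, risk level, risk acceptability)
RISK_RANGES = [
    (1, 4, "Very Low", "Definitely Acceptable"),
    (5, 12, "Low", "Probably Acceptable"),
    (15, 32, "Medium", "Possibly Acceptable"),
    (36, 75, "High", "Probably Unacceptable"),
    (80, 125, "Very High", "Definitely Unacceptable"),
]


def _na_to_low(level):
    """Table 7 pairs '(N/A)' with 'Low': a safeguard that performs only one
    function contributes the lowest vulnerability impact on the other."""
    return "Low" if level.upper() in ("N/A", "(N/A)", "NOT APPLICABLE") else level


def basic_risk_score(asset_value, threat_level, vuln_level):
    """Basic risk score: product of the three Table 8 scores (assumed, see lead-in)."""
    return SCORE[asset_value] * SCORE[threat_level] * SCORE[vuln_level]


def classify_risk(score):
    """Map a basic risk score onto its Table 9 risk level and acceptability.
    Scores such as 13, 14, 33-35 or 76-79 fall in the gaps between ranges because
    no product of three 1-5 scores can produce them; they are rejected."""
    for low, high, level, acceptability in RISK_RANGES:
        if low <= score <= high:
            return level, acceptability
    raise ValueError(f"{score} is not a valid basic risk score")


def assess(asset_value, threat_impact, threat_likelihood, prob_compromise, severity):
    """Run one asset/threat pair through Tables 4, 7, 8 and 9."""
    threat = THREAT_LEVEL[threat_impact][threat_likelihood]
    vuln = VULN_LEVEL[_na_to_low(prob_compromise)][_na_to_low(severity)]
    score = basic_risk_score(asset_value, threat, vuln)
    level, acceptability = classify_risk(score)
    return {"threat_level": threat, "vulnerability_level": vuln,
            "score": score, "risk_level": level, "acceptability": acceptability}


def outcomes_per_range():
    """Count how many of the 125 (asset, threat, vulnerability) score combinations
    land in each Table 9 range; matches the 'Number of Outcomes in Range' column."""
    counts = {level: 0 for _, _, level, _ in RISK_RANGES}
    for a, t, v in product(range(1, 6), repeat=3):
        level, _ = classify_risk(a * t * v)
        counts[level] += 1
    return counts


if __name__ == "__main__":
    # Constructed sample: a High-value asset, Medium-impact threat seen frequently,
    # protected by a moderately effective preventive safeguard with weak detection.
    print(assess("High", "Medium", "High", "Medium", "High"))
    print(outcomes_per_range())
```

The sample call yields a threat level of High, a vulnerability level of High and a score of 64, which Table 9 places in the High (Probably Unacceptable) range; `outcomes_per_range()` returns 13, 34, 43, 28 and 7 for the five ranges.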