Data Perceptions’ TRA process will lead your organization’s key information security stakeholders through workshops to identify information assets and their assigned owners, together with the risks that might affect the Confidentiality, Integrity and Availability of information in the organization.
Assets can include applications, databases, infrastructure, and external services/outsourced processes. Associated risks will be identified, analyzed, and evaluated and the appropriate risk treatment will be applied to reduce, remove, or otherwise mitigate each risk.
A treatment plan will be developed which will outline the risk criteria, analysis, treatments, and who is accountable for the mitigation steps.
Data Perceptions’ Risk Register & Threat Risk Assessment Report will include:
Identification of potential threats and vulnerabilities and reasonably anticipated threats.
Classification of the likelihood and potential impact of threat occurrence.
Recommendations for remediation action plans that rank threats and deficiencies in order of importance.
Gap Analysis Report.
A risk assessment framework is used to assist the organization in integrating risk management into significant activities and functions. The effectiveness of the risk assessment will depend on its integration into the governance of the organization, including decision-making. This requires support from stakeholders, particularly top management.
To the right is an illustration of the components of a TRA framework.
1. Identify Your Information Assets
Assets that are valuable to the business, such as infrastructure, applications, databases and people, identified through an interview process.
2. Identify the Asset Owners (Responsible)
Who within the business owns each asset? (We would interview Finance, HR, Dev and IT.)
3. Identify Risks to Confidentiality, Integrity, and Availability (CIA) of the Assets
4. Identify the Risk Owners (Accountable)
Someone who can act on the risk (upper management).
5. Analyze the Risks
Impact if the risk were to materialize.
Risk Score Chart
6. Identify the Level of Risks
Identify vulnerabilities (Internal, in your control) and threats (External).
7. Prioritize the Risk Treatment
Risk Mitigation, Risk Acceptance, Risk Avoidance, Risk Transfer.
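As an added illustration of steps 1 to 7 above (example code, not Data Perceptions' own tooling), the register below models each risk with its asset owner (responsible), risk owner (accountable), CIA dimension, threat and vulnerability, scores it as likelihood x impact, maps the score onto a risk level, and ranks the treatment plan. The 1-5 scale labels, band thresholds, default treatments, and the sample assets and owners are all assumptions constructed for this example.

```python
from dataclasses import dataclass

# Qualitative 1-5 scales, as on a typical TRA risk score chart. Scale labels,
# band thresholds and default treatments below are assumptions for this example.
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}
TREATMENT = {"Critical": "Mitigate or avoid", "High": "Mitigate",
             "Medium": "Mitigate or transfer", "Low": "Accept"}

def risk_band(score: int) -> str:
    """Map a likelihood x impact score (1-25) onto a risk level (step 6)."""
    if score >= 15:
        return "Critical"
    if score >= 10:
        return "High"
    if score >= 5:
        return "Medium"
    return "Low"

@dataclass
class Risk:
    asset: str          # step 1: the information asset
    asset_owner: str    # step 2: responsible
    cia: str            # step 3: C, I or A dimension at risk
    risk_owner: str     # step 4: accountable
    threat: str         # external
    vulnerability: str  # internal, in the organisation's control
    likelihood: str
    impact: str

    def score(self) -> int:
        """Step 5: likelihood x impact."""
        return LIKELIHOOD[self.likelihood] * IMPACT[self.impact]

def treatment_plan(register):
    """Step 7: rank risks highest score first, ties broken by impact."""
    ranked = sorted(register, key=lambda r: (r.score(), IMPACT[r.impact]), reverse=True)
    return [{"asset": r.asset, "cia": r.cia, "score": r.score(),
             "level": risk_band(r.score()), "treatment": TREATMENT[risk_band(r.score())],
             "accountable": r.risk_owner} for r in ranked]

# Constructed sample register; assets, owners and ratings are hypothetical.
REGISTER = [
    Risk("HR database", "HR", "C", "COO", "credential theft", "no MFA on admin accounts", "likely", "severe"),
    Risk("Payroll SaaS", "Finance", "A", "CFO", "vendor outage", "single provider, no exit plan", "possible", "major"),
    Risk("Public website", "Marketing", "I", "CIO", "defacement", "unpatched CMS", "possible", "minor"),
    Risk("Office printers", "IT", "A", "CIO", "hardware failure", "aging fleet", "unlikely", "negligible"),
]
```

Calling `treatment_plan(REGISTER)` yields the prioritized plan, with the HR database risk scored 20 (Critical) at the top and the printer risk scored 2 (Low, accepted) at the bottom.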
This security assessment is an in-depth review of 198 security controls. The assessment can be adapted to align with the most common security frameworks (ISO 27001/2, GDPR, NIST 800-53, NIST 800-171, PCI DSS, COBIT, PIPEDA, HIPAA, or the Canadian Baseline Cyber Security Controls).
Information Security and Operations Scorecard
Recent Security Related Articles
Locking the Door is Not Enough
Organizations need to go beyond prevention techniques and invest in detection & response capabilities.
Most enterprises have long been focused on preventing the bad guys from getting into their networks and systems.
Historically, the especially security-conscious enterprises -- ones that understood their organizations were ...
In the Business Continuity Institute 2018 Horizon Scan Report, four of the top 10 threats identified by business leaders are most often the result of a social engineering exploit. In a recent ...