Threat and Risk Assessment Services

In February 2002, the Government Security Policy (GSP) was released. Under this new policy, new and existing systems with designated and classified data must undergo a Threat and Risk Assessment (TRA). For new systems, the TRA must be performed before deployment.

In addition, TRAs are a critical component in conducting Privacy Impact Assessments.

What is a TRA?

A Threat and Risk Assessment (TRA) is a formalized process used to determine the risks to Information Technology (IT) assets and provide recommendations to lower the risks to acceptable levels. A TRA performs the following tasks:

  • Defines the IT system under assessment;
  • States the aim of the assessment as well as the desired security level to be attained;
  • Identifies potentially vulnerable parts of the IT system;
  • States the potential impacts of successful threat events on the IT system, the business functions it supports, and the applications that carry them out;

    The potential impacts are stated in terms of Confidentiality, Integrity, and Availability.
  • Provides recommendations to lower risks to acceptable levels.

TRA Deliverables

A Threat and Risk Assessment produces ten deliverables plus associated appendices to provide a comprehensive report with a high level of detail.

A TRA has the following deliverables:

  • System Description
  • Preliminary Statement of Sensitivity
  • List of Non-Compliant Areas
  • Statement of Sensitivity Report
  • Threat Risk Analysis Report
  • Vulnerability Analysis Report
  • Risk Analysis Report
  • Preliminary Risk Assessment Report
  • Final Risk Assessment Report
  • Executive Summary

CISTEL's TRA Methodology

Cistel Technology prepares TRAs using the Communications Security Establishment's guidelines (ITSG-04) augmented by components from the RCMP and Carnegie Mellon University.

Cistel Technology employs a combination of interviews, questionnaires, information gathering, and a consultative process that keeps the client informed. Cistel Technology recognizes the need for a balance between safeguards, business program requirements, and budgets. Our mandate is to deliver a TRA that meets a client's needs while maintaining security.

Cistel Technology's TRA methodology is regularly updated to include new technologies, threats, and vulnerabilities.