Threat and Risk Assessment (TRA)

A security threat and risk assessment (TRA) is the process of identifying and mitigating threats and risks to the confidentiality, integrity, and/or availability of information. A TRA involves identifying what information is at risk, determining the relative magnitude of the risk, and deciding what to do about the risk. The goal of risk management is to ensure that risks remain within acceptable limits and that the cost of countermeasures is affordable. A TRA is a collaborative process where representatives of various groups within the organization develop a shared understanding of threat and risk requirements and options. TRAs provide evidence to customers and regulators that your business has applied the appropriate security due diligence to its products and services. 

A Threat and Risk Assessment (TRA) and a penetration test both assess your business’ security. A TRA encompasses all security, including your business’ entire security governance, cybersecurity threats and risks, human risks, errors, and vulnerabilities. A penetration test is a technical test that focuses solely on assessing your IT infrastructure’s cybersecurity. 

Yes, we conduct Threat and Risk Assessments (TRAs) for our clients and we can also update a past TRA report.

The TRA report includes the following major components:

• Security Readiness Assessment: A comprehensive gap analysis checklist based on information security management systems requirements for ISO 27001. It is a key input into the evaluation of current security safeguards and vulnerabilities.
• Context establishment: An outline of the current security environment the TRA is evaluating, including: report objectives, scope, corporate description, system description, environmental constraints, evaluation criteria, and risk tolerance.
• Solution overview: An overview of technical, application, and security architectures, and security safeguards and services.
• Asset identification and valuation: A summary listing the business’ information technology assets, including information, software, hardware, facilities, services, key personnel, and intangibles. Each asset is rated for its sensitivity to confidentiality, integrity, and availability. 
• Threat assessment: An assessment that defines security threat scenarios (use cases), identifies threat agents, and determines threat exposure based on threat agent motivation and capability.
• Vulnerability assessment: An assessment that identifies existing safeguards and vulnerabilities based on the readiness assessment, including identifying potential consequences should vulnerabilities be exploited by a threat agent.
• Risk assessment: A comprehensive assessment of security risks, including risk identification, risk estimation, and risk evaluation.
• Risk treatment plan: An action plan outlining recommendations for addressing each risk currently exceeding the risk tolerance level.