When it comes to securing your company, there is simply no “one-size-fits-all” option. Every business has its own set of security and privacy requirements based on everything from the industry you are a part of to your country’s specific regulations. The hard and fast truth is, you can’t protect yourself from what you don’t know about – which is why identifying the threats and risks that are specific to your company is essential to building a robust security and privacy program. This is where a Threat Risk Assessment (TRA) comes in.
First things first – what is a Threat Risk Assessment? NIST defines it as a tool that “[identifies, estimates, and prioritizes] risk to organizational operations, assets, individuals, other organizations, and the Nation, resulting from the operation and use of information systems.”
A comprehensive TRA will prioritize ways to decrease both the likelihood of a breach as well as the impact should one occur.
Ultimately, a TRA is a systematic process that seeks to answer the following questions:
- What are the assets that need to be secured?
- How will the business be impacted if the assets are damaged or lost?
- Who/what are the current and potential threats?
- Who/what are the current and potential vulnerabilities?
- What can be done to optimize your security and privacy program?
- What can be done to minimize damage in the case of a breach?
The result of a comprehensive TRA should be a clear understanding of the unique threats and risks your company faces and tactics to optimize your security and privacy program against them.
Do I need a TRA?
Threat Risk Assessments are the best way to build a solid foundation for your security and privacy program and are critical for risk management and data protection.
Key benefits of conducting a TRA at the beginning of your security journey and on a regular basis thereafter:
- Provides a data-driven summary of your current posture along with clear recommendations for how to optimize your program.
- Improves security strategy efficiency by supporting leaders in making informed decisions about security and privacy.
- Provides recommendations on how to optimize your security program to defend against attacks and mitigate damage.
- Fulfills compliance requirements for frameworks including HIPAA, PIPEDA, and GDPR.
- Supports developing a company culture of security by helping to build security and privacy training, materials, and resources.
Furthermore, many regulatory frameworks like ISO27001, GDPR, and OTN require up-to-date Threat Risk Assessments to achieve compliance.
What Does a Good TRA Look Like?
When it comes to assessing your company’s threats and vulnerabilities, this is not the place to cut corners. Unfortunately, particularly for fast-growing companies, the appeal of taking the fast way tends to trump doing things the right way. This results in TRAs that are full of gaps and can lead to completely avoidable vulnerabilities and even worse – breaches.
When looking to start your own TRA process, or if you outsource the task to a third party, make sure your final report will include the following:
- Executive Summary – An executive summary that outlines the details of the TRA including timeline, scope, team, methodology, and systems under review.
- Policies & Safeguards – An overview of the company’s existing security and privacy policies and safeguards like risk identification and mitigation, security and privacy risk, awareness training, and incident response.
- Vulnerability & Penetration Testing – A summary of the results of any testing that has been done to identify potential weaknesses and provide a review of the security posture of your company.
- Recommendations and Action Plans – Details on how you can improve your information systems and general security and privacy program.
Where Do I Start with Conducting a TRA?
There are 5 basic steps to conducting a TRA:
1. Identify All Business Assets
Assets are both physical and online resources that are used to carry out the vital functions of the business. Taking inventory of your company’s assets will help identify which are most vulnerable and the best methods of protecting them.
Assets can include:
- Tangible assets: Buildings, vehicles, hardware, machinery, software, raw materials, networks, or cash on hand.
- Intangible assets: Supply chains, business reputation, or industry knowledge. They’re not listed on balance sheets, but they impact the ability of a company to generate revenue.
- Intellectual assets: Patents, trademarks, brand names, logos, collected data, and trade secrets. While similar to intangible assets, laws protect the company’s ownership of intellectual assets.
2. Identify the Threats that Each Asset is Susceptible to
Security and privacy laws hinge on reducing your risk of a breach, theft, or corruption of confidential information by threats.
Identifying your company’s threats and risks allows your company to be as prepared as possible to mitigate the likelihood of a breach and to prepare your team if one does occur.
There are several types of threats that might affect your business:
- Human threats: Human error, intentional leaks, non-paying clients, workplace violence, ineffective management, and employee illness or injury.
- Technological threats: Cyberattacks, disrupted production or delivery, dated hardware or software, viruses, and corrupted data.
- Physical threats: Loss or damage of physical assets, Internet or utility outages, stolen devices, unsecured facilities, accidents, and fires.
- Economic threats: Changes in market conditions, consumer preferences, sudden economic downturns, and other pressures affecting pricing.
- Political threats: Changes in import/export laws and tariffs, the introduction of national compliance demands, and regulations or laws imposed by the government.
- Natural threats: Hurricanes, tornadoes, wildfires, flooding, and earthquakes.
We can’t actually plan for every threat in existence. Start with known threats that are relevant to your company according to geography, industry, etc. Engaging a third-party expert to conduct a TRA can help identify the unknown threats you may be overlooking and determine the risk level facing your company.
3. Conduct an Impact Analysis for Each Asset
During the impact analysis, you’ll take a look at the different ways in which each threat and vulnerability might affect assets and the wider business operations. Some consequences to consider might include:
- Personnel injuries or casualties
- Property damage
- Data loss
- Business process interruption
- Loss of customers and reputation
- Fines and penalties
- Lawsuits
Identify the consequences associated with each asset and determine if it would render the asset non-functional, compromised, or eliminated entirely.
4. Identify Resources Needed to Address Vulnerabilities
Figure out what it will take to protect an asset, either by mitigating or eliminating vulnerabilities, or replacing the asset with a more secure alternative.
Follow these tips to ensure that your plan remains cost-effective:
- Never spend more money protecting an asset than what it would cost to replace it with a more secure and up-to-date alternative. This may seem obvious, but you’d be surprised how often it happens – usually through accumulated and unexpected costs.
- Consider the asset’s lifecycle. It may currently be worthwhile to protect it, but there will come a point when it’s better to replace it.
- Seek to protect an asset enough to lower the risk of loss but not so much that it affects the asset’s functionality. It isn’t always necessary – or cost-effective – to seek total protection.
5. Create a Threat Risk Assessment Report
Your report should discuss findings and opportunities for improvement with senior management and technical leads. Once you have received approval, move forward with your mitigation strategies.
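As an added illustration, not taken from the post or from Carbide, here is a minimal risk register in Python that ties steps 1 to 4 together: each asset/threat pair is scored by likelihood times impact, the residual risk after a proposed control is computed, and the step 4 cost rule decides between mitigating and replacing. The assets, threats, the 1 to 5 scales and the costs are constructed sample values.

```python
from dataclasses import dataclass

@dataclass
class Asset:
    name: str
    replacement_cost: float  # cost of a more secure, up-to-date alternative (step 4)

@dataclass
class Threat:
    description: str
    category: str    # human / technological / physical / economic / political / natural
    likelihood: int  # 1 (rare) .. 5 (almost certain)
    impact: int      # 1 (minor) .. 5 (asset eliminated entirely)

@dataclass
class Control:
    description: str
    cost: float
    likelihood_reduction: int  # likelihood levels removed once the control is in place

def inherent_risk(threat: Threat) -> int:
    # Likelihood x impact: the score the report is prioritized by.
    return threat.likelihood * threat.impact

def residual_risk(threat: Threat, control: Control) -> int:
    # Risk left after the control; likelihood never drops below 1 (no total protection).
    return max(1, threat.likelihood - control.likelihood_reduction) * threat.impact

def recommend(asset: Asset, control: Control) -> str:
    # Step 4 rule: never spend more protecting an asset than replacing it would cost.
    return "replace asset" if control.cost > asset.replacement_cost else "apply control"

def build_action_plan(register):
    # register: list of (asset, threat, proposed control) tuples from steps 1-4.
    rows = []
    for asset, threat, control in register:
        rows.append({"asset": asset.name, "threat": threat.description,
                     "inherent": inherent_risk(threat), "residual": residual_risk(threat, control),
                     "action": recommend(asset, control)})
    return sorted(rows, key=lambda r: r["inherent"], reverse=True)

# Constructed sample register: illustrative values, not taken from the post.
SAMPLE_REGISTER = [
    (Asset("customer database", 50_000), Threat("phishing leads to data theft", "human", 4, 5),
     Control("awareness training plus MFA", 8_000, 2)),
    (Asset("legacy file server", 6_000), Threat("unpatched OS is exploited", "technological", 3, 4),
     Control("extended vendor support contract", 9_000, 1)),
    (Asset("head office", 2_000_000), Threat("flooding", "natural", 2, 5),
     Control("flood barriers and off-site backups", 40_000, 1)),
]
```

Calling `build_action_plan(SAMPLE_REGISTER)` returns the rows ordered by inherent risk; the legacy server comes back flagged for replacement because the support contract costs more than a more secure replacement would.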
Keep in mind, this is a very general overview of a TRA, and the complexity and depth of each one will differ depending on the company and its specific security and privacy requirements. This is why engaging an expert with experience and insights can streamline the process. Conducting a TRA is a tedious process, but it doesn’t have to be difficult!
Not sure where to start? Connect with the Carbide Team to learn more about how we can support your security and privacy journey with comprehensive solutions including TRAs.