A Simplified TRA (Threat and Risk Assessment) Example

Still being written…

A Threat and Risk Assessment analyzes a software or hardware system for vulnerabilities, examines the potential threats associated with those vulnerabilities, and evaluates the resulting security risks. A vulnerability is any “flaw or weakness in system security procedures, design, implementation, or internal controls that could be exercised (accidentally triggered or intentionally exploited) and result in a security breach or a violation of the system’s security policy” (NIST SP 800-30, Risk Management Guide for Information Technology Systems). The level of threat is determined from the potential for any natural, human or environmental source to trigger or exploit an identified vulnerability. The risk assessment considers both the likelihood of that threat occurring and the impact on the system and on the organization should it occur. An appropriate strategy can then be chosen for each risk according to its severity: accept the risk, adopt a mitigation plan, or implement an avoidance strategy.

Define TRA Methodology

NIST
SP 800-30 Rev. 1 – Guide for Conducting Risk Assessments
FIPS 200 – Minimum Security Requirements for Federal Information and Information Systems
FIPS 199 – Standards for Security Categorization of Federal Information and Information Systems

Define Process

Based on FIPS 199 (restated in FIPS 200), the generalized format for expressing the security category (SC) of an information system is:

SC information system = {(confidentiality, impact), (integrity, impact), (availability, impact)},

where the acceptable values for potential impact are low, moderate, or high.

Since the potential impact values for confidentiality, integrity, and availability may not always be the same for a particular information system, the high water mark concept must be used to determine the overall impact level of the information system: the overall level is the highest of the three impact values, and it is this single level that selects the control baseline below.

Define Scope

Organizations must meet the minimum security requirements in this standard by selecting the appropriate security controls and assurance requirements as described in NIST Special Publication 800-53, Recommended Security Controls for Federal Information Systems.

The selected set of security controls must include one of three, appropriately tailored security control baselines from NIST Special Publication 800-53 that are associated with the designated impact levels of the organizational information systems as determined during the security categorization process.
– For low-impact information systems, organizations must, as a minimum, employ appropriately tailored security controls from the low baseline of security controls defined in NIST Special Publication 800-53 and must ensure that the minimum assurance requirements associated with the low baseline are satisfied.
– For moderate-impact information systems, organizations must, as a minimum, employ appropriately tailored security controls from the moderate baseline of security controls defined in NIST Special Publication 800-53 and must ensure that the minimum assurance requirements associated with the moderate baseline are satisfied.
– For high-impact information systems, organizations must, as a minimum, employ appropriately tailored security controls from the high baseline of security controls defined in NIST Special Publication 800-53 and must ensure that the minimum assurance requirements associated with the high baseline are satisfied.

Output

Simplified control catalogue by baseline (x = required at that baseline as a minimum, before tailoring; - = not in that baseline). A control required at one level is also required at every higher level.

Category                            | Security Control                            | Low | Moderate | High
------------------------------------|---------------------------------------------|-----|----------|-----
Access Control                      | Administrator Multi Factor Authentication   |  -  |    x     |  x
Access Control                      | Centralized Authentication                  |  -  |    x     |  x
Access Control                      | Machine Authentication                      |  -  |    x     |  x
Access Control                      | Physical Security                           |  x  |    x     |  x
Access Control                      | Role-based Authentication / Least Privilege |  -  |    x     |  x
Access Control                      | Separation of Duties                        |  -  |    x     |  x
Access Control                      | User Multi Factor Authentication            |  -  |    -     |  x
Audit                               | Audit Data Review                           |  x  |    x     |  x
Audit                               | Login Audit                                 |  x  |    x     |  x
Configuration Management            | Configuration Change Control                |  x  |    x     |  x
Configuration Management            | Notification of Changes                     |  -  |    -     |  x
Configuration Management            | System Component Inventory                  |  x  |    x     |  x
Contingency Planning                | Contingency Plan                            |  x  |    x     |  x
Contingency Planning                | Disaster Recovery Site                      |  -  |    -     |  x
Contingency Planning                | Offsite Backup                              |  -  |    x     |  x
Contingency Planning                | Onsite Backup                               |  x  |    x     |  x
Incident Response                   | Incident Response                           |  x  |    x     |  x
Media Protection                    | Secure Delete                               |  -  |    x     |  x
Risk Assessment                     | Penetration Testing                         |  -  |    -     |  x
Risk Assessment                     | Vulnerability Management                    |  x  |    x     |  x
System and Communication Protection | Data Leak Protection (DLP)                  |  -  |    x     |  x
System and Communication Protection | DoS Protection                              |  -  |    -     |  x
System and Communication Protection | Encryption at Rest                          |  -  |    x     |  x
System and Communication Protection | Encryption in Transit                       |  x  |    x     |  x
System and Communication Protection | Isolation in Multi-tenant Environment       |  -  |    x     |  x
System and Communication Protection | Network Segregation                         |  -  |    -     |  x
System and Information Integrity    | Antivirus/Antimalware                       |  x  |    x     |  x
System and Information Integrity    | File Integrity Monitoring                   |  -  |    x     |  x
System and Information Integrity    | Host IDS                                    |  -  |    -     |  x
System and Information Integrity    | Network IDS                                 |  -  |    x     |  x
System and Information Integrity    | Patch Management                            |  x  |    x     |  x
System and Information Integrity    | Privileged Access Management                |  -  |    -     |  x
System and Information Integrity    | System Hardening                            |  x  |    x     |  x
System and Information Integrity    | System Health Monitoring                    |  x  |    x     |  x
Training                            | Awareness and Training                      |  x  |    x     |  x
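To make the categorization and baseline-selection steps concrete, here is an added Python example; it is not code from the original post. It applies the FIPS 199 high water mark across the information types a system handles to obtain the system SC, applies the FIPS 200 high water mark across the three objectives to obtain the overall impact level, and then selects the required controls from the simplified catalogue in the table above. It goes one step beyond the text by starting from per-information-type categorization, which is how FIPS 199 derives the system-level category. The customer-portal information types and their impact values are constructed for illustration; the control catalogue is this page's own table, encoded by the lowest baseline that requires each control.

```python
"""FIPS 199 categorization, FIPS 200 high water mark and baseline selection.

Added example, not from the original post. Information types and impact values
are constructed; the control catalogue is the simplified table on this page.
"""
from typing import Dict, List, Tuple

LEVELS = ("low", "moderate", "high")
RANK = {lvl: i for i, lvl in enumerate(LEVELS)}          # low < moderate < high
OBJECTIVES = ("confidentiality", "integrity", "availability")
ImpactTriple = Dict[str, str]                            # objective -> impact level


def validate(triple: ImpactTriple) -> None:
    """Reject anything that is not a complete C/I/A -> {low, moderate, high} mapping."""
    if set(triple) != set(OBJECTIVES):
        raise ValueError(f"expected objectives {OBJECTIVES}, got {sorted(triple)}")
    for objective, level in triple.items():
        if level not in RANK:
            raise ValueError(f"{objective}: impact must be one of {LEVELS}, got {level!r}")


def system_security_category(info_types: Dict[str, ImpactTriple]) -> ImpactTriple:
    """FIPS 199 system-level SC: for each objective, the highest impact across every
    information type resident on the system (high water mark per column)."""
    if not info_types:
        raise ValueError("a system must process at least one information type")
    for triple in info_types.values():
        validate(triple)
    return {obj: max((t[obj] for t in info_types.values()), key=RANK.__getitem__)
            for obj in OBJECTIVES}


def overall_impact_level(sc: ImpactTriple) -> str:
    """FIPS 200 high water mark across the three objectives: the single impact level
    that picks the SP 800-53 baseline."""
    validate(sc)
    return max(sc.values(), key=RANK.__getitem__)


def format_sc(name: str, sc: ImpactTriple) -> str:
    """Render the SC in the FIPS 199 notation used on this page."""
    pairs = ", ".join(f"({obj}, {sc[obj]})" for obj in OBJECTIVES)
    return f"SC {name} = {{{pairs}}}"


# Lowest baseline that requires each control; a control required at one level is
# also required at every higher level, exactly as the x marks in the page's table.
AC, AU, CM, CP = "Access Control", "Audit", "Configuration Management", "Contingency Planning"
IR, MP, RA = "Incident Response", "Media Protection", "Risk Assessment"
SCP, SI, AT = "System and Communication Protection", "System and Information Integrity", "Training"
CATALOGUE: Dict[str, List[Tuple[str, str]]] = {
    "low": [(AC, "Physical Security"), (AU, "Audit Data Review"), (AU, "Login Audit"),
            (CM, "Configuration Change Control"), (CM, "System Component Inventory"),
            (CP, "Contingency Plan"), (CP, "Onsite Backup"), (IR, "Incident Response"),
            (RA, "Vulnerability Management"), (SCP, "Encryption in Transit"),
            (SI, "Antivirus/Antimalware"), (SI, "Patch Management"), (SI, "System Hardening"),
            (SI, "System Health Monitoring"), (AT, "Awareness and Training")],
    "moderate": [(AC, "Administrator Multi Factor Authentication"), (AC, "Centralized Authentication"),
                 (AC, "Machine Authentication"), (AC, "Role-based Authentication / Least Privilege"),
                 (AC, "Separation of Duties"), (CP, "Offsite Backup"), (MP, "Secure Delete"),
                 (SCP, "Data Leak Protection (DLP)"), (SCP, "Encryption at Rest"),
                 (SCP, "Isolation in Multi-tenant Environment"), (SI, "File Integrity Monitoring"),
                 (SI, "Network IDS")],
    "high": [(AC, "User Multi Factor Authentication"), (CM, "Notification of Changes"),
             (CP, "Disaster Recovery Site"), (RA, "Penetration Testing"), (SCP, "DoS Protection"),
             (SCP, "Network Segregation"), (SI, "Host IDS"), (SI, "Privileged Access Management")],
}


def baseline_controls(level: str) -> List[Tuple[str, str]]:
    """Controls the given baseline requires as a minimum, before any tailoring."""
    if level not in RANK:
        raise ValueError(f"unknown impact level {level!r}")
    return [c for floor in LEVELS if RANK[floor] <= RANK[level] for c in CATALOGUE[floor]]


def baseline_delta(lower: str, higher: str) -> List[Tuple[str, str]]:
    """Controls that become mandatory when a system moves up to a higher baseline."""
    have = set(baseline_controls(lower))
    return [c for c in baseline_controls(higher) if c not in have]


# Constructed sample: a customer portal holding two kinds of information.
PORTAL_INFO_TYPES: Dict[str, ImpactTriple] = {
    "public product catalogue": {"confidentiality": "low", "integrity": "moderate", "availability": "moderate"},
    "customer contact details": {"confidentiality": "moderate", "integrity": "moderate", "availability": "low"},
}
# A single high objective on one added information type drags the whole system to high.
PAYMENT_RECORDS: ImpactTriple = {"confidentiality": "moderate", "integrity": "high", "availability": "moderate"}

if __name__ == "__main__":
    sc = system_security_category(PORTAL_INFO_TYPES)
    print(format_sc("portal", sc), "->", overall_impact_level(sc))
    sc2 = system_security_category({**PORTAL_INFO_TYPES, "payment records": PAYMENT_RECORDS})
    print(format_sc("portal+payments", sc2), "->", overall_impact_level(sc2))
    print("controls added by the move from moderate to high:")
    for cat, ctl in baseline_delta("moderate", "high"):
        print(f"  {cat}: {ctl}")
```

Running the script shows the portal categorized as moderate on all three objectives, then jumping to a high overall level once payment records (integrity high) are added, and lists the eight controls that the high baseline adds over the moderate one. Tailoring, which FIPS 200 requires but which depends on the organization, is deliberately left out: the functions return the untailored minimum.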

Other Documents:

Canadian Centre for Cyber Security – Annex 3A – Security Control Catalogue (ITSG-33)
