Develop Threat / Risk Assessments
Last updated
Security Threat and Risk Assessment
What are Security Threat and Risk Assessments (TRAs)?
A Threat Risk Assessment (TRA) is the overall activity of assessing and reporting security risks for an information system to help make well-informed, risk-based decisions. A TRA also documents risk ratings and the planned treatments of the risks.
Each risk assessed must consider the likelihood that a threat will exploit a weakness, the potential impact if it does, and an acknowledgement of what this could mean to the organization. The criticality of an information system and the security classification of the information it stores and handles should be reviewed and considered when conducting a TRA. For each risk that is identified, a planned treatment or a decision to accept the risk must be documented. Risk findings from the TRA activity should be communicated to the appropriate project sponsors and stakeholders.
TRAs should be completed for new or significantly modified information systems, and during the planning, development and implementation of an information system. For an existing information system, the TRA should be reviewed and updated throughout the system's life whenever a significant or material change occurs, and each update must also consider any previously identified risks. For critical systems, a review schedule should also be maintained to ensure that TRAs are conducted periodically throughout the life of the system.
Each jurisdiction will have a unique security threat landscape and may have specific requirements for TRAs, but we have provided a sample TRA template here that should at least help start the security conversation in your project.
As always, before making use of any of our resources, please read and accept our disclaimer: