Annex 1 - Threat Risk Assessment

The university should conduct regular security and privacy threat risk assessments. The following template is adapted for the University services environment from the template in the COACH Security and Privacy Guidelines for Health Information Systems, itself adapted from the Royal Canadian Mounted Police Threat and Risk Assessment for Information Technology.

  1. Definition of Assets
  2. Threat Assessment
  3. Risk Assessment
  4. Recommendations

Part 1 - Definition of Assets

The university should identify all assets that may be subject to risk. These assets include:

  1. Data/Information

    Examples:
    - Data bases
    - Data files
    - University records
    - Hardcopy files and printouts
    - Reference and educational material
    - Billing records

  2. Software

    Examples:
    - Commercial software products
    - Custom developed application software
    - Database management software
    - Operating systems
    - Network software

  3. Hardware

    Examples:
    - Mainframe, Mini and Microcomputers
    - Disk and tape drives
    - Printers
    - Terminals
    - Fax machines
    - Modems
    - Power Supplies
    - Communications devices (routers, controllers, etc.)

Part 2 - Threat Assessment

  1. Agent or Event

    For each asset, identify the potential agents or events that could place the asset at risk.

    - Examples:
    - Theft
    - Vandalism
    - Fire
    - Flood
    - Power Loss
    - Unauthorised access
    - Viruses
    - Corruption of data

  2. Class of Threat

    For each agent or event, classify by the following types of threat:

    - Disclosure
    - Interruption
    - Modification
    - Removal
    - Destruction

  3. Likelihood

    How likely is the event to occur? For example, is the university located in a high crime area? In such a case the likelihood of theft or vandalism may be high. Classify the likelihood of each agent or event as:

    - Low - means there is no history and the threat is unlikely to occur

    - Medium - means there is some history and an assessment that the threat may occur

    - High - means there is significant history and an assessment that the threat is quite likely to occur

  4. Impact

    What is the impact of the event occurring? For example, if the central processor were destroyed, would student service be compromised, or would it result in inconvenience until backup facilities are put in place?

    Rate the impact of each possible event as:

    - Very serious (eg. may compromise patient care),

    - Serious (eg. may disrupt normal operations, cause significant inconvenience to clients, or be costly to rectify),

    - Less serious (eg. may disrupt non-critical operations, cause limited inconvenience to employees).

  5. Consequences

    What are the consequences of the event occurring? For example, if a microcomputer was stolen, would the consequence be the monetary loss of an asset, or would there by a loss of privacy because patient information was stored on the machine?

    Identify the potential consequences as follows:

    - Loss of privacy
    - Loss of trust
    - Loss of asset
    - Loss of service

Part 3 - Risk Assessment

This section assesses the adequacy of existing safeguards to protect against potential threats.

  1. Existing Safeguards

    List the existing safeguards to protect against the potential event. For example, the university may have after hours security and surveillance cameras installed at all entrances to the facility to protect against theft or vandalism, or access security already built into the present system to protect against computer hackers.

  2. Vulnerability

    In consideration of existing safeguards, is the university still vulnerable to the possible threat? Describe the vulnerability (ie. How can a threat/threat agent get at the asset being protected).

  3. Risk

    What is the risk to the university of the event occurring?

    Note: Risk refers to the university's ability to protect itself in the face of the event occurring, not to the likelihood of the event happening.

    Rate the potential risk as:

    - Low - requires some attention and consideration for safeguard implementation as good business practice.

    - Moderate - requires attention and safeguard attention in the near future.

    - High - requires immediate attention and safeguard implementation.

Part 4 - Recommendations

  1. Proposed Safeguards

    In consideration of the potential vulnerability and risk, what additional safeguards are recommended to lower the risk to an acceptable level? Describe the proposed measures.

    Note: There may be a number of alternative safeguards, providing different levels of protection, which will be selected based on the availability of resources, acceptable level of risk, etc.

  2. Projected Risk

    Rate the projected risk if the proposed safeguards are put into place as:

    - Low
    - Moderate
    - High

    Ranking of safeguards - not always practical to implement all the high solutions because of technical or physical limitations, time or financial constraints.

Contents
Background: [1] [2] [3] _Section: [1] [2] [3] [4] [5] [6] [7] [8] [9] _Annex: [1] [2] [3] [4] [Index]
Guidelines for Computer Security at CQU, A C Lynn Zelmer, PhD; Editor/Adaptor
Copyright © 1996 CQU Computer Security Committee

Central Queensland University Home Page