Forword - Cyber
Appendix F-6 - Outline TRA Report
|Outline TRA Report |Cross-References |
|Executive Summary | |
| | |
|Recommended for all but the shortest TRA reports. | |
|Presented in one or two pages to describe: | |
|the purpose and subject of the assessment; | |
|assessed residual risks that are unacceptable; | |
|the primary recommendations; | |
|the estimated cost of all recommendations; and | |
|the projected residual risks once the recommendations have been approved and implemented. | |
|Background | |
| | |
|Identify the organization or department. |Appendix A-6, Section 1, Background. |
|Provide some context for the TRA project with a description of: | |
|the business line and its operating environment; | |
|service delivery levels and obligations; | |
|the rationale for a new facility or IT system; or | |
|the specific security problem to be addressed. | |
|The actual content will vary according to the subject and purpose of the assessment. | |
|Aim | |
| | |
|State the purpose of the TRA project in a single sentence. |Annex A, Section 4.2.2, Purpose of the Assessment. |
|Mandate | |
| | |
|Briefly summarize the authority of the TRA team. |Annex A, Section 3, Mandate of the TRA Project. |
|Attach a copy of any written instructions. | |
|Attach a copy of the approved TRA Work Plan. |Appendix A-6, Sample TRA Work Plan. |
|Scope | |
| | |
|Identify the subject of the TRA project. |Annex A, Section 4, Scope of Assessment. |
|Define the bounds of the assessment, indicating: | |
|what falls within the scope of the TRA project; and | |
|which related assets do not. | |
|Use schematic diagrams or floor plans to illustrate the scope. | |
| | |
|Note any related TRA reports: | |
|describe their relationship with the current assessment; and | |
|list them in an attachment. | |
|Asset Identification and Valuation | |
| | |
|Describe the more important: |Annex B, Asset Identification and Valuation Phase. |
|assets, both tangible and intangible, normally at the group or subgroup level; | |
|employees who rely upon these assets to perform their jobs; | |
|the services they provide; and | |
|the injuries that might arise in the event of compromise. | |
|In general, a short paragraph should suffice for each entry. | |
|Summarize other items in the Asset Valuation Table/Statement of Sensitivity, which should be attached as an annex. |Appendix B-5, Asset Valuation Table. |
|Threat Assessment | |
| | |
|Describe the more serious threats, normally at the activity or agent category level of detail. |Annex C, Threat Assessment Phase. |
|Indicate the assets affected and the likely types of compromise. | |
|Again, a short paragraph should suffice for each entry. | |
|Summarize other items in the Threat Assessment Table, which should be attached as an annex. |Appendix C-4, Threat Assessment Table. |
|Vulnerability Assessment | |
| | |
|Describe serious vulnerabilities, usually at the group level. |Annex D, Vulnerability Assessment. |
|Indicate the assets affected and the threats facilitated. | |
|Avoid too much technical detail in the body of the report. | |
|Again, a short paragraph should suffice for each entry. | |
|Summarize other items in the Vulnerability Assessment Table, which should be attached as an annex. |Appendix D-4, Vulnerability Assessment Table. |
|Risk Assessment | |
|Describe all assessed residual risks that are unacceptable. | |
|To streamline the assessment: |Annex E, Calculation of Residual Risk. |
|concentrate on the more serious risks; and | |
|consolidate as many as possible into broad groupings. | |
|Again, a short paragraph should suffice for each entry. | |
|Summarize other items in the List of Assessed Residual Risks, which should be attached as an annex. |Appendix E-2, List of Assessed Residual Risks. |
|Recommendations | |
| | |
|Summarize each of the recommendations, including their costs. |Annex F, Recommendations Phase. |
|Present the projected residual risk. |Appendix F-5. |
|Capture the details in an annex. | |
|Attachments | |
| | |
|Some of the following may not be relevant in every case: | |
|Mandate of the TRA Project (where stated explicitly). | |
|TRA Work Plan (including a list of all TRA team members). |Appendix A-6. |
|Related TRA Reports (where applicable). | |
|Asset Valuation Table/Statement of Sensitivity. |Appendix B-5. |
|Threat Assessment Table. |Appendix C-4. |
|Vulnerability Assessment Table. |Appendix D-4. |
|List of Assessed Residual Risks. |Appendix E-2. |
|Recommendations Table. |Appendix F-5. |
|Personnel Interviewed and Sites Visited. | |
|Reference Documents, including – | |
|Relevant Federal Statutes, | |
|Government and Departmental Policies/Directives, | |
|Security Standards and Guidelines, | |
|Design Documentation, | |
|Site Plans, | |
|Vendor Manuals, for both Users and Operators, | |
|Incident Reports/Threat Assessments, | |
|Product Evaluation Reports, | |
|Vulnerability Assessments, | |
|Security Test and Evaluation Reports. | |