Develop and Conduct Threat and Risk Assessments

If you don’t assess risk, you’re accepting it.

Onsite Workshop

Lack of risk assessments or informal risk processes can result in:

  • Unintentional risk acceptance.
  • Poor strategic planning of mitigating controls.
  • Confusion about how one project’s risk relates to another.

A formal, standardized risk assessment process leads to:

  • A defensible and repeatable risk assessment model.
  • Security controls designed to prevent risk associated with a particular project.
  • Informed risk decisions, rather than reliance on hunches.

Module 1: Define the Scope

The Purpose

  • Define the scope of the threat and risk assessment, including data types and assets.
  • Determine the organizational risk tolerance.

Key Benefits Achieved

  • Scope is clearly laid out for the assessment of risk.
  • Risk tolerance has been identified, which will be needed to see if this particular project is above the tolerance level.

Activities: Outputs:
1.1 Determine when to initiate a threat and risk assessment.
  • Criteria to initiate a risk assessment.
1.2 Identify system elements and data types within scope of the assessment, and map data to elements.
  • Defined scope of assessment, including data mapped to system elements.
1.3 Define the organizational risk tolerance.
  • Defined risk tolerance level.

Module 2: Conduct the Risk Assessment

The Purpose

Assess the risk associated with the particular project.

Key Benefits Achieved

Understanding of the risk associated with the particular project or initiative.

Activities: Outputs:
2.1 Determine frequency and impact definitions.
  • Frequency and impact definitions, which can extend to entire risk environment.
2.2 Identify relevant threats to the project by using STRIDE.
  • Identified threats and their severity.
2.3 Determine risk actions being taken currently.
2.4 Identify current countermeasures and calculate mitigated risk severity.
  • Evaluation of effectiveness of current controls for this project and how it affects risk.
2.5 Review the results of the risk assessment.
  • Final results of the risk assessment.

Module 3: Communicate and Manage Results

The Purpose

Determine what risk decisions must be made as part of a larger risk management program.

Key Benefits Achieved

Understanding of how to proceed with the project, with risk-based decisions.

Activities: Outputs:
3.1 Proceed with project, if below risk tolerance, with comparison to macro risk level.
3.2 Determine appropriate risk actions, if above risk tolerance – whether to mitigate, transfer, terminate, or accept the risk.
  • Determination of what risk action to take.
3.3 Plan for mitigation against threats, if above risk tolerance, with a “what if” analysis.
  • Plan for new or improved mitigating controls to bring the threat severity to an acceptable level.
3.4 Enter results into risk register as part of risk management project.
  • Connection of results to the IT security risk register.

Workshop icon Book Your Workshop

Onsite Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn’t enough, we offer low-cost onsite delivery of our Project Workshops. We take you through every phase of your project and ensure that you have a road map in place to complete your project successfully.

Book a Workshop View Blueprint
GET HELP Contact Us
VL Methodology