TRA-1 Harmonized Threat and Risk Assessment Methodology

Appendix A-5 - Sample Statement of Work for TRA Consulting Services

1 Objective

The purpose of this Statement of Work (SOW) is to describe the work entailed in conducting a threat and risk assessment (TRA) of the [name of facility/system]. [Provide a brief description of the facility/system in the body of the SOW; all suitable plans, schematics and more detailed material are to be relegated to an annex.] As a minimum, the TRA will include:

·  a Statement of Sensitivity (SOS) to identify and categorize relevant assets according to their confidentiality, integrity and availability values based upon the injuries that may reasonably be expected in the event of a compromise;

·  an identification of deliberate threats, accidents and natural hazards that might affect these assets adversely with an analysis of the likelihood of occurrence and gravity of impact;

·  an assessment of current vulnerabilities, based on an evaluation of existing or proposed security measures and their adequacy;

·  an analysis of residual risks for each asset which is vulnerable to specific threats; and

·  where assessed residual risks exceed the [Low or Medium] level, a list of recommendations proposing additional safeguards to achieve a [Low or Medium] target risk level with an assessment of their effectiveness and cost.

2 Tasks and Deliverables

2.1 Preparation Phase

2.1.1 General

[Departmental authorities may wish to complete the Preparation Phase[1] before issuing an SOW for consulting services to conduct the actual TRA. In that case, this section may be omitted from the SOW. If a contractor is engaged to perform the Initial Planning, however, the SOW should include a general description of the Initial Planning phase and its deliverables.]

Careful planning is required before initiating a TRA to determine the scope of the assessment, identify resource requirements and develop a realistic work plan. To achieve these goals, the contractor must work in close cooperation with the Project Authority (PA), the Technical Authority (TA), security officials and facility or system managers. The contractor will be provided with all reference material, listed at Section 4 below, and any other information necessary for the completion of this task. Information-gathering activities may include interviews with personnel at various levels of the organization.

2.1.2 Initial Planning Deliverables

The sole deliverable for the Preparation Phase is a complete TRA Work Plan[2] which includes:

·  a clearly stated Aim for the TRA;

·  a statement of Scope with a description of the [facility or system] under consideration, its mission and concept of operation, as well as the boundaries of the assessment and any dependencies or interconnections with other [facilities or systems];

·  any Limitations or restrictions on the TRA;

·  the Target Risk Level accepted by the responsible manager;

·  a list of personnel who will participate in the TRA process as Team Members or sources of information;

·  all necessary Logistic Arrangements, including security screening and access requirements, travel arrangements, administrative support and other resource requirements;

·  a list of Input Documentation and TRA Deliverables; and

·  a detailed TRA Schedule listing all major activities, assigned resources, start and completion dates, and any dependencies.

2.2 The Threat and Risk Assessment

2.2.1 General

Once the TRA Work Plan has been approved at the end of the Preparation Phase, the contractor shall develop four mandatory deliverables to address the four-step TRA process prescribed by the Government Security Policy (GSP):[3]

·  identifying the employees and assets to be safeguarded in a Statement of Sensitivity;

·  determining the threats to employees and assets in Canada and abroad, and assessing the likelihood and impact of threat occurrence;

·  assessing risks based on the adequacy of existing safeguards and vulnerabilities; and

·  recommending any supplementary safeguards that will reduce the risk to an acceptable level.

2.2.2 Asset Identification and Valuation Phase[4]

In the second phase, the contractor will identify and list employees, assets and services within the scope of the assessment, and assign values for confidentiality, availability and integrity, as appropriate, based upon the injuries that might reasonably be expected in the event of compromise. The results of this analysis shall be presented as a Statement of Sensitivity in a tabular form, the one deliverable for this portion of a TRA project, and fully annotated to justify the findings.[5]

2.2.3 Threat Assessment Phase[6]

The third phase of a TRA project requires the contractor to identify real and potential threats that could reasonably be expected to affect employees, assets or services adversely. Pertinent threat information should be obtained from departmental security authorities and the responsible lead agencies, specifically CSIS, CSE and the RCMP. Key deliverables for this portion of the TRA comprise:

·  a tabular list of real and potential threats that could injure employees or compromise assets and services within the scope of the assessment;[7] and

·  an assessment of the likelihood and impact of their occurrence.[8]

2.2.4 Risk Assessment Phase[9]

In the fourth phase of a TRA project, the contractor will deliver an assessment of residual risks to employees, assets and services identified in the second phase arising from threats analyzed in the third phase. The two mandatory deliverables are the Vulnerability Assessment derived from an evaluation of existing or proposed safeguards and their effectiveness,[10] and the Risk Assessment listing all residual risks to employees, assets and services within the scope of the assessment.[11]

2.2.5 Recommendations Phase[12]

Based upon the findings of the Risk Assessment completed in the previous phase, the contractor will propose the addition, modification or removal of safeguards to achieve an acceptable level of residual risk.[13] The projected residual risk, that which remains after the recommendations have been approved and implemented, shall be identified explicitly, as shall the costs of the recommended changes.[14]

3 Project Management

3.1 Project Authority (PA)

The PA for this TRA project is [name, position and telephone number of the overall coordinator of the TRA project selected in accordance with section 5.4.7 of Annex A].

3.2 Technical Authorities (TA)

The TAs for this project are [names, positions and telephone numbers of designated subject matter experts who will provide technical input to the TRA, including security authorities, facility managers or systems administrators, and other members of the TRA Team].

3.3 TRA Methodology

The contractor shall employ the Harmonized Threat and Risk Assessment (TRA) Methodology for this project. [Specify alternatives if applicable.]

3.4 Personnel Qualifications

The contractor shall provide personnel who have solid experience and knowledge of both the TRA process and the subject of the assessment, normally demonstrated by the successful completion of at least three previous TRAs on similar [facilities or systems].

3.5 Security Requirements

This SOW is [classified (state level) or categorized (state level)], the work performed under this contract will be [security classification] and the deliverables associated with the completion of the work detailed in this document will be [security classification]. The contractor analyst(s) must possess valid security screening to at least the level specified for the work and the deliverables. [Note: The Statement of Sensitivity identifies the value of employees, assets and services while the Vulnerability Assessment lists the attributes of an asset or its environment that may be exploited by threats to cause damage. These are major considerations when assigning a security category (Classified or Protected) to TRA deliverables. Where the TRA involves proprietary information from a third party, such as a product vendor, the contractor should be required to sign an appropriate non-disclosure agreement.]

3.6 Schedule

As stipulated in Section 2.1 [if the contractor is to conduct the Initial Planning], the contractor shall develop a TRA Work Plan with a detailed schedule showing milestones, critical activities and dependencies for the completion of the work by [a date specified by the contracting authority]. The contractor shall complete this TRA project within [time frame cited in the TRA Work Plan] following award of the contract, with intermediate deliverables submitted to the TA and PA in accordance with the approved TRA Work Plan. [For greater clarity, each of the deliverables and the associated target dates might be presented in a table or, for a very complex TRA project, a Gantt chart.]

3.7 Approval of Deliverables

All deliverables will be reviewed for quality and completeness, and signed off by the designated TAs before proceeding to the next phase of the project. The final TRA report must be approved by the PA before the contract may be finalized.

3.8 Progress Reporting

The contractor shall provide routine [generally weekly] progress reports to the designated TA. Verbal progress reports are acceptable. [Where written reports are preferable, specify the format and content].

3.9 Place of Work

All work shall be conducted at the contractor’s place of business, except for interviews with departmental personnel, which shall be coordinated with the designated TA. [If the TRA project includes sensitive information, ensure that a facility security clearance with document safeguarding capability to the appropriate level has been specified in section 3.5 above.]

3.10 Proprietary Information

All information and documents made available to the contractor during the course of this project are deemed proprietary, and shall be returned upon completion of the TRA.

3.11 Handover

The contractor shall table the following at a handover meeting arranged by the TA, within two (2) working days of the satisfactory completion of the project:

·  a list of all changes to the deliverables in response to comments from the TA and PA;

·  all final deliverables in [specify format and number of copies]; and

·  all proprietary information and documents provided to the contractor during the project.

Annex A to Sample Statement of Work (SOW)

References:

Government Security Policy, Treasury Board Secretariat, February 2002.

http://www.tbs-sct.gc.ca/pubs_pol/gospubs/TBM_12A/gsp-psg_e.asp

Operational Security Standard: Asset Identification, Treasury Board Secretariat, Draft.

Operational Security Standard: Business Continuity Planning, Treasury Board Secretariat, March 2004.

http://www.tbs-sct.gc.ca/pubs_pol/gospubs/TBM_12A/ossbcp-nsopca_e.asp

Operational Security Standard: Management of Information Technology Security, Treasury Board Secretariat, April 2004.

http://www.tbs-sct.gc.ca/pubs_pol/gospubs/TBM_12A/23RECON_e.asp

Operational Security Standard: Security Risk Management, Treasury Board Secretariat, Draft.

Harmonized Threat and Risk Assessment (TRA) Methodology, Communications Security Establishment and Royal Canadian Mounted Police, August 2007.

Privacy and Data Protection Policy, Treasury Board Secretariat, December 1993.

http://www.tbs-sct.gc.ca/pubs_pol/gospubs/TBM_128/CHAP1_1_e.asp

Privacy Impact Assessment Guidelines: A Framework to Manage Privacy Risks, Treasury Board Secretariat, August 2002.

http://www.tbs-sct.gc.ca/pubs_pol/ciopubs/pia-pefr/paipg-pefrld_e.asp

Privacy Impact Assessment Policy, Treasury Board Secretariat, May 2002.

http://www.tbs-sct.gc.ca/pubs_pol/ciopubs/pia-pefr/paip-pefr_e.asp

Risk Management Policy, Treasury Board Secretariat, April 1994.

http://www.tbs-sct.gc.ca/pubs_pol/dcgpubs/RiskManagement/riskmanagpol_e.asp

A Guide to Certification and Accreditation for Information Technology Systems (MG-4), Communications Security Establishment, January 1996.

http://www.cse-cst.gc.ca/en/publications/gov_pubs/itsg/mg4.html

[Not all of the foregoing references may be necessary for any given TRA. Simply list what is applicable. Add any other material specific to the subject of the TRA, such as business plans, design documentation and relevant threat assessments].

Appendix A-5 A5-6 2007-10-23


[1] Described in Annex A.

[2] Appendix A-6 provides a Sample TRA Work Plan.

[3] Described in the Management Summary.

[4] Described in Annex B.

[5] Appendix B-5 provides a sample Statement of Sensitivity or Asset Valuation Table.

[6] Described in Annex C.

[7] Appendix C-4 provides a sample Threat Assessment Table.

[8] Appendix C-3 amplifies the measures of likelihood and impact or gravity and their calculation.

[9] Described in Annexes D and E.

[10] Appendix D-4 provides a sample Vulnerability Assessment Table.

[11] Appendix E-2 provides a sample Risk Assessment Table.

[12] Described in Annex F.

[13] Appendix F-3 identifies explicit Safeguard Selection Criteria while Appendix F-2 provides a Safeguard Listing to support the Recommendations.

[14] Appendix F-5 provides a sample Recommendations Table.