0333 444 0881

The Technical Risk Assessment Toolkit

Technical Risk Assessment is a due diligence activity that is often avoided because it can take too long to keep pace with the demand for change in some delivery environments – until now!

Cyber Smart Associates' Technical Risk Assessment Tool (TRA) enables consistent and speedy generation of Technical Risk Assessment outputs that can be used to support a variety of downstream activities, including generation of risk-based security requirements, support to technical design authority options assessments for investment cases, proofs of concept, development of security enforcing functions for new products / architectures, Privacy Impact Assessments, and ongoing changes in a product group, delivery programme, or service.

Tool Description

Cyber Smart’s Technical Risk Assessment Tool is designed for use by Security Architects. It can generate detailed Privacy Impact Assessments, or Technical Security Risk Assessments that guide the options selection process for risk-based security controls or specific security functions/products in a candidate architecture. The tool is ideal for Security Architects working in cost-conscious organisations that develop and implement change based on security risk.

Key Benefits

  • Ease of set up of risk calculation parameters
  • You can customise and add your own control output selections from any framework of your choice, such as ISO/IEC 27001, NIST CSF, or Common Criteria. The tool comes pre-loaded with control options from the CIS Critical Security Controls and CSA Cloud Controls Matrix frameworks.
  • Once set up, the risk assessments can be re-calculated to support change
  • Risks are prioritised to support effective risk treatment and cost control
  • Risk treatments are presented in a dashboard format that reduces risk levels each time a control is selected
  • This tool significantly reduces the amount of time and effort that it takes to document a technical risk assessment


*Please Note: This tool will have performance issues on older computer equipment with insufficient processing power, or on older 32-bit versions of Excel for Windows. We recommend a modern multi-core processor and the 64-bit version of Excel for Windows.

The Tool In Action

The Risk Assessment Process

  • Model the system and identify the ‘Assurance Targets’
  • Identify and Prioritise Information System Assets
  • Identify Threats; this Tool assesses the Impact a Threat Actor could have based on ‘Capability & Motivation’ parameters
  • Identify & prioritise the risks
  • Select appropriate security controls
  • Manage the project’s residual risks

Technical Risk Assessment Toolkit

Define The Assurance Targets

  • Assign Data Transaction types in each Assurance Target
  • Set the dynamic or static volumes for each asset. Higher values increase the ‘Impact Level’ to take into account sensitive data aggregation
  • Check the Impact Level value is correct. Set your CIA profile interpretation for each asset
  • Information Assets and Data Connection types are prefixed with a number that relates to a ‘Privacy Sensitivity Index’ or ‘Business Impact Level’ value that is used in the threat calculation


Identify Threat Actor Parameters

  • Define the relevant Threat Sources and likely Threat Actors, assign the relevant Assurance Targets they could compromise, and assess their Capability & Motivation values
  • Depending on the type of risk assessment (Cardinal/Thematic or Technical), assign the relevant Threat Vectors (TV Type)
  • Technical Threat Vectors are recommended for Risk Assessments that support discussion in Technical Working Groups with Developers & Engineers

Selecting Mitigating Security Controls

Mitigating Security Control Options readily selectable in this tool include:

  • Cloud Security Alliance – Cloud Controls Framework
  • CIS Critical Security Controls
  • Some mandatory GDPR requirements

Discuss the candidate controls with your working group and select the appropriate control.

Generating Risk Profile Metrics

  • When controls have been applied to every risk, click on Show Dashboard to view risk graphs and charts
  • You can change/create your own charts for your dashboard based on the values in the risk management dashboard
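The workflow above (assets with an Impact Level uplifted by data volume, threat actors rated on Capability & Motivation, risks prioritised, controls selected, residual risk shown on a dashboard) can be reproduced end to end in a small script. The following is an added illustration and is not Cyber Smart's tool or its formulas: the 1–5 scales, the volume thresholds, the capability × motivation mapping, the risk bands and the control references are all assumptions constructed for the example, as is the sample data.

```python
"""Toy technical risk assessment: assets -> threat actors -> prioritised risks -> controls -> residual risk.
Added example; scales, thresholds and control references are assumed, not taken from any product."""
from __future__ import annotations
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    name: str
    base_impact: int   # Business Impact Level / Privacy Sensitivity Index, 1 (low) .. 5 (very high), assumed scale
    records: int       # volume of records held or transacted


def effective_impact(asset: Asset) -> int:
    """Aggregation uplift: large volumes of sensitive data raise the impact level (thresholds are assumed)."""
    uplift = 2 if asset.records >= 1_000_000 else 1 if asset.records >= 10_000 else 0
    return min(5, asset.base_impact + uplift)


@dataclass(frozen=True)
class ThreatActor:
    name: str
    capability: int            # 1..5
    motivation: int            # 1..5
    targets: tuple[str, ...]   # assurance targets / assets this actor could compromise
    vectors: tuple[str, ...]   # technical threat vectors the actor is expected to use


def likelihood(actor: ThreatActor) -> int:
    """Capability x Motivation (1..25) rescaled to a 1..5 likelihood (assumed mapping: ceil(product / 5))."""
    product = actor.capability * actor.motivation
    return max(1, min(5, -(-product // 5)))


@dataclass(frozen=True)
class Risk:
    asset: str
    actor: str
    vector: str
    impact: int
    likelihood: int

    @property
    def score(self) -> int:
        return self.impact * self.likelihood   # 1..25


def identify_risks(assets: list[Asset], actors: list[ThreatActor]) -> list[Risk]:
    """One risk per (actor, target asset, threat vector), sorted highest score first for prioritisation."""
    by_name = {a.name: a for a in assets}
    risks = [
        Risk(target, actor.name, vector, effective_impact(by_name[target]), likelihood(actor))
        for actor in actors for target in actor.targets for vector in actor.vectors
    ]
    return sorted(risks, key=lambda r: r.score, reverse=True)


@dataclass(frozen=True)
class Control:
    ref: str                   # framework control reference; placeholders here, not real control ids
    vectors: tuple[str, ...]   # threat vectors the control mitigates
    likelihood_reduction: int  # points removed from likelihood when applied (assumed effect)


def apply_controls(risks: list[Risk], controls: list[Control]) -> list[Risk]:
    """Residual risk: every selected control that covers a risk's vector lowers its likelihood (floor of 1)."""
    residual = []
    for r in risks:
        reduction = sum(c.likelihood_reduction for c in controls if r.vector in c.vectors)
        residual.append(Risk(r.asset, r.actor, r.vector, r.impact, max(1, r.likelihood - reduction)))
    return sorted(residual, key=lambda r: r.score, reverse=True)


def risk_band(score: int) -> str:
    return "High" if score >= 15 else "Medium" if score >= 8 else "Low"


def dashboard(risks: list[Risk]) -> dict[str, int]:
    """Counts per band, the raw material for the risk charts."""
    counts = {"High": 0, "Medium": 0, "Low": 0}
    for r in risks:
        counts[risk_band(r.score)] += 1
    return counts


# Constructed sample data (not from any real assessment).
ASSETS = [
    Asset("Customer DB", base_impact=4, records=2_000_000),   # uplifted to impact 5 by volume
    Asset("Marketing site", base_impact=2, records=500),      # stays at impact 2
]
ACTORS = [
    ThreatActor("Organised crime", 4, 5, ("Customer DB",), ("credential theft", "SQL injection")),  # likelihood 4
    ThreatActor("Opportunist", 2, 3, ("Marketing site",), ("web defacement",)),                   # likelihood 2
]
CONTROLS = [
    Control("PLACEHOLDER-MFA", ("credential theft",), likelihood_reduction=2),
    Control("PLACEHOLDER-SECURE-SDLC", ("SQL injection",), likelihood_reduction=1),
]

if __name__ == "__main__":
    inherent = identify_risks(ASSETS, ACTORS)
    for r in inherent:
        print(f"{r.score:>2} {risk_band(r.score):<6} {r.asset} / {r.actor} / {r.vector}")
    print("inherent:", dashboard(inherent))
    print("residual:", dashboard(apply_controls(inherent, CONTROLS)))
```

Running it lists the three risks in priority order (two High, one Low), then shows that selecting the two placeholder controls moves the credential-theft risk to Medium while the SQL-injection risk stays High, which is the kind of per-control reduction the dashboard description above refers to. Because every score is derived from the stored parameters, changing a volume, a motivation value or a control selection and recalculating is enough to support later change.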