Security Threat & Risk Assessment

Security Threat and Risk Assessment

for SYSTEM

<ORGANIZATION>

January 1, 2017

by <REVIEWER>

Table of Contents

1 Target & Scope

Target

Stakeholders

Context

Purpose

Criticality

2 Vulnerabilities & Threats Identification

Identify Vulnerabilities

Identify Threats

3 Risk Assessment and Treatment

Identify Risks

4 Next Steps and Recommendations

Identify Actions

5 Approvals

Service Owner Signature

Security Signature

1 Target & Scope

Target

This Security Threat and Risk Assessment covers the following information system:

Name / Description

Stakeholders

Prepared by / Service Owner

Context

<fill out background information here, including relevant regulatory requirements>

Purpose

Type / Notes
New system / 
Material change to existing system / 
Follow-up review / 
Other (specify) / 

Criticality

Question / Answer (select one)
Does the system hold confidential data? / [ ] Yes  [ ] No
Does the system hold personal information? / [ ] Yes  [ ] No
Has a Privacy Impact Assessment (PIA) been performed? / [ ] Yes  [ ] No
What is the maximum level of harm if key information was disclosed to wrong parties? / [ ] None  [ ] Minor  [ ] Serious  [ ] Very Serious
What is the maximum level of harm if the information were subject to unauthorized change? / [ ] None  [ ] Minor  [ ] Serious  [ ] Very Serious
What is the maximum length of time the system can be unavailable? / [ ] None  [ ] 1 hour  [ ] 1 day  [ ] 1 week  [ ] 1 month+
Any other dependencies for the system? / [ ] Yes  [ ] No

2 Vulnerabilities & Threats Identification

Identify Vulnerabilities

ID / Vulnerability & Description / Likelihood of exploitation (L/M/H)
V1 / Example / Low
V2 / Example / Medium
V3 / Example / High
V4
V5
V6

Identify Threats

ID / Threat & Description / Threat Actor / Impact (L/M/H)
T1 / Example / Insider / Low
T2 / Example / Organized crime / Medium
T3 / Example / Nation state / High
T4
T5
T6


3 Risk Assessment and Treatment

Identify Risks

ID / Risk / Description / Inherent Risk (L/M/H) / Controls / Residual Risk (L/M/H)
R1 / Example / Example / Medium / Example / Low
R2 / Example / Example / High / Example / Medium
R3 / Example / Example / High / Example / High
R4
R5
R6

4 Next Steps and Recommendations

Identify Actions

ID / Action / Vulnerability / Threat / Risk / Owner / Due Date
A1 / Example / V1, V3 / - / R2 / J. Doe / 2017-01
A2 / Example / V2 / T1 / - / J. Doe / 2017-03
A3
A4
A5
A6

5 Approvals

Service Owner Signature

The Service Owner has reviewed the risks and recommendations, and signs below to accept the risks:

Service Owner Name / Service Owner Signature

Security Signature

The security team has reviewed the risks and recommendations, and signs below to confirm that the assessment was completed according to the process:

Security Name / Security Signature
