Get Me a TRA… Fast!
Today, I am interviewing Goldy Gaind, an Ottawa-area IT Security Professional who has done many Threat and Risk Assessments (TRAs) for Government of Canada Departments. Hopefully, my questions and his answers will be helpful for GC managers and consultants who are trying to meet all their MITS compliance targets by yesterday (or at least Dec. 31, 2006).
If you have any further questions, please add comments by clicking on the “Comments” link at the bottom of this post.
SW: How much should a typical TRA cost for a GoC department?
GG: The price of a TRA will depend on the scope. If the TRA is for an uncomplicated on-line application, the contract can sometimes be sole-sourced for $25K on several different GC contracting vehicles.
SW: What are the variables that determine the cost?
GG: Some of the variables that would determine the scope would be whether the system being assessed is at the conceptual or production stage, or whether the work is an update to an existing TRA. I find the least difficult TRAs are the ones conducted on existing services. On the smaller TRAs, the typical duration would be anywhere between 20 and 25 days.
SW: Are there any ways for a Client to estimate total cost for a TRA?
GG: A very simple project plan would include:
• Project kick-off including providing the Client with an agreed upon Project Plan
• Conducting interviews and reviewing documentation (usually left up to the Project Authority to schedule; the delivery date will slip if this task is not promptly addressed)
• Drafting a brief Statement of Sensitivity (SoS), then providing it to the Client for comments and consensus
• TRA continues while Client reviews SoS
• Incorporating Client comments on SoS
• Writing the TRA
• Client reviewing of TRA and providing comments
• Incorporating Client comments
• Packaging and delivering the report
• Sometimes a consultant will be able to add Vulnerability Assessment (VA) and Penetration Testing (Pen Testing) to the job, to provide a report on currently known vulnerabilities in the Operational Environment (Extra value and associated cost)
• Optional Client presentation (Extra value and associated cost)
As you can see there can be variation in the size of each of these activities. In the simplest case, Clients usually budget a minimum of $25K for a high level TRA. However, some can cost well over $50K and may require multiple analysts to break the work into smaller portions.
SW: What criteria should be used in choosing a TRA specialist, either internal or outsourced?
GG: Most TRAs are outsourced because it frees up internal resources as well as providing the Project Authority or Security Officer with an independent assessment.
The TRA analyst should be chosen based on their expertise, of course. Most of the clients I have dealt with request a senior resource. That way there is little doubt about the quality of the deliverables. The conduct of a handful of small TRAs does not constitute a senior resource. However, although cut-and-paste/cookie-cutter TRAs exist, clients today are usually looking for a more thorough assessment and, more importantly, a clearly identified and documented assessment that will assist them in their decision-making process.
SW: Thanks very much, Goldy. As you point out, this is the minimum that should be budgeted. Each organization’s mileage may vary, depending on the complexity of their system and the criticality of their information and other IT assets. But this is a great guideline to start with.
For more information, one often-referenced source of TRA guidance is the “Threat and Risk Assessment Working Guide”, published by the Communications Security Establishment.
Again, if anyone has comments, please click on the “Comments” link below.
- Scott