© Her Majesty the Queen in Right of Canada, represented by the President of the Treasury Board, 2017, ISBN: 978-0-660-09751-0
From: Canadian Centre for Cyber Security
508 – Harmonized Threat and Risk Assessment (HTRA) Methodology within the ITSG-33
Course description
In this 3-day course, you will learn about the Threat and Risk Assessment methodology using the ITSG-33 ISSIP and CSE’s new ASTRA tool to help you conduct your assessments. The course will further your knowledge of ITSG-33 in a practical application for any Government IT project.
The objectives of this course are to ensure that upon successful completion, the participant will be able to:
Project/Program Managers, IT Security Designers, Architects, Engineers and Managers
Module 1: HTRA overview
The challenge
The cyber threat landscape is constantly changing and evolving. Risks to your organization can come from cyber criminals, hacktivists, state-sponsored actors, and malicious insiders.
Your systems, applications, and networks are constantly being probed by such groups looking for potential weaknesses or gaps in your security posture. What plan do you have to identify and manage these risks before an attacker exploits them? Consider conducting a Threat and Risk Assessment (TRA).
A Threat and Risk Assessment (TRA) is designed to be a foundational aspect of an organization’s risk management program. A TRA consists of the following steps:
A TRA aims to help you better identify, assess, and manage your information security risks at an enterprise level.
Richter’s TRA approach leverages a customized version of the Harmonized Threat and Risk Assessment (HTRA) methodology developed by the Royal Canadian Mounted Police (RCMP) and Communications Security Establishment (CSE).
We work with both business and technical stakeholders to understand your environment, the business impact of any incidents that may affect your environment’s confidentiality, integrity or availability, and the presence (or absence) of any controls/safeguards you have in place.
From there, we provide tailored recommendations to your organization’s size, scope, and maturity to manage any identified risks effectively.
Royal Canadian Mounted Police
www.rcmp.gc.ca
Lead Security Agency (LSA) for Physical Security
Physical Security Guide, Lead Agency Publication G13-01: Secure Storage Rooms (SSR)
This Guide replaces all previous versions of G1-029.
Issued: July 2013
Contents: Definitions; Abbreviations; Referenced Commercial Standards; How to Use This Guide; Design-Basis Threat and Secure Storage Room Design Premise; Table 1 Security Recommendations; Frequently Asked Questions
Authority Having Jurisdiction (AHJ) - Normally the local city, municipality or county building inspector. For Canadian Forces Bases the Authority Having Jurisdiction will be the Canadian Forces Fire Marshal.
Attack Side - The side of the door or wall that is exposed to the adversary.
Base-line Threat - Threat(s) that are common to government departments in Canada under normal security conditions, as specified in the Operational Security Standard on Physical Security.
Day Door - A door to a secure room or vault with a primary lock which when unlocked in the morning by the person responsible is still secured by a secondary lock (usually electronic access control) which can be opened (until the primary lock is re-locked) by authorized assistants.
Design-Basis Threat (DBT) - The threat(s) which the specific protection measure (equipment, procedure or policy) is designed to mitigate. Unless specified otherwise, RCMP protective designs and guides are meant to mitigate a DBT based upon the Base-line Threat.
Compromise - The unauthorized access to, disclosure, destruction, removal, modification, use or interruption of assets or information.
Hinge Pair - Industry practice is to specify hinges by pairs. For example, doors with 3 hinges are specified as “1½ pair”.
Maximum Security Pin - A hinge pin that has been fixed after insertion by welding, pinning, or other permanent means to prevent hinge pin removal without the use of special tools. Set screws are not permitted. Affords greater security than a Non-Removable Pin. (ref.: ANSI/BHMA A156.1 (2006))
Non-Removable Pin - A hinge pin secured by a set screw or other equivalent means (ref.: ANSI/BHMA A156.1 (2006)).
Open Shelf Storage - Storage other than in approved security containers and safes. Open shelf storage includes storage where records are kept in containers or commercial fire and/or water resistant containers.
Safety Stud - A projecting member on one surface of a full mortise leaf that engages a hole in the opposite leaf when the door is closed. (ref.: ANSI/BHMA A156.1 (2006))
Security Container - A totally enclosed container or specially designed room functioning as a storage container (e.g.: Secure Storage Room).
Secure Room (SR) - Term used to denote a room constructed to specifications of the RCMP Guide G1-029. Although not an RCMP-endorsed practice, these rooms were commonly constructed to create security zones, secure working rooms (or suites), as well as for secure storage (the original intended application).
Secure Storage Room (SSR) - The formal term and abbreviation used to identify a room which is designed to the specifications of the RCMP Guide G13-01. Note: The term “Secure Storage Room” does not automatically replace the term “Secure Room” (level 1 or 2). Existing Secure Rooms should only be referred to as Secure Storage Rooms (SSRs) if they are actually being used in a manner consistent with this guide.
Threat and Risk Assessment (TRA) - A consideration of the assets and the threats to those assets in consideration of the sum of the security measures in place or anticipated. The RCMP and CSEC have jointly developed and promote the use of a formal procedure, checklists, valuation tables and associated training for conducting a TRA in the Federal Government called the Harmonized Threat and Risk Assessment (HTRA).
Vibration Detector - A system of one or more sensors to detect vibrations created by impact and powered cutting tools. Approved systems have a sensitivity / detection algorithm to ensure that ambient and incidental noises or vibrations due to normal activity will not initiate false alarms.
Zones - Defined in Reference B.
These standards are available for purchase from their respective standards associations, or from standards vendors such as IHS Standards, the ANSI Store or Techstreet.
ANSI/BHMA A156.4: Door Controls - Closers (American National Standards Institute / Builders Hardware Manufacturers Association)
ANSI/BHMA A156.1: Butts and Hinges (American National Standards Institute / Builders Hardware Manufacturers Association)
ASTM A627-03: Standard Test Methods for Tool-Resisting Steel Bars, Flats, and Shapes for Detention and Correctional Facilities (American Society for Testing and Materials)
ASTM F1267-07: Standard Specification for Metal, Expanded, Steel (American Society for Testing and Materials)
CAN/CGSB-1.60: Interior Alkyd Gloss Enamel Paint (Canadian General Standards Board)
CSDMA 08 11 13: Recommended Specification for Commercial Steel Door and Frame Products (Canadian Steel Door Manufacturers' Association)
EMMA 557-99: Standard for Expanded Metal: Introduction, Product Selection Considerations, Terminology, Manufacturing Process, Manufacturing Tolerances and Applications (Expanded Metal Manufacturers Association)
HMMA 840-07: Guide Specification for Installation and Storage of Hollow Metal Doors and Frames (Hollow Metal Manufacturers Association)
HMMA 810-09 (NAAMM Standard): Hollow Metal Doors (Hollow Metal Manufacturers Association)
SSMA: Product Specifications (Steel Stud Manufacturers Association)
Advances in portable tool technology have changed the nature of overt force and skilled force attacks. In addition, large-capacity memory devices can now store significant amounts of information and the threat to personal information has greatly increased due to identity theft.
In light of these technological and threat evolutions, it is recommended that a TRA be conducted on all existing Secure Rooms (or similar spaces constructed using previous G1-029 version specifications) to determine if modifications are warranted.
Significant Changes introduced with the G13-01:
This Guide (particularly Part 1) is intended for use by qualified security practitioners and departmental security staff to select appropriate Secure Storage Room features and Intrusion Detection System (IDS) components and develop a Statement of Requirements (SOR) to guide the designer responsible for its design and construction.
Once the SOR is established, appropriately cleared architects, engineers or qualified builders/ designers should be engaged to develop detailed drawings and specifications. These should incorporate the features and components specified in the SOR and ensure the design conforms to overall project requirements (where part of a larger project) and all applicable codes and facility “fit-up” standards. IDS design and installation should ideally be done by departmental security personnel. Departments without alarm and intrusion system sections should engage an independent (without ties to vendors or installers) consultant to assist with developing the IDS architecture and help manage the contract and procurement process. They can also be helpful with developing commissioning criteria.
The rationale for any component or feature selection (as well as the nature of the asset and the design-basis threat) should only be divulged to the architect, designer and contractor on a need-to-know basis and only if they have the appropriate security clearance. Consideration should be given to classifying the rationale and key security features.
Note : The fact that a SSR may store classified information does not in itself imply the SSR construction details should have the same classification. It does imply the construction details (as well as purpose and name of the SSR) should be adequately protected.
Segregation of details and distribution on a need-to-know basis will often be sufficient. The architect or designer should be provided with formal guidance / direction on the preparation of drawings for tender or sub-trades to ensure that sensitive information is not inappropriately divulged. For example, the purpose or name of the room should not appear on widely disseminated drawings, specifications or other contract documents. A generic or numeric name should be used. Sub-trades should receive only enough information to perform their work (e.g. partial building drawings and system schematics which do not identify adjacent activities or security-related system details). Security requirements should be incorporated into contract documents where feasible to ensure enforceability.
Purpose of the Secure Storage Room
A Secure Storage Room is intended to function as an approved storage container for open-shelf storage of a large amount of classified or highly sensitive non-national (Protected) information or assets. A Secure Storage Room is essentially a “security container” and subject to the same zoning requirements.
Unless all mandatory technical and application specifications in this Guide are met, the room does not qualify as an approved Secure Storage Room (SSR) and should not be referred to as an SSR.
Fire Protection
Fire requirements (legislation) ALWAYS supersede security requirements (policy) so good planning and early consultation with the local AHJ is very important to avoid issues which may result in the removal or modification to security features.
Sprinklers are not an integral component of a Secure Storage Room and should not be added inside an SSR unless required by the AHJ. If additional fire protection is required, records can be stored in commercial fire rated containers placed inside the Secure Storage Room. Inert gas fire suppression systems can also be used.
Additional or Type X drywall sheets can be installed to meet code requirements (or as required by the AHJ). If necessary, an appropriately labelled fire door can be used instead of the specified door. Please note that there are specific requirements for mounting locks and hardware on fire rated doors. Contact the local AHJ for assistance and guidance on fire and safety issues.
Slab-to-Slab
Secure Storage Room walls must be slab-to-slab (from the finished floor to the underside of structural concrete roof or floor) or continue across the ceiling to form a continuous secure enclosure (Secure Ceiling). Where the space above the Secure Ceiling (measured to the underside of the limiting structural component) exceeds 6 inches, the space should be closed and secured or electronically monitored. In rare cases, the floor may also need special treatment. Consult the RCMP for advice.
Secure Storage Rooms primarily protect against surreptitious attacks but also detect and delay forced entry. The SSR is designed for location in a Security Zone or High Security Zone in a federal government building (or CISD-approved equivalent in contractor facilities) in urban centres. SSR constructed in remote locations may require additional safeguards.
A Vulnerability Assessment should be conducted to determine if a potential adversary can access the perimeter (or any space above or below) of the SSR undetected and unobserved for long periods of time. If so, additional measures are required to limit access or actively monitor activity in the perimeter areas.
Floors and ceilings are assumed to be constructed of highly intrusion-resistant materials such as structural concrete, reinforced concrete block or concrete on steel (roofs and floors). Wood or steel assemblies should be steel-strengthened and vibration-monitored the same as the walls.
A vestibule was included with the original Secure Room design for two purposes: to limit the swinging motion of hand tools and to provide better sound isolation at the door. With respect to the first objective, the most viable forced entry threat to the SSR door and hardware is now from powered portable tools and a vestibule does little to reduce it. In fact, a vestibule now becomes a possible space for an adversary to hide while attacking the door (or the wall around it). The vestibule is also not needed to enhance sound isolation at the door when the SSR is used as intended – as a records storage room.
Therefore, exterior vestibules are not required (though still permitted) for construction of a SSR. Any vestibule that is built should be constructed so as to permit observation of activities within it (e.g. glazed walls or door).
A “day door” function is facilitated by use of SEG-listed locks which provide this function where departmental policy accepts the practice. To be approved for this function, the electronic access controls must work only when the mechanical lock is “open” (locking the mechanical lock must mechanically disengage the electronics so that attacks by compromising the access controls are not possible).
Well-defined and enforced operating procedures are necessary when using “day doors”. Users must not be permitted to use the electronic locking mechanism in place of the mechanical lock for extended periods (especially overnight and weekends).
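The interlock described above (the electronic release works only while the mechanical lock is open, so compromising the access controls gains nothing outside day-door hours) and the operating rule that follows it (the mechanical lock must not be left open overnight or over weekends) can be modelled and checked. The Python below is an added example, not code from the RCMP guide or from any SEG-listed lock; the class, the event wording, the 18:00 cutoff and the sample logs are assumptions constructed for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, time
from typing import Dict, List, Set, Tuple

Event = Tuple[datetime, str]


@dataclass
class DayDoorLock:
    """Hypothetical model of a day-door arrangement: a primary mechanical combination
    lock and a secondary electronic access control that is physically disconnected
    whenever the mechanical lock is engaged. Not a specific SEG-listed product."""
    authorized: Set[str]                      # credentials accepted by the access control
    mechanical_locked: bool = True
    events: List[Event] = field(default_factory=list)

    def open_mechanical(self, custodian: str, at: datetime) -> None:
        """Person responsible dials the primary lock open in the morning."""
        self.mechanical_locked = False
        self.events.append((at, f"mechanical opened by {custodian}"))

    def lock_mechanical(self, custodian: str, at: datetime) -> None:
        """Re-locking the primary lock mechanically disengages the electronics."""
        self.mechanical_locked = True
        self.events.append((at, f"mechanical locked by {custodian}"))

    def electronic_release(self, credential: str, at: datetime) -> bool:
        """Assistant presents a credential. Returns True only if the door actually opens."""
        if self.mechanical_locked:
            # Interlock: the electronics are disconnected, so the request never reaches the strike.
            self.events.append((at, f"electronic release ignored, mechanically locked: {credential}"))
            return False
        granted = credential in self.authorized
        self.events.append((at, f"electronic release {'granted' if granted else 'denied'}: {credential}"))
        return granted

    def compromised_controller_release(self, at: datetime) -> bool:
        """Adversary who fully controls the access-control electronics drives the release
        directly, bypassing the credential check. The interlock still gates the result."""
        if self.mechanical_locked:
            self.events.append((at, "forced electronic release ignored, mechanically locked"))
            return False
        self.events.append((at, "forced electronic release succeeded"))
        return True


def day_door_violations(events: List[Event], cutoff: time = time(18, 0)) -> List[str]:
    """Dates on which the mechanical lock was left open past the cutoff (or never re-locked),
    i.e. the electronic lock stood in for the mechanical lock overnight or over a weekend."""
    violations: List[str] = []
    open_since = None
    for at, what in sorted(events):
        if what.startswith("mechanical opened"):
            open_since = at
        elif what.startswith("mechanical locked") and open_since is not None:
            if at.date() != open_since.date() or at.time() > cutoff:
                violations.append(open_since.date().isoformat())
            open_since = None
    if open_since is not None:            # still open when the log ends
        violations.append(open_since.date().isoformat())
    return violations


def interlock_demo() -> Tuple[List[bool], List[Event]]:
    """Release attempts in order: valid credential and forced release while mechanically
    locked; valid credential, unknown credential and forced release after opening;
    forced release after re-locking. Returns the outcomes and the event log."""
    lock = DayDoorLock(authorized={"assistant-01"})
    t = datetime(2013, 7, 15, 8, 0)                       # constructed timestamps
    results = [lock.electronic_release("assistant-01", t),
               lock.compromised_controller_release(t)]
    lock.open_mechanical("custodian", t)
    results += [lock.electronic_release("assistant-01", t.replace(hour=9)),
                lock.electronic_release("visitor-99", t.replace(hour=10)),
                lock.compromised_controller_release(t.replace(hour=11))]
    lock.lock_mechanical("custodian", t.replace(hour=17))
    results.append(lock.compromised_controller_release(t.replace(hour=20)))
    return results, lock.events


def sample_logs() -> Dict[str, List[Event]]:
    """Constructed sample logs showing the procedural failures the guide warns about."""
    return {
        "weekend_open": [   # opened Friday, not re-locked until Monday morning
            (datetime(2013, 7, 19, 8, 0), "mechanical opened by custodian"),
            (datetime(2013, 7, 22, 8, 5), "mechanical locked by custodian"),
            (datetime(2013, 7, 22, 8, 10), "mechanical opened by custodian"),
            (datetime(2013, 7, 22, 17, 0), "mechanical locked by custodian"),
        ],
        "late_and_never_relocked": [   # locked late one night, then left open for good
            (datetime(2013, 7, 23, 8, 0), "mechanical opened by custodian"),
            (datetime(2013, 7, 23, 22, 30), "mechanical locked by custodian"),
            (datetime(2013, 7, 24, 8, 0), "mechanical opened by custodian"),
        ],
    }


if __name__ == "__main__":
    results, events = interlock_demo()
    print("release outcomes:", results)
    print("violations in the demo day:", day_door_violations(events))
    for name, log in sample_logs().items():
        print(f"violations in {name}:", day_door_violations(log))
```

The forced release succeeds only between the morning opening and the evening re-locking, which is exactly why the operating procedures matter: every hour the mechanical lock is left open is an hour in which a compromised controller is a complete bypass.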
Intrusion Detection Systems (IDS)
While the sheet steel on the walls provides some force resistance, its main use is to transmit vibrations from force attacks to vibration sensors. The RCMP has tested and approved a vibration detector for SSR walls which is listed in the SEG. Detection systems (e.g. motion sensors) located inside the Secure Storage Room may also be employed, although they do not detect the adversary until he/she has already gained entry, thereby reducing the available response time.
The selection table suggests what type of detection system should be used for various situations. In all cases, the alarm systems must generate reliable, timely and appropriate response.
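The detection-versus-delay trade-off just described (wall vibration sensors alarm while the wall is still being attacked; an interior motion sensor alarms only after the wall is already defeated) and the Table 1 note that a safe's rated resistance should match the assured response time can be worked through numerically. The following Python model is an added example, not part of the RCMP guide; the layer names, delay minutes and response times are assumed figures for illustration, not RCMP test results.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Layer:
    """One protective layer, in the order an adversary must defeat them."""
    name: str
    delay_min: float   # forced-entry delay this layer provides (assumed value)
    detects: bool      # True if a sensor alarms while this layer is attacked


@dataclass
class Outcome:
    detection_layer: Optional[str]   # layer whose attack raised the alarm, or None
    delay_after_detection: float     # minutes of work the adversary still faces after the alarm
    response_time: float             # assured response time in minutes
    interrupted: bool                # True if responders arrive before the attack completes


def evaluate(layers: List[Layer], response_time: float) -> Outcome:
    """Find the first layer that detects the attack and compare the delay the adversary
    still faces against the assured response time."""
    for i, layer in enumerate(layers):
        if layer.detects:
            # The alarm is assumed to be raised as work on this layer begins, so this
            # layer's delay and every later layer's delay all count as response budget.
            remaining = sum(l.delay_min for l in layers[i:])
            return Outcome(layer.name, remaining, response_time, remaining >= response_time)
    # No layer detects: there is no alarm and therefore no response at all.
    return Outcome(None, 0.0, response_time, False)


def required_container_delay(layers: List[Layer], response_time: float) -> float:
    """Minimum additional delay (e.g. the rated resistance of a UL 687 safe placed inside
    the room) needed so that the response arrives before the attack completes."""
    out = evaluate(layers, response_time)
    if out.detection_layer is None:
        raise ValueError("no detecting layer; add detection before sizing the container")
    return max(0.0, response_time - out.delay_after_detection)


# Constructed scenarios (assumed figures, not RCMP test data).
WALL_DELAY = 8.0      # minutes to breach the wall with powered portable tools
SAFE_DELAY = 60.0     # UL 687 safe with a 1 hour rating
RESPONSE = 65.0       # assured guard response time

# Perimeter vibration detection on the wall sheeting (the guide's approved approach).
PERIMETER_DETECTION = [
    Layer("SSR wall, vibration-monitored", WALL_DELAY, True),
    Layer("UL 687 safe, 1 hour", SAFE_DELAY, False),
]

# Interior motion detection only: the wall is defeated before anything alarms.
INTERIOR_DETECTION_ONLY = [
    Layer("SSR wall, unmonitored", WALL_DELAY, False),
    Layer("room interior, motion sensor", 0.0, True),
    Layer("UL 687 safe, 1 hour", SAFE_DELAY, False),
]


if __name__ == "__main__":
    for label, layers in (("perimeter detection", PERIMETER_DETECTION),
                          ("interior detection only", INTERIOR_DETECTION_ONLY)):
        o = evaluate(layers, RESPONSE)
        print(f"{label}: alarm at '{o.detection_layer}', {o.delay_after_detection:.0f} min "
              f"of delay left vs {o.response_time:.0f} min response -> "
              f"{'interrupted' if o.interrupted else 'NOT interrupted'}")
    print("safe rating needed with perimeter detection and a 45 min response:",
          required_container_delay(PERIMETER_DETECTION[:1], 45.0), "min")
```

With these figures the perimeter-detected attack leaves the full wall delay plus the safe's rating (68 minutes) as response budget and is interrupted; moving detection inside the room throws away the wall delay, leaves only the safe's 60 minutes, and the same 65 minute response arrives too late. The second function sizes the container the other way round, from the response time back to the resistance the safe must supply.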
Plumbing and Electrical Pass-through Construction
Minimize plumbing and electrical pass-throughs in SSR walls where possible. Do not locate pass-throughs in the Critical Attack Area. Where pass-throughs are required, frame openings within 1 inch (25mm) of the pipe/conduit and secure to the stud framing at minimum two places. Extend the wall protection material to within ¾” (20 mm) of the edge of the opening. Extend gypsum wall board to the edge of the pipe or conduit. Seal all gaps with fire rated or acoustic sealant. Recommended product standard: ASTM E 814 (UL 1479) or CAN/ULC S115, or as required by the AHJ.
Where necessary to accommodate pipe or conduit movement or expansion, pipes and conduit may be enclosed in a close-fitting sheet metal sleeve and the sleeve mechanically fastened to the stud framing at two places (minimum). Clearance between the sleeve and pipe or conduit should be kept to a minimum and not exceed ¼”.
Steel bars should be installed to delay access of a person through a duct with a cross-sectional area greater than 96 square inches and a smallest dimension greater than 6”. They may be omitted if a TRA determines that unauthorized entry through these ducts is not a threat.
Note that these steel bars (“man bars”) do not prevent the introduction of deleterious material (e.g. water, toxic fumes). If a TRA identifies such threats as viable, all ducts and openings may require additional mitigation measures (e.g. filters or dampers). Contact the RCMP for advice.
A code-compliant (single motion, single action) door lock that accepts approved combination locks has been approved and is listed in the SEG.
Two-Person Integrity
Some SEG-listed electronic combination locks permit the application of a two-person integrity (both persons must dial the lock open) policy. This is one of the most effective security measures that can be applied to sensitive information storage.
Screws (including “security screws”) are not approved for attaching wall protection material (steel sheet or mesh) to steel studs. Wall protection must be attached by welding or rivets.
Standard drywall screws are permitted for attaching gypsum wall board over steel protection sheeting to metal or wood studs.
Self-tapping sheet metal screws are permitted for attaching anti-spread and cross-bracing to metal studs.
Use minimum 38mm (1-1/2”) long #7 (or larger) wood (not drywall) screws spaced at 300mm o.c. (with appropriate washers) to attach steel protection material to wood joists or wood studs.
Statement of Requirements
Where the department (client) is not also the designer, a Statement of Requirements (SOR) should be developed to tell the designer exactly what is required and to identify selected construction options from those presented in the General Specifications in Part II.
The SOR and all documentation leading to the selection of SSR specifics should be considered sensitive and treated accordingly.
Do not tell the designer why a selection has been made unless the designer has a need to know.
Advice and Guidance
Royal Canadian Mounted Police, Departmental Security Branch, Physical Security Section, 1426 St. Joseph Boulevard, Ottawa, Ontario K1A 0R2. Email: [email protected]
| Sensitivity | Security Measures |
|---|---|
| Protected A, Protected B | “Lock-Up” the information (see Reference F). A storage room constructed in close conformance to this guide will greatly exceed the minimum “lock up” physical security requirements. The following are recommended alternatives for SSR for storage of Protected A/B: |
| Protected C | (exterior constructed as recommended in TRA) |
| Confidential | |
| Secret | |
| Top Secret | |
Table Notes
1. UL 687 labelled Burglar Resistant safes provide significant additional force resistance (as well as compartmentalization for need-to-know segregation). Although the Secure Storage Room provides early detection and some delay, the safe’s resistance time should closely correspond to the assured response time for an appropriate response.
2. Additional compartmentalization is recommended where the need-to-access principle is still a concern (see Reference B paragraph 7.6.7). Information can be compartmentalized by using commercial locking containers/cabinets. UL 437 high security keyed locks are recommended.
3. Procedural and/or technological mitigation measures should also be considered.
4. Consider the use of High Security cylinders with “chip technology” (e.g. CLIQ ™) for audit purposes (only).
General Notes:
A) Where a TRA determines that a particular threat is well-mitigated by other aspects of security the DSO may decide that one or more of the recommended measures are not required.
B) The Communications Security Establishment of Canada (CSEC) requires certain equipment to be placed in a Secure Room (previously the SR-2). Additional security features such as emanations protection may be required, but the RCMP can only advise on the construction of a Secure Storage Room as designed for records storage. Contact CSEC Client Services: [email protected]
Q1: Why does Protected “C” in a Secure Storage Room still require a safe?
A1: The nature of the threat to Classified information differs significantly from the threat to Protected “C” (especially Life Threatening) information. Secure Storage Rooms are an alternative to approved security containers and must provide at least the same protection. Protected “C” (especially Life Threatening) information is considered susceptible to sustained force attacks by a motivated adversary and thus needs significant force resistance. This can best be assured by using UL 687 Burglar Resistant safes with at least a 1 hour rating. Safes also provide additional compartmentalization for need-to-know.
Q2: How do the Secure Storage Room requirements relate to those for a Secure Server Room as specified in G1-031?
A2: The functions of the rooms are different. Secure Storage Rooms are designed for the storage of records. They are not intended for the processing of information (or for occupancy). Servers are vulnerable to different threats than stored records, and server rooms generally have extensive electrical, air conditioning, vents and ducts, and other systems in the room (and through the walls).
Q3: The Operational Security Standard on Physical Security says Confidential information can be stored in an Operations Zone. Why does Table 1 recommend that the Secure Storage Room for Confidential information be in a Security Zone?
A3: The Secure Storage Room should be in a Security Zone because of the elevated risks associated with storing large amounts of information on open shelves. The “periodic monitoring” requirement for an Operations Zone does not provide assurance that an adversary will not benefit from long periods of unmonitored activity. The concern is that without effective 24/7 monitoring, an adversary could gain access and operate without detection for an extended period of time. Access might be by insecure ceiling spaces or by un-alarmed/ un-monitored exit doors or elevators. If a TRA reveals that the Operations Zone is sufficiently secure that unauthorized access is highly improbable, then the DSO may permit a Secure Storage Room to be located there.
Q4: The space assigned to us for a Secure Storage Room is adjacent to a public space or non-departmental occupant. What should we do?
A4: A Secure Storage Room should never be placed against exterior walls other than those made of reinforced concrete or reinforced concrete blocks (all voids filled). Secure Storage Rooms can normally be placed adjacent to subterranean (basement) walls and walls at least 3 storeys above an accessible surface (ground or roof) without additional safeguards.
Q5: We have an existing double steel door and would like to keep it for our Secure Storage Room as it makes it easier to use a forklift. Can we use it?
A5: If the door and frame meet the basic construction requirements of this Guide you may be able to secure one of the doors to provide satisfactory security when closed and secured. One way to do this would be to install heavy duty locking bars at the top and bottom that can be secured with padlocks (to ensure users do not open them and leave them open). The bars should have a diameter of at least 30mm and be connected to the door with two guides that are welded or riveted to the door and spaced at least 300mm apart. The bars must project at least 30mm into a pocket or guide welded or riveted to the frame or secure wall. The bars should have a design that prevents unlocking when the padlock is attached.
This approach requires strict adherence to policy and procedure and should be used with discretion. A custodian should be appointed to hold the keys to the padlocks and be responsible for ensuring the secondary door is secured.
Q6: Are there any restrictions on wall switches or outlets on Secure Storage Room walls?
A6: The Secure Storage Room walls were tested without holes or penetrations. Surface mounted fixtures should be used where possible. Where a fixture must be set into the wall, it should be located as far as possible from the door. The fixture box must be steel and welded or riveted to the steel wall sheathing. All cables and wires should be encased in steel/EMT conduit.
Through penetrations are to be avoided. Where penetrations must be made on both sides of the wall, they should be offset at least 300mm from each other.
Q7: The G13-01 uses mandatory language with words like “required” but isn’t it a ‘guide’?
A7: As Lead Agency, the RCMP is delegated the authority to design, test, evaluate and approve security equipment. Each department or agency has the authority to decide if it will use RCMP approved equipment or designs – either as approved or modified in some way. To be approved, a Secure Storage Room must be constructed to the RCMP design specifications. If all RCMP specifications are not met, it is not an RCMP approved Secure Storage Room and should not be referred to as a Secure Storage Room (SSR).
Q8: What if the AHJ requires the SSR to have two means of egress?
A8: This should not occur when the room is kept to its original design purpose as a (relatively) small records storage room since the secondary exit is determined by occupancy and floor area. If this situation arises, the second exit door should not have any locking hardware on the outside.
Q9: Can I build an SSR in a wooden building?
A9: The SSR was designed for location in a Security or High Security Zone within a typical government building in an urban environment. For other situations, conduct a TRA taking into consideration the threat, the asset and the sum of all protection measures (e.g.: location on a military base, regular patrols and fast response, etc.). While not explicit in this guide, operational security measures that are sufficient and assured can offset minor gaps in the level of physical protection afforded by wooden floor and ceiling construction. Metal protection material and vibration sensors should be installed on both the floor and ceiling of an SSR constructed in a wooden building – contact the RCMP for additional guidance.
Q10: We are putting in an enforcement unit in a warehouse bay with a main floor and a mezzanine floor that will be open to the main floor. However, there will be enclosed offices on this floor. There are plans for two evidence/secure storage rooms on the main floor underneath the mezzanine floor. The floor will not be slab concrete. What should we do?
A10: Where the roof (mezzanine floor) is made of wood (wood or composite joists with plywood sub-flooring), we recommend that the roof have expanded metal mesh (3/4" - #9F, as called for in the wall construction) secured to the underside (secure side) of the roof joists and a vibration detector (sensor) installed in contact with the mesh on the secure side. The sensor mounting plate can be installed adjacent to the roof joist (preferred solution). Cabling for the roof sensor should be run on the secure side of the SSR ceiling (i.e. in surface mounted conduit) to where it joins the other sensor cabling in the common conduit to the alarm control panel.
Q11: Can I install the door lock at a different height to accommodate accessibility requirements?
A11: Ordinarily installing the door lock 44 inches above floor level will accommodate accessibility requirements for all users. If the lock is being installed less than 42 inches above floor level, the anti-spread bracing (between the door frame and adjacent stud – located 48 inches above the floor) should be lowered to within 6 inches of the lock center-line, or additional anti-spread bracing installed 6 inches or less below the lock center-line.
Q12: Can I change the lock height (e.g., to accommodate a handicapped person)?
A12: Yes. If the lock height is shifted more than about 150mm (6”) we recommend also shifting the anti-spread bracing to match.
SSR General Construction and Assembly Specifications
Note : The specifications in this Part should be modified as required and incorporated into the Project Contract Documents by the Designer in accordance with client requirements (ideally outlined in a detailed SSR Statement of Requirements) and overall project and code requirements.
Extend wall partition framing slab to slab.
Top and Bottom Tracks: SSMA standard: 1-5/8” x 6”, 18 ga (600T162-43); OR Preferred: 2” x 6”, 18 ga (600T200-43)
Secure top and bottom steel stud track to both slabs at 300mm o.c. using any expanding (preferably double expanding) mechanical fastener. Non-expanding (e.g. “Tapcon”) screws are not acceptable.
Studs: SSMA standard: 1-5/8” x 6”, 18 ga (600S162-43: 33ksi); OR Preferred: 2” x 6”, 18 ga (600S200-43: 33ksi)
Space studs at 300 mm oc and secure to the top and bottom tracks with welds or rivets (not screws).
Install double (jamb) studs at the door frame opening. Install the door frame as per HMMA 840-07, part 3 A, B, C, D and E (except that screws shall be replaced with steel rivets).
Install anti-spread bracing approximately 48” from the bottom of the wall between the door frame double stud and the adjacent stud on both sides of the frame.
Construct wall corners with double studs.
Wall protection material may be one of two options:
Flattened Metal Mesh: to EMMA 557-99, Style ¾-9F: nominal strand thickness 0.120” (0.108” to 0.132”), diamond opening 0.563” x 1.688”; OR
Sheet Steel: 16 ga, ASTM A1008/A1008M (cold rolled) or ASTM A1011/A1011M (hot rolled) or equivalent.
Mount on the outside (attack side) of the room. Support all edges by anti-spread bracing, studs or corners. Align the sheet edges at every vertical and horizontal seam on the centre line of the steel stud or anti-spread bracing and secure all sheets with welds or rivets.
Note: Screws (including “security screws”) are NOT acceptable for permanently attaching the protection material (steel or steel mesh). Screws may be used to “tack” the sheets in place pending riveting or welding. Temporary screws do not need to be removed.
Welding (Permitted Method)
Steel mesh (Figure 2): 3mm fillet weld along the strand at 200mm oc
Steel Sheet (Figure 3): 1.5mm fillet weld 15mm long at 200mm oc OR 8mm plug weld at 200mm oc
Rivets (Preferred Method) (Figure 4):
Steel sheet: 3/16" steel rivets at 200mm o.c.
Steel mesh: 3/16" steel rivets with “fender” washer (1½" OD, 3/16" ID) at 200mm o.c.
Suggested material: 3/16” steel pop rivet, Spaenaur part #301-440; 1½" OD, 3/16" ID “fender” washer, Fastenal part #1133204.
Steel mesh interlay seam (Figure 5):
16 ga. (1.6 mm) steel sheet, HR Commercial quality, ASTM A366, matte finish, shall extend 1200mm around the door frame on the inside of the secure storage room and be attached as per selected rivet or welding requirements for protection material.
Note : Perforations for services, conduits or ducts are not permitted in the Critical Attack Area.
Wall Finishing Details
Install 16mm gypsum wall boards on both sides of the wall (interior is optional). Standard drywall screws are acceptable for attaching the drywall.
Apply a continuous bead of fire-rated acoustic sealant on both sides of the top and bottom tracks. The sealant must be tested to ASTM E814 (UL 1479), ASTM E1966 (UL 2079) or CAN/ULC S115 with a fire/smoke rating acceptable to the Authority Having Jurisdiction (AHJ).
Paint exterior surface of wall with one coat primer/sealer and one coat of gloss enamel. Primer/sealer must extend above drop ceilings to the bottom of structural ceiling. Paint must be uniform and without blemishes. Joints must not be visible. Custom colors should be considered.
Door and Frame:
Commercial Steel Door and frame compliant with section 08-11-13 of CDMA Publication: Recommended Specification for Commercial Steel Door and Frame Products.
Door may be specified as fire rated where required.
Doors wider than 900mm (36”) should be avoided. Double doors will require special measures.
Face Gauge: 16 gauge (1.6 mm) steel
Construction: Laminated core with vertical steel stiffeners at 150mm oc (stiffeners welded or laminated to each face sheet with voids between stiffeners filled with fiberglass or mineral batt type material).
Caps: ‘Flush Closing Channel’ or ‘Flush Channel’ top and bottom.
Ref: NAAMM 810-09 Part 2. A. Figures E and F for edge details.
Edges: all edges and top and bottom caps to be continuously welded and ground smooth.
Door handing: (must be specified as per client requirements).
Gauge: 16 gauge (1.6mm) steel
Frame construction: Welded or fully field welded 3-piece “knock-down” (for retrofit applications).
Anchors: “Z” shape steel wall anchors welded to frame.
Reinforcing at latch: as per lock manufacturer recommendations. Lock specifications must be provided to the supplier/manufacturer to provide necessary reinforcing requirements.
Locks: Select according to Table 1.
Hinges: to ANSI/BHMA A156.1 Grade 2 and ANSI A8112 (Steel Material Standard). Full mortise, five knuckles, ball bearings, standard weight. Three (3) hinges per door (minimum). Minimum dimensions: 114mm (4 ½”) x 114mm (4 ½”) x 3.4mm (0.124”) thick.
Hinges mounted with barrels on the attack side (“reverse-hung” or outwards opening) must have non-removable pins (NRP), maximum security pins (MSP) or safety studs/reverse safety studs. Note that these require special ordering instructions.
Suggested products:
Door closer : Overhead style ANSI A156.4 Grade 1 Suggested product: Ingersol-Rand LCN 4040 series
Threshold : Aluminum (or other metal) interlocking style with hook strip installed on door. The SSR should qualify for exception from building code “Barrier-free path” requirements when used only to store records. However, where wheelchair accessibility is required, two recommended products are:
Door contacts: UL 634 High Security Switch - level 1 or level 2.
Door installation: The door is generally installed as regular hung (opening into the Secure Storage Room), but it can be reverse hung (opening out) in exceptional cases.
Frame reinforcement at the lock area (Figure 7): Secure a 6.4mm x 25mm x 610mm steel plate inside the frame using tack welds on every edge. Align the centre of the plate with the lock bolt.
For reverse hung doors, install a steel astragal covering the entire lock edge of the door AND the unmodified strike plate. The astragal should be at least 14 ga (2 mm) thick and should overlap the door frame by at least 25mm. Attach with minimum 6mm (1/4") diameter steel carriage bolts spaced at 250mm oc and at least 25mm from the mortise lock pocket. Carriage bolt heads must be on the attack side.
Suggested product: Zero International #43STST
Note: Where superior resistance to cutting is required, man bars can be specified as tool‑resistant steel (grade 1 or 2) per ASTM A627.
Ceiling mount: (Figure 8)
Surface Mount: (Figure 9)
As more and more sophisticated crime operations spread across the globe, and as new software vulnerabilities are discovered and exploited by cyber criminals, companies have an increasing obligation to assign experts and analysts to systematically identify and remediate threats. One invaluable tool for creating and implementing an effective security program is a detailed and comprehensive Threat and Risk Assessment (TRA).
A TRA is a process used to identify, assess, and remediate risk areas. The intended result is to harden the network and prevent, or at least reduce, attacks. A Threat and Risk Assessment provides a more thorough assessment of security risk than standard assessments such as studying threat statistics or conducting a facility walk-through. The analyst gathers information and data through many methods and then combines these pieces into an extensive plan for sound security management, while also assessing the company’s compliance with industry practices and applicable laws.
The main objective of Threat and Risk Assessment is to protect organizations against liabilities by identifying and understanding the various risks facing the client property and community. Threat and Risk Assessment identifies exposures by determining potential security weaknesses and taking the appropriate actions to reduce the impact of threatening events and manage the risks.
A TRA assesses not only external threats but internal ones as well. If your organization works with sensitive data, you should also assess the risk of insider threats. No one wants to imagine that their employees could be a security risk, but one estimate puts the share of cyber attacks that are internal at 63%. There are three steps to assess the risk of insider threats:
Risk assessment is an essential part of a risk management strategy. Aside from being part of a regular routine, here are just a few of the times when your organization should perform an assessment:
Just as we insure our buildings and businesses for risks such as fire, theft, and natural disasters, it’s advisable to also insure your company for cyber attacks. As with most insurance, the insurance company may require an assessment before issuing the policy, and in order to help define the terms of your coverage. The risk assessment method used by insurers for analyzing an organization’s risk level includes:
There are many laws and regulations that directly involve the security of data. Whether you are dealing with PCI, HIPAA, or frameworks from organisations such as ISO and NIST, a risk assessment that covers insider threats is required or expected. Below, we will run through a few of these regulatory requirements:
The National Institute of Standards and Technology (NIST), suggests the following steps:
The PCI Guide offers pages of guidelines and assessment values to consider. Here are just a few of the most important tips:
The Health Insurance Portability and Accountability Act (HIPAA) requires that health organisations conduct a regular risk assessment. During this assessment, auditors should check for:
In the context of cybersecurity risk mitigation, involving a diverse range of stakeholders is essential for a comprehensive threat and risk assessment. These stakeholders, including board members, executives, managers, employees, IT teams, customers, and external entities like suppliers and regulators, bring unique perspectives crucial for effective risk management. The process begins with identifying and categorizing stakeholders, followed by transparent communication of the risk strategy. Actively involving stakeholders in risk assessment, consulting them on treatment plans, and collaborating on implementation ensures a collective and informed approach. Regular updates on risk monitoring maintain transparency and foster a culture of cybersecurity awareness. To enhance stakeholder engagement, consider tailoring communication methods, addressing concerns promptly, and promoting a pervasive cybersecurity mindset across the organization.
When introducing new technology for safety risk assessments, it is important to remember that it is meant to complement and enhance existing practices, not replace them. The first step is to clearly define the goals you want to achieve with the technology. Next, choose the technology that best fits your needs. It is crucial to seamlessly integrate this technology into your current workflow. Ensure that everyone understands their role in using the technology and handle the data it produces responsibly. Once the technology is operational, regularly evaluate its performance and make any necessary adjustments and improvements. However, it is essential to remember the core principles: always act ethically and legally, and prioritize stakeholder privacy and rights.
The evolving nature of cyber threats necessitates a transition from periodic assessments to continuous monitoring. Continuous monitoring involves real-time tracking of security metrics, network activities, and potential vulnerabilities. It enables you to oversee high-risk assets and systems and promptly respond when needed. The good news is that continuous monitoring can be automated, ensuring the quality of assessments without overwhelming your team.
As we mentioned at the beginning of this article, while external threats are certainly a risk, a large number of attacks come from internal sources. Insider threats pose a significant risk to organizations, as they involve malicious or negligent actions from employees, contractors, or other insiders who have authorized access to sensitive information, systems, or assets.
An insider threat can cause significant damage to an organization, ranging from physical damage to intellectual property, financial loss, and reputation, ultimately resulting in reduced profitability and competitive advantage.
For this reason, it is vital to assess your organization’s security from the inside, as well. A threat and risk assessment program can help you to identify and address insider threats, thus reducing the overall risk to your organization and improving the effectiveness of your information security program.
A typical insider threat and risk assessment would look like this:
Source: CISA
We've broken down the threat assessment process into five key steps. Keep reading to learn more.
Risk assessment starts by distinguishing the valuable assets that insiders can compromise in an organization. You should therefore focus on:
In this step, you need to identify the assets and data that need to be protected, and determine the potential insider threats that could compromise them and the current level of exposure of your critical assets to insider threats. You also need to define the goals and objectives of the assessment, such as identifying vulnerabilities and weaknesses, assessing the effectiveness of existing controls, and developing mitigation strategies.
A penetration test can help you determine if your current security controls are effective to protect these assets. Additionally, it can help to uncover any vulnerabilities that may be exploited by an insider.
Harmful or negligent activities carried out by legitimate users are referred to as insider threats. These include:
Insider threats can take many forms. According to CISA, these are the main types of insider threats:
All these threats can manifest in your organization in different ways. According to CISA, these 'expressions' of insider threats can include workplace violence, terrorism, sabotage, and espionage. Here's a chart that illustrates the various expressions of these insider threats.
To identify potential insider threats, you need to review access logs, conduct employee interviews, and analyze past incidents. It's also important to keep an eye out for suspicious activity, or concerning behaviors in your employees that may include any of the abovementioned expressions of insider threats. This will help you identify individuals who have authorized access to your organization's systems and data, and who may pose a risk to the confidentiality, integrity, and availability of that data.
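One concrete way to "review access logs" for the concerning behaviours described above is to run a few explicit rules over them and count how often each user trips one. The block below is an added example, not CISA's or the article author's tooling; the log lines, the business-hours window, the bulk-download threshold and the per-user entitlement baseline are all constructed assumptions.

```python
"""Rule-based access-log review for insider-threat indicators (added example).

Constructed input: a CSV access log with timestamp, user, action, resource, bytes.
Three assumed indicators are checked per row:
  - after-hours access (outside an assumed 07:00-19:00 window)
  - bulk download (an assumed >= 100 MiB in a single download)
  - access outside the user's assumed entitlement baseline (top-level folder)
"""
import csv
import io
from datetime import datetime, time

# Constructed sample log; the users, paths and sizes are invented for illustration.
SAMPLE_LOG = """\
timestamp,user,action,resource,bytes
2024-03-04T09:12:00,alice,read,hr/payroll.xlsx,20480
2024-03-04T23:41:00,bob,download,finance/ledger.db,524288000
2024-03-05T10:05:00,carol,read,crm/customers.csv,4096
2024-03-05T02:17:00,carol,download,crm/customers.csv,157286400
2024-03-05T11:30:00,bob,read,finance/q1.pptx,1048576
2024-03-05T14:00:00,alice,read,finance/ledger.db,8192
"""

BUSINESS_HOURS = (time(7, 0), time(19, 0))      # assumed
BULK_BYTES = 100 * 1024 * 1024                   # assumed: 100 MiB
# Assumed entitlement baseline: which top-level areas each user's role should touch.
ENTITLEMENTS = {"alice": {"hr"}, "bob": {"finance"}, "carol": {"crm"}}


def review_access_log(text: str):
    """Return (user, timestamp, resource, reasons) for every row that trips a rule."""
    findings = []
    for row in csv.DictReader(io.StringIO(text)):
        ts = datetime.fromisoformat(row["timestamp"])
        reasons = []
        if not (BUSINESS_HOURS[0] <= ts.time() < BUSINESS_HOURS[1]):
            reasons.append("after-hours")
        if row["action"] == "download" and int(row["bytes"]) >= BULK_BYTES:
            reasons.append("bulk-download")
        area = row["resource"].split("/", 1)[0]
        if area not in ENTITLEMENTS.get(row["user"], set()):
            reasons.append("outside-entitlement")
        if reasons:
            findings.append((row["user"], row["timestamp"], row["resource"], tuple(reasons)))
    return findings


def users_of_concern(findings, min_flags: int = 2):
    """Users whose indicator count reaches min_flags; a single flag is usually noise."""
    counts = {}
    for user, _, _, reasons in findings:
        counts[user] = counts.get(user, 0) + len(reasons)
    return sorted(u for u, c in counts.items() if c >= min_flags)


if __name__ == "__main__":
    hits = review_access_log(SAMPLE_LOG)
    for user, when, resource, reasons in hits:
        print(f"{when} {user:<6} {resource:<22} {', '.join(reasons)}")
    print("review further:", users_of_concern(hits))
```

Each rule on its own produces false positives (a sysadmin working late, a legitimate quarterly export), which is why the second function only surfaces users who accumulate more than one indicator; the threshold is a tuning knob, not a verdict, and the output is a list of people to look at more closely, not a finding of wrongdoing.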
Once you've identified potential insider threats, it's time to classify and prioritize them, based on the level of risk they pose to your organization.
Here, you determine which risks most threaten your business, both in terms of profitability and customer confidence. A risk matrix can help you determine the level of each risk. Here are the four factors that you should analyze:
While evaluating the risk of possible insider threats, it is important to consider the following:
Wrap your risk assessment results into a comprehensive report. This will help to simplify decision-making at the later stages of the management strategy. The report can help you to:
As per CISA's Insider Threat Mitigation Guide, the ultimate question to answer in a threat assessment is whether the insider is on a path to cause harm. And if they are, how far along are they? And when can you intervene?
You should note that over time, organisations tend to change software and tools, or expand their departments and their practices. Such changes create new vulnerabilities, and your organization should therefore conduct a risk assessment regularly.
Also remember that the threat assessment is not a one-time event and is a process that requires continuous monitoring and updating. If your initial assessments and strategies fail, revisit your threat assessment to find out why and refine your approach accordingly.
Risk assessments collect essential information and expose weak cybersecurity spots. They also provide an organization with the tools they need to evaluate the consequences of potential security incidents. Lastly, they also help an organisation improve its security practices, helping to prevent incidents in the future. While it is impossible to prevent all incidents, risk assessments are a vital tool for protecting any organization from the ever-growing threat of cyber criminals.
The BlueImpact Threat and Risk Assessment Methodology adopts the principles of the HTRA [1] and ISO/IEC 27005 [2] and is customized specifically to the healthcare industry. The TRA methodology proposes a simple and straightforward approach to conducting a TRA that can be easily communicated to the stakeholders and the staff involved in the TRA process, while still containing all the tools and templates required to facilitate information gathering and risk assessment.
The BlueImpact TRA methodology has 5 phases:
The key activities in each of the 5 phases are described in the following:
1 Preparation
In preparation to start the TRA project, the consultant and client project team/stakeholder will have a kickoff meeting. The agenda of the kickoff meeting includes:
By the end of Preparation Phase, the consultant will document the TRA scope and agreed-upon Approach.
2 Asset Identification
The next step is to identify and evaluate all information assets that are within scope of the assessment. People, processes and technology should all be evaluated and documented. This includes the following:
As part of the asset identification, the consultant needs to understand all the key data assets in terms of how the data flows through the application and where the data is stored. Data flow mapping is a good technique for identifying the data and determining where it goes. Data flow mapping identifies all data flow paths from the originating point to the receiving point, which identifies not only all data/information but also the data storage locations. The data flow map will also be used in the next phase, Threat and Vulnerability Assessment.
During the asset identification process, the assets will be rated on a list of security weights – Replacement cost if any, Confidentiality, Integrity, Availability, Impact if compromised, and Criticality to the business.
Upon completion of this phase, the consultant will develop the Statement of Sensitivity which includes all information assets identified and the rating of the assets.
3 Threat Assessment
In this phase, threats will be identified and evaluated, which have security impact to the information assets identified in previous phases.
The success of TRA relies on the identification and determination of threat; the TRA result won’t be reliable if not all threats are identified. The methodology leverages the threat list provided in Harmonized Threat and Risk Assessment (HTRA) document and other recognized sources, as well as the broad and deep knowledge and experience of the TRA consultant.
There are many effective techniques that can be used to identify and evaluate the threats.
-The data flow map developed in previous phase is extremely effective in identifying the threat to the data/information that moves between actors and system components. Following the data/information flow, it is straightforward to determine the threat to the data at a particular transmission point or location.
-Matching to known threat list is normally used to determine the threats to certain common assets that are exposed to the common threats.
-Brainstorming is a technique to discover threats to some specific assets that are unique and specific to the project, for example, personnel.
The methodology will apply different technique to different types of asset to ensure all threats are appropriately identified and evaluated.
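The two techniques above, following the data flow map and matching against a known threat list, can be combined mechanically: every transmission point and storage location from the map is checked against a catalogue of conditional threats. The block below is an added example, not BlueImpact's own tooling; the flows, stores and the small threat catalogue are constructed assumptions standing in for the HTRA threat list the methodology actually uses.

```python
"""Threat identification from a data-flow map plus a known-threat list (added example).

Each Flow is a transmission point and each Store a storage location taken from a
data flow map. The catalogues below are assumed, illustrative threat entries keyed on
a condition; a real assessment would draw them from the HTRA threat list.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    data: str                 # data element moving along this path
    encrypted: bool           # protected in transit?
    crosses_boundary: bool    # leaves a trust zone (e.g. internal network -> internet)


@dataclass(frozen=True)
class Store:
    name: str
    data: str
    encrypted_at_rest: bool
    backed_up: bool


# Assumed catalogue: (condition on the flow, threat to record when it holds).
FLOW_THREATS = (
    (lambda f: f.crosses_boundary and not f.encrypted,
     "disclosure or modification of data in transit across the trust boundary"),
    (lambda f: f.crosses_boundary,
     "denial of service from the untrusted side of the boundary"),
    (lambda f: not f.encrypted,
     "disclosure to an insider sniffing the internal network"),
)
STORE_THREATS = (
    (lambda s: not s.encrypted_at_rest,
     "disclosure from stolen or discarded storage media"),
    (lambda s: not s.backed_up,
     "loss of data from hardware failure or ransomware"),
)


def identify_threats(flows, stores):
    """Map each transmission point / storage location to the threats that apply."""
    findings = {}
    for f in flows:
        hits = [threat for cond, threat in FLOW_THREATS if cond(f)]
        if hits:
            findings[f"{f.src} -> {f.dst} [{f.data}]"] = hits
    for s in stores:
        hits = [threat for cond, threat in STORE_THREATS if cond(s)]
        if hits:
            findings[f"store {s.name} [{s.data}]"] = hits
    return findings


# Constructed map for a hypothetical patient portal.
FLOWS = [
    Flow("patient browser", "portal web app", "patient record", encrypted=True, crosses_boundary=True),
    Flow("portal web app", "records DB", "patient record", encrypted=False, crosses_boundary=False),
    Flow("portal web app", "analytics vendor", "usage statistics", encrypted=False, crosses_boundary=True),
]
STORES = [
    Store("records DB", "patient record", encrypted_at_rest=False, backed_up=True),
    Store("file server", "scanned referrals", encrypted_at_rest=True, backed_up=False),
]

if __name__ == "__main__":
    for where, threats in identify_threats(FLOWS, STORES).items():
        print(where)
        for t in threats:
            print("   -", t)
```

The value of doing it this way is completeness rather than cleverness: a flow or store that exists on the map but matches nothing is visible as a gap in the catalogue, which is exactly the "not all threats are identified" failure the methodology warns about.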
4 Risk Assessment
In the risk assessment phase, vulnerabilities will be carefully identified and examined, existing safeguards and controls will be evaluated for their effectiveness in reducing risk, and residual risk will be determined. The risk assessment phase has three steps:
-Identify and evaluate the vulnerabilities
-Identify and evaluate the existing safeguards and controls
-Evaluate the residual risk
In determining risks associated with systems implementation, the consultant would classify the risks depending on the threat likelihood and the magnitude of impact on the business. In consultation with the client, threat likelihood definitions would be derived with associated consequences. (High means the threat-source is highly motivated and sufficiently capable, and controls to prevent the vulnerability from being exercised are ineffective)
The controls selected to mitigate the risk would then be analyzed to ensure the residual risk is at an acceptable level for management. Additional security controls and practices may be identified in the recommendations and carried forward to the Security Design document.
5 Recommendation
Recommendations of additional safeguards and/or controls will be made to reduce the risk to an acceptable level. Whenever a residual risk exceeds the level acceptable under the project stakeholders' risk appetite, additional mitigating safeguards and/or controls will be proposed to the client which, if implemented properly, will further reduce the risk to an acceptable level.
An overall TRA report will then be published in a format prescribed by the client. It will contain the mitigation strategies; these strategies are reviewed with program and I&IT managers for function and acceptability, agreement is obtained on the recommended solutions, and knowledge transfer is provided to the client’s staff.
———————————————————-
[1] The federal government’s Harmonized Threat and Risk Assessment (HTRA) Methodology is a proven and well-recognized methodology for effectively determining risks. A complete copy of the HTRA is available from the RCMP on their web site.
[2] ISO/IEC 27005:2008 Information technology — Security techniques — Information security risk management provides guidelines for information security risk management
Harmonized TRA Methodology (TRA-1)
https://cyber.gc.ca/en/guidance/harmonized-tra-methodology-tra-1
RiskView H-TRA solution automates the Government of Canada Harmonized Threat and Risk Assessment model and helps organizations identify, evaluate, prioritize, and report risks. The model is summarized in the above depiction and explained below. While the solution is dynamic and allows the user to start anywhere, it follows a five step process as outlined below.
Identify Assets (e.g. data, equipment, buildings) and assign a value based on their confidentiality and their impact in terms of financial, legal, privacy, or possible injury to people. Assets are assigned a value from Very Low (1) to Very High (5) based on a threshold that can be changed for an industry or an organization depending on their risk appetite.
Threats to an organization can be external, internal, competitors, foreign governments, natural, or other. The more such threats you identify and list, the better the result of your TRA. Each threat is assigned a value based on its likelihood and impact.
The third step and the most labor intensive step is the vulnerability assessment for each asset, where each vulnerability is assigned a value based on its likelihood and impact. There are many methodologies for identifying vulnerabilities and ranking them. For example, you may use RiskView’s methodology for identifying IT network and application security vulnerabilities as depicted below.
The last step is to calculate the residual risk. The risk calculation and conversion is based on the following formula. The tool helps with the automated calculation of the residual risks: Residual Risk Value = Asset Value [1..5] * Threat Risk [1..5] * Vulnerability Residual Risk [1..5]
Report and Monitor findings. The tool allows for either pre-made PDF reports, or fully customized company Word documents.
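The residual-risk formula above is simple enough to carry through by hand, but the useful part is the bucketing of the 1..125 product back into levels and the ordering of findings for the report. The block below is an added example illustrating that calculation; it is not RiskView's code. The level names and the cut-offs on the product are assumptions (the text says thresholds are tunable to the organization's risk appetite), and the sample findings are constructed.

```python
"""H-TRA style residual risk: asset value x threat x vulnerability, each 1..5 (added example).

The LEVELS names and the THRESHOLDS cut-offs on the 1..125 product are assumptions.
"""
from dataclasses import dataclass

LEVELS = ("Very Low", "Low", "Medium", "High", "Very High")


def score(level: str) -> int:
    """Map a qualitative level to 1..5; an unknown level raises ValueError."""
    return LEVELS.index(level) + 1


@dataclass(frozen=True)
class Finding:
    asset: str
    threat: str
    vulnerability: str
    asset_value: str          # one of LEVELS
    threat_risk: str          # likelihood x impact of the threat, already levelled
    vuln_residual_risk: str   # vulnerability rating after existing safeguards


def residual_risk(f: Finding) -> int:
    return score(f.asset_value) * score(f.threat_risk) * score(f.vuln_residual_risk)


# Assumed cut-offs: (inclusive upper bound on the product, level).
# The bounds are the cubes 2^3, 3^3, 4^3, then 100, so that "all Medium" scores Low
# and only near-maximal products reach Very High.
THRESHOLDS = ((8, "Very Low"), (27, "Low"), (64, "Medium"), (100, "High"), (125, "Very High"))


def risk_level(value: int) -> str:
    for upper, name in THRESHOLDS:
        if value <= upper:
            return name
    raise ValueError(f"residual risk {value} is outside 1..125")


def prioritize(findings):
    """Return (value, level, finding) tuples, highest residual risk first."""
    scored = [(residual_risk(f), risk_level(residual_risk(f)), f) for f in findings]
    return sorted(scored, key=lambda t: t[0], reverse=True)


# Constructed findings for illustration.
SAMPLE = [
    Finding("Patient records DB", "External attacker", "Unpatched web front end",
            "Very High", "High", "Medium"),
    Finding("Public web site", "Hacktivist", "Weak CMS admin password",
            "Low", "Medium", "High"),
    Finding("Office printer", "Malicious insider", "Default SNMP community",
            "Very Low", "Low", "Medium"),
]

if __name__ == "__main__":
    for value, level, f in prioritize(SAMPLE):
        print(f"{value:>3} {level:<9} {f.asset}: {f.threat} via {f.vulnerability}")
```

A multiplicative score compresses badly at the low end (1x1x5 and 5x1x1 both score 5), so when a single factor is Very High it is worth reporting that factor alongside the product rather than letting the level alone drive the decision.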
https://www.h-tra.ca/
Assessing risk: helping the SMB market understand
I remember the first risk assessment I was to complete. It was a messy essay on defining the use of a specific port to allow an application through our firewall. Truthfully, it was downright ugly to get to the point that the port wasn’t vulnerable, and neither was the application. It was LOW risk.
Early Stages
When I did my first risk assessment, I didn’t realize there were methodologies (although nowhere near as mature as today) established by NIST, the RCMP, CSE, and other organizations out there. For some reason, my earlier years were sparse for resources when it came to risk assessments and how to develop them.
After my first risk assessment and getting approval for allowing specific traffic through the firewall, I positioned myself for training. Research this time worked for me.
In 2007 I attended the RCMP Threat and Risk Assessment 2 day course in Ottawa, Ontario. The course was eye-opening. It was an entire methodology laid out with worksheets and examples. It was here where I found out how way off I was in regards to my first assessment.
This is where I learned about Single Loss Expectancy, Annual Rate of Occurrence, and Annual Loss Expectancy. Mathematical functions that help put costs for risk in front of decision makers.
SLE (Single-loss expectancy) = AV (Asset Value) x EF (Exposure factor)
ALE (Annualized Loss Expectancy) = ARO (Annual Rate of Occurrence) x SLE (Single-loss Expectancy)
The instructor for this course was completely honest about these equations as well. He mentioned that Exposure Factor is completely subjective, which makes the entire process subjective. That being said, he mentioned that this is just a framework and like any other framework, you have to decide what works best. As long as you are assessing risk and doing something about it, you are better off than closing your eyes and hoping nothing happens.
After a few examples, modeling threats and mitigation strategies was getting clearer. My early practices still left much to be desired, but having a basic template worked to establish the baseline for creating better templates moving forward. For example, my basic template following the early RCMP templates was not much more than a Risk Register, but it was a start. It allowed me to relay risk information better than essay-type documents that made someone read jargon for two and a half pages without immediate clear context.
Database hosting client information | Stolen by attacker | $100000 | High | High | Ensure Firewall blocks Access | Medium |
Web site | Defaced by Attacker | $600 | Medium | Medium | Have a system to monitor changes and alert | Low |
My biggest problem with this was that this was created in Excel and stayed there. At this point in my career, it didn’t mature much. I had multiple Excel files and stored them for people to view. A very static approach.
A mentor steps in
It was during my transition to work in Toronto where things became clearer on how you can adapt Risk Management frameworks to your organization. I worked with some amazing people and one specific mentor showed me how to present information to different audiences. My main learning outcome was that people like easy explanations, no jargon and especially COLOUR!
From a risk management perspective, I learned from this point on that at any point in a document where risk is High or Critical (I’ll come back to this) the text or highlight must be RED. I think everyone knows why this is a great indicator.
Along with the colouring of the risk levels, this is where I said I would come back to the establishment of risk levels. Weirdly, I was happy to learn that you can add and remove risk levels as they apply to your business. For example:
You can range from Low to High, Very Low to Very High, anything basically.
And now, this is where heat maps started to make sense as well. I am sure most people by now saw a heat map in their lifetimes. Here is a rough example as well;
You can tailor your heat maps to your business and what is important. An SMB might only be doing $1 million in revenues a year, so a heat map that references a $1 billion dollar loss does not address risk appropriately. You also may put numbers to likelihood, or occurrence so you have a clearer definition making it more quantitative versus qualitative.
As you mature as an organization and can afford to spend time developing your heat maps, they may also include various other factors, such as time of impact or time to restore. This is where it is important to understand your risk levels and how much of each square in that grid is relevant to your risk tolerance.
I have worked with many organizations where that grid is static and doesn’t reflect a good tolerance of risk. One example that comes to mind is the Low risk category. A lot of times, organizations see Low risk and assume that no further action is required. That depends on your current controls and your levels; even though it is a Low risk, there is possibly still risk, and further attention may be required. As mentioned below in the comments, be aware of low-risk chaining: multiple Low risk vulnerabilities can combine into a High. An example might be a race condition combined with a privilege escalation that together cross a trust boundary.
It’s all about mitigating risks
Once you have established your heat maps, defining your templates and start getting your processes in place to assess risks, it’s time to mature even further.
Maturing around frameworks
RCMP/CSE harmonized – https://www.cse-cst.gc.ca/en/publication/tra-1
https://www.cse-cst.gc.ca/en/system/files/pdf_documents/tra-emr-1-e.pdf
NIST – http://csrc.nist.gov/groups/SMA/fisma/framework.html
http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-39.pdf
FAIR – http://www.fairinstitute.org/fair-risk-management
OCTAVE – http://www.cert.org/resilience/products-services/octave/
COBIT 5 – https://www.isaca.org/Knowledge-Center/Research/Documents/COBIT-5-Risk_res_Eng_1213.ppt
ISO – https://www.iso.org/standard/43170.html
As you can see, the maturity of risk around various frameworks can be intimidating. The frameworks can be free to access and use, like OCTAVE and the RCMP/CSEC harmonized or behind a paywall like ISO and COBIT.
It’s up to you as an organization to determine how you want to mature. The cookie cutter risk assessment templates are truly just a start, and from there you should customize to ensure your are finding appropriate risk because next is how you determine how money is spent.
Once you figure out your assets, the likelihood, the occurrence, the value, and other risk defining information, you have to figure out what you are going to do with that.
Are there existing controls?
Do you need to spend money on new controls?
Is it worth it to accept, defer or transfer the risk?
As you can see, this where you start expanding the ‘columns’ you need to add to your risk assessment model.
Database hosting client information | Stolen by attacker | $100000 | High | Firewall | High | IPS, HIDS | $5000 | Medium | Implement Controls |
Web site | Defaced by Attacker | $600 | Medium | Limited access | Medium | Tool for monitoring and alerting on changes | $500 | Low | Accept existing risk |
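The SLE/ALE formulas introduced earlier are what turn the "Do you need to spend money on new controls?" question into arithmetic: compare the annual loss a control avoids with what the control costs each year. The block below is an added example working the two register rows above through that comparison; it is not the author's spreadsheet. The dollar figures, exposure factors, occurrence rates and the risk appetite are constructed assumptions (EF and ARO are subjective estimates, as the instructor's caveat noted).

```python
"""SLE / ALE with a control cost-benefit decision (added example).

  SLE = AV x EF          ALE = ARO x SLE
  net benefit of a control = ALE(before) - ALE(after) - annual cost of the control

All figures below are constructed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class RiskEntry:
    asset: str
    threat: str
    asset_value: float       # AV, dollars
    exposure_factor: float   # EF, fraction of AV lost per occurrence (0..1, subjective)
    aro: float               # ARO, expected occurrences per year


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float       # purchase, licence and maintenance amortized per year
    ef_after: float          # EF once the control is in place
    aro_after: float         # ARO once the control is in place


def sle(e: RiskEntry) -> float:
    return e.asset_value * e.exposure_factor


def ale(e: RiskEntry) -> float:
    return e.aro * sle(e)


def ale_with_control(e: RiskEntry, c: Control) -> float:
    return c.aro_after * e.asset_value * c.ef_after


def net_benefit(e: RiskEntry, c: Control) -> float:
    """Annual loss avoided by the control minus what the control costs per year."""
    return ale(e) - ale_with_control(e, c) - c.annual_cost


def decide(e: RiskEntry, c: Control, appetite: float) -> str:
    """Implement when the control pays for itself; otherwise accept if within appetite."""
    if net_benefit(e, c) > 0:
        return "Implement controls"
    if ale(e) <= appetite:
        return "Accept existing risk"
    return "Transfer or defer (control not cost-effective; consider insurance or a cheaper control)"


# Constructed rows mirroring the two register entries in the text.
DB = RiskEntry("Database hosting client information", "Stolen by attacker", 100_000, 1.0, 0.25)
DB_CONTROL = Control("IPS, HIDS", 5_000, 1.0, 0.05)
WEB = RiskEntry("Web site", "Defaced by attacker", 600, 1.0, 0.5)
WEB_CONTROL = Control("Tool for monitoring and alerting on changes", 500, 1.0, 0.1)
APPETITE = 1_000   # assumed: annual loss per risk the business is willing to absorb


def register(appetite: float = APPETITE):
    rows = []
    for e, c in ((DB, DB_CONTROL), (WEB, WEB_CONTROL)):
        rows.append({
            "asset": e.asset, "threat": e.threat,
            "SLE": sle(e), "ALE": ale(e),
            "control": c.name, "cost": c.annual_cost,
            "ALE_after": ale_with_control(e, c),
            "net_benefit": net_benefit(e, c),
            "decision": decide(e, c, appetite),
        })
    return rows


if __name__ == "__main__":
    for r in register():
        print(f"{r['asset']}: ALE ${r['ALE']:,.0f} -> ${r['ALE_after']:,.0f} with "
              f"{r['control']} (${r['cost']:,.0f}/yr): net ${r['net_benefit']:,.0f} "
              f"-> {r['decision']}")
```

With these inputs the database row pays back the IPS/HIDS spend several times over while the website row does not, which matches the "Implement Controls" versus "Accept existing risk" outcomes in the register. The lesson of the instructor's caveat still applies: change EF from 1.0 to 0.2 on the database row and the same control barely breaks even, so the assumptions behind EF and ARO belong in the report next to the numbers.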
Due diligence
So, as you can tell, at this point the model has grown beyond the basic template and it’s time to make it more logical and tactical.
Now it’s your specific preference and how you do your job as a risk assessor, the organizations tolerance for information, how it’s presented and what outcomes are expecting.
My personal preference is to target one system, application or service at a time. This gives me the chance to fully understand the system before getting to the bigger picture. There are a lot of questions to be asked at this stage. Some people hand out a questionnaire template and ask for information back. I like to get Visio diagrams and ask people in person, making notes on how specific systems work to get a visual understanding and logical flow of a system and its assets.
Questions can be so varied, so again, I dislike the cookie cutter approach. It is much easier to tailor questions once you get used to your methodology of choice.
This is a great example of one of those intimidating questionnaires, but a lot of research has gone into it and it gives a great indication of risk profile when doing an assessment.
https://downloads.cloudsecurityalliance.org/assets/research/consensus-assessments/CAIQ_-_v3.0.1-12-05-2016.xlsx
The Cloud Security Alliance is an absolutely amazing resource for providing guidance on assessing cloud based initiatives.
Once you have received the information needed, fill out your template and work with your teams to understand where to spend your time and effort.
To clarify, this approach is more tailored to tactical risk versus organizational risk. It is all up to your maturity model on how you address this. Thought processes work well for certain assessors versus others. For me it was understanding the systems and how they fit into an organization. This allowed me to figure out their true ‘Keys to the Kingdom’. We all know HR, Financial, Intellectual Property, and Consumer information is important but sometimes the value of reputation, brand, or other data can be more important in context.
Other resources:
https://www.sans.org/reading-room/whitepapers/auditing/overview-threat-risk-assessment-76
http://www.isaca.org/chapters3/Atlanta/AboutOurChapter/Documents/Security%20Risk%20Management.pdf
Risk Assessment Software:
FixNix GRC Suite – https://www.fixnix.co/
Archer – https://www.rsa.com/en-us/products/governance-risk-and-compliance.html
SAP GRC – https://www.sap.com/canada/solution/platform-technology/analytics/grc.html
Open IT GRC – http://www.eramba.org/
SimpleRisk – https://www.simplerisk.com/
Implementation challenges, risks and mitigation efforts.
Delivering on our ambitious yet crucial strategy will not be easy. It will take the dedication of all of our employees to ensure our outcomes are achieved. In order to prepare for delivery, this section outlines six key implementation challenges to be considered going forward.
A Corporate Risk Profile has been completed for the RCMP to identify key risks that have both a high chance of occurring and high potential to affect the RCMP and its modernization efforts. The strategic plan and the associated activities and initiatives have been designed to mitigate these risks. For more information refer to the RCMP Corporate Risk Profile.
Recruitment, retention and modernized skillsets.
Risk that the RCMP will be unable to adequately attract and retain diverse groups of employees with the appropriate skills, attributes, characteristics and mindset to police the crimes of the future.
Risk that the RCMP's commitments continue to expand without sufficient resources, impeding its ability to deliver on priorities and core services.
Risk that the RCMP's IT infrastructure, systems and applications will become increasingly inadequate to support the administrative and operational requirements of the organization.
Risk that the RCMP may not have the technology to sufficiently combat the changing nature of crime.
Maximize opportunities to promote and optimize employee wellness as well as support employees who experience stress, trauma or serious injury as a result of the nature of policing work and the environments in which they operate.
Risk that the RCMP's priority setting and business planning are insufficient to support strategic decision-making.
Risk that the RCMP will encounter resistance and obstacles in the realization of transformative efforts to support policing of the future.
Risk that a lack of clear, timely and reliable intelligence and information sharing across jurisdictions will impede the RCMP's ability to effectively investigate crime and take appropriate actions.
Vision150 and Beyond outlines many important activities to focus on over the coming years. Delivering on these activities will lead to highly consequential, positive outcomes for the organization and our stakeholders. That said, doing so will involve challenges that should be considered in advance and mitigated where possible.
Using the Environmental Scan to shape its priority statements and refining these priorities based on the evolving operational environment will ensure that the Strategic Plan remains adaptable and relevant year over year.
Understanding that any given strategic plan is a point-in-time exercise when it is first released, it should be adequately embedded throughout the organization to ensure adherence and adaptability.
Executing the stated priorities expressed in this plan will require sufficient governance oversight, as well as appropriate implementation, ownership and accountability.
Business lines owning and executing priority statements must communicate needs or obstacles early and often to internal collaborators, contract partners and other stakeholders.
Leveraging the RCMP's robust performance measurement frameworks in the Departmental Results Framework (DRF) and the Vision150 Outcome Model, along with associated Benefits Management, will enhance execution and adaptability.
Utilizing the RCMP's 2020 Corporate Risk Profile in execution planning will ensure key corporate risks are addressed and mitigated throughout the modernization mandate.
Law aims to prevent the torture of someone in overseas custody due to the information Canada exchanges.
A federal spy watchdog says a senior RCMP official wrongly considered the importance of a strategic relationship with a foreign organization when deciding whether sharing information posed a risk of torture.
The aim of the Avoiding Complicity in Mistreatment by Foreign Entities Act is to prevent the brutalization of someone in overseas custody due to the information Canada exchanges with agencies abroad.
The RCMP and other federal agencies subject to these provisions must assess the risk of mistreatment and decide whether a risk can be managed.
In a report released Thursday, the National Security and Intelligence Review Agency (NSIRA) strongly cautions against including other considerations, such as fostering strategic relationships, in the assessment of substantial risk.
The intelligence review agency recommended that in cases where an RCMP assistant commissioner disagrees with a committee's recommendation not to share information, the case be automatically referred to the force's commissioner.
The heavily redacted report, the review agency's latest to examine the anti-torture protocol, covers the calendar year 2021.
The watchdog found the RCMP had "a robust framework" in place for the triage and processing of cases pertaining to the law aimed at avoiding complicity.
However, it raised pointed concerns about one case handled by the RCMP's foreign information risk advisory committee, an advisory body to senior management.
Details of the case, including the foreign entity involved, were stripped from the version of the report made public Thursday.
The committee concluded that there was a substantial risk of mistreatment should certain personal information be shared, and said the risk could not be managed by caveats and assurances.
As a result, the committee recommended that the information not be exchanged. It suggested exploration of additional options to reduce the potential risk of torture, so that members could reconsider the case.
However, an assistant RCMP commissioner rejected the committee's recommendation and "allowed the sharing of information," the review agency report says.
The assistant commissioner reasoned, in part, that the RCMP should consider the consequences of not sharing, as this would be detrimental for the relationship, adding that "engagement ... will give insight and influence."
Ultimately, the senior official decided the risk could be mitigated, despite the committee's view to the contrary.
However, federal instructions for implementing the law clearly state that when officials are unable to determine whether the risk can be managed adequately, the matter must go to the RCMP commissioner for a final say.
The intelligence review agency concluded that "this case should have been elevated to the Commissioner for determination."
In a response included with the report, the RCMP disagreed with the call to automatically refer such cases to the commissioner, saying the intelligence review agency had "misinterpreted the roles and responsibilities" of the assistant commissioner with respect to the process.
The RCMP agreed that the decision to share information "should not include external objectives."
But the force added that for the assessment of substantial risk, these external objectives, such as relationship-building, "have been, and will continue to be, important in the totality of the information being considered."
The review agency also found that the RCMP did not have a centralized system of documenting assurances and did not regularly monitor and update the assessment of the reliability of assurances.
In addition, the watchdog notes the Mounties had not developed mechanisms to update country and entity profiles in a timely manner. "In many cases these assessments are more than four years old and are heavily dependent on an aggregation of open source reporting."
In its response, the RCMP said the force "has an established centralized system in place to track caveats and assurances provided by foreign entities."
The RCMP's record management system is where information from any follow-ups conducted with foreign entities — including any concerns about non-compliance with caveats and assurances — is included in respective operational files, the force added.