Thinking threat: TBS tackles risk assessment

By Richard Bray

Weigelt, senior director in the IT Security unit in Treasury Board Secretariat, says the TRA – threat risk assessment – is the cornerstone of certification and accreditation in transaction between government and citizens.

That, he told a workshop at the Lac Carling Congress, is because it establishes the threats, vulnerabilities and safeguards required for the service being provided.

Unfortunately, he conceded, TRAs have not been well received outside the security community.

“Threat risk assessments take time, and business managers often need to roll out programs quickly,” Weigelt said, adding that even TRAs that are conducted in individual departments often have different views on the threat environment.

“We’re all in the same enterprise, so we probably have a lot of the same threat actors within our environment,” he said. “They need to be related to one another.” The TRA was an iterative process that must be continually revisited.

Against this backdrop, Weigelt reported, TBS is developing a common TRA process to help improve the quality of the advice to the business managers and security practitioner alike. Generic risk assessments could provide 50 to 60 per cent reusability.

The process also promises to improve the time required to develop a TRA for a service offering, maintain the currency of the advice and provide a common reference point for all threat info across the government, Weigelt said.

“We would like the departments’ business owners to be able to go someplace online and take a look at what the impact to their environment is in real time, so we have that reasonable result and that recurring assessment.”

The first element of the common TRA is the separation of government services into common business lines. A great deal of work is being done with provinces and municipalities on defining the Government Services Reference Model (GSRM), which is a model for describing the business of government.

The GSRM “defines some common businesses, some common services that governments are in,” Weigelt said. “We want to leverage that model and define some generic service types. Maybe it’s health information self-service, or something that departments can embrace and say, ‘Yeah, that is the business we are in’ – grants and contributions, payment services and so on.”

These common business lines are to help group those services with common threats and provide opportunities for sharing a generic TRA oriented to a specific service. Some 132 transactional services have been mapped to the GSRM, “so that we have an idea of what businesses we are in. . . . From there, we can create a general Statement of Sensitivity.”

In this model, Weigelt said, each service type would be assessed “to look at common classes of assets, functionality and threats and then use those to define a threat risk assessment. Some business managers are struggling with classifying their information by its sensitivity and vulnerability.”

The common TRA process is also looked to for a statement of sensitivity for each service type, based on confidentiality, availability, integrity and dollar value. “Liability is one that is causing us a bit of consternation right now,” Weigelt said. “We are seeing some case law in the States where people are being sued for participation in Denial of Service attacks. . . . Someone has subverted their machine and it has now caused loss of revenue and they are being sued for it. So how do you deal with liability in these cases?”

A common language would define the elements of a TRA. TBS wants to evolve protection profiles from the Common Criteria, away from components like firewalls to a complete end-to-end system view. These Secure Service Profiles are to define the business requirements to allow business managers to take the information and put it directly into an RFP. Using the example of a new funding system, Weigelt showed how a business manager could find many if not most security requirements already generically defined.

“If we are successful, we can pull those Secure Service Profiles from the shelf. If you are doing a funds transfer from Industry Canada, why should it be different from Human Resources Development Canada? Why should it be different for a province or another jurisdiction?”

The major benefit is that the TRA is already done for the program or department. “You may require a delta TRA where the sensitivity of your business differs widely from the generic, but that should be much less effort.”

Another benefit: “The key thing about being able to draw this off the shelf is that you free up your security expertise to help you with your service delivery, to help you with the business requirements, to help you enable those applications. Because TRAs tend to be the big ‘sausage machine.’ You put in the threat, you turn the wheel and out it comes. There is nothing exciting about it. Where the security practitioners want to be is helping enable the business, to help get that service online, to figure out the innovative ways we can deliver that.”

After the Threat Risk Assessment, Weigelt said, comes the broader process of managing risk for a business. The next priority standard under development is a renewed Security Certification and Accreditation Standard, and in that standard, the goal is accrediting business solutions.

“We are mindful of exploits that will occur across channels,” he said. The convenience of finishing a transaction online that was started over the telephone could also be used to conduct malicious activities, he pointed out, “So we really need to look at the business solution writ large – all the elements.”

The ultimate goals are to accredit business solutions; include Threat Risk Assessments, as well as Privacy, Legal and Business Impact Assessments in accreditation; streamline the process for accrediting both internal and external services within the government of Canada; and, provide more detail for shared and common solutions.

“We are trying to get a ‘think piece’ out there for the process, and our departmental engagement has started,” he said.

Work remains to be done before going out to the business manager, he said. “We have purposely not engaged the business manager yet, because we want to make sure that our story line is correct, that we have it down pat.

“Because when you go out to the business manager to talk about security, if you don’t want to get thrown out of the office, you had better have your story straight for that five minute sound bite that you tend to get.”

Richard Bray is an Ottawa journalist who specializes in high technology. A former reporter and producer with the CBC, he is also a former editor of Ottawa Computes. He may be reached at