Threat Risk Assessment (TRA) is the most important undertaking for a company
looking at implementing or enhancing a security protocol for their operations.
Only after a TRA has been performed professionally will senior management be
able to fully identify and assign resources to the issues of concern.
After the World Trade Center attack, many companies were forced
out of business because they could not meet their ongoing obligations.
Files were so severely damaged or destroyed that they just could not continue.
Though extreme, this case highlights the various risks that a company can face.
How fast you recover and continue to maintain your client obligations will
depend on the preparations in place before an incident occurs. A
proactive approach versus a reactive one is far less costly in the end.
TRA concerns can include the following:
- The building
- Paper documents
- Computer data and hardware
- Telephone service
- Computer backup systems
- Internet and email security
- Fire and other life safety issues
- Access to parking areas
- Surrounding property
- Workplace violence and or harassment
After the preliminary interview, management decides which items
they wish to explore and, by working with the security consultant, establish
the scope of work. If life safety issues and telephone services are currently
well taken care or are not placed high on the list, then they receive only a
brief review. Instead, the client may be very concerned about shrinkage and
workplace violence. These would then be the items that would receive the
- Theft of merchandise
- Disgruntled employees
- Breaching of the company's Internet services
- Theft of computer systems, including laptops from
the office, hotel room or from the car
- Flood (Are the backup documents/tapes in a locker
in the basement?)
- Malicious acts of vandalism
- Power failure
A TRA will often raise or revisit issues that may have been
discussed briefly before but were never fully explored, i.e. a bomb threat or
the protection of confidential personnel files.
Planning for the TRA process encompasses establishing the scope
of the project, determining the appropriate methodology, setting the time
frame, identifying the key partners and allocating the resources to perform the
The closing phase of the TRA process will indicate the threats,
the likelihood of them occurring and list the options available along with
preliminary budgets to accomplish the tasks. The recommendations are
intended to improve the security posture of the organization through risk
reduction and provide considerations for business recovery activities, should a
threat cause actual damage.