Objective
The purpose of this Statement of Work (SOW) is to describe the work entailed in conducting a
threat and risk assessment (TRA) of the [name of facility/system]. [Provide a brief description of
the facility/system in the body of the SOW; all suitable plans, schematics and more detailed
material are to be relegated to an annex.] As a minimum, the TRA will include:
2.1 Preparation Phase
2.1.1 General
[Departmental authorities may wish to complete the Preparation Phase[1] before issuing an SOW
for consulting services to conduct the actual TRA. In that case, this section may be omitted from
the SOW. If a contractor is engaged to perform the Initial Planning, however, the SOW should
include a general description of the Initial Planning phase and its deliverables.]
Careful planning is required before initiating a TRA to determine the scope of the assessment,
identify resource requirements and develop a realistic work plan. To achieve these goals, the
contractor must work in close cooperation with the Project Authority (PA), the Technical
Authority (TA), security officials and facility or system managers. The contractor will be provided
with all reference material, listed at Section 4 below, and any other information necessary for the
completion of this task. Information-gathering activities may include interviews with personnel at
various levels of the organization.
[1] Described in Annex A.
Appendix A-5
A5-1
2007-10-23
2.2
2.2.1 General
Once the TRA Work Plan has been approved at the end of the Preparation Phase, the contractor
shall develop four mandatory deliverables to address the four-step TRA process prescribed by the
Government Security Policy (GSP):[3]
[2] Appendix A-6 provides a Sample TRA Work Plan.
[3] Described in the Management Summary.
[4] Described in Annex B.
[5] Appendix B-5 provides a sample Statement of Sensitivity or Asset Valuation Table.
Sample Statement of Work for TRA Consulting Services
a tabular list of real and potential threats that could injure employees or compromise
assets and services within the scope of the assessment;[7] and
an assessment of the likelihood and impact of their occurrence.[8]
Project Management
3.1
The PA for this TRA project is [name, position and telephone number of the overall coordinator
of the TRA project selected in accordance with section 5.4.7 of Annex A].
[6] Described in Annex C.
[7] Appendix C-4 provides a sample Threat Assessment Table.
[8] Appendix C-3 amplifies the measures of likelihood and impact or gravity and their calculation.
[9] Described in Annexes D and E.
[10] Appendix D-4 provides a sample Vulnerability Assessment Table.
[11] Appendix E-2 provides a sample Risk Assessment Table.
[12] Described in Annex F.
[13] Appendix F-3 identifies explicit Safeguard Selection Criteria while Appendix F-2 provides a
Safeguard Listing to support the Recommendations.
[14] Appendix F-5 provides a sample Recommendations Table.
3.2
The TAs for this project are [names, positions and telephone numbers of designated subject
matter experts who will provide technical input to the TRA, including security authorities,
facility managers or systems administrators, and other members of the TRA Team].
3.3 TRA Methodology
The contractor shall employ the Harmonized Threat and Risk Assessment (TRA) Methodology for
this project. [Specify alternatives if applicable.]
3.4 Personnel Qualifications
The contractor shall provide personnel who have solid experience and knowledge of both the
TRA process and the subject of the assessment, normally demonstrated by the successful
completion of at least three previous TRAs on similar [facilities or systems].
3.5 Security Requirements
This SOW is [classified (state level) or categorized (state level)]; the work performed under this
contract will be [security classification]; and the deliverables associated with the completion of
the work detailed in this document will be [security classification]. The contractor analyst(s)
must possess valid security screening to at least the level specified for the work and the
deliverables. [Note: The Statement of Sensitivity identifies the value of employees, assets and
services while the Vulnerability Assessment lists the attributes of an asset or its environment that
may be exploited by threats to cause damage. These are major considerations when assigning a
security category (Classified or Protected) to TRA deliverables. Where the TRA involves
proprietary information from a third party, such as a product vendor, the contractor should be
required to sign an appropriate non-disclosure agreement.]
3.6 Schedule
As stipulated in Section 2.1 [if the contractor is to conduct the Initial Planning], the contractor
shall develop a TRA Work Plan with a detailed schedule showing milestones, critical activities and
dependencies for the completion of the work by [a date specified by the contracting authority].
The contractor shall complete this TRA project within [time frame cited in the TRA Work Plan]
following award of the contract, with intermediate deliverables submitted to the TA and PA in
accordance with the approved TRA Work Plan. [For greater clarity, each of the deliverables and
the associated target dates might be presented in a table or, for a very complex TRA project, a
Gantt chart.]
3.7 Approval of Deliverables
All deliverables will be reviewed for quality and completeness, and signed off by the designated
TAs before proceeding to the next phase of the project. The final TRA report must be approved
by the PA before the contract may be finalized.
3.8 Progress Reporting
The contractor shall provide routine [generally weekly] progress reports to the designated TA.
Verbal progress reports are acceptable. [Where written reports are preferable, specify the format
and content].
3.9 Place of Work
All work shall be conducted at the contractor's place of business, except for interviews with
departmental personnel which shall be coordinated with the designated TA. [If the TRA project
includes sensitive information, ensure that a facility security clearance with document
safeguarding capability to the appropriate level has been specified in section 3.5 above].
3.11 Handover
The contractor shall table the following at a handover meeting arranged by the TA, within two (2)
working days of the satisfactory completion of the project:
a list of all changes to the deliverables in response to comments from the TA and PA;
all final deliverables in [specify format and number of copies]; and
all proprietary information and documents provided to the contractor during the project.
References
Government Security Policy, Treasury Board Secretariat, February 2002.
http://www.tbs-sct.gc.ca/pubs_pol/gospubs/TBM_12A/gsp-psg_e.asp
Operational Security Standard: Asset Identification, Treasury Board Secretariat, Draft.
Operational Security Standard: Business Continuity Planning, Treasury Board Secretariat,
March 2004.
http://www.tbs-sct.gc.ca/pubs_pol/gospubs/TBM_12A/ossbcp-nsopca_e.asp
Operational Security Standard: Management of Information Technology Security, Treasury
Board Secretariat, April 2004.
http://www.tbs-sct.gc.ca/pubs_pol/gospubs/TBM_12A/23RECON_e.asp
Operational Security Standard: Security Risk Management, Treasury Board Secretariat, Draft.
Harmonized Threat and Risk Assessment (TRA) Methodology, Communications Security
Establishment and Royal Canadian Mounted Police, August 2007.
Privacy and Data Protection Policy, Treasury Board Secretariat, December 1993.
http://www.tbs-sct.gc.ca/pubs_pol/gospubs/TBM_128/CHAP1_1_e.asp
Privacy Impact Assessment Guidelines: A Framework to Manage Privacy Risks, Treasury Board
Secretariat, August 2002.
http://www.tbs-sct.gc.ca/pubs_pol/ciopubs/pia-pefr/paipg-pefrld_e.asp
Privacy Impact Assessment Policy, Treasury Board Secretariat, May 2002.
http://www.tbs-sct.gc.ca/pubs_pol/ciopubs/pia-pefr/paip-pefr_e.asp
Risk Management Policy, Treasury Board Secretariat, April 1994.
http://www.tbs-sct.gc.ca/pubs_pol/dcgpubs/RiskManagement/riskmanagpol_e.asp
A Guide to Certification and Accreditation for Information Technology Systems (MG-4),
Communications Security Establishment, January 1996.
http://www.cse-cst.gc.ca/en/publications/gov_pubs/itsg/mg4.html
[Not all of the foregoing references may be necessary for any given TRA. Simply list what is
applicable. Add any other material specific to the subject of the TRA, such as business plans,
design documentation and relevant threat assessments].