
TRA-1 Harmonized Threat and Risk Assessment Methodology

Appendix A-5 - Sample Statement of Work for TRA Consulting Services

1 Objective

The purpose of this Statement of Work (SOW) is to describe the work entailed in conducting a threat and risk assessment (TRA) of the [name of facility/system]. [Provide a brief description of the facility/system in the body of the SOW; all suitable plans, schematics and more detailed material are to be relegated to an annex.] As a minimum, the TRA will include:

- a Statement of Sensitivity (SOS) to identify and categorize relevant assets according to their confidentiality, integrity and availability values based upon the injuries that may reasonably be expected in the event of a compromise;
- an identification of deliberate threats, accidents and natural hazards that might affect these assets adversely with an analysis of the likelihood of occurrence and gravity of impact;
- an assessment of current vulnerabilities, based on an evaluation of existing or proposed security measures and their adequacy;
- an analysis of residual risks for each asset which is vulnerable to specific threats; and
- where assessed residual risks exceed the [Low or Medium] level, a list of recommendations proposing additional safeguards to achieve a [Low or Medium] target risk level with an assessment of their effectiveness and cost.

2 Tasks and Deliverables

2.1 Preparation Phase

2.1.1 General
[Departmental authorities may wish to complete the Preparation Phase [1] before issuing an SOW
for consulting services to conduct the actual TRA. In that case, this section may be omitted from
the SOW. If a contractor is engaged to perform the Initial Planning, however, the SOW should
include a general description of the Initial Planning phase and its deliverables.]
Careful planning is required before initiating a TRA to determine the scope of the assessment,
identify resource requirements and develop a realistic work plan. To achieve these goals, the
contractor must work in close cooperation with the Project Authority (PA), the Technical
Authority (TA), security officials and facility or system managers. The contractor will be provided
with all reference material, listed at Section 4 below, and any other information necessary for the
completion of this task. Information-gathering activities may include interviews with personnel at
various levels of the organization.

[1] Described in Annex A.
Appendix A-5  A5-1  Sample Statement of Work for TRA Consulting Services  2007-10-23


2.1.2 Initial Planning Deliverables

The sole deliverable for the Preparation Phase is a complete TRA Work Plan [2] which includes:

- a clearly stated Aim for the TRA;
- a statement of Scope with a description of the [facility or system] under consideration, its mission and concept of operation, as well as the boundaries of the assessment and any dependencies or interconnections with other [facilities or systems];
- any Limitations or restrictions on the TRA;
- the Target Risk Level accepted by the responsible manager;
- a list of personnel who will participate in the TRA process as Team Members or sources of information;
- all necessary Logistic Arrangements, including security screening and access requirements, travel arrangements, administrative support and other resource requirements;
- a list of Input Documentation and TRA Deliverables; and
- a detailed TRA Schedule listing all major activities, assigned resources, start and completion dates, and any dependencies.

2.2 The Threat and Risk Assessment

2.2.1 General
Once the TRA Work Plan has been approved at the end of the Preparation Phase, the contractor shall develop four mandatory deliverables to address the four-step TRA process prescribed by the Government Security Policy (GSP): [3]

- identifying the employees and assets to be safeguarded in a Statement of Sensitivity;
- determining the threats to employees and assets in Canada and abroad, and assessing the likelihood and impact of threat occurrence;
- assessing risks based on the adequacy of existing safeguards and vulnerabilities; and
- recommending any supplementary safeguards that will reduce the risk to an acceptable level.

2.2.2 Asset Identification and Valuation Phase [4]

In the second phase, the contractor will identify and list employees, assets and services within the scope of the assessment, and assign values for confidentiality, availability and integrity, as appropriate, based upon the injuries that might reasonably be expected in the event of compromise. The results of this analysis shall be presented as a Statement of Sensitivity in a tabular form, the one deliverable for this portion of a TRA project, and fully annotated to justify the findings. [5]

[2] Appendix A-6 provides a Sample TRA Work Plan.
[3] Described in the Management Summary.
[4] Described in Annex B.
[5] Appendix B-5 provides a sample Statement of Sensitivity or Asset Valuation Table.

2.2.3 Threat Assessment Phase [6]

The third phase of a TRA project requires the contractor to identify real and potential threats that could reasonably be expected to affect employees, assets or services adversely. Pertinent threat information should be obtained from departmental security authorities and the responsible lead agencies, specifically CSIS, CSE and the RCMP. Key deliverables for this portion of the TRA comprise:

- a tabular list of real and potential threats that could injure employees or compromise assets and services within the scope of the assessment; [7] and
- an assessment of the likelihood and impact of their occurrence. [8]

2.2.4 Risk Assessment Phase [9]

In the fourth phase of a TRA project, the contractor will deliver an assessment of residual risks to employees, assets and services identified in the second phase arising from threats analyzed in the third phase. The two mandatory deliverables are the Vulnerability Assessment derived from an evaluation of existing or proposed safeguards and their effectiveness, [10] and the Risk Assessment listing all residual risks to employees, assets and services within the scope of the assessment. [11]

2.2.5 Recommendations Phase [12]
Based upon the findings of the Risk Assessment completed in the previous phase, the contractor will propose the addition, modification or removal of safeguards to achieve an acceptable level of residual risk. [13] The projected residual risk, that which remains after the recommendations have been approved and implemented, shall be identified explicitly, as shall the costs of the recommended changes. [14]

3 Project Management

3.1 Project Authority (PA)

The PA for this TRA project is [name, position and telephone number of the overall coordinator
of the TRA project selected in accordance with section 5.4.7 of Annex A].

[6] Described in Annex C.
[7] Appendix C-4 provides a sample Threat Assessment Table.
[8] Appendix C-3 amplifies the measures of likelihood and impact or gravity and their calculation.
[9] Described in Annexes D and E.
[10] Appendix D-4 provides a sample Vulnerability Assessment Table.
[11] Appendix E-2 provides a sample Risk Assessment Table.
[12] Described in Annex F.
[13] Appendix F-3 identifies explicit Safeguard Selection Criteria while Appendix F-2 provides a Safeguard Listing to support the Recommendations.
[14] Appendix F-5 provides a sample Recommendations Table.

3.2 Technical Authorities (TA)

The TAs for this project are [names, positions and telephone numbers of designated subject
matter experts who will provide technical input to the TRA, including security authorities,
facility managers or systems administrators, and other members of the TRA Team].

3.3 TRA Methodology

The contractor shall employ the Harmonized Threat and Risk Assessment (TRA) Methodology for
this project. [Specify alternatives if applicable.]

3.4 Personnel Qualifications

The contractor shall provide personnel who have solid experience and knowledge of both the
TRA process and the subject of the assessment, normally demonstrated by the successful
completion of at least three previous TRAs on similar [facilities or systems].

3.5 Security Requirements

This SOW is [classified (state level) or categorized (state level)]; the work performed under this
contract will be [security classification], and the deliverables associated with the completion of
the work detailed in this document will be [security classification]. The contractor analyst(s)
must possess valid security screening to at least the level specified for the work and the
deliverables. [Note: The Statement of Sensitivity identifies the value of employees, assets and
services while the Vulnerability Assessment lists the attributes of an asset or its environment that
may be exploited by threats to cause damage. These are major considerations when assigning a
security category (Classified or Protected) to TRA deliverables. Where the TRA involves
proprietary information from a third party, such as a product vendor, the contractor should be
required to sign an appropriate non-disclosure agreement.]

3.6 Schedule

As stipulated in Section 2.1 [if the contractor is to conduct the Initial Planning], the contractor
shall develop a TRA Work Plan with a detailed schedule showing milestones, critical activities and
dependencies for the completion of the work by [a date specified by the contracting authority].
The contractor shall complete this TRA project within [time frame cited in the TRA Work Plan]
following award of the contract, with intermediate deliverables submitted to the TA and PA in
accordance with the approved TRA Work Plan. [For greater clarity, each of the deliverables and
the associated target dates might be presented in a table or, for a very complex TRA project, a
Gantt chart.]


3.7 Approval of Deliverables

All deliverables will be reviewed for quality and completeness, and signed off by the designated
TAs before proceeding to the next phase of the project. The final TRA report must be approved
by the PA before the contract may be finalized.

3.8 Progress Reporting

The contractor shall provide routine [generally weekly] progress reports to the designated TA.
Verbal progress reports are acceptable. [Where written reports are preferable, specify the format
and content].

3.9 Place of Work

All work shall be conducted at the contractor's place of business, except for interviews with
departmental personnel, which shall be coordinated with the designated TA. [If the TRA project
includes sensitive information, ensure that a facility security clearance with document
safeguarding capability to the appropriate level has been specified in section 3.5 above.]

3.10 Proprietary Information

All information and documents made available to the contractor during the course of this project
are deemed proprietary, and shall be returned upon completion of the TRA.

3.11 Handover
The contractor shall table the following at a handover meeting arranged by the TA, within two (2) working days of the satisfactory completion of the project:

- a list of all changes to the deliverables in response to comments from the TA and PA;
- all final deliverables in [specify format and number of copies]; and
- all proprietary information and documents provided to the contractor during the project.

Annex A to Sample Statement of Work (SOW)

References:
Government Security Policy, Treasury Board Secretariat, February 2002.
http://www.tbs-sct.gc.ca/pubs_pol/gospubs/TBM_12A/gsp-psg_e.asp
Operational Security Standard: Asset Identification, Treasury Board Secretariat, Draft.
Operational Security Standard: Business Continuity Planning, Treasury Board Secretariat, March 2004.
http://www.tbs-sct.gc.ca/pubs_pol/gospubs/TBM_12A/ossbcp-nsopca_e.asp
Operational Security Standard: Management of Information Technology Security, Treasury Board Secretariat, April 2004.
http://www.tbs-sct.gc.ca/pubs_pol/gospubs/TBM_12A/23RECON_e.asp
Operational Security Standard: Security Risk Management, Treasury Board Secretariat, Draft.
Harmonized Threat and Risk Assessment (TRA) Methodology, Communications Security Establishment and Royal Canadian Mounted Police, August 2007.
Privacy and Data Protection Policy, Treasury Board Secretariat, December 1993.
http://www.tbs-sct.gc.ca/pubs_pol/gospubs/TBM_128/CHAP1_1_e.asp
Privacy Impact Assessment Guidelines: A Framework to Manage Privacy Risks, Treasury Board Secretariat, August 2002.
http://www.tbs-sct.gc.ca/pubs_pol/ciopubs/pia-pefr/paipg-pefrld_e.asp
Privacy Impact Assessment Policy, Treasury Board Secretariat, May 2002.
http://www.tbs-sct.gc.ca/pubs_pol/ciopubs/pia-pefr/paip-pefr_e.asp
Risk Management Policy, Treasury Board Secretariat, April 1994.
http://www.tbs-sct.gc.ca/pubs_pol/dcgpubs/RiskManagement/riskmanagpol_e.asp
A Guide to Certification and Accreditation for Information Technology Systems (MG-4), Communications Security Establishment, January 1996.
http://www.cse-cst.gc.ca/en/publications/gov_pubs/itsg/mg4.html

[Not all of the foregoing references may be necessary for any given TRA. Simply list what is applicable. Add any other material specific to the subject of the TRA, such as business plans, design documentation and relevant threat assessments.]
