Corporate Audit of Security
Final Summary Report
3.2 Risk Management
Risk management is a key element of the federal government’s security program. The GSP prescribes the use of two specific documents to explore and assess the risks affecting a department’s business operations: the Statement of Sensitivity (SOS) and the threat risk assessment (TRA). The SOS summarizes the information requirements of each departmental business line and the extent to which that information must be protected. The TRA identifies the potential threats to departmental operations and assesses the resulting risks. Using a standard TRA process provides a common yardstick regardless of how a department or an organizational unit implements security.
The CIC Security Policy and Procedures Manual outlines the use of the TRA for a physical facility. The application of this policy, however, is not consistent across all areas. In the majority of sites audited, a TRA had not been conducted recently, and the need for, and usefulness of, such an assessment was not generally recognized. Corporate Security developed and provided a simplified TRA tool for local managers, but it is not being used.
The draft Information Technology Security Policy outlines the requirements for an information technology TRA. A threat risk assessment had been prepared for only one-third of the existing computer systems and software used in day-to-day business operations.
The absence of a departmental TRA weakens risk management in the Department. The completion of a corporate level TRA, focusing on corporate level risks, could provide a framework for bringing more detailed analyses down to the regional and site levels.