Threat and Risk Assessment

The Threat and Risk Assessment (TRA) is the primary tool for determining the security risk posture of an organization or system. It is a well-established and mature process in government and in select commercial sectors such as banking and finance. Conducting a TRA in a complex environment is a highly specialized task that requires expert skills. However, in small or even mid-size organizations, most health information professionals can apply the basic principles of the TRA quite successfully. For large organizations or very complex systems, it may be more appropriate to engage expert security resources to conduct a TRA.

The TRA is a logical and structured process that guides the security professional from identifying the assets that may be subject to theft, destruction, unauthorized access and other perils, through to recommendations that reduce the risks to a tolerable level. Like other risk management techniques, it is a management process that gives managers and executives the information needed to make informed choices about the allocation of scarce resources while minimizing risks and maximizing opportunities. While the TRA focuses exclusively on security risk, other risk issues are often identified at the same time.