
For that matter, is TVRA only linked to security?

Can it be used to assess and evaluate any or all situations and, from there, come up with control measures?

schroeder
  • Can you define what TVRA is? If you mean a generic Threat, Vulnerability, and Risk Assessment, then you need to define the scope of the assessment. The scope determines if it includes things like "physical security" – schroeder Oct 12 '18 at 11:15

1 Answer


Yes, it can, and it is actually used for non-technical situations/vulnerabilities.
You can think of TVRA as a multi-layer procedure. There are companies who do this more thoroughly (covering each category/layer); others do it as much as it justifies the costs, the allocated time and the urgency of it (for example, if it is needed for regulations).
Most of the companies do this from a business point of view, not from a cyber-security point of view, even if the control measures that will be defined will be technical. So they take into account everything from who has access into the building, possible software authentication issues, human non-technical mistakes and so on, up to who could steal funds and how. As you said, every situation they can think of, not cyber security threats that apply. I think this is the usual approach. You think about what your assets are (from a business point of view, again), and then, for each of them, you can think about what can go wrong with your process so it would affect that asset in each way it could be affected.
There are other companies as well, usually with more resources, who prefer to go as much in depth as possible and to have a different document for each layer, both technical and non-technical, such as one document for physical security, one for application security, one for network security and so on.

rtsec