The objective of this activity is to define the methodology by which IT security threat and risks will be
assessed across the department. An IT security TRA methodology needs to be defined at this stage, as a
department will use the threat assessment portion when assessing threats to departmental business
activities. In addition, IT projects will use this methodology when performing TRA activities.
The output of this activity is a definition of the departmental IT security TRA methodology.