IT Security Guidance Dashboard

The objective of this activity is to conduct an initial departmental (i.e., organization-wide) IT security
threat assessment that will guide the selection of security controls, and that will be leveraged by IT
projects when implementing information systems1. This activity will identify and qualify threats of
relevance to the in-scope departmental business activities.
From all the potential threats, departments may specify a subset against which it wishes to protect its
business activities. This implies that some threats may have been identified and considered, but were
deemed out-of-scope for various reasons. For example, a department may find that protecting against a
threat would be too costly or too complex, or that the protection would limit too much a business
activity’s supporting functionality. Threat information, including decisions and justification for excluding
specific threats is documented in a departmental threat assessment report.
An organization-wide threat assessment is a useful tool that departments can use to define, deploy,
update, and improve their implemented security controls. The results of an organization-wide threat
assessment, along with departmental business needs for security, provide a good basis for establishing
security control objectives and developing departmental security control profiles.
More focused, domain-specific threat assessment reports may be produced during the development of
departmental security control profiles to document more detailed information concerning threats of
relevance to business domains.