The objective of this activity is to conduct an initial departmental (i.e., organization-wide) IT security
threat assessment that will guide the selection of security controls and that will be leveraged by IT
projects when implementing information systems. This activity identifies and qualifies the threats of
relevance to the in-scope departmental business activities.
From all the potential threats, a department may specify a subset against which it wishes to protect its
business activities. This implies that some threats may have been identified and considered, but were
deemed out of scope for various reasons. For example, a department may find that protecting against a
threat would be too costly or too complex, or that the protection would unduly limit the functionality
that supports a business activity. Threat information, including the decisions and justification for
excluding specific threats, is documented in a departmental threat assessment report.
An organization-wide threat assessment gives departments a basis on which to define, deploy,
update, and improve their implemented security controls. The results of an organization-wide threat
assessment, together with the department's business needs for security, provide a sound basis for
establishing security control objectives and developing departmental security control profiles.
More focused, domain-specific threat assessment reports may be produced during the development of
departmental security control profiles to document more detailed information concerning threats of
relevance to business domains.
Departmental threat assessments are best conducted by multidisciplinary teams with the assistance of the
DSO's office and the lead GC security agencies.
A useful departmental threat assessment needs to assess and document:
• Key departmental business activities;
• The security categories of the departmental business activities;
• IT-related threats of relevance to the departmental business activities; and
• Any general exposures that could affect the business activities (e.g., physical location exposed to
earthquakes) and strategic options to address them.
The key output of this activity is a departmental threat assessment report, which documents the IT
security threats and exposures of relevance to key departmental business activities.