ROM TSIS 2 Risk Assessment

Purpose 

The purpose of a risk assessment in ROM TSIS 2 is to determine the likelihood and magnitude of harm to the information and information processing in ROM TSIS 2. This harm can come from an existing user, unauthorized access, or disruption. The risk assessment must be performed on a yearly basis or when a significant change is made.

Participants

One or more representatives from each of the following teams need to participate to identify risks in ROM TSIS 2:

  • Business

    • Aviation Security (AvSec) 

    • Intermodal Surface Security Oversight

  • Development

    • Team Lead

    • Technical Advisor

    • IT Analyst

Components

With ROM TSIS 2 being a Model-Driven Dynamics 365 app running on the Microsoft Azure Cloud, the following components need to be investigated for any risks: 

| Component | Description |
|---|---|
| Security Roles | These define how different users such as inspectors, managers, application users, and administrators access different types of records. This limits each user to the authorized access necessary to accomplish assigned tasks. |
| User Accounts | These are Transport Canada Microsoft accounts that are allowed to access ROM TSIS 2. |
| Application Users | These are app registrations that are created in Transport Canada’s Microsoft Azure. They have client secrets that are used by other systems to communicate with ROM TSIS 2. |
| Dataverse | This is the database that ROM TSIS 2 uses, which is hosted in the Microsoft Azure Cloud. |
| Power BI Reports | These are reports that reference the ROM TSIS 2 database for analysts. |
| Power Automate | These are automated tasks that impact records in ROM TSIS 2. They are triggered on a schedule or when another process happens. |

Observations

Observations should be noted in an Excel file and submitted to the manager for review and follow up.  Each observation should include: 

  • Azure DevOps PBI – The number of the personal backlog item that was created in Azure DevOps to record and keep track of tasks done to address the risk.

  • Observation – A description of the threat that could be a risk to ROM TSIS 2.

  • Likelihood – The likelihood the threat could happen with the current ROM TSIS 2 setup. (High, Medium, or Low)

  • Impact – The level of impact the threat could have on ROM TSIS 2.

  • Impact Description – A description of exactly what could happen to ROM TSIS 2 if the threat were to be carried out.

  • Actions Required – A description of what needs to be done to reduce or eliminate the threat completely.

  • Performed By – The name of the team responsible for performing the actions required.

Observation Report

The report should follow the template below and must include existing observations that must be inspected on a regular basis. Observations that were not eliminated completely after the required actions were performed must be included in the template below to ensure they are inspected regularly.

| Azure DevOps PBI | Observation | Likelihood | Impact | Impact Description | Actions Required | Performed By |
|---|---|---|---|---|---|---|
| | The TCOMs client secret used to communicate with ROM can expire. | High | High | TCOMs will not be able to create or update Security Incident records in ROM TSIS 2. | Implement a reminder mechanism to notify the developers to generate a new client secret. Then notify TCOMs and have them implement the new client secret. | Development Team |
| | A user who is no longer employed or is now part of another team has access to ROM. | Low | Low | User can have unnecessary access to ROM TSIS 2 and make changes. | Review the list of user accounts that currently have access to ROM and note the accounts that no longer need access. Then tell an Administrator to remove them. | Business Team |
| | An existing user in the wrong security role has unnecessary access to certain records. | Low | Low | User can have unnecessary access to certain records and make changes. | Review the existing security roles and ensure that they allow only the authorized access that users need to accomplish assigned tasks. | Development and Business Team |
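
One way to build the reminder mechanism called for in the first observation, as an added example that is not part of the original assessment or of ROM TSIS 2's own code. It assumes the app registrations have been exported in the Microsoft Graph application shape (passwordCredentials entries with an endDateTime in UTC); the app names, IDs, key IDs and dates below are constructed.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample in the shape Microsoft Graph returns for application
# objects; names, IDs and dates are invented for illustration.
SAMPLE_APPS = [
    {"displayName": "tcoms-to-rom (hypothetical)", "appId": "00000000-0000-0000-0000-000000000001",
     "passwordCredentials": [
         {"keyId": "k1", "displayName": "2023 secret", "endDateTime": "2024-06-10T00:00:00Z"}]},
    {"displayName": "reporting-sync (hypothetical)", "appId": "00000000-0000-0000-0000-000000000002",
     "passwordCredentials": [
         {"keyId": "k2", "displayName": "old", "endDateTime": "2024-05-20T12:30:00.1234567Z"},
         {"keyId": "k3", "displayName": "new", "endDateTime": "2025-05-20T00:00:00Z"}]},
    {"displayName": "no-secrets (hypothetical)", "appId": "00000000-0000-0000-0000-000000000003",
     "passwordCredentials": []},
]

def parse_end(value):
    """Parse a Graph UTC timestamp; drops fractional seconds and the trailing Z."""
    return datetime.strptime(value[:19], "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)

def secret_reminders(apps, now, warn_days=30):
    """Return one finding per secret that is expired or expires within warn_days."""
    horizon = now + timedelta(days=warn_days)
    findings = []
    for app in apps:
        creds = [(c, parse_end(c["endDateTime"])) for c in app.get("passwordCredentials", [])]
        for cred, end in creds:
            if end > horizon:
                continue
            # A later-expiring secret on the same app means rotation has started:
            # the remaining step is getting the consuming system onto the new one.
            replaced = any(other_end > horizon for _, other_end in creds)
            findings.append({
                "app": app["displayName"],
                "keyId": cred["keyId"],
                "days_left": (end - now).days,
                "status": "EXPIRED" if end <= now else "EXPIRING",
                "action": "notify consumer to switch secret" if replaced
                          else "generate new client secret",
            })
    return sorted(findings, key=lambda f: f["days_left"])

if __name__ == "__main__":
    today = datetime(2024, 6, 1, tzinfo=timezone.utc)  # fixed date so output is repeatable
    for f in secret_reminders(SAMPLE_APPS, today):
        print(f"{f['status']:8} {f['days_left']:>4}d  {f['app']}  {f['keyId']}  -> {f['action']}")
```

The two action values mirror the two steps in the Actions Required column: generating the new secret, then having the consuming system adopt it.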