Threat Risk Assessments - What's the real value?
Posted by: Andrew Jefferies
on Mar 02, 2009
So, you've had your vulnerability assessment and you've found out what your issues are. Why would you pay the extra money for a Threat Risk Assessment (TRA)?
The answer depends on what you are trying to accomplish with your assessment. If you simply want to understand what is wrong with your system in technical terms, so that you can make technical fixes, a vulnerability assessment is what you need. If any of the following are among your goals, you should have a TRA performed:
- You need to prioritize the fixes based on impact to your business or costs.
- You need to understand what the risks are to your business processes or information.
- You need to know if your processes or management strategies are sufficient.
- You need to comply with a government or third party standard.
- Your system is complex and the impacts of vulnerabilities are not easily understood.
- You aren't sure whether it is worthwhile fixing a problem or if you should accept it as a risk.
- You need the results stated in terms of business impact.
A TRA is meant to provide you with a holistic analysis of your system that describes:
- The components of the system.
- The importance (sensitivity) of the system and its data or processes.
- Threats to the system.
- Vulnerabilities within the system or that affect the system.
- Mitigation strategies.
- Current (unmitigated) and mitigated (residual) risk ratings, so that you can see what each mitigation actually buys you.
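To make the last three items concrete, here is a small risk register that ties a vulnerability to a component, a threat and a sensitivity, computes a current and a mitigated risk rating, and turns the result into the fix-or-accept decision and the business-impact ordering asked for in the list above. This is an added illustration, not code from the original post or from Bulletproof's methodology; the 1-5 scales, the score = likelihood x impact x sensitivity formula, the rating bands and the risk tolerance are all assumptions made here, and every TRA framework defines its own tables. The findings in `SAMPLE` are constructed for the example.

```python
"""Toy TRA risk register: current vs. mitigated risk, ranked for fix-or-accept.

Added illustration, not code from the original post or from Bulletproof.
The 1-5 scales, the score = likelihood x impact x sensitivity formula, the
band thresholds and the risk tolerance are all assumptions made here; real
TRA frameworks define their own scales and rating tables.
"""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class Mitigation:
    name: str
    likelihood_after: int  # residual likelihood (1-5) once the control is in place
    impact_after: int      # residual impact (1-5) once the control is in place


@dataclass
class Finding:
    component: str         # the system component the finding applies to
    sensitivity: int       # 1-5: importance of the component and its data/processes
    threat: str            # who or what could exploit the weakness
    vulnerability: str     # the weakness itself, as a vulnerability assessment reports it
    likelihood: int        # 1-5: chance the threat exercises the vulnerability
    impact: int            # 1-5: business impact if it does
    mitigations: List[Mitigation] = field(default_factory=list)


# (lower-bound score, rating) pairs, ascending; the thresholds are assumed.
BANDS = [(0, "Low"), (20, "Medium"), (50, "High"), (80, "Critical")]


def risk_score(likelihood: int, impact: int, sensitivity: int) -> int:
    """Assumed scoring model: likelihood x impact, weighted by sensitivity (max 125)."""
    for v in (likelihood, impact, sensitivity):
        if not 1 <= v <= 5:
            raise ValueError("ratings must be on a 1-5 scale")
    return likelihood * impact * sensitivity


def rating(score: int) -> str:
    """Map a numeric score onto the rating band it falls in."""
    label = BANDS[0][1]
    for lower_bound, name in BANDS:
        if score >= lower_bound:
            label = name
    return label


def current_risk(f: Finding) -> int:
    return risk_score(f.likelihood, f.impact, f.sensitivity)


def best_mitigation(f: Finding) -> Optional[Mitigation]:
    """The proposed mitigation that leaves the lowest residual risk, or None."""
    if not f.mitigations:
        return None
    return min(f.mitigations,
               key=lambda m: risk_score(m.likelihood_after, m.impact_after, f.sensitivity))


def mitigated_risk(f: Finding) -> int:
    m = best_mitigation(f)
    if m is None:
        return current_risk(f)
    return risk_score(m.likelihood_after, m.impact_after, f.sensitivity)


def assess(findings: List[Finding], tolerance: int = 25) -> List[dict]:
    """Rank findings by current risk and decide fix-or-accept against a tolerance."""
    rows = []
    for f in sorted(findings, key=current_risk, reverse=True):
        cur, res, m = current_risk(f), mitigated_risk(f), best_mitigation(f)
        if cur <= tolerance:
            decision = "accept"
        elif m is None:
            decision = "no mitigation proposed; escalate"
        elif res <= tolerance:
            decision = "mitigate: " + m.name
        else:
            decision = "mitigate: " + m.name + " (residual still above tolerance)"
        rows.append({"component": f.component, "vulnerability": f.vulnerability,
                     "current": cur, "current_rating": rating(cur),
                     "mitigated": res, "mitigated_rating": rating(res),
                     "decision": decision})
    return rows


# Constructed sample findings; the systems and numbers are made up for the example.
SAMPLE = [
    Finding("internal wiki", 2, "disgruntled employee", "no audit log of page edits", 3, 2),
    Finding("customer database", 5, "external attacker", "SQL injection in search form", 4, 5,
            [Mitigation("parameterised queries plus input validation", 1, 5)]),
    Finding("VPN gateway", 4, "external attacker", "unpatched appliance firmware", 3, 4,
            [Mitigation("apply vendor firmware patch", 1, 4),
             Mitigation("restrict admin interface to management network", 2, 4)]),
]

if __name__ == "__main__":
    for row in assess(SAMPLE):
        print(f"{row['component']:<18} {row['current']:>3} {row['current_rating']:<8} "
              f"-> {row['mitigated']:>3} {row['mitigated_rating']:<8} {row['decision']}")
```

Note what the sensitivity weight does: the same vulnerability on the wiki and on the customer database gets very different ratings, which is the business-impact ordering a raw vulnerability scan cannot give you. The register also shows when a fix is not enough on its own: if the best mitigation still leaves the residual above the tolerance, the row says so, which is the cue to either stack controls or formally accept the remainder.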
When you are procuring TRA services, it is important that your service provider has experience with them and follows a defined process. There are several different TRA frameworks, so make sure you understand which process will be used and what the deliverable will look like. Ask for a sample report so that you know what you will receive before the project starts.
At Bulletproof, depending on the project, we will either use our internal streamlined TRA or the Harmonized TRA Methodology (the Canadian government's Harmonized Threat and Risk Assessment Methodology).
I'll go over the differences in these methods in a later post if there is interest.