Starryone’s Approach to Privacy and Security Assessments:

Although privacy impact assessment (PIA) and threat and risk assessment (TRA) tools examine different aspects of an information system and its data, they share a number of common components. In the context of Information Technology (IT) solutions that handle personal information or personal health information, a TRA examines the actual or proposed security safeguards and assesses the residual risks to the security of that information.


The goals and objectives of our Integrated PIA and TRA methodology include:


Security and Privacy Harmonization 

The goal is to minimize or avoid duplication of work and potential inconsistencies while maintaining a clear distinction between security and privacy objectives. The methodology must align and integrate security and privacy into a single cohesive assessment.

Effective Communication and Consistency 

The report structure and format must facilitate the communication of results to various stakeholders, including senior management, line managers, and technicians. The underlying logic and approach must be simple and easy to use for both technical and non-technical audiences. Where appropriate, to enhance user-friendliness, the fundamental principles, processes, and report structure are illustrated with charts, diagrams, examples, tables, and templates. The methodology supports a common vocabulary for all aspects of privacy and security risk management.

Standards based

The methodology is built upon and supported by existing standards. The TRA component closely follows the TRA methodology approved for use by the Government of Canada (GoC). The PIA component is based both on legal compliance and on the fair information practices expressed in the Canadian Standards Association (CSA) Model Code for the Protection of Personal Information.

Flexibility 

The methodology must be able to accommodate different types and sizes of assets and systems (physical and IT assets, as well as manual processes and service delivery) at a level of detail appropriate to the business objectives. It must support different levels of granularity with a roll-up capability, from finely detailed or tightly focused analyses to broader overviews, depending on the risk environment and the purpose of the assessment.


Our Methodology

Starryone’s approach to providing deliverables, whether TRAs, PIAs, or integrated reports, is to:

Identify a clear accountability framework for the issues found, so that their resolution is incorporated into the roles of the project managers and sponsors.

Identify all relevant privacy and security issues and risks associated with the client initiative.

Provide recommendations on measures to mitigate the privacy and security risks associated with the initiative, whether those risks raise policy or technology issues.


For TRAs, our approach is derived from the Harmonized TRA Methodology, with substantial adjustments to improve readability and simplify its application, and draws on a variety of standards, including ISO/IEC 27001, ISO/IEC 27002, NIST SP 800-53, and applicable government policies. Our assessments can be used to complement IT audit, certification, and IT risk management activities. While employing an integrated approach, Valencia IIP understands that clients may expect separate TRA and PIA reports as deliverables.


Threat and Risk Assessments are a core component of risk management in any organization. They should be applied iteratively: to identify security requirements, to validate that security controls have been implemented effectively, and to assess the significance of changes to the system and their impact on information security. The diagrams below demonstrate how IT Threat and Risk Assessments may be integrated into security risk management.


Starryone’s methodology is described in greater detail in the project plan table below. Preliminary considerations also include:

  • Confirming communications and liaison protocols.
  • Reviewing the context leading up to the project’s inception.
  • Obtaining copies of relevant background documents and identifying other documents to be obtained from the various partners and stakeholders involved in the project.
  • Reviewing and using any relevant work completed to ensure consistency.
  • Confirming the TRA-PIA scope and discussing any desired changes.
  • Confirming the list of proposed interviewees (partners, stakeholders, and other key informants).
  • Discussing any other issues of concern to the Project Authority.