ATIS members, who consist of leading service providers and vendors in the Information and Communications Technology (ICT) industry, have collaborated on a Cybersecurity Ad Hoc. Launched in July 2015, one of the group’s objectives is to create tools and practices to help organizations manage cybersecurity risk in the ICT industry. One outcome of the Cybersecurity Ad Hoc’s work has been to create a process for performing an Architectural Risk Analysis (ARA) on ICT solutions for the purpose of enabling the proactive development of cybersecurity risk management steps for these solutions. This process includes procedures to determine security goals, identify and assess potential risks, and develop proactive steps to mitigate identified risks. The ARA Process explained in this document relies upon industry cybersecurity best practices to support many of the details involved in executing the process. This document also includes an illustrative example of the use of the process for a hypothetical health monitoring device and associated services which are delivered in an ICT service provider-managed context. Finally, some potential areas for additional work are identified to broaden the scope of the ARA Process and to further simplify its application.
Cybersecurity Architectural Risk Analysis Process