Risk management is the process of identifying, assessing, and mitigating threats that can affect an organization. It involves analyzing risks and their potential impacts, developing strategies to minimize harm, and monitoring the results over time.
One way to analyze risk is using a Security Threat and Risk Assessment (STRA) and a Statement of Acceptable Risk (SoAR). CyberBC provides examples of STRAs by allowing BC public sector partners to share sanitized versions of STRAs/SoARs with each other, allowing organizations to share best practices and reduce administrative work.
Risk Register Template (Excel)
Once an STRA is complete, residual risks that still require treatment should be transferred to a risk register, tracked, and followed up on until they are reduced to a level acceptable to the accountable individual.
Broader Public Sector – STRA SoAR Template (Docx)
STRA / SoAR Word template for Broader Public Sector organizations.
STRA Standard (PDF)
The purpose of this standard is to set requirements for efficiently assessing security threats and risks in information systems, defining planned treatments for them, and reporting on them.
STRA Specification (PDF)
Provides guidance on completing a Statement of Acceptable Risk.
Return on Security Investment (ROSI) Calculator (Excel)
A ROSI calculator that can help when assessing security risk and the value of proposed security investments.
Executive Overview
In this quick 15-minute training video we provide an executive overview of how the Province of British Columbia approaches Information Security Risk Management.
What is a security risk?
In this training video we cover the basic concepts of what a security risk is.
Patch Management Course
This course covers what patch management is, why it is required, the OCIO patch standard, its benefits, and who is responsible for what.