Security Threat and Risk Assessment
A Security Threat and Risk Assessment (STRA) must be conducted when developing, implementing major changes to, or acquiring an information system.
The Security Threat and Risk Assessment is a component of overall Risk Management. The STRA pertains to information, whereas the Risk Assessment covers all aspects of a project including equipment, funding, resources, etc.
B.C. Government ISP policy 10.1.1 a) states:
Information Owners must conduct a Security Threat and Risk Assessment and a Privacy Impact Assessment during the requirements phase when developing, implementing major changes to, or acquiring an information system, to:
- Identify the security requirements necessary to protect the information system; and,
- Assign a security classification to the information and the information system.
- The Information Owner must ensure that information system development or acquisition activities are done in accordance with documented requirements, standards and procedures which include:
- Testing the information system to verify that it functions as intended;
- Enforcing change control processes to identify and document modifications or changes which may compromise security controls or introduce security weaknesses; and,
- Using common government processes and services (e.g., authentication, access control, financial management).
For new or significant/major development an STRA must be substantially completed in the Requirements phase. This deliverable would be a completed STRA with as much information as available at that point with a specific focus identifying the security requirements and the security classification.
Once the STRA is approved, Security can issue a new scorecard populated with the approved data to allow for the continuation of the STRA development through the design and build phases.
This is the STRA workflow:
- Initiation Phase: STRA initiated
- Requirements Phase: STRA substantially completed and submitted (Focus: Security requirements and security classification). Upon acceptance scorecard reissued with existing data
- Design Phase: STRA refined
- Build Phase: STRA completion and sign-off
Managers make informed decisions about information security risks that are directly or indirectly under their control as part of their responsibilities. Within the context of risk management, STRAs suggest where to avoid, reduce and accept risk, as well as how to diminish the impact of threatening events, pertaining to information.
- Security Threat and Risk Assessment (STRA) Standard (PDF)
- Office of the Chief Information Officer (OCIO) IM/IT Standards
- Security Standards for Application and Web Development and Deployment (PDF)
- Cryptographic Standards for Information Protection (PDF)
The assessment tool used for all STRAs across government is the Information Security Management and Risk Tool – iSMART.
Completed STRAs reside in a central repository. Collectively, they contribute to our ability to assess our information security posture in order to highlight control areas that need strengthening, as well as the OCIO’s ability to assess the overall information security posture of all of government.
The deliverable for an STRA is a Risk Scorecard, and within the scorecard is a checklist pertaining to security controls. The minimum checklist to be used is based on the ISO 27001 standard, with questions related to 14 control areas (PDF)