Onboarding BC Services Card Authentication Service
The B.C. government Information Security Policy (ISP) improves the safety of information systems and protects people's data in the government's possession. Learn more about the Information Security Policy.
Public sector clients who want to use the BC Services Card Authentication Service to allow people access to online government services must complete the following security requirements as part of the onboarding process.
Key Control Areas Checklist
A self-assessment of potential security risks for the application that is using the BC Services Card for authentication service is required. This assessment includes 23 key security control areas relevant to the BC government information security policy. The Key Control Areas Checklist must be completed, signed, and submitted to the Provincial Identity Information Management (IDIM) Program for review: Key STRA Control Areas Checklist (241KB, docx)
As clients cannot perform their own security testing, IDIM recommends clients obtain testing from a reputable third-party vendor. Clients internal to the B.C. government can get testing from the Information Security Branch Advisory Services. IDIM requires evidence of third-party testing. Once testing is complete, clients must provide a summary of the results for review with a risk management plan to the third-party reviewer.
Types of Testing:
- Dynamic Application Security Test (DAST)
This testing exposes potential risks in the application that will be integrating with BC Services Card Authentication Service. While it is good practice to perform static source code testing as well, please note that it’s optional.
- Penetration Test of Infrastructure
This test tries to find security weaknesses that could be used by criminals to attack the host application framework. A penetration test report will detail impacts and make recommendations for corrective action.
Security Threat and Risk Assessment (STRA) Report
STRAs are a type of assessment used by the BC public service to assess digital risks. This includes any risks found with the checklist and testing. Once the assessment report is completed, clients must submit the STRA to a third-party for review. Clients can use their own or IDIM will provide a template as required.
Statement of Acceptable Risk (SoAR) Report
The SoAR documents all risks identified in the STRA, the risk ratings and improvement plans, and shows that the STRA has been reviewed and accepted. Signing this document acknowledges the risks and the acceptance of the steps to be taken. IDIM will require a copy of the completed and signed SoAR. Clients should use the OCIO standard SoAR Template (90KB, docx)
Third-Party Review of STRA and Testing
The third-party review of the STRA process provides a fair review to ensure completeness. This type of review can be provided by various third parties including OCIO Information Security Branch Advisory Services. IDIM will require the results of this review.
Keeping IDIM Informed
Clients must keep IDIM informed of any security weaknesses discovered during or after onboarding BC Services Card Authentication Service as well as any major changes to the onboarded system.