Security Threat and Risk Assessment

Security Threat and Risk Assessment (STRA) is an umbrella term found in Government of BC policy and standards.  An STRA should be completed for each new system, or significant change to a system.  A Statement of Acceptable Risk (SOAR) constitutes the completion of an STRA.  Conducting a SOAR is the bare minimum required for an STRA (SOAR guideline document here).  The SOAR documents all risks identified in the STRA, their ratings and planned action, and that appropriate reviews and acceptance have occurred.

An assessment process has been published to facilitate the collection of the information required to complete a SOAR successfully.  It is recommended that ministries leverage this process; however, variant processes are acceptable provided that the OCIO Information Security Branch receives completed SOARs of reasonable quality and completeness with no noticeable gaps in due diligence.  STRA processes will encompass the following risk assessment sub-types:

  • Application Security Risk Assessment (ASRA): Focused on applications
  • Cloud Security Risk Assessment (CSRA): Focused on cloud services and assets residing in the cloud
  • Information Security Risk Assessment (ISRA): Focused on services, operating systems, and systems hardware (e.g. servers, workstations, and network appliances)
  • Mobile Security Risk Assessment (MSRA): Focused on mobile devices (e.g. smartphones and tablets) and mobile applications

An illustration of the sub-types of STRA. In particular, CSRA, DSRA, ISRA, and MSRA

A Security Threat and Risk Assessment (STRA) is a risk assessment aimed at identifying exposures.  Within the context of risk management, STRAs identify potential security weaknesses and help determine appropriate action to manage the risks and reduce the impact of threatening events.

STRAs are intended to raise the awareness of risks in an organization to a level at which risk-based decisions can effectively occur on a continuous basis.  STRAs ensure that all information is protected commensurate with its sensitivity, in compliance with the OCIO Information Security Branch, Risk Management Branch, standards, Information Security Policy (ISP), Core Policy, and applicable legislation.

STRAs are mandated by the Office of the Chief Information Officer (OCIO) and are mandatory under the government’s Information Security Policy (ISP).  Information Owners must conduct a Security Threat and Risk Assessment for new and significantly changed assets.

The workflow of STRA iterations prior to the launch of a new asset or significant change into production includes the following stages:

  • Initiation stage: STRA initiated
  • Requirements stage: STRA substantially completed and submitted (Focus: Security requirements and security classification). Upon acceptance, the scorecard is reissued with existing data
  • Design stage: STRA refined
  • Build stage: STRA completion and sign-off

Within the context of risk management, STRAs suggest where to avoid, reduce and accept risk pertaining to information, as well as how to diminish the impact of threatening events.  STRAs are key to empowering management to make informed, risk-based decisions about the information assets that are directly or indirectly under their control as part of their responsibilities.

Government of BC employees can learn more about STRAs and their sub-types on the intranet page for Security Threat and Risk Assessments.