Security Threat and Risk Assessment

What are Security Threat and Risk Assessments (STRA)?

An STRA is the overall activity of assessing and reporting security risks for an information system to help make well informed risk-based decisions. An STRA also documents risk ratings and planned treatments.

How are risks assessed in an STRA? Is there a corporate process for completing STRAs?

Each risk assessed must consider the likelihood to which a threat may leverage a weakness, the potential impact, and an acknowledgement of what this could mean to the organization. The criticality of an information system and security classification of information stored and handled by the system should be reviewed and considered when conducting an STRA. For each risk that is identified, a planned treatment or acceptance must be documented. Risk findings from the STRA activity must be recorded via an OCIO-approved Statement of Acceptable Risks (SoAR) tool.

Click here to review the STRA process.

When must an STRA be conducted?

For new or significantly modified information systems and during planning, development and implementation. A review and updated STRA must be conducted throughout the life of an existing information system for any significant or material change(s) and must also consider any previously identified risks. A review schedule must also be maintained to ensure that STRAs are periodically conducted throughout the life of an information system.

How are STRAs iterated on as a system develops?

The recommended lifecycle of STRA iterations prior to the launch of a new system or significant changes into production includes the following stages: 1) Initiation stage, 2) Requirements stage, 3) Design stage, 4) Build stage, 5) Operational review stage

What is required for an STRA to be considered complete?

At minimum, a SoAR must be reviewed and signed at an appropriate level as defined within an OCIO approved SoAR tool.   All completed and signed SoARs must be submitted to the OCIO’s Information Security Branch. Further information on this topic can be found in the STRA guidelines here.

What is the scope of an STRA?

Performed on any thing which could introduce information security risk to government. The scope is normally focused on Information Systems. An information system can be a collection of manual and automated components that manages a specific data set or information resource. (As defined in CPPM Chapter 12: IM/IT). Ministries are not authorized to accept risks with the potential for government-wide impact, this responsibility resides with the OCIO.

How long does it take to complete an STRA?

It varies and is often achievable in a short amount of time. Timeframes are reasonably commensurate to what is being assessed.   

Do contractors, vendors, and partners of core government need to complete STRAs?

Security requirements for contractors, vendors, and partners to core government are articulated by provisions in contract security schedules.

Do greater public sector entities in British Columbia, external to core government, need to complete STRAs?

It is a strongly recommended and encouraged practice. The Government of BC’s approach to STRAs can act as a good guide for greater public sector entities to model around.

What compels core government to complete STRAs?

Security Threat and Risk Assessment Standard, Information Security Policy (ISP), and Core Policy

Are there any guidelines on how to complete an STRA and SOAR?

Yes, you can find guidelines here.

Where can I find more information on STRAs?