Security Threat and Risk Assessment

Security Threat and Risk Assessment (STRA) is an umbrella term found in Government of BC policy and standards.  STRAs encompass the following risk assessment sub-types:

Cloud Security Risk Assessment (CSRA)

Focused on cloud services and assets residing in the cloud

DevOps Security Risk Assessment (DSRA)

Focused on DevOps

Information Security Risk Assessment (ISRA)

Focused on computer workstations, laptops, servers, applications, web applications and services, databases, network appliances / devices, and embedded systems

Mobile Security Risk Assessment (MSRA)

Focused on mobile devices (e.g. smartphones and tablets) and mobile applications

An illustration of the sub-types of STRA. In particular, CSRA, DSRA, ISRA, and MSRA

A Security Threat and Risk Assessment (STRA) is a risk assessment aimed at identifying exposures.  Within the context of risk management, STRAs identify potential security weaknesses and help determine appropriate action to manage the risks and reduce the impact of threatening events.

 STRAs are intended to raise the awareness of risks in an organization to a level at which risk-based decisions can effectively occur on a continuous basis.  STRAs ensure that all information is protected commensurate with its sensitivity, in compliance with the OCIO Information Security Branch, Risk Management Branch, standards, Information Security Policy (ISP), Core Policy, and applicable legislation.

STRAs are mandated by the Office of the Chief Information Officer (OCIO), and are mandatory as per the government’s Information Security Policy (ISP).  Information Owners must conduct a Security Threat and Risk Assessment for new and significantly changed assets. 

The workflow of STRA iterations prior to the launch of a new asset or significant change into production includes the following stages:

  • Initiation stage: STRA initiated
  • Requirements stage: STRA substantially completed and submitted (Focus: Security requirements and security classification). Upon acceptance scorecard reissued with existing data
  • Design stage: STRA refined
  • Build stage: STRA completion and sign-off

Within the context of risk management, STRAs suggest where to avoid, reduce and accept risk, as well as how to diminish the impact of threatening events, pertaining to information.  STRAs are key to empowering management to make informed risk based decisions about information assets that are directly or indirectly under their control as part of their responsibilities.

Government of BC employees can learn more about STRAs and their sub-types on the intranet page for Security Threat and Risk Assessments.