The primary goal of an STRA is to produce a Statement of Acceptable Risk (SOAR) which documents all risks identified as part of the STRA, their rating, and recommended follow-up action plan. The SOAR ensures that risk assessment information recommended by the primary risk evaluator (e.g. Ministry Information Security Officer) is reviewed and accepted by the accountable individual (e.g. Ministry Chief Information Officer) and is then submitted to the Chief Information Security Officer. This is required for an STRA to be considered complete. A SOAR output is required for each STRA. The OCIO Information Security Branch will store SOAR’s in a central repository for the purpose of providing tracking, follow-up, analytics, and to inform strategic corporate information security and risk management activities and initiatives.
The primary risk evaluator of an STRA should also document residual risks where they require further action, follow-up, and tracking in a risk register.
This work contributes to the Government of BC’s ability to assess its information security posture in order to highlight areas that need strengthening, as well as the OCIO’s ability to assess the overall information security posture and state of all of government.
For questions please contact: InfoSecAdvisoryServices@gov.bc.ca