The primary goal of an STRA is to produce a Statement of Acceptable Risk (SOAR), which documents every risk identified during the STRA, its rating, and the recommended follow-up action plan. The SOAR ensures that the risk assessment findings and recommendations of the Ministry Information Security Officer are reviewed and accepted by the Ministry Chief Information Officer and then submitted to the Chief Information Security Officer; an STRA is not considered complete until this has happened. A SOAR is the minimum required output of an STRA. The OCIO Information Security Branch stores SOARs in a central repository for tracking, follow-up, and analytics, and to inform strategic corporate information security and risk management activities and initiatives.
When following the recommended assessment process, Ministry Information Security Officers should also record any residual risks that require tracking and follow-up in their Ministry Information Security Risk Register (MISRR).
This work supports each ministry's ability to assess its own information security posture and highlight areas that need strengthening, and the OCIO's ability to assess the overall information security posture of government as a whole.
Government of BC employees can learn more about STRAs and their sub-types on the intranet page for Security Threat and Risk Assessments.