The primary goal of an STRA is to document:
- Residual risks
- Accepted risks
These outputs are required for an STRA to be considered complete.
Residual risks are to be logged in the ministry information security risk register (MISRR). Each risk logged in the MISRR is then to be assessed to determine whether it is corporate in nature; a corporate risk is any risk that affects more than one ministry or agency within the Government of BC. Confirmed corporate risks are to be communicated to the OCIO Information Security Branch for possible inclusion in the Corporate Information Security Risk Register (CISRR).
The GCIO requires that a Statement of Acceptable Risk (SoAR) be signed off by the Ministry Chief Information Officer (MCIO) and submitted to the OCIO Information Security Branch for each STRA. The OCIO stores SoARs in a central repository to support follow-up, analytics, and strategic corporate information security and risk management activities and initiatives.
Collectively, these records give each ministry a way to assess its own information security posture and highlight areas that need strengthening, and give the OCIO the information it needs to assess the overall information security posture and state of government as a whole.
Government of BC employees can learn more about STRAs and their sub-types on the intranet page for Security Threat and Risk Assessments.