A SOAR completes the STRA process and is its final artefact. An STRA is conducted for new systems and for systems that are significantly or materially changed, and it must be conducted for all information systems during planning, development and implementation. For an existing information system, the STRA and SOAR must be reviewed and updated throughout the system's life. In addition to other triggers, a review schedule is maintained, and the STRA is reviewed and updated according to that schedule.
An STRA and SOAR are always needed when information technology is used to transmit, handle, or store provincial government data. This applies even when a third party transmits, handles, or stores the data on the Province's behalf: the Province of BC remains accountable for its data.
Security risks need to be considered at every stage of a system’s lifecycle. The Information Security Policy, Information Security Standard, and Security Threat and Risk Assessment Standard define specific triggers and situations for when an STRA should be conducted.
A comprehensive STRA, with its additional detail, evidence, and artefacts, is not always required. The supporting activities for a lite STRA are much faster to work through, and the only artefact required is the SOAR. Depending on the system to be assessed, the Primary Risk Evaluator decides whether a lite or a comprehensive STRA is the right choice.
For questions please contact: InfoSecAdvisoryServices@gov.bc.ca