NRM SDLC - Security

The Government of British Columbia is committed to providing services to citizens that are efficient and secure. Through the adoption of new technologies, the government seeks to provide improved services while maintaining the security of government information assets.

A STRA must be conducted when developing, implementing major changes to, or acquiring an information system.

The Security Threat and Risk Assessment is a component of overall Risk Management. The STRA pertains to information, whereas the Risk Assessment covers all aspects of a project including equipment, funding, resources, etc.

STRAs are mandated by the Office of the Chief Information Officer (OCIO), and are mandatory as per the government’s Information Security Policy (ISP).

BC Government ISP policy 8.1.1 a) states:

Information Owners must conduct a Security Threat and Risk Assessment during the requirements phase when developing, implementing major changes to, or acquiring an information system, to:

  • Identify the security requirements necessary to protect the information system; and,
  • Assign a security classification to the information and information system.

For new or significant/major development a STRA must be substantially completed in the Requirements phase. This deliverable would be a completed STRA with as much information as available at that point with a specific focus identifying the security requirements and the security classification.

Once the STRA is approved, Security can issue a new scorecard populated with the approved data to allow for the continuation of the STRA development through the design and build phases.

This is the STRA workflow:

  • Initiation Phase: STRA initiated
  • Requirements Phase: STRA substantially completed and submitted (Focus: Security requirements and security classification). Upon acceptance scorecard reissued with existing data
  • Design Phase: STRA refined
  • Build Phase: STRA completion and sign-off

Managers make informed decisions about information security risks that are directly or indirectly under their control as part of their responsibilities. Within the context of risk management, STRAs suggest where to avoid, reduce and accept risk, as well as how to diminish the impact of threatening events, pertaining to information.


Other Office of the Chief Information Officer (OCIO) IM/IT Standards that should be considered:

The assessment tool used for all STRAs across government is the Information Security Management and Risk Tool – iSMART.

Completed STRAs reside in a central repository. Collectively, they contribute to our ability to assess our information security posture in order to highlight control areas that need strengthening, as well as the OCIO’s ability to assess the overall information security posture of all of government.


The deliverable for a STRA is a Risk Scorecard (B.C. Government access only), and within the scorecard is a checklist pertaining to security controls. The minimum checklist to be used is based on the ISO 27001 standard, with questions related to 17 control areas (PDF) (B.C. Government access only).

Deliverable Requisite

An STRA is mandatory for all project complexity levels.


There is no sample currently available.