Security Threat and Risk Assessment


Definition

The Security Threat and Risk Assessment (STRA) is a component of overall Risk Management. The STRA pertains to information, whereas the broader Risk Assessment covers all aspects of a project, including equipment, funding, resources, etc.

STRAs are mandated by the Office of the Chief Information Officer (OCIO) under the government's Information Security Policy (ISP) (BC Gov only).

Managers are responsible for making informed decisions about the information security risks that are directly or indirectly under their control. Within the context of risk management, a STRA indicates where to avoid, reduce or accept risk to information, and how to diminish the impact of threatening events.

The objective of a STRA is to determine whether current safeguards or controls are adequate to protect the availability, integrity and confidentiality of information. Where security measures are inadequate, the recommendations are to add, modify or eliminate safeguards or controls; to provide for business continuation measures; and to set implementation priorities.

Roles and Responsibilities

Standards

The OCIO’s IM/IT Architecture & Standards Manual contains the approved Security Threat and Risk Assessment (STRA) Standard (BC Gov only). The standard is effective January 1, 2011, and the assessment tool to be used for all STRAs across government is the Information Security Management and Risk Tool (iSMART). Completed STRAs reside in a central repository. Collectively, they support each ministry's ability to assess its information security posture and highlight control areas that need strengthening, as well as the OCIO’s ability to assess the overall information security posture of government.

The OCIO’s Compliance web site (BC Gov only) contains several key documents regarding STRAs, FAQs on STRAs and on iSMART, and an e-Learning module to help staff understand how to conduct STRAs using iSMART.

Templates

The deliverable for a STRA is a Risk Scorecard, which contains a checklist of security controls. The minimum checklist is based on the ISO 27001 standard, with questions covering 17 control areas. The three scorecards can be found on the Basis of Evaluation (scorecard) Matrix (BC Gov only), which briefly explains each one and links to the individual checklists.

Samples

Due to the sensitive nature of the information recorded in STRAs, samples cannot be published on this site.