Security Threat Risk Assessments

Introducing Security Threat Risk Assessments

Safeguarding sensitive information, ensuring the privacy of data, and staying ahead of potential security threats and risks have never been more critical. The Security Threat Risk Assessment (STRA) service, a collaborative effort among Cybersecurity, Safety & Risk Services and Advanced Research Computing, is in its formative phase. We recognize the dynamic nature of the threat environment and are committed to refining our services to continually meet new and evolving security challenges.

As an objective, PrISM SRS is dedicated to enhancing the existing Privacy Impact Assessment (PIA) and the maturing Security Threat Risk Assessment (STRA) process, with the aim of unifying them into a single, integrated service – the Privacy and Information Security Risk Assessment service (PISRA). At present, the PIA intake process overlooks risk assessments for projects devoid of Personal Information (PI), presenting a critical coverage gap. The PISRA service will address this shortfall by evaluating and assessing risks across all information systems, regardless of their PI content.

Your feedback and experience will play a crucial role in shaping the evolution of this service.

What is an STRA?

A Security Threat Risk Assessment (STRA) is a comprehensive evaluation framework that methodically examines cybersecurity practices, identifies risks, analyzes them in depth, reports findings, and suggests mitigation strategies for an information system. This methodology involves a detailed review of your systems, operational procedures, and data management techniques to pinpoint potential threats and vulnerabilities. The results of an STRA integrate evaluations of the likelihood and impact of security risks. Based on these results, it recommends appropriate security measures to address these risks. The findings from an STRA are crucial for making informed risk-based decisions, enhancing awareness of threats, and ensuring accountability for each identified risk.

Why is an STRA recommended?

The recommendation for conducting STRAs is rooted in their recognition as a critical process control within the UBC Major Risk Register. Additionally, STRAs are advocated for public bodies by the Office of the Information and Privacy Commissioner (OIPC) and the provincial government, underscoring their significance in safeguarding information. The British Columbia Office of the Auditor General (OAG) reinforces this stance by advising UBC to implement STRAs across the entire lifecycle of its information systems, emphasizing the importance of continuous risk assessment and management.

When to Consider an STRA?

Drivers for an STRA include the imperative to safeguard and confirm the security of UBC Systems, and to protect the confidentiality of UBC Electronic Information. An STRA becomes particularly important under the following circumstances:

  • You are deploying new information systems or making substantial modifications to existing ones.
  • Your systems have been compromised by a security incident or have been subject to a data leak.
  • You aim to proactively uncover and mitigate possible security vulnerabilities.
  • There is a need to establish practices that align with data protection principles and meet industry benchmarks for data protection and cybersecurity, thereby maintaining compliance and securing information integrity.

Who Performs an STRA?

PrISM SRS is overseeing the execution of comprehensive STRAs by entering a Master Services Agreement with a vetted selection of security consulting firms. This oversight includes defining the scope of work, contracting, coordinating assessment tasks with project teams, managing the assessment process, ensuring consistency, examining the STRA results, and circulating the findings and recommendations to the appropriate governance levels.

For STRAs for research projects, please refer to Research Cybersecurity and Privacy resources by ARC’s Sensitive Research Team.

Are There Costs for an STRA?

The STRA service offered by PrISM SRS is structured as a cost-recovery initiative, and as such, it includes an associated fee. This fee is used to maintain and enhance the service’s quality and ensure its sustainability.

For STRAs for research projects, please refer to Research Cybersecurity and Privacy resources by ARC’s Sensitive Research Team.

How Can I Initiate an STRA?

For inquiries about the STRA service, further information, or to initiate an assessment, please reach out to us at stra.process@ubc.ca. We look forward to collaborating with you on this critical initiative.

For STRAs for research projects, please refer to Research Cybersecurity and Privacy resources by ARC’s Sensitive Research Team or contact them at arc.support@ubc.ca.