STRA Guidelines for BPS Clients

Provincial IDIM Program

BC Services Card Authentication Service


Document Information

Document title / STRA Guidelines for BPS Clients
Document file name / BPS STRA Guidelines.docx
Revision number / 0.6
Issued by / Identity Information Management (IDIM)
Issue Date / 2015-01-23

Document Contents

1 Background

2 Using the Control Questions

3 STRA Quality Criteria

1 Background

As part of the integration process, every onboarding client must complete a Key STRA Control Areas Checklist and a full Security Threat and Risk Assessment (STRA) for the information system(s) that will connect to the BC Services Card infrastructure.

This supplementary document is provided for the benefit of broader public sector (BPS) onboarding clients that may not be using the BC Government's standard process for performing STRAs. BPS onboarding clients who have an internally defined STRA standard should follow their internal standard.

2 Using the Control Questions

As part of the BC Government's STRA process, every information system must be assessed against a set of "control questions". The control questions are derived from ISO/IEC 27002, the internationally recognized code of practice for information security controls. Responses to the control questions help to ascertain whether the information system being evaluated is built, and will be operated, in line with international security standards and best practices.

An effective approach is to assess the control questions once to cover organizational and personnel issues, and then once more for each component of the information system being assessed. For example, for a simple information system comprised of a web server, an application server, and a back-end database, you would assess the control questions four times: once to address organizational and personnel questions, once for the web server, once for the application server, and once for the database. This lets you focus the inquiry that each control question prompts at a more granular level, which produces a more accurate picture of the security state of your information system. Where a control does not apply to a given component, record it as not applicable and state why, rather than leaving it unanswered; an unanswered question cannot be distinguished from an overlooked one when the STRA is later checked for completeness.


3 STRA Quality Criteria

The following criteria help in judging the completeness of an STRA.

Quality / Your STRA

Methodology /
Does the STRA follow a defined methodology?
Does the STRA measure the application against an industry standard (e.g. ISF, COBIT, ISO)?

Complete coverage /
Is the target of evaluation well defined?
Are all components, systems, and processes related to the target of evaluation in scope for the STRA?
Are in-scope and out-of-scope items clearly expressed?

Complete responses /
Is there a defined list of controls that were reviewed?
If so, are all control questions answered?

Findings logged /
Are findings recorded?
Is the potential impact or severity of each finding recorded?
An STRA with no findings, or with only a few low-severity findings, should be treated with suspicion and the coverage and responses re-examined.

Action items or a remediation plan /
A remediation plan should be documented, either attached to the STRA or in a separate document. The remediation plan should include target dates for closing each finding.
