SECTION A – TRACKING INFORMATION
Assessment Reference Number: <#> / Business Owner: <FULL NAME & TITLE>
System name: <SYSTEM NAME> / Primary Risk Evaluator: <FULL NAME & TITLE>
Branch & Division: <BRANCH & DIVISION> / Start Date of Risk Assessment: <DATE>
Ministry: <MINISTRY> / End Date of Risk Assessment: <DATE>
Contains Sensitive or Personal Information? <NO / YES> / Critical System? <NO / YES>
SECTION B – REQUIREMENT
Risk assessments are required by policy and must be performed for each new system and material change to an existing system. The Statement of Acceptable Risk (SOAR) constitutes completion of a Security Threat and Risk Assessment (STRA). The SOAR documents all STRA risks, their ratings and planned action, and that appropriate reviews and acceptance have occurred. The Ministry Information Security Officer works with appropriate lines-of-business to document relevant risks in Section C of this form. This form is then submitted to the Ministry Chief Information Officer for review and acceptance. The form is then submitted to the Chief Information Security Officer for the risk assessment to be complete.
SECTION C – RISK ASSESSMENT TABLE
If more rows are needed, copy from an existing row to keep drop-downs.
RISK REF # / RISK NAME / PRIMARY RISK TYPE / RISK RATING / ACTION PLAN / SHORT DESCRIPTION
Instruction (PRIMARY RISK TYPE): Choose the type that most closely matches the risk.
Instruction (ACTION PLAN): Select a plan type.
<SELECT TYPE> / <SELECT RATING> / <SELECT PLAN>
<SELECT TYPE> / <SELECT RATING> / <SELECT PLAN>
<SELECT TYPE> / <SELECT RATING> / <SELECT PLAN>
<SELECT TYPE> / <SELECT RATING> / <SELECT PLAN>
<SELECT TYPE> / <SELECT RATING> / <SELECT PLAN>
<SELECT TYPE> / <SELECT RATING> / <SELECT PLAN>
<SELECT TYPE> / <SELECT RATING> / <SELECT PLAN>
SECTION D – ACCEPTANCE
Note on approvals:
Please use a digital signature or print and sign below. If your ministry uses eApprovals this is an acceptable method to document the required approvals on this form in lieu of signatures. Attach a copy of the eApproval when submitting to the Chief Information Security Officer. To be complete, the SOAR requires three signatures.
Signing below constitutes your recommendation of this SOAR to the Ministry Chief Information Officer.
Signature: /
Name: / <ENTER FULL NAME>
/ Date: <DATE>
Signing below constitutes acceptance of the risks in Section C, their ratings, and action plans.
Signature: /
Name: / <ENTER FULL NAME>
/ Date: <DATE>
Submit this signed form as an attachment to the OCIO Information Security Branch at the following email address: or via the Information Security Risk Management SharePoint site. Once submitted, the CISO will sign to acknowledge receipt.
FOR OFFICE USE ONLY
Signing below acknowledges receipt of the SOAR. This marks the completion of the risk assessment.
Signature: /
Name: / <ENTER FULL NAME>
/ Date: <DATE>
Any questions regarding this form can be directed to: