STRA Control Areas Checklist


Provincial IDIM Program

BC Services Card Identity Assurance Service

Key Security Threat and Risk Assessment

(STRA)

Control Areas Checklist

Table of Contents

1 Key STRA Control Areas

1.1 Origin of the Key Control Areas questions

1.2 How to Respond to Each Control

2 Key STRA Control Areas Checklist

3 Sign-Off

1  Key STRA Control Areas

The Provincial IDIM Program requires all Onboarding clients connecting to the BC Services Card service to complete the checklist contained in this document. Our Onboarding Team will review the responses and will work with you should the responses not meet minimum acceptable levels.

Onboarding clients still have a responsibility to complete a full Security Threat and Risk Assessment (STRA) as a condition of connecting to Provincial IDIM Authentication Services. Onboarding clients who do not use the Government's standard STRA process can refer to the STRA Guidelines for BPS Clients document for additional information that may be of assistance.

1.1  Origin of the Key Control Areas questions

The BC Government has implemented government-wide information security policies. These policies are designed to enhance the security of government information systems and protect sensitive data that is in the government’s possession. The BC Government’s Information Security Policy (ISP) is modeled on the standard ISO 27002 which provides an internationally recognized framework for information security policies.

To validate whether information systems comply with the ISP, the government requires all new or changed information systems to go through an STRA process. This is a structured process that asks the information owner to identify the criticality of the information system, the harm that would be caused to the government if the information system were impacted by a security breach, and to confirm how well the information system conforms to the ISP. The latter part is accomplished by providing a list of requirements from the ISP and a set of recommendations for how to test compliance with each requirement; it is up to the information owner to assess and report their compliance.

The key controls provided in this document are a checklist of what the Provincial IDIM Program considers to be the most important controls from the security requirements as they relate to the ISP. There is a supplementary Key STRA Control Areas Checklist that Broader Public Sector (BPS) clients are required to complete and submit; see the STRA Guidelines for BPS Clients document.

1.2  How to Respond to Each Control

Each of the key controls listed below has a field for your status response. The status response is a single number or letter as explained in the reference table below. Controls with weak scores will require a more detailed discussion with the Onboarding Team.

STATUS RESPONSE OPTION / DESCRIPTION
1 / Controls have been tested and comply with the stated standard
2 / Controls comply with the stated standard
3 / Controls partially comply with the stated standard; more work is needed
4 / Controls do not comply with the stated standard
N / We believe that the stated standard does not apply in our case
X / Current status is not known

\\Sfp.idir.bcgov\s177\S7743\Program Development\Onboarding Website Doc Repository\3 - PROD\Key STRA Controls Checklist 20161103.docx

6


2  Key STRA Control Areas Checklist

Please provide your Status Response from your iSmart STRA scorecard assessment for each item in this list. Information provided will be held in strict confidence and will be used for the purpose of integration with the BC Services Card Authentication Service.

☐ / CONTROL SECTION / CONTROL HEADINGS / YOUR STATUS RESPONSE (1-4, N, X)
☐ / CO.2.6 / CO.2.5 - Segregation of duties / ______
☐ / CO.3.12 / CO.3.11 - Information security awareness, education and training / ______
☐ / CO.4.4 / CO.4.3 - Inventory of assets / ______
☐ / CO.4.14 / CO.4.13 - Classification of information[1] / ______
☐ / CO.5.4 / CO.5.3 - Access control policy / ______
☐ / CO.5.36 / CO.5.35 - Access control to program source code / ______
☐ / CO.6.4 / CO.6.3 - Policy on the use of cryptographic controls / ______
☐ / CO.7.6 / CO.7.5 - Physical entry controls / ______
☐ / CO.8.10 / CO.8.9 - Separation of development, testing and operational environments / ______
☐ / CO.8.14 / CO.8.13 - Controls against malware / ______
☐ / CO.8.22 / CO.8.21 - Event logging / ______
☐ / CO.8.36 / CO.8.35 - Management of technical vulnerabilities / ______
☐ / CO.9.8 / CO.9.7 - Segregation in networks / ______
☐ / CO.10.12 / CO.10.11 - Secure development policy / ______
☐ / CO.10.16 / CO.10.15 - Technical review of applications after operating platform changes / ______
☐ / CO.10.20 / CO.10.19 - Secure system engineering principles / ______
☐ / CO.10.22 / CO.10.21 - Secure development environment / ______
☐ / CO.10.24 / CO.10.23 - Outsourced development / ______
☐ / CO.10.26 / CO.10.25 - System security testing / ______
☐ / CO.12.12 / CO.12.11 - Response to information security incidents / ______
☐ / CO.13.6 / CO.13.5 - Implementing information security continuity / ______
☐ / CO.14.10 / CO.14.9 - Privacy and protection of personally identifiable information / ______
☐ / CO.14.16 / CO.14.15 - Independent review of information security / ______


3  Sign-Off

By signing below you agree that you:
·  Have completed the checklist with true and accurate answers;
·  Understand that unsatisfactory responses may result in delays to on-boarding;
·  Understand that the checklist provided is not a substitute for completing a full STRA;
·  Understand that as a condition of integrating with the BC Services Card Authentication Service, the Provincial IDIM Program requires assurance from you that a complete STRA has occurred;
·  Understand that if your service changes significantly you must fill out and re-submit a new instance of this checklist to the Provincial IDIM Program Onboarding Team.
o  Note: The expectation is that you will also update your STRA; ministries are required to do this by policy.

Signed on behalf of Onboarding client

______

Full Name, Position, and Organization (PRINTED)

______

Signature

______

Date

Submit your completed checklist to


[1] ISCFramework.pdf