Security threat and risk assessment


University Systems provides security threat and risk assessments (STRA) to university faculty, staff, departments, and units on request.

The purpose of a security threat and risk assessment is to determine whether network devices and network-hosted applications are maintained in accordance with UVic’s Information Security Policy (IM7800).

Security threat and risk assessments can be part of a project, a major system or application deployment, or an operational process. Both one-time scans and scheduled automated scans can be requested.

The objective of a security threat and risk assessment is to identify security risks to UVic infrastructure, information, or systems. The deliverable of this service is a report of findings with recommended remediation actions.

Process and Steps

The high-level steps of the STRA process include:

  1. Request initiated (see Request/Report Template)
  2. Develop assessment scope, plan, and schedule 
  3. Conduct assessment
    • Review security plan, documentation, controls
    • Conduct vulnerability scans
    • Perform Threat Analysis
    • Identify Risks
  4. Risk Mitigation and Recommendations
  5. Report/Results and completion

Tools and Services Utilized

This service uses automated network scanners to enumerate network systems and devices and identify known security vulnerabilities. The scanners are updated regularly so that the latest vulnerability information is incorporated and detected when scanning. The current suite of network scanners includes the Nessus Vulnerability Scanner and nmap, supplemented by manual testing and verification where appropriate.

This service uses automated web application security and vulnerability scanners that search for software vulnerabilities within web applications. These tools check a website's applications for common security problems such as cross-site scripting, SQL injection, server and application misconfigurations, and remote command execution vulnerabilities. They also check for vulnerabilities in your web server, proxy, web application server, and web services. The current suite of web application security and vulnerability scanners includes the Acunetix Web Vulnerability Scanner and Burp Suite, supplemented by manual testing and verification where appropriate.

Who can use this service?

  • Faculty
  • Staff
  • Departments

How do I request or access this service?

Send an email explaining what you would like to scan (the Request/Report Template may be used). A member of the Information Security Office will review your request and develop a test plan. Testing is normally performed against a development or pre-production version of your service to minimize the chance of service disruption.

What is the cost for this service?

This service is provided free of charge.

When is this service available?

The Information Security Office is open 8:30am to 4:30pm, Monday to Friday.

How do I get help with this service?

Contact the Computer Help Desk for help with this service:

Telephone: 250-721-7687
In person: Clearihue A037