This practice is intended for use by Sector Information Security Officers (SISOs), CISO or other security practitioners to help them understand Sector/Ministry IT security risks and conduct Security Threats and Risks Assessments (STRAs) in a timely manner as new projects are initiated. This practice provides an overview of the relationship between these three vectors (vulnerabilities, threats and controls/safeguards) as they relate to IT security risks.