
Microsoft Security Assessment Tool Light (MSAT Light)

This mini Microsoft Security Assessment Tool is designed to assist you with identifying and addressing security risks in your computing environment. The tool employs a holistic approach to measuring security strategy by covering topics across people, process, and technology. Findings are coupled with recommended mitigation efforts, including links to more information for additional guidance if needed. These resources may assist you in learning more about the specific tools and methods that can help increase the security of your environment. The questions are a subset of the full MSAT toolkit.

There are three assessments that define the full Microsoft Security Assessment Tool:

  • Business Risk Profile Assessment
  • Defense in Depth Assessment (UPDATED)
  • Mid-Market Security Core Infrastructure Operations Assessment (NEW)

The questions identified in the survey portion of the tool and the associated answers are derived from commonly accepted best practices around security, both general and specific. The questions and the recommendations that the tool offers are based on standards such as ISO 17799 and NIST-800.x, as well as recommendations and prescriptive guidance from Microsoft’s Trustworthy Computing Group and additional security resources valued in the industry.

1. Does your company maintain a full-time connection to the Internet?
2. Does your company deploy anti-virus solutions throughout the environment on both the server and desktop levels?
3. Does your company host application services, such as a portal or a Web site, for external customers?
4. Does your organization allow employees or contractors to connect remotely to the internal corporate network?
5. Is wireless connectivity to the network available?
6. Do controls exist to enforce password policies on various types of accounts?
7. Do you have a user account management process (creation, deletion, change control)?
8. Does your organization have formal incident response procedures?
9. Does your company incorporate security into your initial software and hardware deployment processes?
10. Do you feel you have adequate physical security?
11. Aside from backup tapes/media, does your organization have a tested backup and recovery
12. Does your company develop applications for internal or external use?
13. Does your organization restrict access to information by users based on their role?
14. Is logging enabled in the environment to record events on hosts and devices, and are the logs reviewed regularly or regular reports sent out?
15. Does a change and configuration management process exist?
16. Does your organization use management tools for tasks such as alerts and patching / updating?
17. Do you have an individual or group in your company that is responsible for security?
18. Does your organization perform security assessments of the environment through independent third-parties?
19. Does your organization incorporate security considerations into your human resources processes?
20. Does a security awareness program exist at your company, including acceptable use policies, etc.?





©2009 Microsoft Corporation. All rights reserved.