Updated: June 16, 2005
Understanding the Business Value of Security: The Checklist
1. Follow a sound information risk management process.
To develop proactive security initiatives, you need to understand the current security position of your organization.
• If you haven’t already, conduct a security audit. Be sure to identify your assets; determine the probability of attacks and the potential for data loss based on your existing infrastructure; and determine the acceptable level of risk within your organization. Refer to the prescriptive guidance in Microsoft's Security Risk Management Guide (SRMG) for more details on risk assessment.
• Quantify the likelihood and cost of security incidents in your organization. Your key objective here is to use a consistent, tested process for quantifying risk. Many organizations use the Annual Loss Expectancy (ALE) formula. ALE combines the cost of the damage with the probability that the loss will occur to assess potential losses. If you want to learn more about ALE and other quantitative methods of assessing security risks, take a look at the Survey of Security Risk Management Practices in Chapter 2 of the SRMG.
• Cultivate top-down support for your security initiatives. You must have the support and commitment of top-level executives in your organization to implement a proactive security plan. That means learning how to communicate the value of security in terms they understand. Think about the business objectives of your organization, and position your security initiatives in those terms. Typical business drivers include IT operations, cost reductions, productivity increases, increased asset protection, mandatory legislative or regulatory compliance, and competitive pressures.
Chapter 3 of the SRMG provides additional guidance on how to communicate the business value of your security projects to key stakeholders.
2. Measure the Life Cycle Value of investments in security solutions.
Again, you need to use a consistent process for expressing the value of security investments. One simple way to quantify the value of security investments is to measure the Total Cost of Ownership (TCO) against the Total Life Cycle Benefits (TLB).
• To determine the TCO, calculate the cost of your initial technology investment, the deployment, maintenance, and operations costs, and staff training expenses.
• To determine the TLB, start with the revenue that security expenditures might generate through new business enablement.
• Next, look at the direct cost savings in reduced technical support, reduced network traffic, streamlined application development, and elimination of unnecessary infrastructure.
• Finally, look at the indirect cost savings; that is, the way security investments can benefit your business through increased productivity, improved regulatory compliance, and risk reduction.
For more information about how to measure the life-cycle value of investments, see a PDF of Jonathon Gossel’s article "Quantifying the Value of Security Investments."
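The ALE calculation from step 1 and the TCO-versus-TLB comparison from step 2 are easier to reason about when carried through on a concrete risk register. The following Python is an added worked example, not part of the original checklist, the SRMG, or the cited article. It uses the standard quantitative form ALE = SLE × ARO (single loss expectancy times annualized rate of occurrence) and treats a control's risk reduction as the fraction of each threat's ALE it removes; all dollar figures, threat names, and the "patch management service" control are constructed for illustration.

```python
from dataclasses import dataclass, field


@dataclass
class Threat:
    name: str
    sle: float  # Single Loss Expectancy: cost of one incident, in dollars
    aro: float  # Annualized Rate of Occurrence: expected incidents per year

    def ale(self) -> float:
        """Annual Loss Expectancy = SLE x ARO (standard quantitative form)."""
        if self.sle < 0 or self.aro < 0:
            raise ValueError(f"{self.name}: SLE and ARO must be non-negative")
        return self.sle * self.aro


@dataclass
class Control:
    name: str
    initial_cost: float   # technology purchase
    annual_cost: float    # deployment, maintenance, operations, training per year
    years: int            # life cycle over which TCO and TLB are compared
    reduction: dict = field(default_factory=dict)  # threat name -> fraction of its ALE removed
    annual_direct_savings: float = 0.0  # e.g. fewer support calls, less network traffic
    annual_new_revenue: float = 0.0     # business enablement

    def __post_init__(self):
        # A control cannot remove more than 100% of a threat's expected loss
        for name, frac in self.reduction.items():
            if not 0.0 <= frac <= 1.0:
                raise ValueError(f"{self.name}: reduction for {name} must be in [0, 1]")


def total_ale(threats):
    return sum(t.ale() for t in threats)


def total_cost_of_ownership(control):
    return control.initial_cost + control.annual_cost * control.years


def annual_risk_reduction(threats, control):
    # Indirect benefit: the slice of each threat's ALE the control is expected to remove
    return sum(t.ale() * control.reduction.get(t.name, 0.0) for t in threats)


def total_lifecycle_benefit(threats, control):
    per_year = (control.annual_new_revenue
                + control.annual_direct_savings
                + annual_risk_reduction(threats, control))
    return per_year * control.years


def net_benefit(threats, control):
    return total_lifecycle_benefit(threats, control) - total_cost_of_ownership(control)


def return_on_investment(threats, control):
    tco = total_cost_of_ownership(control)
    return net_benefit(threats, control) / tco if tco else float("inf")


# Constructed sample risk register (illustrative figures, not from any study)
THREATS = [
    Threat("malware outbreak", sle=50_000, aro=2.0),
    Threat("laptop theft",     sle=20_000, aro=0.5),
    Threat("web app breach",   sle=400_000, aro=0.1),
]

# Constructed candidate investment: a centralized patch management rollout
PATCHING = Control(
    "patch management service",
    initial_cost=60_000, annual_cost=25_000, years=3,
    reduction={"malware outbreak": 0.6, "web app breach": 0.25},
    annual_direct_savings=15_000,
)

if __name__ == "__main__":
    for t in THREATS:
        print(f"{t.name:20s} ALE = ${t.ale():>10,.0f}")
    print(f"Total ALE   = ${total_ale(THREATS):,.0f}")
    print(f"TCO ({PATCHING.years} yrs) = ${total_cost_of_ownership(PATCHING):,.0f}")
    print(f"TLB ({PATCHING.years} yrs) = ${total_lifecycle_benefit(THREATS, PATCHING):,.0f}")
    print(f"Net benefit = ${net_benefit(THREATS, PATCHING):,.0f}")
    print(f"ROI         = {return_on_investment(THREATS, PATCHING):.1%}")
```

Keeping the per-threat reduction fractions explicit is what makes the result defensible to executives: each benefit line traces back either to a direct saving or to a named threat whose ALE was estimated in the risk assessment, so the figures can be revisited in step 6 once real incident counts are known.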
There are a number of strategic areas where you can achieve tremendous business value from a proactive security plan. The final steps in our checklist this month provide guidance in three of these areas.
3. Identify a Cost-effective Patch Management Strategy.
Updating software with the latest patches takes time and costs money. Patch Management can be a significant part of your TCO, but there are things you can do to reduce those costs. In a Microsoft-commissioned study on patch management, Wipro identified several best practices for making patch management more efficient and cost-effective.
• First, standardize on two or fewer operating systems. We believe you’ll achieve better operational efficiencies and increased security on the Windows platform. In a survey of 90 organizations, Wipro found that managing security updates for Windows Server 2003 cost 13 percent less than patching open-source software. They also found that open-source systems, when faced with high-level, critical vulnerabilities, are at risk longer than comparable Windows systems.
• Second, use efficient technology to reduce the complexity of the update experience. Microsoft now offers a consistent, integrated, and reliable set of technologies to help you roll out updates more quickly with minimal costs incurred as a result of lost productivity, regressions, or attacks. Windows Server Update Services, together with the Microsoft Update Catalog, can help you assess, control, and automate the deployment of Microsoft software updates for Windows, Office, Exchange, and SQL Server. With these update services, you can better secure your environment and minimize downtime for a direct cost savings. I’ll talk more about these and other updating technologies later in the webcast.
For more information about implementing an effective patch management strategy, see Streamlining Patch Management.
4. Identify a Cost-effective Client Security Strategy.
• Consider standardizing and updating all your client operating systems to Microsoft Windows XP Professional Service Pack 2 (SP2). This can reduce overall support costs and provide a more secure environment. Wipro discovered that removing clients that are three years or older from your installed base can reduce the failure rate of updates and patches by up to a third. Law firm Holland and Knight, for example, found that Windows XP SP2 enabled them to better enforce organizational security policies on user IDs, user passwords, and screen-saver passwords.
• Be sure to deploy Windows XP SP2 on all your desktops and laptops. Windows XP SP2 helps to reduce critical vulnerabilities and makes the Windows operating system more resilient to attack. Our research shows that systems running Windows XP SP2 are less likely to be affected by costly malicious software attacks. This means customers running Windows XP SP2 have less pressure to patch and may decrease help desk expenditures related to attack recovery.
• To help streamline testing and reduce deployment costs, download the Windows Application Compatibility Toolkit. Version 4.0 includes the latest support for Windows XP SP2.
Learn more about how Windows XP SP2 can support your security strategy.
5. Identify a Cost-effective Identity Management Strategy.
The administrative costs and security risks associated with poor identity management can be prohibitive. Provisioning users across multiple identity stores is a time-consuming activity, and it can result in lost productivity when users can’t get timely access to the resources they need. Password resets are another costly expenditure. Gartner estimates that help desks spend up to 30 percent of their time on password resets, and each reset can cost an organization $57 or more. You can increase security and decrease overhead costs for your organization with the right login and password management tools.
• If you haven’t already, deploy Active Directory in Windows Server 2003 to consolidate your identity infrastructure. Active Directory helps you to manage and administer your Windows user accounts, security policies, and enterprise resources, and it enables you to provide your users with more secure, granular access to the resources they need to do their jobs.
• Use Microsoft Identity Integration Server to integrate and synchronize identity information across disparate directory services such as Active Directory and Novell eDirectory, and across applications like PeopleSoft and SAP. This integration can reduce complexity and the risk of security breaches through rogue or compromised user accounts.
For more information about identity management, take a look at May’s webcast, Managing Access in the Extended Enterprise.
6. Track Your Security Efforts.
For each security initiative, you should measure actual cost benefit against projected cost benefit. With your patch management strategy, for example, establish processes to track your efforts and map those process results against company and industry benchmarks. Be sure to create and distribute performance reports on a regular basis. Your ability to show improvement and demonstrate the business value of your security investments will help to ensure funding for future security initiatives.
Microsoft’s Security Risk Management Guide is a great reference to support these ongoing activities.
For more information on each of these steps, visit Security360.