Security360 October Webcast—Information Risk Management: The Checklist

Updated: October 18, 2004

Information Risk Management: The Checklist

1. Prepare Your Organization

•	Ensure executive sponsorship.
•	Define scope.
•	Clearly identify all stakeholders.
•	Provide authority to conduct activities.

2. Assess Risk

•	Identify and classify organizational assets.
•	Estimate asset exposure and probability of threats.
•	Prioritize risks using a consistent and repeatable process.

3. Conduct Decision Support

•	Define functional requirements.
•	Identify control solutions.
•	Review solutions against requirements.
•	Estimate risk reduction.
•	Estimate solution costs.
•	Select risk mitigation strategy.

4. Implement Controls

For guidance with delivering new controls, we recommend you refer to the Microsoft Solutions Framework and Microsoft Operations Framework.

5. Measure Program Effectiveness

Establish and maintain a security risk scorecard.

Related Resources

•	Microsoft Learning Security Resources Use these resources to stay up to date with the latest network security measures.

•	Windows Update Services Sign up for the open evaluation program.

•	Microsoft Security Risk Management Guide Download an essential guide to help plan and build security projects.

•	SMS Support and Guidance Understand how the new enterprise scanning tool works with SMS.