TechNet Home > TechNet Security > Library > Compliance and Policies

Security Risk Management Guide

Chapter 3: Security Risk Management Overview

Published: October 15, 2004 | Updated: March 15, 2006

This chapter is the first in this guide to provide a full summary of the Microsoft security risk management process. After this overview, the chapter discusses several topics that will assist readers as they implement the process. These topics help provide a solid foundation for a successful security risk management program and include:

•	Distinguishing risk management from risk assessment.
•	Communicating risk effectively.
•	Evaluating the maturity of your current risk management practices.
•	Defining roles and responsibilities.

It is also important to note that risk management is only one part of a larger governance program for corporate leadership to monitor the business and make informed decisions. While governance programs vary widely, all programs require a structured security risk management component to prioritize and mitigate security risks. The Microsoft security risk management process concepts may be applied to any governance program to help define and manage risks to acceptable levels.

The Four Phases of the Microsoft Security Risk Management Process

Chapter 2, "Survey of Risk Management Practices," introduced the Microsoft security risk management process and defined risk management as an ongoing process with four primary phases:

1.	Assessing Risk. Identify and prioritize risks to the business.
2.	Conducting Decision Support. Identify and evaluate control solutions based on a defined cost-benefit analysis process.
3.	Implementing Controls. Deploy and operate control solutions to reduce risk to the business.
4.	Measuring Program Effectiveness. Analyze the risk management process for effectiveness and verify that controls are providing the expected degree of protection.

This four-part risk management cycle summarizes the Microsoft security risk management process and is also used to organize content throughout this guide.

Before defining specific practices within the Microsoft security risk management process, however, it is important to understand the larger risk management process and its components. Each phase of the cycle contains multiple, detailed steps. The following list outlines each step to help you understand the importance of each one in the guide as a whole:

•

Assessing Risk phase

•	Plan data gathering. Discuss keys to success and preparation guidance.
•	Gather risk data. Outline the data collection process and analysis.
•	Prioritize risks. Outline prescriptive steps to qualify and quantify risks.

•

Conducting Decision Support phase

•	Define functional requirements. Define functional requirements to mitigate risks.
•	Select possible control solutions. Outline approach to identify mitigation solutions.
•	Review solution. Evaluate proposed controls against functional requirements.
•	Estimate risk reduction. Endeavor to understand reduced exposure or probability of risks.
•	Estimate solution cost. Evaluate direct and indirect costs associated with mitigation solutions.
•	Select mitigation strategy. Complete the cost-benefit analysis to identify the most cost effective mitigation solution.

•

Implementing Controls phase

•	Seek holistic approach. Incorporate people, process, and technology in mitigation solution.
•	Organize by defense-in-depth. Organize mitigation solutions across the business.

•

Measuring Program Effectiveness phase

•	Develop risk scorecard. Understand risk posture and progress.
•	Measure program effectiveness. Evaluate the risk management program for opportunities to improve.

The following figure illustrates each phase and its associated steps.

Figure 3.1: The Microsoft Security Risk Management Process
See full-sized image

Subsequent chapters in this guide describe, in sequence, each phase in the Microsoft security risk management process. There are several preliminary things to consider, however, before beginning your execution of this process.

Level of Effort

If your organization is relatively new to risk management, it may be helpful to consider which steps in the Microsoft security risk management process typically require the most effort from the Security Risk Management Team. The following figure, based on risk management activities conducted within Microsoft IT, shows relative degrees of effort throughout the process. This perspective may be helpful when describing the overall process and time commitment to organizations that are new to risk management. The relative levels of effort may also be helpful as a guide to avoid spending too much time in one point of the overall process. To summarize the level of effort throughout the process, the figure demonstrates a moderate level of effort to gather data, a lower level for summary analysis, followed by high levels of effort to build detailed lists of risks and conduct the decision support process. For an additional view of tasks and associated effort, refer to the sample project schedule in the Tools folder, SRMGTool4-Sample Project Schedule.xls. The remaining chapters in this guide further describe each step shown below.

Figure 3.2: Relative Level of Effort During the Microsoft Security Risk Management Process
See full-sized image

Laying the Foundation for the Microsoft Security Risk Management Process

Before beginning a security risk management effort, it is important to have a solid understanding of the foundational, prerequisite knowledge and tasks of the Microsoft security risk management process, which include:

•	Differentiating between risk management and risk assessment.
•	Clearly communicating risk.
•	Determining your organization's risk management maturity.
•	Defining roles and responsibilities for the process.

Risk Management vs. Risk Assessment

As Chapter 2 discussed, the terms risk management and risk assessment are not interchangeable. The Microsoft security risk management process defines risk management as the overall process to manage risk to an acceptable level across the business. Risk assessment is defined as the process to identify and prioritize risks to the business. As outlined in the previous diagram, risk management is comprised of four primary phases: Assessing Risk, Conducting Decision Support, Implementing Controls, and Measuring Program Effectiveness. Risk assessment, in the context of the Microsoft security risk management process, refers only to the Assessing Risk phase within the larger risk management cycle.

Another distinction between risk management and risk assessment is the frequency of initiation of each process. Risk management is defined as an ongoing cycle, but it is typically re-started at regular intervals to refresh the data in each stage of the management process. The risk management process is normally aligned with an organization's fiscal accounting cycle to align budget requests for controls with normal business processes. An annual interval is most common for the risk management process to align new control solutions with annual budgeting cycles.

Although risk assessment is a required, discrete phase of the risk management process, the Information Security Group may conduct multiple risk assessments independent of the current risk management phase or budgeting cycle. The Information Security Group may initiate them anytime a potentially security-related change occurs within the business, such as the introduction of new business practices, or discovered vulnerabilities, changes to the infrastructure. These frequent risk assessments are often referred to as ad-hoc risk assessments, or limited scope risk assessments, and should be viewed as complementary to the formal risk management process. Ad-hoc assessments usually focus on one area of risk within the business and do not require the same amount of resources as the risk management process as a whole. Appendix A, "Ad-Hoc Assessments," outlines and provides an example template of an ad-hoc risk assessment.

Table 3.1: Risk Management vs. Risk Assessment

	Risk Management	Risk Assessment
Goal	Manage risks across business to acceptable level	Identify and prioritize risks
Cycle	Overall program across all four phases	Single phase of risk management program
Schedule	Ongoing	As needed
Alignment	Aligned with budgeting cycles	N/A

Communicating Risk

Various people involved in the risk management process often define the term risk differently. In order to ensure consistency across all stages of the risk management cycle, the Microsoft security risk management process requires that everyone involved understand and agree upon a single definition of the term risk. As defined in Chapter 1, "Introduction to the Security Risk Management Guide," risk is the probability of an impact occurring to the business. This definition requires the inclusion of both an impact statement and a prediction of when the impact may occur, or, in other words, probability of impact. When both elements of risk (probability and impact) are included in a risk statement, the process refers to this as a well-formed risk statement. Use the term to help ensure consistent understanding of the compound nature of risk. The following diagram depicts risk at this most basic level.

Figure 3.3: Well-Formed Risk Statement
See full-sized image

It is important that everyone involved in the risk management process understand the complexity within each element of the risk definition. Only with a thorough understanding of risk will the business be able to take specific action when managing it. For example, defining impact to the business requires information about which asset is affected, what kind of damage may occur, and the extent of damage to the asset. Next, to determine the probability of the impact occurring, you must understand how each impact may occur and how effective the current control environment will be at reducing the probability of the risk.

Using terms defined in Chapter 1, "Introduction to the Security Risk Management Guide," the following risk statement provides guidance in demonstrating both elements of impact and the probability of impact:

Risk is the probability of a vulnerability being exploited in the current environment, leading to a degree of loss of confidentiality, integrity, or availability, of an asset.

The Microsoft security risk management process provides the tools to consistently communicate and measure the probability and degree of loss for each risk. The chapters in this guide walk through the process to establish each component of the well-formed risk statement to identify and prioritize risks across the business. The following diagram builds upon the basic risk statement discussed previously to show the relationships of each element of risk.

Figure 3.4: Components of the Well-Formed Risk Statement
See full-sized image

To help communicate the extent of impact and the degree of probability in the risk statement, the Microsoft security risk management process begins prioritizing risk by using relative terms such as high, moderate, and low. Although this basic terminology simplifies the selection of risk levels, it does not provide sufficient details when you conduct a cost-benefit analysis to select the most efficient mitigation option. To address this weakness of the basic qualitative approach, the process provides tools to generate a detailed level comparison of risks. The process also incorporates quantitative attributes to further aid the cost-benefit analysis for selecting controls.

A common pitfall of risk management disciplines is that they often do not consider the qualitative definitions such as high, moderate, and low risks to the business. Many risks will be identified in your security risk management program. Although the Microsoft security risk management process provides guidance to consistently apply qualitative and quantifiable risk estimates, it is the Security Risk Management Team's responsibility to define the meaning of each value in specific business terms. For example, a high risk to your business may mean a vulnerability occurring within one year, leading to the loss of integrity of your organization's most important intellectual property. The Security Risk Management Team must populate the definitions of each element of the well-formed risk statement. The next chapter provides prescriptive guidance on defining risk levels. It should assist you in defining risk levels for your unique business. The process simply facilitates the exercise, helping to achieve consistency and visibility throughout the process.

Determining Your Organization's Risk Management Maturity Level

Before an organization attempts to implement the Microsoft security risk management process, it is important that it examines its level of maturity with regard to security risk management. An organization that has no formal policies or processes relating to security risk management will find it extremely difficult to put all aspects of the process into practice at once. Even organizations with some formal policies and guidelines that most employees follow fairly well may find the process a bit overwhelming. For these reasons, it is important that you make an estimate of your own organization's maturity level. If you find that your organization is still relatively immature, than you may want to introduce the process in incremental stages over several months, perhaps by piloting it in a single business unit until the cycle has been completed several times. Having demonstrated the effectiveness of the Microsoft security risk management process through this pilot program, the Security Risk Management Team could then slowly introduce it to other business units until the entire organization is using it.

How do you determine the maturity level of your organization? As part of Control Objectives for Information and Related Technology (CobiT), the IT Governance Institute (ITGI) includes an IT Governance Maturity Model. You may want to acquire and review CobiT for a detailed method for determining your organization's level of maturity. The Microsoft security risk management process summarizes elements used in CobiT and presents a simplified approach based on models also developed by Microsoft Services. The maturity level definitions presented here are based on the International Standards Organization (ISO) Information technology—Code of practice for information security management, also known as ISO 17799.

You can estimate your organization's level of maturity by comparing it to the definitions presented in the following table.

Table 3.2: Security Risk Management Maturity Levels

Level	State	Definition
0	Non-Existent	Policy (or process) is not documented, and previously the organization was unaware of the business risk associated with this risk management. Therefore, there has been no communication on the issue.
1	Ad-Hoc	It is clear that some members of the organization have concluded that risk management has value. However, risk management efforts are performed in an ad-hoc manner. There are no documented processes or policies and the process is not fully repeatable. Overall, risk management projects seem chaotic and uncoordinated, and results are not measured and audited.
2	Repeatable	There is awareness of risk management throughout the organization. The risk management process is repeatable yet immature. The process is not fully documented; however, the activities occur on a regular basis, and the organization is working toward establishing a comprehensive risk management process with senior management involvement. There is no formal training or communication on risk management; responsibility for implementation is left to individual employees.
3	Defined Process	The organization has made a formal decision to adopt risk management wholeheartedly in order to drive its information security program. A baseline process has been developed in which there are clearly defined goals with documented processes for achieving and measuring success. Additionally, some rudimentary risk management training is available for all staff. Finally, the organization is actively implementing its documented risk management processes.
4	Managed	There is a thorough understanding of risk management at all levels of the organization. Risk management procedures exist, the process is well defined, awareness is broadly communicated, rigorous training is available, and some initial forms of measurement are in place to determine effectiveness. Sufficient resources have been committed to the risk management program, many parts of the organization are enjoying its benefits, and the Security Risk Management Team is able to continuously improve its processes and tools. There is some use of technological tools to help with risk management, but many if not most risk assessment, control identification, and cost-benefit analysis procedures are manual.
5	Optimized	The organization has committed significant resources to security risk management, and staff members are looking toward the future trying to ascertain what the issues and solutions will be in the months and years ahead. The risk management process is well understood and significantly automated through the use of tools (either developed in-house or acquired from independent software vendors). The root cause of all security issues is identified, and suitable actions are taken to minimize the risk of repetition. Training across a range of levels of expertise is available to staff.

Organizational Risk Management Maturity Level Self Assessment

The following list of assessments offers a more rigorous way to measure your organizational maturity level. The topics elicit subjective responses, but by honestly considering each of them you should be able to determine how well prepared your organization is for implementation of the Microsoft security risk management process. Score your organization on a scale of 0 to 5, using the previous maturity level definitions as a guide.

•	Information security policies and procedures are clear, concise, well-documented, and complete.
•	All staff positions with job responsibilities involving information security have clearly articulated and well understood roles and responsibilities.
•	Policies and procedures for securing third-party access to business data are well-documented. For example, remote vendors performing application development for an internal business tool have sufficient access to network resources to effectively collaborate and complete their work, but they have only the minimum amount of access that they need.
•	An inventory of Information Technology (IT) assets such as hardware, software, and data repositories is accurate and up-to-date.
•	Suitable controls are in place to protect business data from unauthorized access by both outsiders and insiders.
•	Effective user awareness programs such as training and newsletters regarding information security policies and practices are in place.
•	Physical access to the computer network and other information technology assets is restricted through the use of effective controls.
•	New computer systems are provisioned following organizational security standards in a standardized manner using automated tools such as disk imaging or build scripts.
•	An effective patch management system is able to automatically deliver software updates from most vendors to the vast majority of the computer systems in the organization.
•	An incident response team has been created and has developed and documented effective processes for dealing with and tracking security incidents. All incidents are investigated until the root cause is identified and any problems are resolved.
•	The organization has a comprehensive anti-virus program including multiple layers of defense, user awareness training, and effective processes for responding to virus outbreaks.
•	User provisioning processes are well documented and at least partially automated so that new employees, vendors, and partners can be granted an appropriate level of access to the organization's information systems in a timely manner. These processes should also support the timely disabling and deletion of user accounts that are no longer needed.
•	Computer and network access is controlled through user authentication and authorization, restrictive access control lists on data, and proactive monitoring for policy violations.
•	Application developers are provided with education and possess a clear awareness of security standards for software creation and quality assurance testing of code.
•	Business continuity and business continuity programs are clearly defined, well documented, and periodically tested through simulations and drills.
•	Programs have commenced and are effective for ensuring that all staff perform their work tasks in a manner compliant with legal requirements.
•	Third-party review and audits are used regularly to verify compliance with standard practices for security business assets.

Calculate your organization's score by adding the scores of all of the previous items. Theoretically, scores could range from 0 to 85; however, few organizations will approach either extreme.

A score of 51 or above suggests that the organization is well prepared to introduce and use the Microsoft security risk management process to its fullest extent. A score of 34 to 50 indicates that the organization has taken many significant steps to control security risks and is ready to gradually introduce the process. Organizations in this range should consider rolling out the process to a few business units over a few months before exposing the entire organization to the process. Organizations scoring below 34 should consider starting very slowly with the Microsoft security risk management process by creating the core Security Risk Management Team and applying the process to a single business unit for the first few months. After such organizations demonstrate the value of the process by using it to successfully reduce risks for that business unit, they should expand it to two or three additional business units as feasible. Continue to move slowly, though, because the changes introduced by the process can be significant. You do not want to disrupt the organization to such a degree that you interfere with its ability to effectively achieve its mission. Use your best judgment in this regard—every system that you leave unprotected is a potential security and liability risk, and your own knowledge of your own systems is best. If you think that it is urgent to move quickly and to disregard the suggestion to move slowly, do that.

You should carefully consider which business unit to use for the pilot programs. Questions to consider relate to how important security is to that business unit, where security is defined in terms of the availability, integrity, and confidentiality of information and services. Examples include:

•	Is the security risk management maturity level of that business unit above average when compared to the organization?
•	Will the owner of the business unit actively support the program?
•	Does the business unit have a high level of visibility within the organization?
•	Will the value of the Microsoft security risk management process pilot program be effectively communicated to the rest of the organization if successful?

You should consider these same questions when selecting business units for expansion of the program.

Note The (U.S.) National Institute for Standards and Technology (NIST) provides a Security Self Assessment Guide for Information Technology Systems that may be useful to help determine your maturity level; see http://csrc.nist.gov/groups/SMA/fisma/documents/Status-of-NIST-SP-800-26_v2.pdf.

Defining Roles and Responsibilities

The establishment of clear roles and responsibilities is a critical success factor for any risk management program due to the requirement for cross-group interaction and segregated responsibilities. The following table describes the primary roles and responsibilities used throughout the Microsoft security risk management process.

Table 3.3: Primary Roles and Responsibilities in the Microsoft Security Risk Management Process

Title	Primary Responsibility
Executive Sponsor	Sponsors all activities associated with managing risk to the business, for example, development, funding, authority, and support for the Security Risk Management Team. This role is usually filled by an executive such as the chief security officer or chief information officer. This role also serves as the last escalation point to define acceptable risk to the business.
Business Owner	Is responsible for tangible and intangible assets to the business. Business owners are also accountable for prioritizing business assets and defining levels of impact to assets. Business owners are usually accountable for defining acceptable risk levels; however, the Executive Sponsor owns the final decision incorporating feedback from the Information Security Group.
Information Security Group	Owns the larger risk management process, including the Assessing Risk and Measuring Program Effectiveness phases. Also defines functional security requirements and measures IT controls and the overall effectiveness of the security risk management program.
Information Technology Group	Includes IT architecture, engineering, and operations.
Security Risk Management Team	Responsible for driving the overall risk management program. Also responsible for the Assessing Risk phase and prioritizing risks to the business. At a minimum, the team is comprised of a facilitator and note taker.
Risk Assessment Facilitator	As lead role on the Security Risk Management Team, conducts the data gathering discussions. This role may also lead the entire risk management process.
Risk Assessment Note Taker	Records detailed risk information during the data gathering discussions.
Mitigation Owners	Responsible for implementing and sustaining control solutions to manage risk to an acceptable level. Includes the IT Group and, in some cases, Business Owners.
Security Steering Committee	Comprised of the Security Risk Management Team, representatives from the IT Group, and specific Business Owners. The Executive Sponsor usually chairs this committee. Responsible for selecting mitigation strategies and defining acceptable risk for the business.
Stakeholder	General term referring to direct and indirect participants in a given process or program; used throughout the Microsoft security risk management process. Stakeholders may also include groups outside IT, for example, finance, public relations, and human resources.

The Security Risk Management Team will encounter first-time participants in the risk management process who may not fully understand their roles. Always take the opportunity to provide an overview of the process and its participants. The objective is to build consensus and highlight the fact that every participant has ownership in managing risk. The following diagram, which summarizes key participants and shows their high-level relationships, can be helpful in communicating the previously-defined roles and responsibilities and should provide an overview of the risk management program.

To summarize, the Executive Sponsor is ultimately accountable for defining acceptable risk and provides guidance to the Security Risk Management Team in terms of ranking risks to the business. The Security Risk Management Team is responsible for assessing risk and defining functional requirements to mitigate risk to an acceptable level. The Security Risk Management Team then collaborates with the IT groups who own mitigation selection, implementation, and operations. The final relationship defined below is the Security Risk Management Team's oversight of measuring control effectiveness. This usually occurs in the form of audit reports, which are also communicated to the Executive Sponsor.

Figure 3.5: Overview of Roles and Responsibilities Used Throughout the Microsoft Security Risk Management Process
See full-sized image

Building the Security Risk Management Team

Before starting the risk assessment process, do not overlook the need to clearly define roles within the Security Risk Management Team. Because the risk management scope includes the entire business, non-Information Security Group members may request to be part of the team. If this occurs, outline clear roles for each member and align with the roles and responsibilities defined in the overall risk management program above. Investing in role definition early reduces confusion and assists decision making throughout the process. All members on the team must understand that the Information Security Group owns the overall process. Ownership is important to define because Information Security is the only group that is a key stakeholder in every stage of the process, including executive reporting.

Security Risk Management Team Roles and Responsibilities

After assembling the Security Risk Management Team, it is important to create specific roles and to maintain them throughout the entire process. The primary roles of the Risk Assessment Facilitator and the Risk Assessment Note Taker are described below.

The Risk Assessment Facilitator must have extensive knowledge of the entire risk management process and a thorough understanding of the business, as well as an understanding of the technical security risks that underlie the business functions. He or she must be able to translate business scenarios into technical risks while conducting the risk discussions. As an example, the Risk Assessment Facilitator needs to understand both the technical threats to and vulnerabilities of mobile workers and the business value of such workers. For example, customer payments will not be processed if a mobile worker cannot access the corporate network. The Risk Assessment Facilitator must understand scenarios such as these and be able to identify the technical risks and potential control requirements, such as mobile device configuration and authentication requirements. If possible, select a Risk Assessment Facilitator who has performed risk assessments in the past and who understands the overall priorities of the business.

If a facilitator with risk assessment experience is unavailable, enlist the assistance of a qualified partner or consultant. However, be sure to include an Information Security Group member who understands the business and the stakeholders involved.

Note Outsourcing the risk assessment facilitation role may be attractive, but beware of losing the stakeholder relationship, business, and security knowledge when the consultants leave. Do not underestimate the value that a risk management process brings to the stakeholders as well as the Information Security Group.

The Risk Assessment Note Taker is responsible for capturing notes and documenting the planning and data gathering activities. This responsibility may seem too informal for role definition at this stage; however, solid note taking skills pay off in the prioritization and decision support processes later in the process. One of the most important aspects of managing risk is communicating risk in terms that stakeholders understand and can apply to their business. A thorough note taker makes this process easier by providing written documentation when needed.

Top of page

Summary

Chapters 1-3 provide an overview of risk management and define the goals and approach to begin building the foundation for a successful implementation of the Microsoft security risk management process. The next chapter covers the first phase, Assessing Risk, in detail. Subsequent chapters follow each phase of the risk management process, Conducting Decision Support, Implementing Controls, and Measuring Program Effectiveness.