Published: October 15, 2004 | Updated: March 15, 2006

Customers can be overwhelmed when attempting to put in place a plan for security risk management, often because they lack the in-house expertise, the budget, or guidelines for outsourcing it. To assist these customers, Microsoft has developed The Security Risk Management Guide. This guide helps customers of all types plan, build, and maintain a successful security risk management program. In a four-phase process, depicted below, the guide explains how to conduct each phase of a risk management program and how to build an ongoing process to measure and drive security risks to an acceptable level.

[Figure: the four-phase security risk management process]
This guide is technology agnostic and references many industry-accepted standards for managing security risk. It is an important example of Microsoft's commitment to delivering quality guidance to help customers secure their Information Technology (IT) infrastructures. The guide incorporates real-world experience from Microsoft IT and also includes input from Microsoft customers and partners. It was developed, reviewed, and approved by teams of authoritative experts in security.

This guide and other security guidance topics are available at the Security Center at www.microsoft.com/technet/security. Feedback on or questions about this guide should be addressed to secwish@microsoft.com.

This guide comprises six chapters and four appendices.

Chapter 1: Introduction to the Security Risk Management Guide

Chapter 1 introduces The Security Risk Management Guide (SRMG) and provides a brief overview of subsequent chapters. It also provides information about the following:

- Keys to succeeding with a security risk management program
- Key terms and definitions
- Style conventions in the papers
- References for further information
Chapter 2: Survey of Security Risk Management Practices

Chapter 2 lays a foundation and provides context for the SRMG by reviewing other approaches to security risk management and related considerations, including how to determine your organization's risk management maturity level.

Chapter 3: Security Risk Management Overview

Chapter 3 provides a more detailed look at the four phases of the SRMG process while introducing some of its important concepts and keys to success. The chapter also offers advice on preparing for the program by planning effectively and placing strong emphasis on building a solid Security Risk Management Team that has well-defined roles and responsibilities.

Chapter 4: Assessing Risk

Chapter 4 addresses the first phase, Assessing Risk, in detail. Steps in this phase include planning, data gathering, and risk prioritization. Risk prioritization itself comprises a summary level and a detailed level, balancing qualitative and quantitative approaches in order to provide reliable risk information within reasonable trade-offs of time and effort. The output from the Assessing Risk phase is a list of significant risks with detailed analysis that the team can use to make business decisions during the next phase of the process.

Chapter 5: Conducting Decision Support

Chapter 5 addresses the second phase, Conducting Decision Support. During this phase, teams determine how to address the key risks in the most effective and cost-efficient manner. Teams identify controls, estimate costs, assess the degree of risk reduction, and then determine which controls to implement. The output of the Conducting Decision Support phase is a clear and actionable plan to control or accept each of the top risks identified in the Assessing Risk phase.

Chapter 6: Implementing Controls and Measuring Program Effectiveness

Chapter 6 addresses the final two phases of the SRMG: Implementing Controls and Measuring Program Effectiveness. During the Implementing Controls phase, the Mitigation Owners create and execute plans based on the list of control solutions that emerged during the decision support process. When the first three phases of the security risk management process are complete, organizations should estimate their progress with regard to security risk management as a whole. The final phase, Measuring Program Effectiveness, introduces the concept of a "Security Risk Scorecard" to assist in this effort.

Appendices

Appendices include:

- Appendix A: Ad-Hoc Risk Assessments
- Appendix B: Common Information System Assets
- Appendix C: Common Threats
- Appendix D: Vulnerabilities
Related Resources

Read other security solutions from the Microsoft Solutions for Security and Compliance (MSSC) team.

Give Us Your Feedback

The Microsoft Solutions for Security and Compliance (MSSC) team would appreciate your thoughts about this and other security solutions. Have an opinion? Let us know on the Security Solutions Blog for the IT Professional. Or e-mail your feedback to the following address: SecWish@microsoft.com. We respond often to feedback that is sent to this mailbox. We look forward to hearing from you.