Microsoft Security Assessment Frequently Asked Questions

Q: What is a Microsoft Security Assessment?
The Microsoft Security Assessment is an interactive session that uses the Microsoft Security Assessment Tool (MSAT) and includes an on-site questionnaire. The Microsoft Security Assessment is a self-led or partner-facilitated session lasting from one to two hours and is designed to help you gain a better understanding of your security gaps and risks. The assessment provides you with a broad overview of your company’s IT security posture and provides you with a clearly defined map to becoming more secure through prioritized activities, solutions, and prescriptive guidance. Upon completion of the assessment, MSAT provides a complimentary report with findings and recommendations specific to business issues identified in the assessment. This report is designed to help you understand your baseline security position and prioritize steps to mitigate identified risks.

Q: What are the goals of the Microsoft Security Assessment?
MSAT is focused on providing you with a common framework to help gain a holistic understanding of security risks and gaps, and develop a road map to help increase the security of your data immediately and as a matter of routine business discipline.

Q: Who was involved in building this tool?
MSAT was developed by an experienced team of Microsoft security professionals and security industry partners.

Q: Is the MSAT just another effort to sell only Microsoft products?
No. The goal of the MSAT is to help customers understand the business risks posed by their computing infrastructure and to provide industry-proven steps they can take to help mitigate the identified risks.

Q: What type of guidance does the MSAT provide?
MSAT reporting provides prescriptive guidance based on industry and security standards. Suggested security resources include Microsoft, CERT, Cisco, and similar companies.

Q: Does MSAT scan my system?
No. MSAT is an interactive, survey-driven process that provides reports and guidance based solely on the user’s responses. In addition to assessing technology, the MSAT is designed to evaluate people and processes, which requires human input. The MSAT has no ability to collect information about local systems or networks.

Q: What information is this tool collecting?
The MSAT only collects generic, non-identifiable information such as company size and industry, along with Business Risk Profile (BRP) and Defense-in-Depth Index (DiDI) scores. This data is used to compare customers with all other participants or with other participants within the same industry. Users can apply MSAT reports to benchmark and compare results over time. This data, however, is not collected unless you provide the survey-based answers. You can use the tool to model your environment or forecast how certain improvements would impact your infrastructure’s overall score or security posture.

Q: Why should I trust this tool?
While not a replacement for a trained consultant who knows your business, MSAT was designed to help guide companies down the road to security awareness. The questions that make up the survey portion of the tool and the associated answers are derived from commonly accepted best practices in security, both general and specific. The questions and the recommendations that the tool offers are based on standards such as ISO 17799 and NIST-800.x, as well as recommendations and prescriptive guidance from both Microsoft and external security sources.

Q: What does it mean to have a high Business Risk Profile (BRP)?
In the normal course of doing business, customers will regularly make technical and business decisions that may introduce security risks requiring mitigation. The BRP helps identify those risks and provides a baseline against which to compare the Defense-in-Depth score. The BRP is a measure of how much risk is associated with the way a customer does business or interacts with other businesses or customers. It is focused primarily on technical and operational risk. Having a high BRP indicates that a customer is operating in a risk-intense environment, has significant competition, or is threatened by both direct and indirect attack through systems, tools, or processes it uses.

Q: My customer has a lot of defenses in place to mitigate risk. Why is the BRP still high?
The BRP is not influenced by any risk mitigation techniques in use. It should be considered a measure of the risk the organization would have without protections in place. This should be used to identify key areas where your data may be at greater risk based on the type of business that is conducted.

Q: What is Microsoft going to do with the information from this assessment if data is uploaded?
After the assessment is completed, you will be able to view the Risk-Defense Distribution chart, which compares the BRP score with the DiDI score. To view the full report, data must be uploaded to the secure MSAT Web server. The upload is entirely anonymous. In addition to being able to view the full report, you will also gain access to the Compare function. The Compare function allows you to compare two of your assessments, which will help you track progress over time. You may also compare your results, anonymously, with others who have participated in the program.

Q: Does a Microsoft partner have to assist me when I’m using the MSAT?
No. A Microsoft partner does not have to be involved in using the MSAT. The tool is freely available to anyone who wishes to use it. It may be desirable to use a security partner to help you complete the assessment or review the results of the assessment. Partners associated with the Microsoft Security Assessment Program have received specific training in the use of the MSAT tool and understand the ideas of defense-in-depth and the strategies surrounding risk mitigation. These partners also have access to other programs and information directly from Microsoft that may be of great benefit to the security efforts of your company. You can locate a Microsoft partner at the Microsoft Resource Directory at https://solutionfinder.microsoft.com.