Chapter 1: Introduction to the Security Risk Management Guide

Published: October 15, 2004   |   Updated: March 15, 2006

Executive Summary

The Environmental Challenges

Most organizations recognize the critical role that information technology (IT) plays in supporting their business objectives. But today's highly connected IT infrastructures exist in an environment that is increasingly hostile—attacks are being mounted with increasing frequency and are demanding ever shorter reaction times. Often, organizations are unable to react to new security threats before their business is impacted. Managing the security of their infrastructures—and the business value that those infrastructures deliver—has become a primary concern for IT departments.

Furthermore, new legislation that stems from privacy concerns, financial obligations, and corporate governance is forcing organizations to manage their IT infrastructures more closely and effectively than in the past. Many government agencies and organizations that do business with those agencies are mandated by law to maintain a minimum level of security oversight. Failure to proactively manage security may put executives and whole organizations at risk due to breaches in fiduciary and legal responsibilities.

A Better Way

The Microsoft approach to security risk management provides a proactive approach that can assist organizations of all sizes with their response to the requirements presented by these environmental and legal challenges. A formal security risk management process enables enterprises to operate in the most cost efficient manner with a known and acceptable level of business risk. It also gives organizations a consistent, clear path to organize and prioritize limited resources in order to manage risk. You will realize the benefits of using security risk management when you implement cost-effective controls that lower risk to an acceptable level.

The definition of acceptable risk, and the approach to manage risk, varies for every organization. There is no right or wrong answer; there are many risk management models in use today. Each model has tradeoffs that balance accuracy, resources, time, complexity, and subjectivity. Investing in a risk management process—with a solid framework and clearly defined roles and responsibilities—prepares the organization to articulate priorities, plan to mitigate threats, and address the next threat or vulnerability to the business. Additionally, an effective risk management program will help the company to make significant progress toward meeting new legislative requirements.

Microsoft Role in Security Risk Management

This is the first prescriptive guide that Microsoft has published that focuses entirely on security risk management. Based on both Microsoft experiences and those of its customers, this guidance was tested and reviewed by customers, partners, and technical reviewers during development. The goal of this effort is to deliver clear, actionable guidance on how to implement a security risk management process that delivers a number of benefits, including:

• Moving customers to a proactive security posture and freeing them from a reactive, frustrating process.
• Making security measurable by showing the value of security projects.
• Helping customers to efficiently mitigate the largest risks in their environments rather than applying scarce resources to all possible risks.

Guide Overview

This guide uses industry standards to deliver a hybrid of established risk management models in an iterative four-phase process that seeks to balance cost and effectiveness. During a risk assessment process, qualitative steps identify the most important risks quickly. A quantitative process based on carefully defined roles and responsibilities follows next. This approach is very detailed and leads to a thorough understanding of the most important risks. Together, the qualitative and quantitative steps in the risk assessment process provide the basis on which you can make solid decisions about risk and mitigation, following an intelligent business process.

Note   Do not worry if some of the concepts that this executive summary discusses are new to you; subsequent chapters explain them in detail. For example, Chapter 2, "Survey of Security Risk Management Practices," examines the differences between qualitative and quantitative approaches to risk assessment.

The Microsoft security risk management process enables organizations to implement and maintain processes to identify and prioritize risks in their IT environments. Moving customers from a reactive focus to a proactive focus fundamentally improves security within their environments. In turn, improved security facilitates increased availability of IT infrastructures and improved business value.

The Microsoft security risk management process offers a combination of various approaches including pure quantitative analysis, return on security investment (ROSI) analysis, qualitative analysis, and best practice approaches. It is important to note that this guide addresses a process and has no specific technology requirements.

Critical Success Factors

There are many keys to successful implementation of a security risk management program throughout an organization. Several of those are particularly critical and will be presented here; others are discussed in the "Keys to Success" section that appears later in this chapter.

First, security risk management will fail without executive support and commitment. When security risk management is led from the top, organizations can articulate security in terms of value to the business. Next, a clear definition of roles and responsibilities is fundamental to success. Business owners are responsible for identifying the impact of a risk. They are also in the best position to articulate the business value of assets that are necessary to operate their functions. The Information Security Group owns identifying the probability that the risk will occur by taking current and proposed controls into account. The Information Technology group is responsible for implementing controls that the Security Steering Committee has selected when the probability of an exploit presents an unacceptable risk.

Next Steps

Investing in a security risk management program—with a solid, achievable process and defined roles and responsibilities—prepares an organization to articulate priorities, plan to mitigate threats, and address critical business threats and vulnerabilities. Use this guide to evaluate your preparedness and to guide your security risk management capabilities. If you require or would like greater assistance, contact a Microsoft account team or Microsoft Services partner.

Who Should Read This Guide

This guide is primarily intended for consultants, security specialists, systems architects, and IT professionals who are responsible for planning application or infrastructure development and deployment across multiple projects. These roles include the following common job descriptions:

• Architects and planners who are responsible for driving the architecture efforts for their organizations
• Members of the information security team who are focused purely on providing security across platforms within an organization
• Security and IT auditors who are accountable for ensuring that organizations have taken suitable precautions to protect their significant business assets
• Senior executives, business analysts, and Business Decision Makers (BDMs) who have critical business objectives and requirements that need IT support
• Consultants and partners who need knowledge transfer tools for enterprise customers and partners

Scope of the Guide

This guide is focused on how to plan, establish, and maintain a successful security risk management process in organizations of all sizes and types. The material explains how to conduct each phase of a risk management project and how to turn the project into an ongoing process that drives the organization toward the most useful and cost effective controls to mitigate security risks.

Content Overview

The Security Risk Management Guide comprises six chapters, described below briefly. Each chapter builds on the end-to-end practice required to effectively initiate and operate an ongoing security risk management process in your organization. Following the chapters are several appendices and tools to help organize your security risk management projects.

Chapter 1: Introduction to the Security Risk Management Guide

This chapter introduces the guide and provides a brief overview of each chapter.

Chapter 2: Survey of Security Risk Management Practices

It is important to lay a foundation for the Microsoft security risk management process by reviewing the different ways that organizations have approached security risk management in the past. Readers who are already well versed in security risk management may want to skim through the chapter quickly; others who are relatively new to security or risk management are encouraged to read it thoroughly. The chapter starts with a review of the strengths and weaknesses of the proactive and reactive approaches to risk management. It then revisits in detail the concept that Chapter 1, "Introduction to the Security Risk Management Guide," introduces of organizational risk management maturity. Finally, the chapter assesses and compares qualitative risk management and quantitative risk management, the two traditional methods. The process is presented as an alternative method, one that provides a balance between these methodologies, resulting in a process that has proven to be effective within Microsoft.

Chapter 3: Security Risk Management Overview

This chapter provides a more detailed look at the Microsoft security risk management process and introduces some of the important concepts and keys to success. It also provides advice on how to prepare for the process by using effective planning and building a strong Security Risk Management Team with well defined roles and responsibilities.

Chapter 4: Assessing Risk

This chapter explains the Assessing Risk phase of the Microsoft security risk management process in detail. Steps in this phase include planning, facilitated data gathering, and risk prioritization. The risk assessment process consists of multiple tasks, some of which can be quite demanding for a large organization. For example, identifying and determining values of business assets may take a lot of time. Other tasks such as identifying threats and vulnerabilities require a lot of technical expertise. The challenges related to these tasks illustrate the importance of proper planning and building a solid Security Risk Management Team, as Chapter 3, "Security Risk Management Overview," emphasizes.

In the summary risk prioritization, the Security Risk Management Team uses a qualitative approach to triage the full list of security risks so that it can quickly identify the most significant ones for further analysis. The top risks are then subjected to a detailed analysis using quantitative techniques. This results in a short list of the most significant risks with detailed metrics that the team can use to make sensible decisions during the next phase of the process.

Chapter 5: Conducting Decision Support

During the Conducting Decision Support phase of the process, the Security Risk Management Team determines how to address the key risks in the most effective and cost efficient manner. The team identifies controls; determines costs associated with acquiring, implementing, and supporting each control; assesses the degree of risk reduction that each control achieves; and, finally, works with the Security Steering Committee to determine which controls to implement. The end result is a clear and actionable plan to control or accept each of the top risks identified in the Assessing Risk phase.

Chapter 6: Implementing Controls and Measuring Program Effectiveness

This chapter covers the last two phases of the Microsoft security risk management process: Implementing Controls and Measuring Program Effectiveness. The Implementing Controls phase is self-explanatory: The mitigation owners create and execute plans based on the list of control solutions that emerged during the decision support process to mitigate the risks identified in the Assessing Risk phase. The chapter provides links to prescriptive guidance that your organization's mitigation owners may find helpful for addressing a variety of risks. The Measuring Program Effectiveness phase is an ongoing one in which the Security Risk Management team periodically verifies that the controls implemented during the preceding phase are actually providing the expected degree of protection.

Another step of this phase is estimating the overall progress that the organization is making with regard to security risk management as a whole. The chapter introduces the concept of a "Security Risk Scorecard" that you can use to track how your organization is performing. Finally, the chapter explains the importance of watching for changes in the computing environment such as the addition or removal of systems and applications or the appearance of new threats and vulnerabilities. These types of changes may require prompt action by the organization to protect itself from new or changing risks.

Appendix A: Ad-Hoc Risk Assessments

This appendix contrasts the formal enterprise risk assessment process with the ad-hoc approach that many organizations take. It highlights the advantages and disadvantages of each method and suggests when it makes the most sense to use one or the other.

Appendix B: Common Information System Assets

This appendix lists information system assets commonly found in organizations of various types. It is not intended to be comprehensive, and it is unlikely that this list will represent all of the assets present in your organization's unique environment. Therefore, it is important that you customize the list during the risk assessment process. It is provided as a reference list and a starting point to help your organization get started.

Appendix C: Common Threats

This appendix lists threats likely to affect a wide variety of organizations. The list is not comprehensive, and, because it is static, will not remain current. Therefore, it is important that you remove threats that are not relevant to your organization and add newly identified ones to it during the assessment phase of your project. It is provided as a reference list and a starting point to help your organization get started.

Appendix D: Vulnerabilities

This appendix lists vulnerabilities likely to affect a wide variety of organizations. The list is not comprehensive, and, because it is static, will not remain current. Therefore, it is important that you remove vulnerabilities that are not relevant to your organization and add newly identified ones to it during the risk assessment process. It is provided as a reference list and a starting point to help your organization get started.

Tools and Templates

A collection of tools and templates are included with this guide to make it easier for your organization to implement the Microsoft security risk management process. These tools and templates are included in a Windows Installer file called Security Risk Management Guide Tools and Templates.msi, which is available on the Download Center. When you run the Security Risk Management Guide Tools and Templates.msi file, the following folder will be created in the default location:

• \%USERPROFILE%\My Documents\Security Risk Management Guide Tools and Templates. This folder contains the following Tools and Templates:
  • Data Gathering Template (SRMGTool1-Data Gathering Tool.doc). You can use this template in the Assessing Risk phase during the workshops that Chapter 4, "Assessing Risk," describes.
  • Summary Level Risk Analysis Worksheet (SRMGTool2-Summary Risk Level.xls). This Microsoft® Excel® worksheet will help your organization to conduct the first pass of risk analysis: the summary level analysis.
  • Detail Level Risk Analysis Worksheet (SRMGTool3-Detailed Level Risk Prioritization.xls). This Excel worksheet will help your organization to conduct a more exhaustive analysis of the top risks identified during the summary level analysis.
  • Sample Schedule (SRMGTool4-Sample Project Schedule.xls). This Excel worksheet shows a high-level project schedule for the Microsoft security risk management process. It includes the phases, steps, and tasks discussed throughout the guide.

Keys to Success

Whenever an organization undertakes a major new initiative, various foundational elements must be in place if the effort is to be successful. Microsoft has identified components that must be in place prior to the implementation of a successful security risk management process and that must remain in place once it is underway. They are:

• Executive sponsorship.
• A well-defined list of risk management stakeholders.
• Organizational maturity in terms of risk management.
• An atmosphere of open communication.
• A spirit of teamwork.
• A holistic view of the organization.
• Authority throughout the process.

The following sections discuss these elements that are required throughout the entire security risk management process; additional ones relevant only to specific phases are highlighted in the chapters that discuss those phases.

Executive Sponsorship

Senior management must unambiguously and enthusiastically support the security risk management process. Without this sponsorship, stakeholders may resist or undermine efforts to use risk management to make the organization more secure. Additionally, without clear executive sponsorship, individual employees may disregard directives for how to perform their jobs or help to protect organizational assets. There are many possible reasons why employees may fail to cooperate. Among them is a generalized resistance to change; a lack of appreciation for the importance of effective security risk management; an inaccurate belief that they as individuals have a solid understanding of how to protect business assets even though their point of view may not be as broad and deep as that of the Security Risk Management Team; or the belief that their part of the organization would never be targeted by potential attackers.

Sponsorship implies the following:

• Delegation of authority and responsibility for a clearly articulated project scope to the Security Risk Management Team
• Support for participation by all staff as needed
• Allocation of sufficient resources such as personnel and financial resources
• Unambiguous and energetic support of the security risk management process
• Participation in the review of the findings and recommendations of the security risk management process

A Well-Defined List of Risk Management Stakeholders

This guide frequently discusses stakeholders, which in this context means members of the organization with a vested interest in the results of the security risk management process. The Security Risk Management Team needs to understand who all of the stakeholders are—this includes the core team itself as well as the executive sponsor(s). It will also include the people who own the business assets that are to be evaluated. The IT personnel responsible and accountable for designing, deploying, and managing the business assets are also key stakeholders.

The stakeholders must be identified so that they can then join the security risk management process. The Security Risk Management Team must invest time in helping these people to understand the process and how it can help them to protect their assets and save money in the long term.

Organizational Maturity in Terms of Risk Management

If an organization currently has no security risk management process in place, the Microsoft security risk management process may involve too much change in order to implement it in its entirety, all at once. Even if an organization has some informal processes, such as ad-hoc efforts that are launched in response to specific security issues, the process may seem overwhelming. However, it can be effective in organizations with more maturity in terms of risk management; maturity is evidenced by such things as well defined security processes and a solid understanding and acceptance of security risk management at many levels of the organization. Chapter 3, "Security Risk Management Overview," discusses the concept of security risk management maturity and how to calculate your organization's maturity level.

An Atmosphere of Open Communication

Many organizations and projects operate purely on a need-to-know basis, which frequently leads to misunderstandings and impairs the ability of a team to deliver a successful solution. The Microsoft security risk management process requires an open and honest approach to communications, both within the team and with key stakeholders. A free-flow of information not only reduces the risk of misunderstandings and wasted effort but also ensures that all team members can contribute to reducing uncertainties surrounding the project. Open, honest discussion about what risks have been identified and what controls might effectively mitigate those risks is critical to the success of the process.

A Spirit of Teamwork

The strength and vitality of the relationships among all of the people working on the Microsoft security risk management process will greatly affect the effort. Regardless of the support from senior management, the relationships that are developed among security staff and management and the rest of the organization are critical to the overall success of the process. It is extremely important that the Security Risk Management Team fosters a spirit of teamwork with each of the representatives from the various business units with which they work throughout the project. The team can facilitate this by effectively demonstrating the business value of security risk management to individual managers from those business units and by showing staff members how in the long run the project might make it easier for them do to their jobs effectively.

A Holistic View of the Organization

All participants involved in the Microsoft security risk management process, particularly the Security Risk Management Team, need to consider the entire organization during their work. What is best for one particular employee is frequently not what is best for the organization as a whole. Likewise, what is most beneficial to one business unit may not be in the best interest of the organization. Staff and managers from a particular business unit will instinctively seek to drive the process toward outcomes that will benefit them and their parts of the organization.

Authority Throughout the Process

Participants in the Microsoft security risk management process accept responsibility for identifying and controlling the most significant security risks to the organization. In order to effectively mitigate those risks by implementing sensible controls, they will also require sufficient authority to make the appropriate changes. Team members must be empowered to meet the commitments assigned to them. Empowerment requires that team members are given the resources necessary to perform their work, are responsible for the decisions that affect their work, and understand the limits to their authority and the escalation paths available to handle issues that transcend these limits.

Terms and Definitions

Terminology related to security risk management can sometimes be difficult to understand. At other times, an easily recognized term may be interpreted differently by different people. For these reasons it is important that you understand the definitions that the authors of this guide used for important terms that appear throughout it. Many of the definitions provided below originated in documents published by two other organizations: the International Standards Organization (ISO) and the Internet Engineering Task Force (IETF). Web addresses for those organizations are provided in the "More Information" section later in this chapter. The following list provides a consolidated view of the key components of security risk management:

• Annual Loss Expectancy (ALE). The total amount of money that an organization will lose in one year if nothing is done to mitigate a risk.
• Annual Rate of Occurrence (ARO). The number of times that a risk is expected to occur during one year.
• Asset. Anything of value to an organization, such as hardware and software components, data, people, and documentation.
• Availability. The property of a system or a system resource that ensures that it is accessible and usable upon demand by an authorized system user. Availability is one of the core characteristics of a secure system.
• CIA. See Confidentiality, Integrity, and Availability.
• Confidentiality. The property that information is not made available or disclosed to unauthorized individuals, entities, or processes (ISO 7498-2).
• Control. An organizational, procedural, or technological means of managing risk; a synonym for safeguard or countermeasure.
• Cost-benefit analysis. An estimate and comparison of the relative value and cost associated with each proposed control so that the most effective are implemented.
• Decision support. Prioritization of risk based on a cost-benefit analysis. The cost for the security solution to mitigate a risk is weighed against the business benefit of mitigating the risk.
• Defense-in-depth. The approach of using multiple layers of security to guard against failure of a single security component.
• Exploit. A means of using a vulnerability in order to cause a compromise of business activities or information security.
• Exposure. A threat action whereby sensitive data is directly released to an unauthorized entity (RFC 2828). The Microsoft security risk management process narrows this definition to focus on the extent of damage to a business asset.
• Impact. The overall business loss expected when a threat exploits a vulnerability against an asset.
• Integrity. The property that data has not been altered or destroyed in an unauthorized manner (ISO 7498-2).
• Mitigation. Addressing a risk by taking actions designed to counter the underlying threat.
• Mitigation solution. The implementation of a control, which is the organizational, procedural, or technological control put into place to manage a security risk.
• Probability. The likelihood that an event will occur.
• Qualitative risk management. An approach to risk management in which the participants assign relative values to the assets, risks, controls, and impacts.
• Quantitative risk management. An approach to risk management in which participants attempt to assign objective numeric values (for example, monetary values) to the assets, risks, controls, and impacts.
• Reputation. The opinion that people hold about an organization; most organizations' reputations have real value even though they are intangible and difficult to calculate.
• Return On Security Investment (ROSI). The total amount of money that an organization is expected to save in a year by implementing a security control.
• Risk. The combination of the probability of an event and its consequence. (ISO Guide 73).
• Risk assessment. The process by which risks are identified and the impact of those risks determined.
• Risk management. The process of determining an acceptable level of risk, assessing the current level of risk, taking steps to reduce risk to the acceptable level, and maintaining that level of risk.
• Single Loss Expectancy (SLE). The total amount of revenue that is lost from a single occurrence of a risk.
• Threat. A potential cause of an unwanted impact to a system or organization. (ISO 13335-1).
• Vulnerability. Any weakness, administrative process, or act or physical exposure that makes an information asset susceptible to exploit by a threat.

Style Conventions

This guide uses the following style conventions and terminology.

Getting Support for This Guide

This guide seeks to clearly describe a process that organizations can follow to implement and maintain a security risk management program. If you need assistance in implementing a risk management program, you should contact your Microsoft account team. There is no phone support available for this document.

Feedback or questions on this guide may be addressed to secwish@microsoft.com.

More Information

The following information sources were the latest available on topics closely related to security risk management at the time that this guide was published.

The Microsoft Operations Framework (MOF) provides guidance that enables organizations to achieve mission-critical system reliability, availability, supportability, and manageability of Microsoft products and technologies. MOF provides operational guidance in the form of white papers, operations guides, assessment tools, best practices, case studies, templates, support tools, and services. This guidance addresses the people, process, technology, and management issues pertaining to complex, distributed, and heterogeneous IT environments. More information about MOF is available at www.microsoft.com/mof.

The Microsoft Solutions Framework (MSF) may help you successfully execute the action plans created as part of the Microsoft security risk management process. Designed to help organizations deliver high quality technology solutions on time and on budget, MSF is a deliberate and disciplined approach to technology projects and is based on a defined set of principles, models, disciplines, concepts, guidelines, and proven practices from Microsoft. For more information on MSF, see www.microsoft.com/msf.

The Microsoft Security Center is an exhaustive and well-organized collection of documentation addressing a wide range of security topics. The Security Center is available at www.microsoft.com/security/guidance/default.mspx.

The Microsoft Windows 2000 Server Solution for Security is a prescriptive solution aimed at helping to reduce security vulnerabilities and lowering the costs of exposure and security management in Microsoft Windows® 2000 environments. Chapters 2, 3, and 4 of the Microsoft Windows 2000 Server Solution for Security guide comprise the first security risk management guidance that Microsoft published, which was referred to as the Security Risk Management Discipline (SRMD). The guide you are reading serves as a replacement for the security risk management content in the Microsoft Windows 2000 Server Solution for Security guide. The Microsoft Solution for Securing Windows 2000 Server guide is available at https://go.microsoft.com/fwlink/?LinkId=14837.

The National Institute for Standards and Technology (NIST) offers an excellent guide on risk management. The Risk Management Guide for Information Technology Systems (July 2002) is available at https://csrc.nist.gov/publications/nistpubs/800-30/sp800-30.pdf.

NIST also offers a guide on performing a security assessment of your own organization. The Security Self-Assessment Guide for Information Technology Systems (November 2001) is available at https://csrc.nist.gov/publications/nistpubs/800-26/sp800-26.pdf.

The ISO offers a high-level code of practice known as the Information technology—Code of practice for information security management, or ISO 17799. It is available for a fee at www.iso.org/iso/en/CatalogueDetailPage.CatalogueDetail?CSNUMBER=33441&ICS1=35&ICS2=40&ICS3=.

The ISO has published a variety of other standards documents, some of which are referred to within this guide. They are available for a fee at www.iso.org.

The Computer Emergency Response Team (CERT), located in the Software Engineering Institute at Carnegie-Mellon University, has created OCTAVE® (Operationally Critical Threat, Asset, and Vulnerability EvaluationSM), a self-directed risk assessment and planning technique. More information about OCTAVE is available online at www.cert.org/octave.

Control Objectives for Information and Related Technology (COBIT) offers generally applicable and accepted standards for good IT security and control practices that provide a reference framework for management, users, and IS audit, control, and security practitioners. COBIT is available online for a fee from the Information Systems Audit and Control Association (ISACA) at www.isaca.org/cobit.

The IETF has published Request for Comments (RFC) 2828, which is a publicly available memo called the Internet Security Glossary which provides standard definitions for a large number of information system security terms. It is available at www.faqs.org/rfcs/rfc2828.html.