Security Response Readiness Assessment
Published: April 22, 2013
Author: David Seidman, Senior Security Program Manager, MSRC Software Security Incident Response
Microsoft Security Response Readiness Assessment is a new free tool to help your organization determine the effectiveness of your software security response processes and identify improvements to take your response capability to the next level. It covers the complete lifecycle of software security response, from preparing for and detecting an issue through remediating it and preventing it from happening again, and it covers both urgent incidents and cooperatively disclosed vulnerabilities. This assessment is focused on organizations that produce software of any kind, including internal applications. The goal is to help you understand your ability to handle a security vulnerability in that software and to improve that ability. We’ve based the information in the assessment on the experience and practices of the Microsoft Security Response Center.
The first step in taking the assessment is to answer 17 simple questions about your organization’s current capabilities. These questions ask things like “What best describes the level of security training your organization performs?” and “What best describes your organization’s ability to conduct an emergency response?” Each question addresses a different area and has four options, ranging from the least developed to the most developed capability. Don’t feel bad if you aren’t able to give yourself the top rating: it would be a waste of resources for every developer to have the same level of investment as a huge software company like Microsoft – not to mention unlikely!
After answering the assessment questions, enter your company name, industry and country. Your company name will only be used to store your report for you to access in the future and will not be shared with anyone. Your industry and country will be used to show you how your peers are doing, and Microsoft will also use this data at the aggregate level to determine if a particular industry or country could use a little extra help.
After you click Next, you’ll see a full report on your capabilities. The top of the screen shows you where you are today, and the bottom provides resources to improve your capabilities.
At the top right, you’ll see your results: an assessment of your overall level of capability, broken down into the areas of “Security” and “Engineering Capabilities”. “Security” measures your ability to manage technical aspects of computer security, while “Engineering Capabilities” measures other capabilities that are not specific to security but that impact your ability to respond to security issues. In addition to the assessment, concrete action items are provided that your organization can take to move to the next level. For example, an organization at the “Basic” level of capability might be told to “Secure executive support for an ongoing response program.” At the top left, you’ll see an assessment of your overall maturity, with a comparison to peers in your industry and geography.
In the bottom left you’ll find information about the transition your organization will take as it moves to a higher level of capability. This will give you a basic idea of what to expect. Just to the right, you’ll see a link to Create Custom Report. This report will provide a nice, presentation-friendly view of your assessment results. We’ve also included on this page links to a few other resources we think every IT administrator needs to know about, such as how to mitigate Pass-the-Hash attacks.
We hope that you find this tool useful!