Capability: Security Process

On This Page

Requirement: Security Policies, Risk Assessment, Incident Response, and Data Security
Checkpoint: Security Policies, Risk Assessment, Incident Response, and Data Security


Security process is a key element of infrastructure optimization, and security must be part of the design criteria for all procedures and technologies highlighted by the Infrastructure Optimization Model. The following table lists the high-level challenges, applicable solutions, and benefits of moving to the Standardized level in Security Process.




Business Challenges

Systems are complex, incompatible, expensive, and provide limited services throughout the organization

IT Challenges

No consistent or secure remote or Web-based services

Lack of standard security policies

Inconsistent identification of  devices connected to the network

Few IT policies and automated processes in place


Develop consistent processes to identify and update security issues on all devices connected to the network

Develop consistent security policy compliance on all devices connected to the network

Update to recent versions of OS and infrastructure

Plan to evaluate current software to ensure it meets security requirements

Business Benefits

End users have a known service level agreement and contact for troubleshoot problems, improving workforce productivity

IT Benefits

Security risk levels are known and managed

Incident response in more predictable and efficient

Data and devices are more secure through proactive security measures

The Standardized level of optimization requires that your organization has defined procedures for risk management, incident management and response, and application testing.

Requirement: Security Policies, Risk Assessment, Incident Response, and Data Security


You should read this section if you do not have plans in place for security policies, risk assessment, incident response, and data security.


Most organizations know that it is important to protect their data and resources from loss or damage due to theft, human or computer error, malicious intent, or any number of other events. You can take steps to limit the opportunities for loss or damage to occur. You can also establish policies and procedures to respond to and minimize the effects of the loss or damage to your IT environment.

Phase 1: Assess

The Assess Phase should determine the appropriate security needs for your organization and which processes are currently in place. Security requirements can vary dramatically from company to company or institution to institution based, for example, on size, industry or field, regional laws, or regulations. Gathering the requirements of your organization will allow you to define an appropriate security process.

Phase 2: Identify

During the Identify Phase, an organization will examine the tools and procedures currently in place and determine what the security requirements are for your organization. During this phase, you will gather security policies that are currently implied or enforced, in addition to technology components already in use or at your disposal. You will also gather any external requirements, based on laws or regulations for your region or industry.

Phase 3: Evaluate and Plan

The Evaluate and Plan phase moving to the Standardized level of optimization highlights specific areas of improvement.

Security Policies

To establish an effective set of security policies and controls you need to determine the vulnerabilities that exist in your computer systems and review the security policies and controls that guard them. This review should cover areas where policies are lacking, in addition to examining current policies. Some of these areas are:

  • Physical computer security policies such as physical access controls.

  • Network security policies (for example, e-mail and Internet policies).

  • Data security policies (access control and integrity controls).

  • Contingency and disaster recovery plans and tests.

  • Computer security awareness and training.

  • Computer security management and coordination policies.

  • Compliance of acquired software.

Your organization should have a person dedicated to reviewing and maintaining the security policies and setting the security strategy of the organization.

For detailed information on developing security policies, go to

Risk Assessment

With a formal security risk management process, enterprises can operate in the most cost-efficient manner, with a known and acceptable level of business risk. A formal security risk management process also gives organizations a consistent, clear path to organize and prioritize limited resources to manage risk. You will realize the benefits of using security risk management when you implement cost-effective controls that lower risk to an acceptable level.

Many methodologies for prioritizing or assessing risks exist, but most are based on one of two approaches, or a combination of the two:

  • Quantitative risk assessment  

  • Qualitative risk assessment

Quantitative Risk Assessment

In quantitative risk assessments, you estimate the true value of each business asset in terms of the cost of replacing it, the cost of lost productivity, the cost in respect to brand reputation, and other direct and indirect business values. From this analysis you can derive the following:

  • Assigned monetary value for assets.

  • A comprehensive list of significant threats.

  • The probability of each threat occurring.

  • The loss potential for the company on a per-threat basis over 12 months.

  • Recommended safeguards, controls, and actions.

Qualitative Risk Assessment

Qualitative risk assessment is usually conducted through a combination of questionnaires and collaborative workshops involving people from a variety of groups within the organization; for example, information security experts, information technology managers and staff, business asset owners and users, and senior managers.

In the workshops, participants identify assets and estimate their relative value. Next they try to predict what threats each asset might be facing, and then they try to imagine what types of vulnerabilities those threats might exploit in the future. Information security experts and system administrators typically come up with controls to mitigate the risks for the group to consider and the approximate cost of each control.

Finally, the results are presented to management for consideration during a cost-benefit analysis.

For detailed information on these approaches to risk assessment, go to

Incident Response

When a security event occurs, IT professionals might feel like the only things they have time to do are to contain the situation, figure out what happened, and fix the affected systems as quickly as possible. Some might try to identify the root cause, but even that might seem like a luxury under extreme resource constraints. While this kind of reactive approach can be an effective tactic, imposing a small degree of order to the reactive approach can help organizations of all types to better use their resources. With proper planning, your organization can be proactive in addressing breaches of security.

Reactive Approach

You must address every security incident to minimize the effect on your organization and its data. The following steps can help you manage security incidents quickly and effectively.

  1. Protect human life and people’s safety.
    If the affected computers control life-support equipment, shutting them down may not be an option.

  2. Contain the damage.
    Protect important data, software, and hardware quickly. Isolating affected computers and servers may cause a disruption of computing services, but keeping the systems up may cause widespread damage. You must rely on your judgment. Having an existing risk assessment policy in place will make the decisions easier.

  3. Assess the damage.
    Immediately make a duplicate of the hard disks in any servers that were attacked and put those aside for forensic use later. Then assess the damage. You should begin to determine the extent of the damage that the attack caused as soon as possible, right after you contain the situation and duplicate the hard disks.

  4. Determine the cause of the damage.
    To ascertain the origin of the assault, it is necessary to understand the resources at which the attack was aimed and what vulnerabilities were exploited to gain access or disrupt services. Review the system configuration, patch level, system logs, audit logs, and audit trails on the systems that were directly affected and on network devices that route traffic to them.

  5. Repair the damage.
    In most cases, it is very important that the damage be repaired as quickly as possible to restore normal business operations and recover data lost during the attack. The organization's business continuity plans and procedures should cover the restoration strategy.

  6. Review response and update policies.
    After the documentation and recovery phases are complete, you should review the process thoroughly. Determine with your team the steps that were executed successfully and what mistakes were made.

Proactive Approach

Proactive security risk management has many advantages over a reactive approach. Instead of waiting for bad things to happen and then responding to them afterward, you minimize the possibility of bad things ever occurring in the first place. You make plans to protect your organization's important assets by implementing controls that reduce the risk of vulnerabilities being exploited by malicious software, attackers, or accidental misuse.

An effective proactive approach can help organizations significantly reduce the number of security incidents that arise in the future, but it is not likely that such problems will completely disappear. Therefore, organizations should continue to improve their incident response processes while simultaneously developing long-term proactive approaches.

In developing a response plan you must address reactive and proactive scenarios. The reactive steps previously listed must be supplemented with proactive planning. The main areas to address in preparing a proactive approach are:

  • Identify business assets.

  • Determine what damage an attack against an asset could cause to the organization.

  • Identify the security vulnerabilities that the attack could exploit.

  • Determine how to minimize the risk of attack by implementing appropriate controls.

Data Security

One of the most important tasks of the IT department is ensuring the security of company data. There are several steps you can take to move to the Standardized level for data security.

  • You should implement antivirus controls on all computers. (See the section "Antivirus for Desktops" earlier in this guide).

  • Your organization needs to establish consistent policies for classifying sensitive data.

  • You need consistent processes to identify security issues and threats that could compromise sensitive company data.

For a full discussion of data security, visit

Phase 4: Deploy

Evaluated and approved security process improvements are implemented in the Deploy Phase. It is important to perform usability tests as they pertain to tightening of security policy and periodic fire drills to ensure data processes are efficient.

Further Information

For more information on developing an incident response plan, go to

Checkpoint: Security Policies, Risk Assessment, Incident Response, and Data Security



Named a dedicated person for security strategy and policy.


Established a risk assessment methodology.


Established an incident response plan.


Established a process to manage user, device, and service identities.


Established consistent processes to identify security issues, including all network-connected devices.


Established consistent security policy compliance on network devices.


Established a consistent policy to classify data.

If you have completed the steps listed above, your organization has met the minimum requirement of the Standardized level for Security Policy, Risk Assessment, Incident Response, and Data Security.

We recommend that you follow additional best practices for security processes addressed at the Microsoft TechNet Security Center.

Go to the next Self-Assessment question.