Capability: Security Process

On This Page

Introduction Introduction
Requirement: Two-Factor User Authentication, Standard Security Review for New Software Acquisitions, and Data Classification Processes Requirement: Two-Factor User Authentication, Standard Security Review for New Software Acquisitions, and Data Classification Processes


Security process is a key element of infrastructure optimization, and security must be part of the design criteria for all procedures and technologies highlighted by the Infrastructure Optimization Model. The following table lists the high-level challenges, applicable solutions, and benefits of moving to the Rationalized level in Security Process.




Business Challenges

No consistent risk assessment processes

An incident response plan is in place, but not fully documented

Only standard identity protection technology is used

IT Challenges

Limited PC security

The process for updating security on all network connected IT assets is undocumented


Continue optimizing defense-in-depth security policies

Develop and implement two-factor identity and access management policies

Develop a process to manage security requirement testing on all acquired or developed software  

Establish a standard and repeatable procedure for classifying sensitive data

Business Benefits

Problems and incidents are reduced and remaining occurrences are resolved faster

Improved information security and identity protection helps protect business from threats, regardless of device

IT Benefits

Automated services and tools free up resources to implement new services or optimize existing services

Proactive IT operations resolve problems earlier to avoid reducing user productivity

The Rationalized level of optimization requires that your organization has defined procedures for risk management, incident management and response, and application testing.

Requirement: Two-Factor User Authentication, Standard Security Review for New Software Acquisitions, and Data Classification Processes


You should read this section if you do not have plans in place for security policies, risk assessment, incident response, and data security.


Most organizations know that it is important to protect their data and resources from loss or damage due to theft, human or computer error, malicious intent, or any number of other events. You can take steps to limit the opportunities for loss or damage to occur. You can also establish policies and procedures to respond to and minimize the effects of the loss or damage to your IT environment. The Rationalized level in this guide deviates somewhat from the Core Infrastructure Optimization Online Self-Assessment and focuses on the following topics: two-factor user authentication, standard security review for new assets, and data classification processes.

Phase 1: Assess

The Assess phase should determine the appropriate security needs for your organization and which processes are currently in place. Security requirements can vary dramatically from company to company or institution to institution based, for example, on size, industry or field, or regional laws and regulations. Gathering the requirements of your organization will allow you to define an appropriate security process.

Phase 2: Identify

During the Identify phase, an organization will examine the tools and procedures currently in place and determine what the security requirements are for its organization. During this phase, you will gather security policies that are currently implied or enforced, in addition to technology components already in use or at your disposal. You will also gather any external requirements based on laws or regulations for your region or industry.

Phase 3: Evaluate and Plan

The Evaluate and Plan phase moving to the Rationalized level of optimization highlights specific areas of improvement.

Two-Factor Authentication

Single secrets such as passwords can be effective security controls. A long password of more than 10 characters that consists of random letters, numbers, and special characters can be very difficult to crack. Unfortunately, users cannot always remember these sorts of passwords, partly due to fundamental human limitations.

Two-factor authentication systems overcome the issues of single secret authentication by the requirement of a second secret. Two-factor authentication uses a combination of the following items:

  • Something that the user has, such as a hardware token or a smart card.

  • Something the user knows, such as a personal identification number (PIN).

Smart cards and their associated PINs are an increasingly popular, reliable, and cost-effective form of two-factor authentication. With the right controls in place, the user must have the smart card and know the PIN to gain access to network resources. The two-factor requirement significantly reduces the likelihood of unauthorized access to an organization’s network.

Smart cards provide particularly effective security control in two scenarios: to secure administrator accounts and to secure remote access. This guide concentrates on these two scenarios as the priority areas in which to implement smart cards.

Because administrator-level accounts have a wide range of user rights, compromise of one of these accounts can give an intruder access to all network resources. It is essential to safeguard administrator-level access because the theft of domain administrator-level account credentials jeopardizes the integrity of the domain, and possibly the entire forest, together with any other trusting forests. Two-factor authentication is essential for administrator authentication.

Organizations can provide an important additional layer of security if they implement smart cards for users who require remote connectivity to network resources. Two-factor authentication is particularly important with remote users because it is not possible to provide any form of physical access control for remote connections. Two-factor authentication with smart cards can increase security on the authentication process for remote users who connect through virtual private network (VPN) links.

For detailed information on two-factor authentication, go to

Standard Security Review for New Software Acquisitions

At the Rationalized level, all software acquisitions in your organization should follow a program to enable standard security review. Best practice processes for performing security reviews of IT systems are outlined in the ISO/IEC 17799:2005 Information technology -- Security techniques -- Code of practice for information security management standard. ISO/IEC 17799:2005 establishes guidelines and general principles for information systems acquisition, development, and maintenance, including:

  • Security requirements of information systems.

  • Correct processing in application systems.

  • Cryptographic controls.

  • Security of system files.

  • Security in development and support processes.

  • Technical vulnerability management.

For more information about the standard and to obtain the documentation, visit the ISO/IEC 17799:2005 Information technology -- Security techniques -- Code of practice for information security management Web site.

Data Classification Processes

Data classification and protection deals with how to apply security classification levels to the data either on a system or in transmission. This solution category also deals with data protection in terms of providing confidentiality and integrity to data that is either at rest or in transmission. Cryptographic solutions are the most common method that organizations use to provide data protection.

Compliance Impact

Data classification is important to compliance because it informs users about what levels indicate the relative importance of the data, how they must handle the data, and how they must safeguard and dispose of it. High, medium, and low are typical data classification examples that indicate the relative impact of the data on business. The military classification system of Top Secret, Secret, Confidential, and Un-Classified may also apply in some organizations.

All compliance guidelines require file protection and encryption of sensitive information, whether at rest or in transit. The compliance process creates enormous amounts of sensitive data, primarily in nonstructured applications such as Microsoft Office Word and Office Excel files. Control and protection of this compliance data is very important because it contains complete details of an organization's known weaknesses and vulnerabilities.

Microsoft Resources

Microsoft provides several resources for data classification and data protection. For example, the combined use of Information Rights Management (IRM), which extends the Windows Rights Management Services in Microsoft Office 2003 applications and in Microsoft Internet Explorer, as well as Windows Rights Management Services (RMS) technologies help you to both classify and protect the data in your organization. RMS applies encryption-based, policy-driven protection that travels with the information wherever it goes.

Additional data protection technology solution examples include Internet Protocol security (IPsec) and Encrypting File System (EFS). IPsec provides data integrity and encryption to IP traffic, whereas EFS encrypts files stored in the file systems of Microsoft Windows 2000 Server, Windows XP Professional, and Windows Server 2003. Microsoft provides the following guidance on these data classification and protection solutions:

Phase 4: Deploy

Evaluated and approved security process improvements are implemented in the Deploy phase. It is important to perform usability tests as they pertain to tightening of security policy and periodic fire drills to ensure data processes are efficient.

Further Information

For more information on developing security operations and process standards, go to the Security Guidance Portal on Microsoft TechNet at

Checkpoint: Two-Factor User Authentication, Standard Security Review for New Software Acquisitions, and Data Classification Processes



Developed and implemented two-factor identity and access management policies.


Developed a process to manage security requirement testing on all acquired or developed software.  


Established a standard and repeatable procedure for classifying sensitive data.

If you have completed the steps listed above, your organization has met the minimum requirement of the Rationalized level for Two-Factor User Authentication, Standard Security Review for New Software Acquisitions, and Data Classification Processes.

We recommend that you follow additional best practices for security processes addressed at the Microsoft TechNet Security Center.

Go to the next Self-Assessment question.