Security Risk Management Guide

Published: October 15, 2004   |   Updated: March 15, 2006


Download this Solution Accelerator

Click here to get the Security Risk Management Guide from the Microsoft Download Center.

About This Solution Accelerator

The Security Risk Management Guide is a technology-agnostic solution that provides a four-phased approach to risk management. The guide references many industry-accepted standards for managing security risk, incorporates real-world experience from Microsoft IT, and includes input from Microsoft customers and partners. It helps organizations of all types plan, build, and maintain a successful security risk management program.

Included in the Download

The Security Risk Management Guide includes the following components:

  • Security_Risk_Management_Guide_v1.2.zip. This file extracts the following files to the computer location that you specify.
    • Security Risk Management Guide.doc
    • Release Notes
    • Readme
    • Security Risk Management Guide Tools and Templates.msi. This file installs the following tools and templates on your computer:
      - SRMGTool1-Data Gathering Tool.doc
      - SRMGTool2-Summary Risk Level.xls
      - SRMGTool3-Detailed Level Risk Prioritization.xls
      - SRMGTool4-Sample Project Schedule.xls
      - Microsoft Software License Terms.doc

In More Detail

Organizations can be overwhelmed when attempting to put a security risk management plan in place, primarily because they lack the in-house expertise, the budget, or the guidelines needed to outsource the work. To assist organizations like these, Microsoft has developed the Security Risk Management Guide (SRMG).

This guide explains how to conduct each phase of a risk management program and how to build an ongoing process to measure and drive security risks to an acceptable level. It was developed, reviewed, and approved by teams of authoritative experts in security and comprises the following six chapters and four appendices:

  • Chapter 1: Introduction to the Security Risk Management Guide. This chapter provides brief overviews of the guide's chapters. It also provides information about the following:

    • Keys to succeeding with a security risk management program
    • Key terms and definitions
    • Style conventions
    • References for additional information
  • Chapter 2: Survey of Security Risk Management Practices. This chapter lays a foundation and provides context for the SRMG by reviewing other approaches to security risk management and related considerations, including how to determine your organization's risk management maturity level.

  • Chapter 3: Security Risk Management Overview. This chapter provides a more detailed look at the four phases of the SRMG process while introducing some of its important concepts and keys to success. The chapter also offers advice on preparing for the program by planning effectively and placing strong emphasis on building a solid Security Risk Management Team with well-defined roles and responsibilities.

  • Chapter 4: Assessing Risk. This chapter addresses the first phase, Assessing Risk, in detail. Steps in this phase include planning, data gathering, and risk prioritization. Risk prioritization itself consists of a summary level and a detailed level, balancing qualitative and quantitative approaches in order to provide reliable risk information within reasonable trade-offs of time and effort. The output from the Assessing Risk phase is a list of significant risks with detailed analysis that the team can use to make business decisions during the next phase of the process.

  • Chapter 5: Conducting Decision Support. This chapter addresses the second phase, Conducting Decision Support. During this phase, teams determine how to address the key risks in the most effective and cost-efficient manner. Teams identify controls, estimate costs, assess the degree of risk reduction, and then determine which controls to implement. The output of the Conducting Decision Support phase is a clear and actionable plan to control or accept each of the top risks identified in the Assessing Risk phase.

  • Chapter 6: Implementing Controls and Measuring Program Effectiveness. This chapter addresses the final two phases of the SRMG: Implementing Controls and Measuring Program Effectiveness. During the Implementing Controls phase, the Mitigation Owners create and execute plans based on the list of control solutions that emerged during the decision support process.

    When the first three phases of the security risk management process are complete, organizations should estimate their progress with regard to security risk management as a whole. The final phase, Measuring Program Effectiveness, introduces the concept of a "Security Risk Scorecard" to assist in this effort.

  • Appendices include:

    • Appendix A: Ad-Hoc Risk Assessments
    • Appendix B: Common Information System Assets
    • Appendix C: Common Threats
    • Appendix D: Vulnerabilities

Related Resources

See the following resources on the Microsoft Web site for more information about this and other Solution Accelerators:

Community and Feedback

  • Want to know what’s coming up next? Check out our Security Guidance Blog.
  • E-mail your feedback to the following address: SecWish@microsoft.com
  • If you’ve used a Solution Accelerator within your organization, please share your experience with us by completing this short survey (less than ten minutes long).

About Solution Accelerators

Solution Accelerators are authoritative resources that help IT professionals plan, deliver, operate, and manage IT systems that address real-world scenarios. Solution Accelerators provide free prescriptive guidance and automation to accelerate cross-product integration, core infrastructure development, and other enhancements.

Register to receive the Solution Accelerator Notifications newsletter so that you can stay informed about new Solution Accelerator releases and updates. The newsletter covers such areas of interest as

  • Communication & Collaboration
  • Security, Data Protection, & Recovery
  • Deployment
  • Operations & Management
