Microsoft Security Risk Management Guide - Worth a look?
The Security Risk Management Guide by Microsoft helps an organization put a security risk management plan in place. The guide is technology agnostic and references many industry-accepted standards for managing security risk.
According to Microsoft [1]:
This guide helps customers of all types plan, build, and maintain a successful security risk management program. In a four phase process, depicted below, the guide explains how to conduct each phase of a risk management program and how to build an ongoing process to measure and drive security risks to an acceptable level.
The guide consists of six chapters plus appendices: an introduction to the Security Risk Management Guide, a survey of security risk management practices, the security risk management overview, a chapter on how to assess risk, a chapter on how to conduct decision support, and finally the chapter on implementing controls and measuring program effectiveness. The appendices deal with ad-hoc risk assessments, common information system assets, and common threats and vulnerabilities.
The guide can be downloaded directly at [2].
This guide uses industry standards to deliver a hybrid of established risk management models in an iterative four-phase process that seeks to balance cost and effectiveness. The Microsoft security risk management process enables organizations to implement and maintain processes to identify and prioritize risks in their IT environments. This guide seeks to clearly describe a process that organizations can follow to implement and maintain a security risk management program.
Chapter 1 - Introduction
This chapter introduces the guide and gives a brief overview of each chapter. There is not much to point out here. It does, however, identify several touchpoints, such as the need for a well-defined list of risk management stakeholders and the organization's maturity in terms of risk management. For all of this, an atmosphere of open communication and a spirit of teamwork should exist in the target organization. Since this should be standard in any organization, I am not very impressed by these two touchpoints. The same goes for the points that a holistic view of the organization brings benefits and authority throughout the process.
Chapter 2 - Survey of Security Risk Management Practices
This chapter starts with a review of the strengths and weaknesses of the reactive and proactive approaches to security risk management. For those not familiar with traditional risk management, this is a very rough overview of the topic. There are many different methodologies for prioritizing or assessing risks, but most are based on one of two approaches or a combination of the two: quantitative risk management or qualitative risk management. Here, too, the guide gives only a rough overview of quantitative and qualitative risk assessment. Important terms such as Annual Loss Expectancy (ALE), Annual Rate of Occurrence (ARO) and similar are explained. The following figure illustrates the four phases of the Microsoft security risk management process.
[Figure: the four phases of the Microsoft security risk management process. Image source: Microsoft]
The Microsoft security risk management process consists of four phases. The first, the Assessing Risk phase, combines aspects of both quantitative and qualitative risk assessment methodologies. A qualitative approach is used to quickly triage the entire list of security risks. The most serious risks identified during this triage are then examined in more detail using a quantitative approach. The result is a relatively short list of the most important risks that have been examined in detail.
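To make the hybrid approach of the Assessing Risk phase concrete, here is an added example (my own code, not from the guide or from Microsoft): every risk is first triaged with a qualitative impact-times-probability score, and only the survivors get a quantitative Annual Loss Expectancy. The rating scale, the triage threshold and the sample risks are constructed; the formulas SLE = asset value x exposure factor and ALE = SLE x ARO are the standard quantitative formulas behind the ALE and ARO terms the chapter explains.

```python
"""Hybrid risk assessment: qualitative triage of every risk, then quantitative
Annual Loss Expectancy (ALE) for the risks that survive triage.

Added example, not code from the guide or this post. Rating scale, threshold
and sample risks are constructed; SLE = AV x EF and ALE = SLE x ARO are the
standard quantitative risk formulas.
"""
from __future__ import annotations

from dataclasses import dataclass

# Constructed qualitative scale used only for the triage step.
RATING = {"low": 1, "medium": 2, "high": 3}


@dataclass
class Risk:
    name: str
    impact: str             # qualitative impact rating: low / medium / high
    probability: str        # qualitative probability rating: low / medium / high
    asset_value: float      # monetary value of the affected asset (AV)
    exposure_factor: float  # fraction of AV lost per occurrence (EF, 0..1)
    aro: float              # Annual Rate of Occurrence (ARO)


def qualitative_score(risk: Risk) -> int:
    """Impact rating x probability rating; higher means more urgent."""
    return RATING[risk.impact] * RATING[risk.probability]


def triage(risks: list[Risk], threshold: int = 3) -> list[Risk]:
    """Keep only risks whose qualitative score reaches the threshold.
    The constructed default of 3 keeps any risk rated high on either axis
    plus medium/medium, and drops low/low, low/medium and medium/low."""
    return [r for r in risks if qualitative_score(r) >= threshold]


def single_loss_expectancy(risk: Risk) -> float:
    """SLE = AV x EF: expected loss from a single occurrence."""
    return risk.asset_value * risk.exposure_factor


def annual_loss_expectancy(risk: Risk) -> float:
    """ALE = SLE x ARO: expected loss per year."""
    return single_loss_expectancy(risk) * risk.aro


def assess(risks: list[Risk], threshold: int = 3) -> list[tuple[str, int, float]]:
    """Qualitative triage first, then quantitative ALE for the survivors,
    returned as (name, qualitative score, ALE) sorted by ALE, highest first."""
    shortlisted = triage(risks, threshold)
    ranked = [(r.name, qualitative_score(r), annual_loss_expectancy(r)) for r in shortlisted]
    return sorted(ranked, key=lambda item: item[2], reverse=True)


# Constructed sample risks (not taken from the guide).
SAMPLE_RISKS = [
    Risk("Ransomware on file server", "high", "medium", 500_000, 0.4, 0.5),
    Risk("Laptop theft", "medium", "high", 20_000, 1.0, 2.0),
    Risk("Data center fire", "high", "low", 2_000_000, 0.8, 0.02),
    Risk("Website defacement", "low", "medium", 50_000, 0.1, 1.0),
]

if __name__ == "__main__":
    for name, score, ale in assess(SAMPLE_RISKS):
        print(f"{name:28s} score={score} ALE={ale:,.0f}")
```

Note how the two steps disagree on the order: "Laptop theft" and the ransomware risk share the same qualitative score, but the ALE figures separate them by a factor of 2.5, which is exactly why the guide follows the quick triage with a quantitative look at the short list.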
Chapter 3 - Security Risk Management Overview
This chapter is the first in the guide to provide a full summary of the Microsoft security risk management process. After this overview, the chapter discusses several topics that will assist readers as they implement the process. It gives a first rough overview of the four phases of the cycle, which are:
- Assessing Risk. Identify and prioritize risks to the business.
- Conducting Decision Support. Identify and evaluate control solutions based on a defined cost-benefit analysis process.
- Implementing Controls. Deploy and operate control solutions to reduce risk to the business.
- Measuring Program Effectiveness. Analyze the risk management process for effectiveness and verify that controls are providing the expected degree of protection.
The guide also explains the correlation between security and effort. The relative levels of effort may also be helpful as a guide to avoid spending too much time on one point of the overall process. The Microsoft security risk management process defines risk management as the overall process of managing risk to an acceptable level across the business. Risk assessment is defined as the process of identifying and prioritizing risks to the business. Communication is important so that everyone involved in the risk management process understands the complexity within each element of the risk definition. An explanation of how to determine the organization's risk management maturity level and how to do a self-assessment is given as well. The maturity stages are comparable to those defined by SSE-CMM, SPICE or CMMI. Important roles and responsibilities are defined, although these should be adapted to your own company's needs.
Chapter 4 - Assessing Risk
This chapter is a long explanation of how to assess risk using the steps planning, facilitated data gathering and risk prioritization. The chapter is detailed enough to understand the process and how to step through all activities, and a worked example shows how to apply the assessment. The Assessing Risk phase of the risk management cycle is required to manage risks across the organization. When you conduct the planning, facilitated data gathering, and prioritization steps, remember that the intent of the Assessing Risk phase is not only to identify and prioritize risks, but to do so in an efficient and timely manner. This chapter is a pleasant read!
Chapter 5 - Conducting Decision Support
When comparing the value of one control to that of another, there are no simple formulas, and the process can be challenging for a variety of reasons. This chapter therefore deals with how to conduct decision support. Like chapter 4, it is a nice read, quite complete, and gives a good example for understanding this phase. During the Conducting Decision Support phase, the Security Risk Management Team gathers several key pieces of additional information about each of the top risks identified during the Assessing Risk phase. For each risk, it determines whether the organization should choose to control, accept, transfer, or avoid it.
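The chapter says there is no simple formula for comparing controls, but the cost-benefit reasoning behind the control / accept / transfer / avoid decision can still be written down. The following is an added example of my own (not code from the guide or from Microsoft): for one risk it computes the ALE before and after each candidate control, subtracts the control's yearly cost, and then applies a constructed decision rule. The risk tolerance figures, the insurance premium, the decision rule and all sample values are assumptions; ALE = AV x EF x ARO is the standard formula.

```python
"""Decision support: cost-benefit of candidate controls and the
control / accept / transfer / avoid decision for a single risk.

Added example, not code from the guide or this post. The decision rule, the
tolerance figures, the insurance premium and all sample values are
constructed assumptions; ALE = AV x EF x ARO is the standard formula.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass
class RiskItem:
    name: str
    asset_value: float
    exposure_factor: float
    aro: float
    tolerance: float        # highest ALE the business accepts for this risk (constructed)


@dataclass
class Control:
    name: str
    annual_cost: float      # yearly cost of deploying and operating the control
    residual_ef: float      # exposure factor once the control is in place
    residual_aro: float     # ARO once the control is in place


def ale(asset_value: float, exposure_factor: float, aro: float) -> float:
    """Annual Loss Expectancy = AV x EF x ARO."""
    return asset_value * exposure_factor * aro


def evaluate_control(risk: RiskItem, control: Control) -> dict:
    """Cost-benefit of one control: ALE reduction minus the control's yearly cost."""
    before = ale(risk.asset_value, risk.exposure_factor, risk.aro)
    after = ale(risk.asset_value, control.residual_ef, control.residual_aro)
    return {
        "control": control.name,
        "ale_before": before,
        "ale_after": after,
        "net_benefit": before - after - control.annual_cost,
    }


def recommend(risk: RiskItem, candidates: list[Control],
              transfer_premium: float | None = None) -> tuple[str, str | None]:
    """Constructed decision rule:
      accept   if the current ALE is already within tolerance;
      control  using the control with the highest positive net benefit that
               brings the ALE within tolerance;
      transfer if no such control exists but insurance costs less than the ALE;
      avoid    otherwise, i.e. stop the activity that creates the risk."""
    current = ale(risk.asset_value, risk.exposure_factor, risk.aro)
    if current <= risk.tolerance:
        return ("accept", None)
    viable = [e for e in (evaluate_control(risk, c) for c in candidates)
              if e["net_benefit"] > 0 and e["ale_after"] <= risk.tolerance]
    if viable:
        best = max(viable, key=lambda e: e["net_benefit"])
        return ("control", best["control"])
    if transfer_premium is not None and transfer_premium < current:
        return ("transfer", "insurance")
    return ("avoid", None)


# Constructed sample data (not taken from the guide).
RANSOMWARE = RiskItem("Ransomware on file server", 500_000, 0.4, 0.5, tolerance=20_000)
RANSOMWARE_CONTROLS = [
    Control("Offline backups plus patching", 30_000, residual_ef=0.1, residual_aro=0.25),
    Control("Endpoint detection only", 45_000, residual_ef=0.4, residual_aro=0.2),
]
LAPTOP_THEFT = RiskItem("Laptop theft", 20_000, 1.0, 2.0, tolerance=50_000)
DC_FIRE = RiskItem("Data center fire", 2_000_000, 0.8, 0.02, tolerance=10_000)
DC_FIRE_CONTROLS = [
    Control("Fire suppression upgrade", 40_000, residual_ef=0.2, residual_aro=0.02),
]

if __name__ == "__main__":
    print(recommend(RANSOMWARE, RANSOMWARE_CONTROLS))
    print(recommend(LAPTOP_THEFT, []))
    print(recommend(DC_FIRE, DC_FIRE_CONTROLS, transfer_premium=15_000))
```

The second ransomware control has a positive net benefit yet is rejected, because it leaves the residual ALE above the tolerance the business set; the fire suppression upgrade costs more per year than the risk it removes, so transferring that risk is the better option. Those two cases are the kind of judgement the chapter says no single formula captures; the rule above only makes the inputs to that judgement explicit.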
Chapter 6 - Implementing Controls and Measuring Program Effectiveness
This chapter explains the last two phases of the Microsoft security risk management process: Implementing Controls and Measuring Program Effectiveness. During the Implementing Controls phase, the Mitigation Owners deploy the controls that were specified during the previous phase. The Measuring Program Effectiveness phase allows the Security Risk Management Team to formally document the current state of risk to the organization. As the business continues along the risk management cycle, this phase also helps demonstrate the progress of managing risk to an acceptable level over time.
This chapter is too superficial in every respect. I miss important information on how to conduct measurement and how to derive specific metrics.
Conclusion
The Microsoft Security Risk Management Guide is worth a look. It provides a good introduction to and overview of the topic. In my opinion it lacks detail and is too far from being a real standard. However, having a look at it is not a bad idea, and it can help to manage security risks at the organizational level, at least on a basic level.
References
[1] Microsoft Security Risk Management Guide
[2] LINK