Microsoft Solutions for Security and Compliance
Microsoft Security Center of Excellence
The Security Risk Management Guide
© 2006 Microsoft Corporation. This work is licensed under the Creative Commons Attribution-NonCommercial License. To view a copy of this license, visit http://creativecommons.org/licenses/by-nc/2.5/ or send a letter to Creative Commons, 543 Howard Street, 5th Floor, San Francisco, California, 94105, USA.
Chapter 1: Introduction to the Security Risk Management Guide
Executive Summary
The Environmental Challenges
Most organizations recognize the critical role that information technology (IT) plays in supporting their business objectives. But today's highly connected IT infrastructures exist in an environment that is increasingly hostile—attacks are being mounted with increasing frequency and are demanding ever shorter reaction times. Often, organizations are unable to react to new security threats before their business is impacted. Managing the security of their infrastructures—and the business value that those infrastructures deliver—has become a primary concern for IT departments. Furthermore, new legislation that stems from privacy concerns, financial obligations, and corporate governance is forcing organizations to manage their IT infrastructures more closely and effectively than in the past. Many government agencies and organizations that do business with those agencies are mandated by law to maintain a minimum level of security oversight. Failure to proactively manage security may put executives and whole organizations at risk due to breaches in fiduciary and legal responsibilities.
A Better Way
The Microsoft approach to security risk management provides a proactive approach that can assist organizations of all sizes with their response to the requirements presented by these environmental and legal challenges. A formal security risk management process enables enterprises to operate in the most cost-efficient manner with a known and acceptable level of business risk. It also gives organizations a consistent, clear path to organize and prioritize limited resources in order to manage risk. You will realize the benefits of using security risk management when you implement cost-effective controls that lower risk to an acceptable level. The definition of acceptable risk, and the approach to managing risk, varies for every organization. There is no right or wrong answer; there are many risk management models in use today. Each model has tradeoffs that balance accuracy, resources, time, complexity, and subjectivity. Investing in a risk management process—with a solid framework and clearly defined roles and responsibilities—prepares the organization to articulate priorities, plan to mitigate threats, and address the next threat or vulnerability to the business. Additionally, an effective risk management program will help the company to make significant progress toward meeting new legislative requirements.
Microsoft Role in Security Risk Management
This is the first prescriptive guide that Microsoft has published that focuses entirely on security risk management. Based on both Microsoft experiences and those of its customers, this guidance was tested and reviewed by customers, partners, and technical reviewers during development. The goal of this effort is to deliver clear, actionable guidance on how to implement a security risk management process that delivers a number of benefits, including:
- Moving customers to a proactive security posture and freeing them from a reactive, frustrating process.
- Making security measurable by showing the value of security projects.
- Helping customers to efficiently mitigate the largest risks in their environments rather than applying scarce resources to all possible risks.
Guide Overview
This guide uses industry standards to deliver a hybrid of established risk management models in an iterative...