Paula Kiernan
Ward Solutions
Session Prerequisites
Basic understanding of network security fundamentals
Basic understanding of security risk management concepts
Level 300
Target Audience
This session is primarily intended for:
Systems architects and planners
Members of the information security team
Security and IT auditors
Senior executives, business analysts, and business decision makers
Consultants and partners
Session Overview
Security Risk Management Concepts
Identifying Security Risk Management Prerequisites
Assessing Risk
Conducting Decision Support
Implementing Controls and Measuring Program Effectiveness
Proactive approach
Benefits
Drawbacks
Quantitative
Qualitative
Measuring Program Effectiveness
Assessing Risk
Implementing Controls
Conducting Decision Support
Risk Assessment
Goal
Cycle
Schedule
Scheduled activity
Continuous activity
Alignment
Not applicable
Communicating Risk
Asset
Threat
Vulnerability
Mitigation: What is currently reducing the risk?
Impact: What is the impact to the business?
Probability: How likely is the threat given the controls?
IT Governance Institute
International Standards Organization
State
Non-existent
Ad hoc
Repeatable
Defined process
Managed
Optimized
Information Security Group
Prioritize risks
IT Group
Best control solution
Determine acceptable risk
Assess risks
Define security requirements
Measure security solutions
Operate and support security solutions
Assessing Risk
Organizational assets
Asset description
Build support
Security threats
Vulnerabilities
Current control environment
Proposed controls
Build goodwill
Be prepared
Medium exposure
Low exposure
Minor or no loss
Medium threat
Low threat
Start risk prioritization
Conduct summary-level risk prioritization
Summary-level risk prioritization
Review with stakeholders
Conduct detailed-level risk prioritization
Detailed-level risk prioritization
End of risk prioritization
Quantifying Risk
The following tasks outline the process to determine the quantitative value:
1 Assign a monetary value to each asset class
2 Input the asset value for each risk
3 Produce the single-loss expectancy value (SLE)
4 Determine the annual rate of occurrence (ARO)
5 Determine the annual loss expectancy (ALE)
Conducting Decision Support
Mitigation owner: identifies potential control solutions; determines types of costs
Security risk management team: estimates level of risk reduction
Security steering committee: final list of control solutions
Mitigation owner
Security steering committee
Define functional requirements
Identify control solutions
Review solutions against requirements
Estimate degree of risk reduction
Estimate cost of each solution
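Worked example, added here and not part of the original session material: it carries the Quantifying Risk tasks (assign asset value, produce SLE, determine ARO, determine ALE) through a small constructed risk register, ranks the risks by ALE, and then uses the ALE for the decision-support steps above (estimate degree of risk reduction, estimate cost of each solution) by comparing a proposed control's annual benefit against its annual cost. Every asset value, exposure factor, rate of occurrence, control name and cost below is a constructed placeholder, not a figure from the deck.

```python
from dataclasses import dataclass
from typing import Dict, List

# Constructed example figures: all asset values, exposure factors, rates and
# costs below are illustrative placeholders, not data from the session.


@dataclass(frozen=True)
class AssetClass:
    name: str
    value: float  # Step 1: monetary value assigned to the asset class


@dataclass(frozen=True)
class Risk:
    name: str
    asset: AssetClass        # Step 2: the asset value this risk draws on
    exposure_factor: float   # fraction of the asset value lost in one incident (0..1)
    aro: float               # Step 4: annual rate of occurrence (incidents per year)

    def sle(self) -> float:
        """Step 3: single-loss expectancy = asset value x exposure factor."""
        return self.asset.value * self.exposure_factor

    def ale(self) -> float:
        """Step 5: annual loss expectancy = SLE x ARO."""
        return self.sle() * self.aro


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float      # decision support: estimated cost of the solution per year
    risk_reduction: float   # decision support: estimated degree of risk reduction (0..1)


def rank_risks(risks: List[Risk]) -> List[Risk]:
    """Order risks by ALE, highest first, so the largest annualized exposure is on top."""
    return sorted(risks, key=lambda r: r.ale(), reverse=True)


def evaluate_control(risk: Risk, control: Control) -> Dict[str, float]:
    """Compare a proposed control against the risk it mitigates.

    residual_ale   : ALE that remains after the control is in place
    annual_benefit : ALE removed by the control
    net_benefit    : annual_benefit minus the control's annual cost
    A negative net benefit means the control costs more per year than the
    loss it is expected to prevent, which argues for another option.
    """
    residual = risk.ale() * (1.0 - control.risk_reduction)
    benefit = risk.ale() - residual
    return {
        "residual_ale": residual,
        "annual_benefit": benefit,
        "net_benefit": benefit - control.annual_cost,
    }


# Constructed risk register (placeholder values)
CUSTOMER_DB = AssetClass("Customer database", 2_000_000.0)
WEB_SERVERS = AssetClass("Public web servers", 500_000.0)

RISKS = [
    Risk("Database breach via stolen credentials", CUSTOMER_DB, exposure_factor=0.30, aro=0.2),
    Risk("Web server defacement", WEB_SERVERS, exposure_factor=0.10, aro=2.0),
    Risk("Database loss from hardware failure", CUSTOMER_DB, exposure_factor=0.05, aro=0.5),
]

# Constructed candidate controls, keyed by the risk they address (placeholder values)
CONTROLS = {
    "Database breach via stolen credentials": Control("Multi-factor authentication for database admins", 40_000.0, 0.75),
    "Web server defacement": Control("Web application firewall", 70_000.0, 0.60),
}

if __name__ == "__main__":
    print(f"{'Risk':45} {'SLE':>12} {'ARO':>6} {'ALE':>12}")
    for r in rank_risks(RISKS):
        print(f"{r.name:45} {r.sle():12,.0f} {r.aro:6.2f} {r.ale():12,.0f}")
    print()
    for r in RISKS:
        c = CONTROLS.get(r.name)
        if c is None:
            continue
        e = evaluate_control(r, c)
        verdict = "justified" if e["net_benefit"] > 0 else "not justified on cost alone"
        print(f"{c.name}: benefit {e['annual_benefit']:,.0f}/yr vs cost "
              f"{c.annual_cost:,.0f}/yr -> net {e['net_benefit']:,.0f} ({verdict})")
```

Running the block prints the register ranked by ALE and a cost-benefit line per control. Note that the summary-level ranking and the control decision can disagree: here the defacement risk ranks second by ALE, yet the proposed firewall has a negative net benefit at the constructed cost, which is exactly the point where the steering committee would ask the mitigation owner for a cheaper or more effective option.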
Implementing Controls
Seek a holistic approach
Organize by defense-in-depth
Organizing by Defense-in-Depth
Physical
Network
Host
Application
Data
Measuring Program Effectiveness
Develop scorecard
Measure control effectiveness
Scorecard (figure): defense-in-depth layers (Physical, Network, Host, Application, Data) tracked by quarter (FY05 Q2, FY05 Q3, FY05 Q4)
Session Summary
One common thread between most risk management methodologies
tools and templates to assist with the entire risk management process
Next Steps
Find additional security training events:
http://www.microsoft.com/seminar/events/security.mspx
Sign up for security communications:
http://www.microsoft.com/technet/security/signup/default.mspx
Order the Security Guidance Kit:
http://www.microsoft.com/security/guidance/order/default.mspx
Get additional security tools and content:
http://www.microsoft.com/security/guidance