Many of the smaller organisations I come into contact with are keen to improve their information security, but lack either the in-house knowledge or the funds to bring in a specialist advisor.
The guide gives a solid introduction to security risk management, including terms and definitions, and a review of the different approaches to security risk management. It also explains how to determine your organisation's risk management maturity level.
While standards such as ISO 27001 lay down requirements for current best practices in information security, they don't provide much guidance on how to go about applying it, particularly in some of the key areas, such as risk assessments. To be most relevant, a risk assessment should be conducted by a security professional. But what if the organisation can't afford one or wants to know more about the subject before engaging a specialist?
One free kit that can help in both situations is the Microsoft Security Risk Management Guide. The free document explains how to plan, build and maintain a successful security risk management programme to measure security risks and drive them down to acceptable levels. It isn't aimed solely at Microsoft-based systems either. The guide references many accepted industry standards for managing security risks. Although it hasn't been updated since 2006, it is still a relevant and useful tool, though some of the information contained in the appendices is somewhat out of date.
The guide consists of the 123-page Security Risk Management Guide, a data-gathering template, risk analysis and risk prioritisation tools and a sample project. The guide gives a solid introduction to security risk management, including terms and definitions, and a review of the different approaches to security risk management. It also explains how to determine your organisation's risk management maturity level.
Following an overview, the guide takes you through its four phases of security risk management: assessing risk, conducting decision support, implementing controls and measuring program effectiveness.
The product of the conducting decision support phase should be a clear and actionable plan to control or accept each of the top risks identified in the assessing risk phase. It balances qualitative and quantitative approaches to risk prioritisation, focusing on achieving reasonable trade-offs of time and effort. This makes it a practical and realistic approach for many smaller or cash-strapped businesses. When the first three phases of the security risk management process are complete, the final phase -- measuring program effectiveness -- introduces the concept of a security risk scorecard, which allows the organisation to estimate the progress made with regard to security risk management as a whole.
This guide and its accompanying tools and templates mentioned above do a good job of covering the issues and areas of ambiguity and concern that many organisations have when it comes to implementing a structured approach to information security, and there are plenty of useful links to further related material. Anyone tasked with improving information security in his or her organisation and who needs to conduct a risk assessment should start with this guide.
About the author:
Michael Cobb, CISSP-ISSAP, CLAS is a renowned security author with more than 15 years of experience in the IT industry. He is the founder and managing director of Cobweb Applications, a consultancy that provides data security services delivering ISO 27001 solutions. He co-authored the book IIS Security and has written numerous technical articles for leading IT publications.Cobb serves as SearchSecurity.com’s contributing expert for application and platform security topics, and has been a featured guest instructor for several of SearchSecurity.com’s Security School lessons.
This was first published in May 2011