How to use the free Microsoft Security Risk Management Guide


Many of the smaller organisations I come into contact with are keen to improve their information security, but lack either the in-house knowledge or the funds to bring in a specialist advisor.



While standards such as ISO 27001 lay down requirements for current best practices in information security, they don't provide much guidance on how to go about applying them, particularly in some of the key areas, such as risk assessments. To be most relevant, a risk assessment should be conducted by a security professional. But what if the organisation can't afford one, or wants to know more about the subject before engaging a specialist?

One free kit that can help in both situations is the Microsoft Security Risk Management Guide. The free document explains how to plan, build and maintain a successful security risk management programme to measure security risks and drive them down to acceptable levels. It isn't aimed solely at Microsoft-based systems either. The guide references many accepted industry standards for managing security risks. Although it hasn't been updated since 2006, it is still a relevant and useful tool, though some of the information contained in the appendices is somewhat out of date.

The guide consists of the 123-page Security Risk Management Guide, a data-gathering template, risk analysis and risk prioritisation tools and a sample project. The guide gives a solid introduction to security risk management, including terms and definitions, and a review of the different approaches to security risk management. It also explains how to determine your organisation's risk management maturity level.

Following an overview, the guide takes you through its four phases of security risk management: assessing risk, conducting decision support, implementing controls and measuring program effectiveness.

The product of the conducting decision support phase should be a clear and actionable plan to control or accept each of the top risks identified in the assessing risk phase. The guide balances qualitative and quantitative approaches to risk prioritisation, focusing on achieving reasonable trade-offs of time and effort. This makes it a practical and realistic approach for many smaller or cash-strapped businesses. When the first three phases of the security risk management process are complete, the final phase -- measuring program effectiveness -- introduces the concept of a security risk scorecard, which allows the organisation to estimate the progress made with regard to security risk management as a whole.

This guide and its accompanying tools and templates mentioned above do a good job of covering the issues and areas of ambiguity and concern that many organisations have when it comes to implementing a structured approach to information security, and there are plenty of useful links to further related material. Anyone tasked with improving information security in his or her organisation and who needs to conduct a risk assessment should start with this guide.

About the author:
Michael Cobb, CISSP-ISSAP, CLAS is a renowned security author with more than 15 years of experience in the IT industry. He is the founder and managing director of Cobweb Applications, a consultancy that provides data security services delivering ISO 27001 solutions. He co-authored the book IIS Security and has written numerous technical articles for leading IT publications. Cobb serves as SearchSecurity.com's contributing expert for application and platform security topics, and has been a featured guest instructor for several of SearchSecurity.com's Security School lessons.


This was first published in May 2011

