Security Risk Management
Jamie Sharp CISSP
Security Advisor
Microsoft Australia
Session Overview
• Security Risk Management Concepts
• Security Risk Management Prerequisites
• Assessing Risk
• Conducting Decision Support
• Implementing Controls and Measuring Program Effectiveness
Agenda: Security Risk Management Concepts
Why Develop a Security Risk Management Process?
• Security risk management
– A process for identifying, prioritizing and managing risk to an acceptable level within the organization
• A formal security risk management process can address the following:
– Threat response time
– Regulatory compliance
– Infrastructure management costs
– Risk prioritization and management
Critical Success Factors
• Executive sponsorship
• Well defined list of stakeholders
• Organizational maturity
• Open communication and teamwork
• Holistic view of the organization
• Security risk management team authority
Risk Management Strategies
• Reactive
– A process that responds to security events as they occur
• Proactive
– A process that reduces the risk of new vulnerabilities in your organization
Risk Assessment Methodologies

Quantitative
Benefits:
• Risks prioritized by financial impact; assets prioritized by their financial values
• Results facilitate management of risk by return on security investment
• Results can be expressed in management-specific terminology
Drawbacks:
• Impact values assigned to risks are based upon subjective opinions of the participants
• Very time-consuming
• Can be extremely costly

Qualitative
Benefits:
• Enables visibility and understanding of risk ranking
• Easier to reach consensus
• Not necessary to quantify threat frequency
• Not necessary to determine financial values of assets
Drawbacks:
• Insufficient granularity between important risks
• Difficult to justify investing in control as there is no basis for a cost-benefit analysis
• Results dependent upon the quality of the risk management team that is created
Microsoft Security Risk Management Process
A four-phase cycle:
1. Assessing Risk
2. Conducting Decision Support
3. Implementing Controls
4. Measuring Program Effectiveness (which feeds back into Assessing Risk)
Agenda: Security Risk Management Prerequisites
Risk Management vs. Risk Assessment
Goal
– Risk management: manage risks across the business to an acceptable level
– Risk assessment: identify and prioritize risks
Cycle
– Risk management: overall program across all four phases
– Risk assessment: single phase of the risk management program
Schedule
– Risk management: continuous activity
– Risk assessment: scheduled activity
Alignment
– Risk management: aligned with budgeting cycles
– Risk assessment: not applicable
Communicating Risk
Well-Formed Risk Statement (Exposure)
• Asset: What are you trying to protect?
• Threat: What are you afraid of happening?
• Vulnerability: How could the threat occur?
• Mitigation: What is currently reducing the risk?
• Probability: How likely is the threat given the controls?
• Impact: What is the impact to the business?
Starting Points
• NIST http://www.nist.gov
– Security Self-Assessment Guide for Information Technology Systems (SP-800-26)
• IT Governance Institute http://www.isaca.org
– Control Objectives for Information and Related Technology (CobiT)
• ISO http://www.iso.org
– ISO 17799 - ISO Code of Practice for Information Security Management
• SAI Global http://www.standards.com.au
– AS/NZS 4360:2004 - Risk Management
– AS/NZS 7799.2:2003 - Information Security Management
• Microsoft Security Risk Management Guide
– http://www.microsoft.com/technet/security/guidance/secrisk
Risk Management Maturity Self-Assessment
Level State
0 Non-existent
1 Ad hoc
2 Repeatable
3 Defined process
4 Managed
5 Optimized
Roles and Responsibilities
• Executive Sponsor (“What's important?”)
– Determine acceptable risk
• Information Security Group (“Prioritize risks”)
– Assess risks
– Define security requirements
– Measure security solutions
• IT Group (“Best control solution”)
– Design and build security solutions
– Operate and support security solutions
Agenda: Assessing Risk
Overview of the Assessing Risk Phase
Phase 1 of the four-phase process (Assessing Risk, Conducting Decision Support, Implementing Controls, Measuring Program Effectiveness)
• Plan risk data gathering
• Gather risk data
• Prioritize risks
Understanding the Planning Step
• The primary tasks in the planning step include the following:
– Alignment
– Scoping
– Stakeholder acceptance
– Setting expectations
Facilitated Data Gathering
• Elements collected during facilitated data gathering include:
– Organizational assets
– Asset description
– Security threats
– Vulnerabilities
– Current control environment
– Proposed controls
• Keys to successful data gathering include:
– Meet collaboratively with stakeholders
– Build support
– Understand the difference between discussing and interrogating
– Build goodwill
– Be prepared
Identifying and Classifying Assets
• An asset is anything of value to the organization and can be classified as one of the following:
– High business impact
– Moderate business impact
– Low business impact
Organizing Risk Information
• Use the following questions as an agenda during the facilitated discussions:
– What asset are you protecting?
– How valuable is the asset to the organization?
– What are you trying to avoid happening to the asset?
– How might loss or exposures occur?
– What is the extent of potential exposure to the asset?
– What are you doing today to reduce the probability or the extent of damage to the asset?
– What are some actions that you can take to reduce the probability in the future?
Estimating Asset Exposure
• Exposure: The extent of potential damage to an asset
• Use the following guidelines to estimate asset exposure:
– High exposure: severe or complete loss of the asset
– Medium exposure: limited or moderate loss
– Low exposure: minor or no loss
Estimating Threat Probability
• Use the following guidelines to estimate probability for each threat and vulnerability identified:
– High threat: Likely—one or more impacts expected within one year
– Medium threat: Probable—impact expected within two to three years
– Low threat: Not probable—impact not expected to occur within three years
Scenario 1: Facilitating a Risk Discussion at Woodgrove Bank
• Woodgrove Bank is a consumer financial institution in the process of conducting a Security Risk Management project
– Task One: Determining Organizational Assets and Scenarios
• Interest Calculation Systems
• Customer Personally Identifiable Information (PII)
• Reputation
• Consumer financial data—High Business Impact (HBI)
– Task Two: Identifying Threats
• Threat of a loss of integrity to consumer financial data
– Task Three: Identifying Vulnerabilities
• Theft of financial advisor credentials by trusted employee abuse using non-technical attacks, for example, social engineering or eavesdropping
• Theft of financial advisor credentials off local area network (LAN) hosts through the use of outdated security configurations
• Theft of financial advisor credentials off remote, or mobile, hosts as a result of outdated security configurations
– Task Four: Estimating Asset Exposure
• Breach of integrity through trusted employee abuse: damaging, but not severe. Each financial advisor can only access customer data that he/she manages.
• Breach of integrity through credential theft on LAN hosts: may result in a severe, or high, level of damage.
• Breach of integrity through credential theft on mobile hosts: could have a severe, or high, level of damage. The discussion group notes that the security configurations on remote hosts often lag behind LAN systems.
– Task Five: Identifying Existing Controls and Probability of Exploit
• Agreement that their remote hosts, or mobile hosts, do not receive the same level of management as those on the LAN.
– Task Six: Summarizing the Risk Discussion
• The Risk Assessment Facilitator summarizes the discussion and highlights the assets, threats, and vulnerabilities discussed.
Defining Impact Statements
• Impact data includes the following information:
– Asset name
– Asset class (HBI, MBI, LBI)
– Defense-in-Depth (DID) level
– Threat description
– Vulnerability description
– Exposure rating (ER: H, M, L)
– Impact rating (IR: H, M, L)

Scenario 2: Defining an Impact Statement for Woodgrove Bank
Asset (all three rows): Consumer financial investment data, asset class HBI
Threat (all three rows): Unauthorized access to consumer data through theft of Financial Advisor credentials
• DID level: Host
– Vulnerability: Theft of credentials of managed LAN client via outdated security configurations
– ER: H; IR: H
• DID level: Host
– Vulnerability: Theft of credentials off managed remote client via outdated security configurations
– ER: H; IR: H
• DID level: Data
– Vulnerability: Theft of credentials by trusted employee abuse, via non-technical attacks
– ER: L; IR: M
Understanding Risk Prioritization
1. Start risk prioritization
2. Conduct summary-level risk prioritization (output: summary-level risk prioritization)
3. Review with stakeholders
4. Conduct detailed-level risk prioritization (output: detailed-level risk prioritization)
5. End of risk prioritization
Conducting Summary-Level Risk Prioritization
• The summary-level prioritization includes the following:
1. Determine impact level
2. Estimate summary-level probability
– High. Likely—one or more impacts expected within one year
– Medium. Probable—impact expected within two to three years
– Low. Not probable—impact not expected to occur within three years
3. Complete the summary-level risk list
4. Review with stakeholders
Scenario Three: Summary-Level Risk Prioritization at Woodgrove Bank
• Task One: Determine Impact Level
– Trusted Employee Theft Impact: HBI asset class × Low Exposure = Moderate Impact
– LAN Host Compromise Impact: HBI asset class × High Exposure = High Impact
– Remote Host Compromise Impact: HBI asset class × High Exposure = High Impact
• Task Two: Estimate Summary-Level Probability
– Trusted Employee Theft Probability: Low
– LAN Host Compromise Probability: Medium
– Remote Host Compromise Probability: High
• Task Three: Complete the Summary-Level Risk List
– Trusted Employee Theft Risk: Moderate Impact × Low Probability = Low
– LAN Host Compromise Risk: High Impact × Medium Probability = High
– Remote Host Compromise Risk: High Impact × High Probability = High
– Enter results in the Impact Statement spreadsheet
• Task Four: Review With Stakeholders
– Trusted employee abuse risk is rated as Low in the summary-level risk list and does not need to graduate to the detailed-level risk prioritization step
– LAN and remote host compromise risks are both rated as High and so are then prioritized at the detailed level
Conducting Detailed-Level Risk Prioritization
• The following four tasks outline the process for building a detailed-level list of risks:
1. Determine impact and exposure
2. Identify current controls
3. Determine probability of impact
4. Determine detailed risk level
• Use the Detailed-Level Risk Prioritization template (SRJA3-Detailed Level Risk Prioritization.xls)
Scenario Four: Detailed-Level Risk Prioritization at Woodgrove Bank
• Task One: Determine Impact and Exposure
– LAN Host Compromise Exposure Rating: 4 (80%)
• HBI = 10
• Impact Rating: 10 × 80% = 8
– Remote Host Compromise Exposure Rating: 4 (80%)
• HBI = 10
• Impact Rating: 10 × 80% = 8
– Impact Range: between 7 and 10, which compares to High
• Task Two: Identify Current Controls
– Financial Advisors can only access accounts they own; thus, the exposure is less than 100 percent.
– E-mail notices to patch or update hosts are proactively sent to all users.
– Antivirus and patch updates are measured and enforced on the LAN every few hours. This control reduces the time window when LAN hosts are vulnerable to attack.
• Task Three: Determine Probability of Impact
– LAN and remote hosts: likely that all vulnerability attributes in the High category will be seen inside and outside Woodgrove’s LAN environment in the near future. Vulnerability value = 5 for both risks
– Control Effectiveness:
• LAN: Result of Control Effectiveness Questions = 1
• Remote: Result of Control Effectiveness Questions = 5
– Total Probability Rating (sum of Vulnerability and Control Effectiveness):
• LAN = 6
• Remote = 10
• Task Four: Determine Detailed Risk Level
– Impact Rating × Probability Rating
• LAN: 8 × 6 = 48
• Remote Hosts: 8 × 10 = 80
• Both rate an overall risk of High
Quantifying Risk
• The following tasks outline the process for determining the quantitative value:
– Assign a monetary value to each asset class
– Input the asset value for each risk
– Produce the single-loss expectancy value (SLE)
– Determine the annual rate of occurrence (ARO)
– Determine the annual loss expectancy (ALE)
Scenario Five: Quantifying Risk for Woodgrove Bank
• Task One: Assign Monetary Values to Asset Classes
– Using the 5% materiality guideline for valuing assets
– Net income: $200 million annually
– HBI asset class: $10 million (200 × 5%)
– MBI asset class: $5 million (based on past spending)
– LBI asset class: $1 million (based on past spending)
• Task Two: Identify the Asset Value
– Consumer financial data = HBI asset class
– HBI = $10 million
– Asset value = $10 million
• Task Three: Produce the Single Loss Expectancy Value (SLE)
– SLE = asset class value × exposure value

Risk description ($ in millions) | Asset class value | Exposure rating | Exposure value | SLE
LAN Host Risk | $10 | 4 | 80% | $8
Remote Host Risk | $10 | 4 | 80% | $8

Lookup tables used above (High Business Impact value = $M):
Asset class | Value
HBI | $M
MBI | $M / 2
LBI | $M / 4

Exposure rating | Exposure factor %
5 | 100
4 | 80
3 | 60
2 | 40
1 | 20

• Task Four: Determine the Annual Rate of Occurrence (ARO)
– LAN Host ARO: based on the qualitative assessment of Medium probability, the Security Risk Management Team estimates the risk to occur at least once in two years; thus, the estimated ARO is 0.5.
– Remote Host ARO: based on the qualitative assessment of High probability, the Security Risk Management Team estimates the risk to occur at least once per year; thus, the estimated ARO is 1.

Qualitative rating | Description | ARO range | Description examples
High | Likely | >= 1 | Impact once or more per year
Medium | Probable | .99 to .33 | At least once every 1-3 years
Low | Not probable | < .33 | At least once in greater than 3 years

• Task Five: Determine the Annual Loss Expectancy (ALE) (SLE × ARO)

Risk description ($ in millions) | Asset class value | Exposure rating | Exposure value | SLE | ARO | ALE
LAN Host Risk | $10 | 4 | 80% | $8 | 0.5 | $4
Remote Host Risk | $10 | 4 | 80% | $8 | 1 | $8
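As an added worked example (not the Microsoft guide's own spreadsheet template or code), the following Python carries the Woodgrove Bank figures from Scenario Four and Scenario Five through the detailed-level and quantitative calculations: impact rating = asset class value × exposure factor, probability = vulnerability + control effectiveness, detailed risk = impact × probability, SLE = asset value × exposure factor, ALE = SLE × ARO. The MBI/LBI impact-scale values, the Medium/Low band edges for impact and risk score, and all function names are assumptions.

```python
"""Detailed-level and quantitative risk calculations from the Microsoft
Security Risk Management process, worked with the Woodgrove Bank figures.
Added illustration only; not the guide's own spreadsheet templates."""
from collections import namedtuple

# Exposure rating (1-5) -> exposure factor, as in the slide's lookup table.
EXPOSURE_FACTOR = {5: 1.00, 4: 0.80, 3: 0.60, 2: 0.40, 1: 0.20}

# Detailed-level impact scale. HBI = 10 is on the slides; the MBI and LBI
# values are assumptions mirroring the monetary table (HBI/2, HBI/4).
IMPACT_SCALE = {"HBI": 10.0, "MBI": 5.0, "LBI": 2.5}

def impact_rating(asset_class, exposure_rating):
    """Impact rating = asset class value x exposure factor (HBI 10 x 80% = 8)."""
    if exposure_rating not in EXPOSURE_FACTOR:
        raise ValueError(f"exposure rating must be 1-5, got {exposure_rating}")
    return IMPACT_SCALE[asset_class] * EXPOSURE_FACTOR[exposure_rating]

def impact_level(rating):
    """Slide: an impact rating of 7-10 compares to High; lower bands assumed."""
    if rating >= 7:
        return "High"
    return "Medium" if rating >= 4 else "Low"

def probability_rating(vulnerability, control_effectiveness):
    """Probability = vulnerability score + control-effectiveness score, each
    0-5 on the slides (LAN: 5 + 1 = 6, remote: 5 + 5 = 10)."""
    for name, score in (("vulnerability", vulnerability),
                        ("control_effectiveness", control_effectiveness)):
        if not 0 <= score <= 5:
            raise ValueError(f"{name} must be 0-5, got {score}")
    return vulnerability + control_effectiveness

def detailed_risk(impact, probability):
    """Detailed risk = impact rating x probability rating (0-100). The slides
    rate both 48 and 80 as High; the band edges used here are assumptions."""
    score = impact * probability
    level = "High" if score >= 40 else "Medium" if score >= 20 else "Low"
    return score, level

def asset_class_values(net_income, materiality=0.05, mbi=None, lbi=None):
    """HBI value from the 5% materiality guideline. MBI/LBI default to the
    slide's HBI/2 and HBI/4 rule unless given (Woodgrove uses $5M and $1M
    based on past spending)."""
    hbi = net_income * materiality
    return {"HBI": hbi,
            "MBI": hbi / 2 if mbi is None else mbi,
            "LBI": hbi / 4 if lbi is None else lbi}

def single_loss_expectancy(asset_value, exposure_rating):
    """SLE = asset class value x exposure factor."""
    return asset_value * EXPOSURE_FACTOR[exposure_rating]

def aro_band(aro):
    """Qualitative probability implied by an ARO, from the slide's table:
    >= 1 High (once or more per year), 0.33-0.99 Medium, below 0.33 Low."""
    if aro >= 1:
        return "High"
    return "Medium" if aro >= 0.33 else "Low"

def annual_loss_expectancy(sle, aro):
    """ALE = SLE x ARO."""
    if aro < 0:
        raise ValueError("ARO cannot be negative")
    return sle * aro

# One row of the impact-statement spreadsheet (hypothetical record layout).
RiskLine = namedtuple("RiskLine", "name asset_class exposure_rating "
                                  "vulnerability control_effectiveness aro")

def assess(risk, values):
    """Run one risk through the detailed-level and the quantitative steps."""
    impact = impact_rating(risk.asset_class, risk.exposure_rating)
    prob = probability_rating(risk.vulnerability, risk.control_effectiveness)
    score, level = detailed_risk(impact, prob)
    sle = single_loss_expectancy(values[risk.asset_class], risk.exposure_rating)
    return {"impact": impact, "impact_level": impact_level(impact),
            "probability": prob, "score": score, "level": level,
            "sle": sle, "aro_band": aro_band(risk.aro),
            "ale": annual_loss_expectancy(sle, risk.aro)}

def woodgrove():
    """The two Woodgrove risks that graduated to detailed-level prioritization."""
    values = asset_class_values(200e6, mbi=5e6, lbi=1e6)  # net income $200M
    risks = [RiskLine("LAN host compromise", "HBI", 4, 5, 1, 0.5),
             RiskLine("Remote host compromise", "HBI", 4, 5, 5, 1.0)]
    return {r.name: assess(r, values) for r in risks}

if __name__ == "__main__":
    for name, r in woodgrove().items():
        print(f"{name}: impact {r['impact']:.0f} ({r['impact_level']}), "
              f"probability {r['probability']}, risk {r['score']:.0f} "
              f"({r['level']}), SLE ${r['sle'] / 1e6:.0f}M, "
              f"ARO band {r['aro_band']}, ALE ${r['ale'] / 1e6:.0f}M")
```

The `aro_band` check is useful as a consistency test: if the ARO chosen in Task Four does not fall in the band of the qualitative probability assigned at the summary level, one of the two estimates needs revisiting.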
Assessing Risk: Best Practices
• Analyze risks during the data gathering process
• Conduct research to build credibility for estimating probability
• Communicate risk in business terms
• Reconcile new risks with previous risks
Agenda: Conducting Decision Support
Overview of the Decision Support Phase
Phase 2 of the four-phase process (Assessing Risk, Conducting Decision Support, Implementing Controls, Measuring Program Effectiveness)
1. Define functional requirements
2. Identify control solutions
3. Review solutions against requirements
4. Estimate degree of risk reduction
5. Estimate cost of each solution
6. Select the risk mitigation strategy
Identifying Output for the Decision Support Phase
• Key elements to gather include:
– Decision on how to handle each risk
– Functional requirements
– Potential control solutions
– Risk reduction of each control solution
– Estimated cost of each control solution
– List of control solutions to be implemented
Considering the Decision Support Options
• Options for handling risk: ATAM
– Accept
– Transfer
– Avoid
– Mitigate
The six decision support steps, with the participants shown on the process diagram (security risk management team, mitigation owner, security steering committee):
Step 1: Define Functional Requirements
Step 2: Identify Control Solutions
Step 3: Review Solutions Against Requirements
Step 4: Estimate Degree of Risk Reduction
Step 5: Estimate Cost of Each Solution
Step 6: Select the Risk Mitigation Strategy
Conducting Decision Support: Best Practices
• Assign a security technologist to each risk
• Set reasonable expectations
• Build team consensus
• Focus on the amount of risk after the mitigation solution
Agenda: Implementing Controls and Measuring Program Effectiveness
Implementing Controls
Phase 3 of the four-phase process
• Seek a holistic approach
• Organize by Defense-in-Depth
Organizing the Control Solutions
• Critical success determinants to organizing control solutions include:
– Communication
– Team scheduling
– Resource requirements
Organizing by Defense-in-Depth
• Physical
• Network
• Host
• Application
• Data
Measuring Program Effectiveness
Phase 4 of the four-phase process
• Develop scorecard
• Measure control effectiveness
Developing a Security Risk Scorecard for Your Organization
• A simple security risk scorecard organized by the Defense-in-Depth layers (risk levels H, M, L; the FY05 Q3 and Q4 columns are still blank):

Layer        FY05 Q1  FY05 Q2  FY05 Q3  FY05 Q4
Physical     H        M
Network      M        M
Host         M        M
Application  M        H
Data         L        L
Measuring Control Effectiveness
• Methods for measuring the effectiveness of implemented controls include:
– Direct testing
– Submitting periodic compliance reports
– Evaluating widespread security incidents
Summary
• Decide on risk management methodology
• Determine your maturity level
• Conduct risk assessment
• Conduct decision support
• Implement controls & measure effectiveness
Next Steps
• Australia Security Portal
http://www.microsoft.com/australia/security
• Microsoft Security Risk Management Guide
http://www.microsoft.com/technet/security/guidance/secrisk
• MOF - Security Management
http://www.microsoft.com/technet/itsolutions/cits/mo/smf/mofsmsmf.mspx
• Additional security tools and content
http://www.microsoft.com/security/guidance

More Related Content

PDF
Microsoft InfoSec for cloud and mobile
PPTX
Cyber Security # Lec 3
PPT
Risk Based Security and Self Protection Powerpoint
PPTX
Step by-step for risk analysis and management-yaser aljohani
PPTX
Step by-step for risk analysis and management-yaser aljohani
PPT
Security risk management
PPT
Review of Enterprise Security Risk Management
PPTX
Your cyber security webinar
Microsoft InfoSec for cloud and mobile
Cyber Security # Lec 3
Risk Based Security and Self Protection Powerpoint
Step by-step for risk analysis and management-yaser aljohani
Step by-step for risk analysis and management-yaser aljohani
Security risk management
Review of Enterprise Security Risk Management
Your cyber security webinar

Similar to Seccurity_Risk_Management.pptyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyy (20)

PPTX
Your cyber security webinar
PPTX
Information Security Risk Management and Compliance.pptx
PDF
GAM 2021 - Aligning Audits with Leadership Cybersecurity Questions.pdf
PPTX
Cybersecurity Frameworks and You: The Perfect Match
PDF
CISSP 8 Domains.pdf
PPT
Risk Management (1) (1).ppt
PPTX
An Introduction to Risk Management Process
PPT
Security Manager - Slides - Module 5 Powerpoint Presentation
PPT
Security Manager - Slides - Module 5 Powerpoint Presentation
PPT
Security Manager - Slides - Module 5 Powerpoint Presentation
PPTX
Mastering Information Technology Risk Management
PPTX
Stay Ahead of Threats with Advanced Security Protection - Fortinet
PPTX
How to assess and manage cyber risk
PDF
IT Risk Management & Leadership 30 March - 02 April 2014 Dubai UAE
PDF
Security-Brochure
PDF
Security-Brochure
PPTX
Risk Mitigation
PPTX
Introduction to Ethical Hacking
PPT
Cyber RM - Process - Module 4 Powerpoint Presentation
PDF
Information Security 20- Risk Assessment.pdf
Your cyber security webinar
Information Security Risk Management and Compliance.pptx
GAM 2021 - Aligning Audits with Leadership Cybersecurity Questions.pdf
Cybersecurity Frameworks and You: The Perfect Match
CISSP 8 Domains.pdf
Risk Management (1) (1).ppt
An Introduction to Risk Management Process
Security Manager - Slides - Module 5 Powerpoint Presentation
Security Manager - Slides - Module 5 Powerpoint Presentation
Security Manager - Slides - Module 5 Powerpoint Presentation
Mastering Information Technology Risk Management
Stay Ahead of Threats with Advanced Security Protection - Fortinet
How to assess and manage cyber risk
IT Risk Management & Leadership 30 March - 02 April 2014 Dubai UAE
Security-Brochure
Security-Brochure
Risk Mitigation
Introduction to Ethical Hacking
Cyber RM - Process - Module 4 Powerpoint Presentation
Information Security 20- Risk Assessment.pdf
Ad

Recently uploaded (20)

PDF
2.FourierTransform-ShortQuestionswithAnswers.pdf
PPTX
Week 4 Term 3 Study Techniques revisited.pptx
PDF
RMMM.pdf make it easy to upload and study
PPTX
Pharma ospi slides which help in ospi learning
PDF
Pre independence Education in Inndia.pdf
PPTX
Pharmacology of Heart Failure /Pharmacotherapy of CHF
PDF
The Lost Whites of Pakistan by Jahanzaib Mughal.pdf
PDF
grade 11-chemistry_fetena_net_5883.pdf teacher guide for all student
PPTX
PPH.pptx obstetrics and gynecology in nursing
PDF
BÀI TẬP BỔ TRỢ 4 KỸ NĂNG TIẾNG ANH 9 GLOBAL SUCCESS - CẢ NĂM - BÁM SÁT FORM Đ...
PDF
Microbial disease of the cardiovascular and lymphatic systems
PPTX
Introduction_to_Human_Anatomy_and_Physiology_for_B.Pharm.pptx
PDF
O7-L3 Supply Chain Operations - ICLT Program
PDF
Chapter 2 Heredity, Prenatal Development, and Birth.pdf
PDF
Saundersa Comprehensive Review for the NCLEX-RN Examination.pdf
PDF
Insiders guide to clinical Medicine.pdf
PDF
Complications of Minimal Access Surgery at WLH
PDF
Classroom Observation Tools for Teachers
PDF
Anesthesia in Laparoscopic Surgery in India
PPTX
Final Presentation General Medicine 03-08-2024.pptx
2.FourierTransform-ShortQuestionswithAnswers.pdf
Week 4 Term 3 Study Techniques revisited.pptx
RMMM.pdf make it easy to upload and study
Pharma ospi slides which help in ospi learning
Pre independence Education in Inndia.pdf
Pharmacology of Heart Failure /Pharmacotherapy of CHF
The Lost Whites of Pakistan by Jahanzaib Mughal.pdf
grade 11-chemistry_fetena_net_5883.pdf teacher guide for all student
PPH.pptx obstetrics and gynecology in nursing
BÀI TẬP BỔ TRỢ 4 KỸ NĂNG TIẾNG ANH 9 GLOBAL SUCCESS - CẢ NĂM - BÁM SÁT FORM Đ...
Microbial disease of the cardiovascular and lymphatic systems
Introduction_to_Human_Anatomy_and_Physiology_for_B.Pharm.pptx
O7-L3 Supply Chain Operations - ICLT Program
Chapter 2 Heredity, Prenatal Development, and Birth.pdf
Saundersa Comprehensive Review for the NCLEX-RN Examination.pdf
Insiders guide to clinical Medicine.pdf
Complications of Minimal Access Surgery at WLH
Classroom Observation Tools for Teachers
Anesthesia in Laparoscopic Surgery in India
Final Presentation General Medicine 03-08-2024.pptx
Ad

Seccurity_Risk_Management.pptyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyy

  • 1. Security Risk Management Jamie Sharp CISSP Security Advisor Microsoft Australia
  • 2. Session Overview • Security Risk Management Concepts • Security Risk Management Prerequisites • Assessing Risk • Conducting Decision Support • Implementing Controls and Measuring Program Effectiveness
  • 3. Agenda • Security Risk Management Concepts • Security Risk Management Prerequisites • Assessing Risk • Conducting Decision Support • Implementing Controls and Measuring Program Effectiveness
  • 4. Why Develop a Security Risk Management Process? • Security risk management – A process for identifying, prioritizing and managing risk to an acceptable level within the organization • A formal security risk management process can address the following: – Threat response time – Regulatory compliance – Infrastructure management costs – Risk prioritization and management
  • 5. Critical Success Factors • Executive sponsorship • Well defined list of stakeholders • Organizational maturity • Open communication and teamwork • Holistic view of the organization • Security risk management team authority
  • 6. Risk Management Strategies • Reactive – A process that responds to security events as they occur • Proactive – A process that reduces the risk of new vulnerabilities in your organization
  • 7. Risk Assessment Methodologies Benefits Drawbacks Quantitative • Risks prioritized by financial impact; assets prioritized by their financial values • Results facilitate management of risk by return on security investment • Results can be expressed in management-specific terminology • Impact values assigned to risks are based upon subjective opinions of the participants • Very time-consuming • Can be extremely costly Qualitative • Enables visibility and understanding of risk ranking • Easier to reach consensus • Not necessary to quantify threat frequency • Not necessary to determine financial values of assets • Insufficient granularity between important risks • Difficult to justify investing in control as there is no basis for a cost-benefit analysis • Results dependent upon the quality of the risk management team that is created
  • 8. Microsoft Security Risk Management Process Implementing Controls 3 Conducting Decision Support 2 Measuring Program Effectiveness 4 Assessing Risk 1
  • 9. Agenda • Security Risk Management Concepts • Security Risk Management Prerequisites • Assessing Risk • Conducting Decision Support • Implementing Controls and Measuring Program Effectiveness
  • 10. Risk Management vs. Risk Assessment Risk Management Risk Assessment Goal • Manage risks across business to acceptable level • Identify and prioritize risks Cycle • Overall program across all four phases • Single phase of risk management program Schedule • Scheduled activity • Continuous activity Alignment • Aligned with budgeting cycles • Not applicable
  • 11. Communicating Risk Well-Formed Risk Statement (Exposure) Impact What is the impact to the business? Probability How likely is the threat given the controls? Asset What are you trying to protect? Threat What are you afraid of happening? Vulnerability How could the threat occur? Mitigation What is currently reducing the risk?
  • 12. Starting Points • NIST http://www.nist.gov – Security Self-Assessment Guide for Information Technology Systems (SP-800-26) • IT Governance Institute http://www.isaca.org – Control Objectives for Information and Related Technology (CobiT) • ISO http://www.iso.org – ISO 17799 - ISO Code of Practice for Information Security Management • SAI Global http://www.standards.com.au – AS/NZS 4360:2004 - Risk Management – AS/NZS 7799.2:2003 - Information Security Management • Microsoft Security Risk Management Guide – http://www.microsoft.com/technet/security/guidance/secrisk
  • 13. Risk Management Maturity Self- Assessment Level State 0 Non-existent 1 Ad hoc 2 Repeatable 3 Defined process 4 Managed 5 Optimized
  • 14. Executive Sponsor “What's important?” IT Group “Best control solution” Information Security Group “Prioritize risks” Roles and Responsibilities Operate and support security solutions Design and build security solutions Define security requirements Measure security solutions Assess risks Determine acceptable risk
  • 15. Agenda • Security Risk Management Concepts • Security Risk Management Prerequisites • Assessing Risk • Conducting Decision Support • Implementing Controls and Measuring Program Effectiveness
  • 16. Overview of the Assessing Risk Phase
    – The program's four phases: 1 Assessing Risk, 2 Conducting Decision Support, 3 Implementing Controls, 4 Measuring Program Effectiveness
    – Phase 1, Assessing Risk: plan risk data gathering, gather risk data, prioritize risks
  • 17. Understanding the Planning Step • The primary tasks in the planning step include the following: – Alignment – Scoping – Stakeholder acceptance – Setting expectations
  • 18. Facilitated Data Gathering • Elements collected during facilitated data gathering include: – Organizational assets – Asset description – Security threats – Vulnerabilities – Current control environment – Proposed controls • Keys to successful data gathering include: – Meet collaboratively with stakeholders – Build support – Understand the difference between discussing and interrogating – Build goodwill – Be prepared
  • 19. Identifying and Classifying Assets • An asset is anything of value to the organization and can be classified as one of the following: – High business impact – Moderate business impact – Low business impact
  • 20. Organizing Risk Information • Use the following questions as an agenda during the facilitated discussions: – What asset are you protecting? – How valuable is the asset to the organization? – What are you trying to avoid happening to the asset? – How might loss or exposure occur? – What is the extent of potential exposure to the asset? – What are you doing today to reduce the probability, or the extent, of damage to the asset? – What actions could you take to reduce the probability in the future?
  • 21. Estimating Asset Exposure • Exposure: The extent of potential damage to an asset • Use the following guidelines to estimate asset exposure: – High exposure: severe or complete loss of the asset – Medium exposure: limited or moderate loss – Low exposure: minor or no loss
  • 22. Estimating Threat Probability • Use the following guidelines to estimate probability for each threat and vulnerability identified: – High threat: Likely—one or more impacts expected within one year – Medium threat: Probable—impact expected within two to three years – Low threat: Not probable—impact not expected to occur within three years
  • 23. Scenario 1: Facilitating a Risk Discussion at Woodgrove Bank • Woodgrove Bank is a consumer financial institution in the process of conducting a Security Risk Management project – Task One: Determining Organizational Assets and Scenarios • Interest Calculation Systems • Customer Personally Identifiable Information (PII) • Reputation • Consumer financial data—High Business Impact (HBI)
  • 24. Scenario 1: Facilitating a Risk Discussion at Woodgrove Bank • Woodgrove Bank is a consumer financial institution in the process of conducting a Security Risk Management project – Task Two: Identifying Threats • Threat of a loss of integrity to consumer financial data
  • 25. Scenario 1: Facilitating a Risk Discussion at Woodgrove Bank • Woodgrove Bank is a consumer financial institution in the process of conducting a Security Risk Management project – Task Three: Identifying Vulnerabilities • Theft of financial advisor credentials by trusted employee abuse using non-technical attacks, for example, social engineering or eavesdropping • Theft of financial advisor credentials off local area network (LAN) hosts through the use of outdated security configurations • Theft of financial advisor credentials off remote, or mobile, hosts as a result of outdated security configurations
  • 26. Scenario 1: Facilitating a Risk Discussion at Woodgrove Bank • Woodgrove Bank is a consumer financial institution in the process of conducting a Security Risk Management project – Task Four: Estimating Asset Exposure • Breach of integrity through trusted employee abuse: – Damaging, but not severe. Each financial advisor can only access customer data that he/she manages. • Breach of integrity through credential theft on LAN hosts: – May result in a severe, or high, level of damage. • Breach of integrity through credential theft on mobile hosts: – Could have a severe, or high, level of damage. The discussion group notes that the security configurations on remote hosts often lag behind LAN systems.
  • 27. Scenario 1: Facilitating a Risk Discussion at Woodgrove Bank • Woodgrove Bank is a consumer financial institution in the process of conducting a Security Risk Management project – Task Five: Identifying Existing Controls and Probability of Exploit • Agreement that their remote hosts, or mobile hosts, do not receive the same level of management as those on the LAN.
  • 28. Scenario 1: Facilitating a Risk Discussion at Woodgrove Bank • Woodgrove Bank is a consumer financial institution in the process of conducting a Security Risk Management project – Task Six: Summarizing the Risk Discussion • Risk Assessment Facilitator summarizes the discussion and highlights the assets, threats, and vulnerabilities discussed.
  • 29. Scenario 1: Facilitating a Risk Discussion at Woodgrove Bank • Woodgrove Bank is a consumer financial institution in the process of conducting a Security Risk Management project – Task One: Determining Organizational Assets and Scenarios – Task Two: Identifying Threats – Task Three: Identifying Vulnerabilities – Task Four: Estimating Asset Exposure – Task Five: Identifying Existing Controls and Probability of Exploit – Task Six: Summarizing the Risk Discussion
  • 30. Defining Impact Statements • Impact data includes the following information: asset name, asset class, defense-in-depth layer, threat description, vulnerability description, exposure rating and impact rating (the columns of the Scenario 2 impact statement)
  • 31. Scenario 2: Defining an Impact Statement for Woodgrove Bank
    | Asset Name | Asset Class | DiD Level | Threat Description | Vulnerability Description | ER (H,M,L) | IR (H,M,L) |
    |---|---|---|---|---|---|---|
    | Consumer financial investment data | HBI | Host | Unauthorized access to consumer data through theft of Financial Advisor credentials | Theft of credentials of managed LAN client via outdated security configurations | H | H |
    | Consumer financial investment data | HBI | Host | Unauthorized access to consumer data through theft of Financial Advisor credentials | Theft of credentials off managed remote client via outdated security configurations | H | H |
    | Consumer financial investment data | HBI | Data | Unauthorized access to consumer data through theft of Financial Advisor credentials | Theft of credentials by trusted employee abuse, via non-technical attacks | L | M |
    (DiD Level = defense-in-depth layer; ER = exposure rating; IR = impact rating)
  • 32. Understanding Risk Prioritization
    – Start risk prioritization → Conduct summary-level risk prioritization (output: summary-level risk list) → Review with stakeholders → Conduct detailed-level risk prioritization (output: detailed-level risk list) → End of risk prioritization
  • 33. Conducting Summary-Level Risk Prioritization • The summary-level prioritization includes the following:
    – 1. Determine impact level
    – 2. Estimate summary-level probability: High = Likely, one or more impacts expected within one year; Medium = Probable, impact expected within two to three years; Low = Not probable, impact not expected to occur within three years
    – 3. Complete the summary-level risk list
    – 4. Review with stakeholders
  • 34. Scenario Three: Summary-Level Risk Prioritization at Woodgrove Bank • Task One: Determine Impact Level – Trusted Employee Theft Impact • HBI asset class *Low Exposure = Moderate Impact – LAN Host Compromise Impact • HBI asset class *High Exposure = High Impact – Remote Host Compromise Impact • HBI asset class *High Exposure = High Impact
  • 35. Scenario Three: Summary-Level Risk Prioritization at Woodgrove Bank • Task Two: Estimate Summary-Level Probability – Trusted Employee Theft Probability • Low – LAN Host Compromise Probability • Medium – Remote Host Compromise Probability • High
  • 36. Scenario Three: Summary-Level Risk Prioritization at Woodgrove Bank • Task Three: Complete the Summary-Level Risk List – Trusted Employee Theft Risk • Moderate Impact *Low Probability = Low – LAN Host Compromise Risk • High Impact *Medium Probability = High – Remote Host Compromise Risk • High Impact *High Probability = High – Enter Results in the Impact Statement Spreadsheet
  • 37. Scenario Three: Summary-Level Risk Prioritization at Woodgrove Bank • Task Four: Review With Stakeholders – Trusted Employee abuse risk is rated as Low in the summary level risk list and does not need to graduate to the detailed level risk prioritization step – LAN and remote host compromise risks are both rated as high and so are then prioritized at the detailed level
  • 38. Scenario Three: Summary-Level Risk Prioritization at Woodgrove Bank • Task One: Determine Impact Level • Task Two: Estimate Summary Level Probability • Task Three: Complete the Summary-Level Risk List • Task Four: Review With Stakeholders
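The four tasks of Scenario Three are a pair of table lookups followed by a stakeholder review, which makes them easy to run as code. The following is an added example, not code from the deck or from the Microsoft guide. The page confirms only a handful of cells (HBI with High exposure is High impact, HBI with Low exposure is Moderate impact, High impact with High or Medium probability is High risk, Moderate impact with Low probability is Low risk, and Low-rated risks do not graduate); every other cell in the two tables is an assumption that follows the same monotone pattern and must be checked against your own guide.

```python
"""Summary-level risk prioritization, run on the three Woodgrove risks.

Added illustration, not code from the deck or the Microsoft guide.
Cells marked 'confirmed' are stated on the page; all others are ASSUMED.
"""
from dataclasses import dataclass

# Task One: impact level from asset class (HBI/MBI/LBI) and exposure (H/M/L).
IMPACT_TABLE = {
    "HBI": {"H": "High", "M": "High", "L": "Moderate"},    # H and L confirmed, M assumed
    "MBI": {"H": "High", "M": "Moderate", "L": "Low"},     # assumed
    "LBI": {"H": "Moderate", "M": "Low", "L": "Low"},      # assumed
}

# Task Three: summary risk level from impact level and probability (H/M/L).
RISK_TABLE = {
    "High": {"H": "High", "M": "High", "L": "Medium"},     # H and M confirmed, L assumed
    "Moderate": {"H": "High", "M": "Medium", "L": "Low"},  # L confirmed, H and M assumed
    "Low": {"H": "Medium", "M": "Low", "L": "Low"},        # assumed
}

RANK = {"High": 0, "Medium": 1, "Low": 2}


@dataclass(frozen=True)
class SummaryRisk:
    name: str
    asset_class: str   # HBI, MBI or LBI
    exposure: str      # H, M or L, from the facilitated discussion
    probability: str   # H, M or L, given the controls in place today


def impact_level(asset_class: str, exposure: str) -> str:
    """Task One: asset class x exposure -> impact level."""
    return IMPACT_TABLE[asset_class][exposure]


def summary_risk_level(risk: SummaryRisk) -> str:
    """Tasks One to Three: impact level x probability -> summary risk level."""
    return RISK_TABLE[impact_level(risk.asset_class, risk.exposure)][risk.probability]


def graduates(level: str) -> bool:
    """Task Four: only risks rated above Low move on to detailed prioritization
    (the page keeps the Low-rated trusted-employee risk out of that step)."""
    return level != "Low"


def summary_risk_list(risks):
    """Rows of (name, impact level, risk level, graduates?), highest risk first."""
    rows = []
    for r in risks:
        level = summary_risk_level(r)
        rows.append((r.name, impact_level(r.asset_class, r.exposure), level, graduates(level)))
    rows.sort(key=lambda row: RANK[row[2]])   # stable: ties keep discussion order
    return rows


# The three Woodgrove risks exactly as rated on the page.
WOODGROVE = [
    SummaryRisk("Trusted employee theft", "HBI", "L", "L"),
    SummaryRisk("LAN host compromise", "HBI", "H", "M"),
    SummaryRisk("Remote host compromise", "HBI", "H", "H"),
]

if __name__ == "__main__":
    for name, impact, level, detail in summary_risk_list(WOODGROVE):
        print(f"{name:24} impact={impact:8} risk={level:6} detailed={'yes' if detail else 'no'}")
```

Keeping the two matrices as data rather than nested `if` statements is the point: when stakeholders disagree with a cell during the Task Four review, the table is edited and every risk is re-rated consistently, which is harder to guarantee when the ratings were typed into a spreadsheet by hand.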
  • 39. Conducting Detailed-Level Risk Prioritization • The following four tasks outline the process for building a detailed-level list of risks: 1. Determine impact and exposure 2. Identify current controls 3. Determine probability of impact 4. Determine detailed risk level • Use the Detailed-Level Risk Prioritization template (SRJA3-Detailed Level Risk Prioritization.xls)
  • 40. Scenario Four: Detailed-Level Risk Prioritization at Woodgrove Bank • Task One: Determine Impact and Exposure – LAN Host Compromise Exposure Rating: 4 (80%) • HBI = 10 • Impact Rating: 10 *80% = 8 – Remote Host Compromise Exposure Rating: 4 (80%) • HBI = 10 • Impact Rating: 10 *80% = 8 – Impact Range = Between 7-10 which compares to High
  • 41. Scenario Four: Detailed-Level Risk Prioritization at Woodgrove Bank • Task Two: Identify Current Controls – Financial Advisors can only access the accounts they manage; thus, the exposure is less than 100 percent. – E-mail notices to patch or update hosts are proactively sent to all users. – Antivirus and patch updates are measured and enforced on the LAN every few hours. This control reduces the time window in which LAN hosts are vulnerable to attack.
  • 42. Scenario Four: Detailed-Level Risk Prioritization at Woodgrove Bank • Task Three: Determine Probability of Impact – LAN and remote hosts: Likely that all vulnerability attributes in the High category will be seen inside and outside Woodgrove’s LAN environment in the near future. Vulnerability value = 5 for both risks – Control Effectiveness: • LAN: Result of Control Effectiveness Questions = 1 • Remote: Result of Control Effectiveness Questions = 5 – Total Probability Rating: (Sum of Vulnerability and Control Effectiveness) • LAN = 6 • Remote = 10
  • 43. Scenario Four: Detailed-Level Risk Prioritization at Woodgrove Bank • Task Four: Determine Detail Risk Level – Impact Rating *Probability Rating • LAN: 8 *6 = 48 • Remote Hosts: 8 *10 = 80 • Both rate an overall risk of High
  • 44. Scenario Four: Detailed-Level Risk Prioritization at Woodgrove Bank • Task One: Determine Impact and Exposure • Task Two: Identify Current Controls • Task Three: Determine Probability of Impact • Task Four: Determine Detail Risk Level
  • 45. Quantifying Risk • The following tasks outline the process for determining the quantitative value: – Assign a monetary value to each asset class – Input the asset value for each risk – Produce the single-loss expectancy value (SLE) – Determine the annual rate of occurrence (ARO) – Determine the annual loss expectancy (ALE)
  • 46. Scenario Five: Quantifying Risk For Woodgrove Bank • Task One: Assign Monetary Values to Asset Classes – Using 5% Materiality Guideline for valuing assets – Net Income: $200 Million annually – HBI Asset Class: $10 Million (200 *5%) – MBI Asset Class: $5 Million (based on past spending) – LBI Asset Class: $1 Million (based on past spending)
  • 47. Scenario Five: Quantifying Risk For Woodgrove Bank • Task Two: Identify the Asset Value – Consumer financial data = HBI Asset Class – HBI = $10 Million – Asset Value = $10 Million
  • 48. Scenario Five: Quantifying Risk For Woodgrove Bank • Task Three: Produce the Single Loss Expectancy Value (SLE)
    | Risk Description ($ in millions) | Asset Class Value | Exposure Rating | Exposure Value | SLE |
    |---|---|---|---|---|
    | LAN Host Risk | $10 | 4 | 80% | $8 |
    | Remote Host Risk | $10 | 4 | 80% | $8 |
    – Exposure rating to exposure factor: 5 = 100%, 4 = 80%, 3 = 60%, 2 = 40%, 1 = 20%
    – Asset class values, with High Business Impact value = $M: HBI = $M, MBI = $M / 2, LBI = $M / 4
  • 49. Scenario Five: Quantifying Risk For Woodgrove Bank • Task Four: Determine the Annual Rate of Occurrence (ARO)
    – LAN Host ARO: Based on the qualitative assessment of Medium probability, the Security Risk Management Team estimates the risk to occur about once in two years; thus, the estimated ARO is 0.5.
    – Remote Host ARO: Based on the qualitative assessment of High probability, the team estimates the risk to occur at least once per year; thus, the estimated ARO is 1.
    | Qualitative Rating | Description | ARO range | Description Examples |
    |---|---|---|---|
    | High | Likely | >= 1 | Impact once or more per year |
    | Medium | Probable | 0.33 to 0.99 | At least once every 1 to 3 years |
    | Low | Not probable | < 0.33 | Less than once every 3 years |
  • 50. Scenario Five: Quantifying Risk For Woodgrove Bank • Task Five: Determine the Annual Loss Expectancy (ALE) (SLE * ARO)
    | Risk Description ($ in millions) | Asset Class Value | Exposure Rating | Exposure Value | SLE | ARO | ALE |
    |---|---|---|---|---|---|---|
    | LAN Host Risk | $10 | 4 | 80% | $8 | 0.5 | $4 |
    | Remote Host Risk | $10 | 4 | 80% | $8 | 1 | $8 |
  • 51. Scenario Five: Quantifying Risk For Woodgrove Bank • Task One: Assign Monetary Values to Asset Classes • Task Two: Identify the Asset Value • Task Three: Produce the Single Loss Expectancy Value (SLE) • Task Four: Determine the Annual Rate of Occurrence (ARO) • Task Five: Determine the Annual Loss Expectancy (ALE) (SLE *ARO)
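Scenario Four (the 0 to 100 detailed rating) and Scenario Five (SLE, ARO, ALE) share the same inputs, in particular the exposure rating to exposure factor table, so one worked example covers both. This is an added example, not code from the deck or from the Microsoft guide. Taken from the page: the exposure factor table, HBI = 10 as the detailed impact value, 7 to 10 = High impact, probability = vulnerability value + control effectiveness score, detailed risk = impact x probability, the 5% materiality rule, MBI = HBI/2 and LBI = HBI/4 as defaults, the Medium ARO band of 0.33 to 0.99 and High >= 1. Assumed, and labelled so in the code: MBI = 5 and LBI = 2 as detailed impact values, the Medium (4 to 6) and Low (0 to 3) impact bands, and a default Low-probability ARO of 0.25.

```python
"""Detailed-level risk rating and quantitative ALE for the Woodgrove figures.

Added illustration, not code from the deck or the Microsoft guide.
Values marked 'assumed' are not on the page.
"""
from dataclasses import dataclass

EXPOSURE_PERCENT = {5: 100, 4: 80, 3: 60, 2: 40, 1: 20}  # exposure rating -> % of asset lost (page)
CLASS_RATING = {"HBI": 10, "MBI": 5, "LBI": 2}           # HBI from the page; MBI and LBI assumed


# --- detailed-level rating (Scenario Four) ----------------------------------
def impact_rating(asset_class: str, exposure_rating: int) -> float:
    """Task One: class value x exposure factor (HBI, rating 4 -> 10 x 80% = 8)."""
    return CLASS_RATING[asset_class] * EXPOSURE_PERCENT[exposure_rating] / 100


def impact_band(rating: float) -> str:
    """7-10 is High on the page; the Medium and Low bands are assumed."""
    if rating >= 7:
        return "High"
    return "Medium" if rating >= 4 else "Low"


def probability_rating(vulnerability: int, control_effectiveness: int) -> int:
    """Task Three: vulnerability value (1-5) plus control effectiveness score (0-5).
    A higher control score means WEAKER controls: LAN hosts scored 1, remote hosts 5."""
    if not 1 <= vulnerability <= 5 or not 0 <= control_effectiveness <= 5:
        raise ValueError("vulnerability must be 1-5 and control effectiveness 0-5")
    return vulnerability + control_effectiveness


def detailed_risk(impact: float, probability: int) -> float:
    """Task Four: impact rating x probability rating, on a 0-100 scale."""
    return impact * probability


# --- quantitative (Scenario Five) -------------------------------------------
def asset_class_values(net_income: float, materiality_percent: int = 5, overrides=None) -> dict:
    """Task One: HBI from the materiality guideline, MBI = HBI/2, LBI = HBI/4 by default.
    The page replaces LBI with a past-spending figure, hence `overrides`."""
    hbi = net_income * materiality_percent / 100
    values = {"HBI": hbi, "MBI": hbi / 2, "LBI": hbi / 4}
    values.update(overrides or {})
    return values


def single_loss_expectancy(asset_value: float, exposure_rating: int) -> float:
    """Task Three: asset value x exposure factor."""
    return asset_value * EXPOSURE_PERCENT[exposure_rating] / 100


ARO_BAND = {"High": (1.0, None), "Medium": (0.33, 0.99), "Low": (None, 0.33)}  # page table
ARO_DEFAULT = {"High": 1.0, "Medium": 0.5, "Low": 0.25}  # High and Medium from the page; Low assumed


def annual_rate_of_occurrence(qualitative: str, estimate=None) -> float:
    """Task Four: qualitative probability -> ARO. A team estimate is accepted only
    if it sits inside the band for that rating, which keeps the two phases consistent."""
    low, high = ARO_BAND[qualitative]
    aro = ARO_DEFAULT[qualitative] if estimate is None else estimate
    if (low is not None and aro < low) or (high is not None and aro > high):
        raise ValueError(f"ARO {aro} is outside the {qualitative} band")
    return aro


def annual_loss_expectancy(sle: float, aro: float) -> float:
    """Task Five: SLE x ARO."""
    return sle * aro


@dataclass(frozen=True)
class DetailedRisk:
    name: str
    asset_class: str
    exposure_rating: int
    vulnerability: int
    control_effectiveness: int
    qualitative_probability: str


def evaluate(risk: DetailedRisk, class_values: dict) -> dict:
    """Run both scenarios for one risk and return every intermediate figure."""
    impact = impact_rating(risk.asset_class, risk.exposure_rating)
    prob = probability_rating(risk.vulnerability, risk.control_effectiveness)
    sle = single_loss_expectancy(class_values[risk.asset_class], risk.exposure_rating)
    aro = annual_rate_of_occurrence(risk.qualitative_probability)
    return {"name": risk.name, "impact": impact, "impact_band": impact_band(impact),
            "probability": prob, "risk": detailed_risk(impact, prob),
            "sle": sle, "aro": aro, "ale": annual_loss_expectancy(sle, aro)}


# Woodgrove: $200M net income, LBI overridden to $1M as on the page.
WOODGROVE_VALUES = asset_class_values(200_000_000, overrides={"LBI": 1_000_000})
WOODGROVE = [
    DetailedRisk("LAN host compromise", "HBI", 4, 5, 1, "Medium"),
    DetailedRisk("Remote host compromise", "HBI", 4, 5, 5, "High"),
]

if __name__ == "__main__":
    for r in WOODGROVE:
        print(evaluate(r, WOODGROVE_VALUES))
```

The band check in `annual_rate_of_occurrence` is the practitioner's safeguard: the ARO is a team estimate, and a slip such as "5" for "0.5" (which would turn the LAN host ALE into $40M) is rejected because it falls outside the Medium band.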
  • 52. Assessing Risk: Best Practices • Analyze risks during the data gathering process • Conduct research to build credibility for estimating probability • Communicate risk in business terms • Reconcile new risks with previous risks
  • 53. Agenda • Security Risk Management Concepts • Security Risk Management Prerequisites • Assessing Risk • Conducting Decision Support • Implementing Controls and Measuring Program Effectiveness
  • 54. Overview of the Decision Support Phase
    – The program's four phases: 1 Assessing Risk, 2 Conducting Decision Support, 3 Implementing Controls, 4 Measuring Program Effectiveness
    – Phase 2, Conducting Decision Support: 1. Define functional requirements; 2. Identify control solutions; 3. Review solutions against requirements; 4. Estimate degree of risk reduction; 5. Estimate cost of each solution; 6. Select the risk mitigation strategy
  • 55. Identifying Output for the Decision Support Phase • Key elements to gather include: – Decision on how to handle each risk – Functional requirements – Potential control solutions – Risk reduction of each control solution – Estimated cost of each control solution – List of control solutions to be implemented
  • 56. Considering the Decision Support Options • Options for handling risk: ATAM – Accept – Transfer – Avoid – Mitigate
  • 57. Step 1: Define Functional Requirements
    – The six steps are drawn as a swim-lane diagram across three roles: the security risk management team, the mitigation owner, and the security steering committee. The lanes carry 1. Define functional requirements; 2. Identify control solutions; 3. Review solutions against requirements; 4. Estimate degree of risk reduction; 5. Estimate cost of each solution; 6. Select the risk mitigation strategy.
  • 58. Step 2: Identify Control Solutions (same diagram)
  • 59. Step 3: Review Solutions Against Requirements (same diagram)
  • 60. Step 4: Estimate Degree of Risk Reduction (same diagram)
  • 61. Step 5: Estimate Cost of Each Solution (same diagram)
  • 62. Step 6: Select the Risk Mitigation Strategy (same diagram)
  • 63. Conducting Decision Support: Best Practices • Assign a security technologist to each risk • Set reasonable expectations • Build team consensus • Focus on the amount of risk after the mitigation solution
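Steps 4 to 6 of the phase (estimate the risk reduction, estimate the cost, select a strategy) and the best practice of focusing on the risk that remains after mitigation can be carried through on the quantitative figures from Scenario Five. The following is an added example, not code from the deck or from the Microsoft guide. It starts from the remote host risk as the page states it ($10M asset, 80% exposure, ARO 1, ALE $8M); the three candidate controls, their annual costs and their estimated effects are constructed for the example and are not on the page, and the acceptable-risk threshold is a hypothetical figure an executive sponsor would set.

```python
"""Decision support: rank candidate controls by residual ALE, cost and net benefit.

Added illustration, not code from the deck or the Microsoft guide.
The candidate controls and their numbers are CONSTRUCTED for the example.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float      # step 5: estimated annual cost of the solution
    aro_after: float        # step 4: ARO expected once the control is in place
    exposure_after: float   # step 4: fraction of the asset still exposed afterwards


@dataclass(frozen=True)
class Option:
    control: str
    residual_ale: float     # the amount of risk left after mitigation
    risk_reduction: float   # ALE before minus ALE after
    annual_cost: float
    net_benefit: float      # risk reduction minus cost, per year


def ale(asset_value: float, exposure_factor: float, aro: float) -> float:
    """Annual loss expectancy = SLE x ARO, with SLE = asset value x exposure factor."""
    return asset_value * exposure_factor * aro


def evaluate_control(asset_value, exposure_before, aro_before, ctl: Control) -> Option:
    """Steps 4 and 5 for one control: residual ALE, reduction, cost and net benefit."""
    before = ale(asset_value, exposure_before, aro_before)
    after = ale(asset_value, ctl.exposure_after, ctl.aro_after)
    reduction = before - after
    return Option(ctl.name, after, reduction, ctl.annual_cost, reduction - ctl.annual_cost)


def rank_controls(asset_value, exposure_before, aro_before, controls) -> list:
    """Highest net benefit first; ties go to the option leaving less residual risk."""
    opts = [evaluate_control(asset_value, exposure_before, aro_before, c) for c in controls]
    return sorted(opts, key=lambda o: (-o.net_benefit, o.residual_ale))


def select_strategy(asset_value, exposure_before, aro_before, controls,
                    acceptable_ale: float) -> Optional[Option]:
    """Step 6: best-ranked control whose residual ALE meets the acceptable level.
    None means no single candidate gets the risk to an acceptable level, and the
    team must combine controls, revisit requirements, or take the risk back to the
    sponsor for an accept/transfer/avoid decision."""
    for opt in rank_controls(asset_value, exposure_before, aro_before, controls):
        if opt.residual_ale <= acceptable_ale:
            return opt
    return None


# Remote host risk as quantified on the page: $10M HBI asset, 80% exposure, ARO 1.
REMOTE_HOST = dict(asset_value=10_000_000, exposure_before=0.8, aro_before=1.0)

# Constructed candidates (hypothetical names, costs and effects).
CANDIDATES = [
    Control("Enforce patch/AV compliance before remote hosts connect", 600_000, 0.5, 0.8),
    Control("Re-image remote hosts quarterly from the LAN baseline", 1_500_000, 0.25, 0.8),
    Control("Scope advisor accounts so a stolen credential reaches fewer records", 250_000, 1.0, 0.5),
]

if __name__ == "__main__":
    for o in rank_controls(**REMOTE_HOST, controls=CANDIDATES):
        print(f"{o.control[:55]:55} residual=${o.residual_ale/1e6:.2f}M "
              f"reduction=${o.risk_reduction/1e6:.2f}M cost=${o.annual_cost/1e6:.2f}M "
              f"net=${o.net_benefit/1e6:.2f}M")
    print(select_strategy(**REMOTE_HOST, controls=CANDIDATES, acceptable_ale=3_000_000))
```

Two things the ranking makes visible that a cost-only comparison hides: the cheapest control is not the best buy once the risk reduction is priced in, and a control can have the best net benefit yet still leave more residual risk than the sponsor will accept, which is why `select_strategy` checks the residual ALE rather than the benefit alone.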
  • 64. Agenda • Security Risk Management Concepts • Security Risk Management Prerequisites • Assessing Risk • Conducting Decision Support • Implementing Controls and Measuring Program Effectiveness
  • 66. Organizing the Control Solutions • Critical success determinants to organizing control solutions include: – Communication – Team scheduling – Resource requirements
  • 68. Overview of the Measuring Program Effectiveness Phase
    – The program's four phases: 1 Assessing Risk, 2 Conducting Decision Support, 3 Implementing Controls, 4 Measuring Program Effectiveness
    – Phase 4, Measuring Program Effectiveness: develop scorecard, measure control effectiveness
  • 69. Developing a Security Risk Scorecard for Your Organization • A simple security risk scorecard organized by the Defense-in-Depth layers (risk levels H, M, L):
    | Layer | FY05 Q1 | FY05 Q2 | FY05 Q3 | FY05 Q4 |
    |---|---|---|---|---|
    | Physical | H | M | | |
    | Network | M | M | | |
    | Host | M | M | | |
    | Application | M | H | | |
    | Data | L | L | | |
  • 70. Measuring Control Effectiveness • Methods for measuring the effectiveness of implemented controls include: – Direct testing – Submitting periodic compliance reports – Evaluating widespread security incidents
  • 71. Summary • Decide on risk management methodology • Determine your maturity level • Conduct risk assessment • Conduct decision support • Implement controls & measure effectiveness
  • 72. Next Steps • Australia Security Portal http://www.microsoft.com/australia/security • Microsoft Security Risk Management Guide http://www.microsoft.com/technet/security/guidance/secrisk • MOF - Security Management http://www.microsoft.com/technet/itsolutions/cits/mo/smf/mofsmsmf.mspx • Additional security tools and content http://www.microsoft.com/security/guidance