
Security Risk Management

Paula Kiernan
Ward Solutions

Session Prerequisites
Basic understanding of network security fundamentals
Basic understanding of security risk management concepts

Level 300

Target Audience
This session is primarily intended for:
Systems architects and planners
Members of the information security team
Security and IT auditors
Senior executives, business analysts, and business decision makers
Consultants and partners

Session Overview
Security Risk Management Concepts
Identifying Security Risk Management Prerequisites
Assessing Risk
Conducting Decision Support
Implementing Controls and Measuring Program Effectiveness

Security Risk Management Concepts

Why Develop a Security Risk Management Process?
Security risk management: A process for identifying, prioritizing, and managing risk to an acceptable level within the organization
Developing a formal security risk management process can address the following:
Threat response time
Regulatory compliance
Infrastructure management costs
Risk prioritization and management

Identifying Success Factors That Are Critical to Security Risk Management
Key factors to implementing a successful security risk management program include:
Executive sponsorship
Well-defined list of risk management stakeholders
Organizational maturity in terms of risk management
An atmosphere of open communication and teamwork
A holistic view of the organization
Security risk management team authority

Comparing Approaches to Risk Management
Many organizations have approached security risk management by adopting the following:
Reactive approach: A process that responds to security events as they occur
Proactive approach: The adoption of a process that reduces the risk of new vulnerabilities in your organization

Comparing Approaches to Risk Prioritization

Quantitative approach
  Benefits:
    Risks prioritized by financial impact; assets prioritized by their financial values
    Results facilitate management of risk by return on security investment
    Results can be expressed in management-specific terminology
  Drawbacks:
    Impact values assigned to risks are based upon subjective opinions of the participants
    Very time-consuming
    Can be extremely costly

Qualitative approach
  Benefits:
    Enables visibility and understanding of risk ranking
    Easier to reach consensus
    Not necessary to quantify threat frequency
    Not necessary to determine financial values of assets
  Drawbacks:
    Insufficient granularity between important risks
    Difficult to justify investing in control as there is no basis for a cost-benefit analysis
    Results dependent upon the quality of the risk management team that is created

Introducing the Microsoft Security Risk Management Process
The process is a continuous cycle of four phases:
Assessing Risk
Conducting Decision Support
Implementing Controls
Measuring Program Effectiveness

Identifying Security Risk Management Prerequisites

Risk Management vs. Risk Assessment
Goal: Risk management manages risks across the business to an acceptable level; risk assessment identifies and prioritizes risks
Cycle: Risk management is the overall program across all four phases; risk assessment is a single phase of the risk management program
Schedule: Risk management is a scheduled activity; risk assessment is a continuous activity
Alignment: Risk management is aligned with budgeting cycles; not applicable to risk assessment

Communicating Risk: Well-Formed Risk Statement
A well-formed risk statement answers the following:
Asset: What are you trying to protect?
Threat: What are you afraid of happening?
Vulnerability: How could the threat occur?
Mitigation: What is currently reducing the risk?
Impact: What is the impact to the business?
Probability: How likely is the threat given the controls?

Determining Your Organization's Risk Management Maturity Level
Publications to help you determine your organization's risk management maturity level include:
National Institute of Standards and Technology: Security Self-Assessment Guide for Information Technology Systems (SP-800-26)
IT Governance Institute: Control Objectives for Information and Related Technology (CobiT)
International Standards Organization: ISO Code of Practice for Information Security Management (ISO 17799)

Performing a Risk Management Maturity Self-Assessment
Maturity levels (state of the risk management process), from least to most mature:
Non-existent
Ad hoc
Repeatable
Defined process
Managed
Optimized

Defining Roles and Responsibilities
Executive Sponsor (What's important?):
  Determine acceptable risk
Information Security Group (Prioritize risks):
  Assess risks
  Define security requirements
  Measure security solutions
IT Group (Best control solution):
  Design and build security solutions
  Operate and support security solutions

Assessing Risk

Overview of the Assessing Risk Phase
Assessing Risk is phase 1 of the four-phase process (Assessing Risk, Conducting Decision Support, Implementing Controls, Measuring Program Effectiveness) and consists of three steps:
Plan risk data gathering
Gather risk data
Prioritize risks

Understanding the Planning Step
The primary tasks in the planning step include the following:
Alignment
Scoping
Stakeholder acceptance
Setting expectations

Understanding Facilitated Data Gathering
Elements collected during facilitated data gathering include:
  Organizational assets
  Asset description
  Security threats
  Vulnerabilities
  Current control environment
  Proposed controls
Keys to successful data gathering include:
  Meet collaboratively with stakeholders
  Build support
  Understand the difference between discussing and interrogating
  Build goodwill
  Be prepared

Identifying and Classifying Assets
An asset is anything of value to the organization and can be classified as one of the following:
High business impact
Moderate business impact
Low business impact

Organizing Risk Information
Use the following questions as an agenda during facilitated discussions:
What asset are you protecting?
How valuable is the asset to the organization?
What are you trying to avoid happening to the asset?
How might loss or exposures occur?
What is the extent of potential exposure to the asset?
What are you doing today to reduce the probability or the extent of damage to the asset?
What are some actions that you can take to reduce the probability in the future?

Estimating Asset Exposure
Exposure: The extent of potential damage to an asset
Use the following guidelines to estimate asset exposure:
High exposure: Severe or complete loss of the asset
Medium exposure: Limited or moderate loss
Low exposure: Minor or no loss

Estimating Probability of Threats
Use the following guidelines to estimate probability for each threat and vulnerability identified:
High threat: Likely; one or more impacts expected within one year
Medium threat: Probable; impact expected within two to three years
Low threat: Not probable; impact not expected to occur within three years

Facilitating Risk Discussions
The facilitated risk discussion meeting is divided into the following sections:
1 Determining Organizational Assets and Scenarios
2 Identifying Threats
3 Identifying Vulnerabilities
4 Estimating Asset Exposure
5 Estimating Probability of Exploit and Identifying Existing Controls
6 Meeting Summary and Next Steps

Defining Impact Statements

Impact data includes the following information:

Understanding Risk Prioritization
Risk prioritization runs as follows:
Start risk prioritization
Conduct summary-level risk prioritization (output: summary-level risk prioritization)
Review with stakeholders
Conduct detailed-level risk prioritization (output: detailed-level risk prioritization)
End of risk prioritization

Conducting Summary-Level Risk Prioritization
Probability levels used at the summary level:
High: Likely; one or more impacts expected within one year
Medium: Probable; impact expected within two to three years
Low: Not probable; impact not expected to occur within three years
The summary-level prioritization process includes the following:
1 Determine impact level
2 Estimate summary-level probability
3 Complete the summary-level risk list
4 Review with stakeholders

Conducting Detailed-Level Risk Prioritization
The following four tasks outline the process to build a detailed-level list of risks:
1 Determine impact and exposure
2 Identify current controls
3 Determine probability of impact
4 Determine detailed risk level
Use the Detailed-Level Risk Prioritization template
(SRJA3-Detailed Level Risk Prioritization.xls)

Quantifying Risk
The following tasks outline the process to determine
the quantitative value:
1 Assign a monetary value to each asset class
2 Input the asset value for each risk
3 Produce the single-loss expectancy value (SLE)
4 Determine the annual rate of occurrence (ARO)
5 Determine the annual loss expectancy (ALE)
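The following is an added worked example, not code from this presentation or from the Microsoft Security Risk Management Guide. It carries a small, constructed risk register through the detailed-level prioritization described above (impact, exposure, current controls, probability, then a detailed risk level) and through the five quantitative steps (asset value, SLE, ARO, ALE), and finishes with the decision-support question of whether a proposed control is worth its cost or whether accepting the current risk is the better option. The numeric weights behind the H/M/L scales, the ARO assigned to each probability level, the exposure factors, the risk-level cut-offs and the sample assets are all assumptions made for the example; the guide's own templates use their own scales.

```python
"""Added worked example (not from the Microsoft Security Risk Management Guide
or this presentation): a small risk register that runs the detailed-level
prioritization (impact, exposure, current controls, probability -> risk level)
and the quantitative steps (asset value -> SLE -> ARO -> ALE), then checks a
proposed control against its cost. All weights, rates, cut-offs and sample
risks are constructed assumptions."""
from dataclasses import dataclass, replace

# Qualitative scales as named on the slides. The numeric weights are an
# assumption used only to combine the ratings into one detailed risk level.
IMPACT = {"High": 3, "Moderate": 2, "Low": 1}      # business impact class of the asset
EXPOSURE = {"High": 3, "Medium": 2, "Low": 1}      # extent of loss if the threat occurs
PROBABILITY = {"High": 3, "Medium": 2, "Low": 1}   # likelihood given current controls

# Assumed annual rate of occurrence (ARO) behind each probability guideline:
# High = likely within one year, Medium = within two to three years,
# Low = not expected within three years.
ARO_FOR = {"High": 1.0, "Medium": 0.4, "Low": 0.1}

# Assumed exposure factor: fraction of the asset value lost in a single event.
EXPOSURE_FACTOR = {"High": 1.0, "Medium": 0.5, "Low": 0.1}


@dataclass
class Risk:
    """One well-formed risk statement plus the ratings needed to prioritize it."""
    asset: str           # what are you trying to protect?
    threat: str          # what are you afraid of happening?
    vulnerability: str   # how could the threat occur?
    mitigation: str      # what is currently reducing the risk?
    impact: str          # High / Moderate / Low business impact
    exposure: str        # High / Medium / Low exposure
    probability: str     # High / Medium / Low, estimated with current controls in place
    asset_value: float   # monetary value assigned to the asset class (quantitative step 1)


def detailed_risk_level(risk: Risk) -> str:
    """Detailed-level risk rating. Assumed rule: multiply the three weights
    (range 1..27) and cut at 12 for High and at 4 for Medium."""
    score = IMPACT[risk.impact] * EXPOSURE[risk.exposure] * PROBABILITY[risk.probability]
    if score >= 12:
        return "High"
    if score >= 4:
        return "Medium"
    return "Low"


def single_loss_expectancy(risk: Risk) -> float:
    """SLE: money lost in one occurrence (asset value x exposure factor)."""
    return risk.asset_value * EXPOSURE_FACTOR[risk.exposure]


def annual_rate_of_occurrence(risk: Risk) -> float:
    """ARO: expected occurrences per year, derived from the probability rating."""
    return ARO_FOR[risk.probability]


def annual_loss_expectancy(risk: Risk) -> float:
    """ALE = SLE x ARO: expected loss per year with current controls."""
    return single_loss_expectancy(risk) * annual_rate_of_occurrence(risk)


def prioritize(risks: list) -> list:
    """Order the register: detailed risk level first, ALE as the tie-breaker."""
    rank = {"High": 3, "Medium": 2, "Low": 1}
    return sorted(risks,
                  key=lambda r: (rank[detailed_risk_level(r)], annual_loss_expectancy(r)),
                  reverse=True)


def evaluate_control(risk: Risk, residual_probability: str, annual_cost: float) -> dict:
    """Decision-support check for one proposed control: the ALE that remains
    after the control lowers the probability, the risk reduction it buys, and
    the return on security investment ((reduction - cost) / cost). A negative
    net benefit is the case for accepting the current risk instead."""
    after = replace(risk, probability=residual_probability)
    ale_before = annual_loss_expectancy(risk)
    ale_after = annual_loss_expectancy(after)
    reduction = ale_before - ale_after
    return {
        "ale_before": ale_before,
        "ale_after": ale_after,
        "risk_reduction": reduction,
        "net_benefit": reduction - annual_cost,
        "rosi": (reduction - annual_cost) / annual_cost,
    }


# Constructed sample register (fictional assets, threats and values).
SAMPLE_RISKS = [
    Risk("Customer database", "Theft of customer records", "Unpatched database server",
         "Quarterly patching", "High", "High", "Medium", 2_000_000),
    Risk("Intranet web server", "Defacement of internal site", "Weak administrator password",
         "Password policy", "Moderate", "Medium", "Medium", 100_000),
    Risk("Cafeteria menu site", "Service outage", "Single unmonitored host",
         "Nightly backups", "Low", "Low", "High", 5_000),
]

if __name__ == "__main__":
    for r in prioritize(SAMPLE_RISKS):
        print(f"{detailed_risk_level(r):6} ALE={annual_loss_expectancy(r):>12,.0f}  {r.asset}: {r.threat}")
    # Proposed control for the top risk (assumed): monthly patching drops probability to Low.
    print(evaluate_control(SAMPLE_RISKS[0], residual_probability="Low", annual_cost=100_000))
    # Same check on the lowest risk: the control costs more than the loss it avoids.
    print(evaluate_control(SAMPLE_RISKS[2], residual_probability="Low", annual_cost=10_000))
```

Running the block prints the register ordered by detailed risk level and ALE, then two control evaluations: for the customer database the assumed control removes 600,000 of an 800,000 ALE for a cost of 100,000, while for the cafeteria site a 10,000 control against a 500 ALE has a negative net benefit, which is the "accepting the current risk" outcome from the decision support options.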

Assessing Risk: Best Practices
Analyze risks during the data gathering process
Conduct research to build credibility for estimating probability
Communicate risk in business terms
Reconcile new risks with previous risks

Conducting Decision Support

Overview of the Decision Support Phase
Conducting Decision Support is phase 2 of the four-phase process (Assessing Risk, Conducting Decision Support, Implementing Controls, Measuring Program Effectiveness) and consists of six steps:
1. Define functional requirements
2. Identify control solutions
3. Review solution against requirements
4. Estimate degree of risk reduction
5. Estimate cost of each solution
6. Select the risk mitigation strategy

Identifying Output for the Decision Support Phase
Key elements to gather include:
Decision on how to handle each risk
Functional requirements
Potential control solutions
Risk reduction of each control solution
Estimated cost of each control solution
List of control solutions to be implemented

Considering the Decision Support Options


Options for handling risk:
Accepting the current risk
Implementing controls to reduce risk

Overview of the Identifying and Comparing Controls Process
Mitigation owner: Identifies potential control solutions; determines types of costs
Security risk management team: Estimates level of risk reduction
Security steering committee: Final list of control solutions

Steps 1 to 6 of the Identifying and Comparing Controls Process
The six steps are shown as a workflow across three roles (security risk management team, mitigation owner, security steering committee):
Step 1: Define Functional Requirements
Step 2: Identify Control Solutions
Step 3: Review Solutions Against Requirements
Step 4: Estimate Degree of Risk Reduction
Step 5: Estimate Cost of Each Solution
Step 6: Select the Risk Mitigation Strategy

Conducting Decision Support: Best Practices
Consider assigning a security technologist to each identified risk
Set reasonable expectations
Build team consensus
Focus on the amount of risk after the mitigation solution

Implementing Controls and Measuring Program Effectiveness

Implementing Controls
Implementing Controls is phase 3 of the four-phase process (Assessing Risk, Conducting Decision Support, Implementing Controls, Measuring Program Effectiveness):
Seek a holistic approach
Organize by defense-in-depth

Organizing the Control Solutions
Critical success determinants to organizing control solutions include:
Communication
Team scheduling
Resource requirements

Organizing by Defense-in-Depth

Physical
Network
Host
Application
Data

Measuring Program Effectiveness
Measuring Program Effectiveness is phase 4 of the four-phase process (Assessing Risk, Conducting Decision Support, Implementing Controls, Measuring Program Effectiveness):
Develop scorecard
Measure control effectiveness

Developing Your Organization's Security Risk Scorecard
A simple security risk scorecard organized by the defense-in-depth layers might look like this:

Layer         FY05 Q1    FY05 Q2    FY05 Q3    FY05 Q4
Physical
Network
Host
Application
Data

Each cell records the risk level for that layer in that quarter (H, M, L).

Measuring Control Effectiveness
Methods to measure the effectiveness of implemented controls include:
Direct testing
Submitting periodic compliance reports
Evaluating widespread security incidents

Session Summary
One common thread between most risk management methodologies is that each is typically based on quantitative risk management, qualitative risk management, or a combination of the two
Determining your organization's maturity level will help focus on the appropriate implementation and timeframe for your risk management strategy
Risk assessment consists of conducting a summary-level risk prioritization, and then conducting a detailed-level risk prioritization on high-impact risks
The Microsoft Security Risk Management Guide provides a number of tools and templates to assist with the entire risk management process
The Microsoft defense-in-depth approach organizes controls into several broad layers that make up the defense-in-depth model

Next Steps
Find additional security training events:
http://www.microsoft.com/seminar/events/security.mspx
Sign up for security communications:
http://www.microsoft.com/technet/security/signup/default.mspx
Order the Security Guidance Kit:
http://www.microsoft.com/security/guidance/order/default.mspx
Get additional security tools and content:
http://www.microsoft.com/security/guidance

Questions and Answers