Security Risk Management - Microsoft Center

Security Risk Management
Paula Kiernan
Ward Solutions
Session Prerequisites
Basic understanding of network security fundamentals
Basic understanding of security risk management concepts
Level 300
Target Audience
This session is primarily intended for:
 Systems architects and planners
 Members of the information security team
 Security and IT auditors
 Senior executives, business analysts, and business decision makers
 Consultants and partners
Session Overview
Security Risk Management Concepts
Identifying Security Risk Management Prerequisites
Assessing Risk
Conducting Decision Support
Implementing Controls and Measuring Program Effectiveness
Security Risk Management Concepts
Why Develop a Security Risk Management Process?
Security risk management: A process for identifying, prioritizing, and managing risk to an acceptable level within the organization
Developing a formal security risk management process can address the following:
Threat response time
Regulatory compliance
Infrastructure management costs
Risk prioritization and management
Identifying Success Factors That Are Critical to Security Risk Management
Key factors to implementing a successful security risk management program include:
 Executive sponsorship
 Well-defined list of risk management stakeholders
 Organizational maturity in terms of risk management
 An atmosphere of open communication and teamwork
 A holistic view of the organization
 Security risk management team authority
Comparing Approaches to Risk Management
Many organizations have approached security risk management by adopting one of the following:
Reactive approach: A process that responds to security events as they occur
Proactive approach: The adoption of a process that reduces the risk of new vulnerabilities in your organization
Comparing Approaches to Risk Prioritization
Quantitative approach
Benefits:
 Risks prioritized by financial impact; assets prioritized by their financial values
 Results facilitate management of risk by return on security investment
 Results can be expressed in management-specific terminology
Drawbacks:
 Impact values assigned to risks are based upon subjective opinions of the participants
 Very time-consuming
 Can be extremely costly
Qualitative approach
Benefits:
 Enables visibility and understanding of risk ranking
 Easier to reach consensus
 Not necessary to quantify threat frequency
 Not necessary to determine financial values of assets
Drawbacks:
 Insufficient granularity between important risks
 Difficult to justify investing in controls as there is no basis for a cost-benefit analysis
 Results dependent upon the quality of the risk management team that is created
Introducing the Microsoft Security Risk Management Process
[Diagram: the four phases of the process shown as a cycle: 1 Assessing Risk, 2 Conducting Decision Support, 3 Implementing Controls, 4 Measuring Program Effectiveness]
Identifying Security Risk Management Prerequisites
Risk Management vs. Risk Assessment
            Risk Management                                  Risk Assessment
Goal        Manage risks across business to acceptable level Identify and prioritize risks
Cycle       Overall program across all four phases           Single phase of risk management program
Schedule    Scheduled activity                               Continuous activity
Alignment   Aligned with budgeting cycles                    Not applicable
Communicating Risk
A well-formed risk statement answers the following questions:
Asset: What are you trying to protect?
Threat: What are you afraid of happening?
Vulnerability: How could the threat occur?
Mitigation: What is currently reducing the risk?
Impact: What is the impact to the business?
Probability: How likely is the threat given the controls?
Determining Your Organization’s Risk Management Maturity Level
Publications to help you determine your organization’s risk management maturity level include:
 National Institute of Standards and Technology: Security Self-Assessment Guide for Information Technology Systems (SP 800-26)
 IT Governance Institute: Control Objectives for Information and Related Technology (CobiT)
 International Standards Organization: ISO Code of Practice for Information Security Management (ISO 17799)
Performing a Risk Management Maturity Self-Assessment
Level  State
0      Non-existent
1      Ad hoc
2      Repeatable
3      Defined process
4      Managed
5      Optimized
Defining Roles and Responsibilities
Executive Sponsor (“What's important?”): Determine acceptable risk
Information Security Group (“Prioritize risks”): Assess risks; define security requirements; measure security solutions
IT Group (“Best control solution”): Design and build security solutions; operate and support security solutions
Assessing Risk
Overview of the Assessing Risk Phase
[Diagram: phase 1 Assessing Risk highlighted in the four-phase cycle (2 Conducting Decision Support, 3 Implementing Controls, 4 Measuring Program Effectiveness)]
• Plan risk data gathering
• Gather risk data
• Prioritize risks
Understanding the Planning Step
The primary tasks in the planning step include the
following:
 Alignment
 Scoping
 Stakeholder acceptance
 Setting expectations
Understanding Facilitated Data Gathering
Elements collected during facilitated data gathering include:
 Organizational assets
 Asset description
 Security threats
 Vulnerabilities
 Current control environment
 Proposed controls
Keys to successful data gathering include:
 Meet collaboratively with stakeholders
 Build support
 Understand the difference between discussing and interrogating
 Build goodwill
 Be prepared
Identifying and Classifying Assets
An asset is anything of value to the organization and can
be classified as one of the following:
 High business impact
 Moderate business impact
 Low business impact
Organizing Risk Information
Use the following questions as an agenda during
facilitated discussions:
What asset are you protecting?
How valuable is the asset to the organization?
What are you trying to avoid happening to the asset?
How might loss or exposures occur?
What is the extent of potential exposure to the asset?
What are you doing today to reduce the probability or the extent of damage to the asset?
What are some actions that you can take to reduce the probability in the future?
Estimating Asset Exposure
Exposure: The extent of potential damage to an asset
Use the following guidelines to estimate asset exposure:
High exposure: Severe or complete loss of the asset
Medium exposure: Limited or moderate loss
Low exposure: Minor or no loss
Estimating Probability of Threats
Use the following guidelines to estimate probability for each threat and vulnerability identified:
High threat: Likely—one or more impacts expected within one year
Medium threat: Probable—impact expected within two to three years
Low threat: Not probable—impact not expected to occur within three years
Facilitating Risk Discussions
The facilitated risk discussion meeting is divided into
the following sections:
1 Determining Organizational Assets and Scenarios
2 Identifying Threats
3 Identifying Vulnerabilities
4 Estimating Asset Exposure
5 Estimating Probability of Exploit and Identifying Existing Controls
6 Meeting Summary and Next Steps
Defining Impact Statements
Impact data includes the following information:
Understanding Risk Prioritization
[Flowchart: Start risk prioritization -> Conduct summary-level risk prioritization -> Summary-level risk prioritization -> Review with stakeholders -> Conduct detailed-level risk prioritization -> Detailed-level risk prioritization -> End of risk prioritization]
Conducting Summary-Level Risk Prioritization
The summary-level prioritization process includes the following:
1 Determine impact level
2 Estimate summary-level probability:
  High. Likely—one or more impacts expected within one year
  Medium. Probable—impact expected within two to three years
  Low. Not probable—impact not expected to occur within three years
3 Complete the summary-level risk list
4 Review with stakeholders
Conducting Detailed Level Risk Prioritization
The following four tasks outline the process to build a
detailed-level list of risks:
1 Determine impact and exposure
2 Identify current controls
3 Determine probability of impact
4 Determine detailed risk level
Use the Detailed-Level Risk Prioritization template
(SRJA3-Detailed Level Risk Prioritization.xls)
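The following is a worked example added to this page; it is not code from the session or from the Microsoft Security Risk Management Guide and its templates. It models the well-formed risk statement (asset, threat, vulnerability, mitigation, impact, probability) as a small record, runs the summary-level pass on every risk, and runs the detailed-level pass (impact and exposure, current controls, probability of impact, detailed risk level) only on risks that the summary-level pass rated high. The numeric scales, the summary-level matrix, the thresholds, the control-effectiveness factor and the three sample risks are all constructed for this example and are not the guide's own values.

```python
from dataclasses import dataclass

# Constructed scoring scales for this example (assumptions, not the guide's tables).
ASSET_CLASS_VALUE = {"high": 10, "moderate": 5, "low": 2}   # business impact class
EXPOSURE_FACTOR = {"high": 1.0, "medium": 0.6, "low": 0.2}  # extent of potential damage
PROBABILITY_SCORE = {"high": 3, "medium": 2, "low": 1}      # likelihood of the threat

# Constructed summary-level matrix: impact level (rows) x probability (columns) -> risk level.
SUMMARY_MATRIX = {
    "high":     {"high": "high",   "medium": "high",   "low": "medium"},
    "moderate": {"high": "high",   "medium": "medium", "low": "low"},
    "low":      {"high": "medium", "medium": "low",    "low": "low"},
}


@dataclass
class RiskStatement:
    """The elements of a well-formed risk statement, as listed in the session."""
    asset: str                  # what are you trying to protect?
    threat: str                 # what are you afraid of happening?
    vulnerability: str          # how could the threat occur?
    current_control: str        # what is currently reducing the risk?
    asset_class: str            # high / moderate / low business impact
    exposure: str               # high / medium / low
    probability: str            # high / medium / low, estimated before current controls
    control_effectiveness: float = 0.0  # assumed fraction of probability removed by current_control


def summary_level(risk):
    """Summary-level pass: impact level taken from the asset class, probability as estimated."""
    return SUMMARY_MATRIX[risk.asset_class][risk.probability]


def detailed_score(risk):
    """Detailed-level pass: impact = asset value x exposure; probability reduced by current controls."""
    impact = ASSET_CLASS_VALUE[risk.asset_class] * EXPOSURE_FACTOR[risk.exposure]
    probability = PROBABILITY_SCORE[risk.probability] * (1.0 - risk.control_effectiveness)
    return round(impact * probability, 2)


def detailed_level(risk):
    """Bucket the detailed score into high / medium / low (constructed thresholds)."""
    score = detailed_score(risk)
    if score >= 15:
        return "high"
    if score >= 5:
        return "medium"
    return "low"


def prioritize(risks):
    """Run both passes and return the risks ranked from most to least urgent.

    The detailed-level pass is only applied to risks rated high at summary level,
    mirroring the session's statement that detailed prioritization is done on the
    high-impact risks; a risk can drop a level once current controls are counted.
    """
    ranked = []
    for r in risks:
        summary = summary_level(r)
        detailed = detailed_level(r) if summary == "high" else None
        ranked.append({"asset": r.asset, "summary": summary, "detailed": detailed,
                       "score": detailed_score(r) if detailed else None})
    order = {"high": 0, "medium": 1, "low": 2}
    ranked.sort(key=lambda x: (order[x["detailed"] or x["summary"]], -(x["score"] or 0)))
    return ranked


# Constructed sample risk statements (not taken from the guide).
SAMPLE_RISKS = [
    RiskStatement("Customer database", "Theft of customer records", "Unpatched database server",
                  "Monthly patching and nightly backups", "high", "high", "medium", 0.5),
    RiskStatement("Public brochure web site", "Defacement", "Weak administrative password",
                  "None", "low", "medium", "high", 0.0),
    RiskStatement("Payroll server", "Ransomware outage", "No offline backups",
                  "Antivirus on the server", "high", "high", "high", 0.2),
]

if __name__ == "__main__":
    for entry in prioritize(SAMPLE_RISKS):
        print(entry)
```

Running the block shows the payroll server first (high at both levels), then the customer database, which was high at summary level but drops to medium once the existing patching and backup controls are credited, and then the brochure site, which never qualified for the detailed pass.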
Quantifying Risk
The following tasks outline the process to determine
the quantitative value:
1 Assign a monetary value to each asset class
2 Input the asset value for each risk
3 Produce the single-loss expectancy value (SLE)
4 Determine the annual rate of occurrence (ARO)
5 Determine the annual loss expectancy (ALE)
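A worked example of the five quantification steps above, added to this page and not taken from the session or the Microsoft guide. It assigns a monetary value to each asset class, derives the single-loss expectancy (SLE) from the asset value and an exposure factor, turns the session's probability guidelines into an annual rate of occurrence (ARO), and produces the annual loss expectancy (ALE); it then goes one step further than the slide and compares ALE before and after a proposed control to give the return on security investment mentioned under the quantitative approach. All asset values, exposure factors, ARO figures and control costs are constructed assumptions for the example.

```python
# Constructed mapping from the session's qualitative ratings to numbers
# (assumptions for this example; the guide's templates carry their own values).

# Step 1: a monetary value for each asset class.
ASSET_CLASS_VALUE = {"high": 500_000, "moderate": 100_000, "low": 10_000}
# Exposure factor: fraction of the asset's value lost in a single incident.
EXPOSURE_FACTOR = {"high": 1.0, "medium": 0.5, "low": 0.1}
# Step 4: annual rate of occurrence derived from the probability guidelines:
# high = one or more impacts per year; medium = once in two to three years
# (0.4 per year assumed); low = not within three years (0.2 per year assumed).
ARO = {"high": 1.0, "medium": 0.4, "low": 0.2}


def single_loss_expectancy(asset_value, exposure):
    """Step 3: SLE = asset value x exposure factor (loss from one occurrence)."""
    return round(asset_value * EXPOSURE_FACTOR[exposure], 2)


def annual_loss_expectancy(asset_value, exposure, probability):
    """Step 5: ALE = SLE x ARO (expected loss per year)."""
    return round(single_loss_expectancy(asset_value, exposure) * ARO[probability], 2)


def quantify(asset_class, exposure, probability):
    """Steps 1 to 5 for one risk: look up the asset value (step 2), then SLE, ARO and ALE."""
    value = ASSET_CLASS_VALUE[asset_class]
    return {
        "asset_value": value,
        "sle": single_loss_expectancy(value, exposure),
        "aro": ARO[probability],
        "ale": annual_loss_expectancy(value, exposure, probability),
    }


def return_on_security_investment(asset_value, before, after, annual_control_cost):
    """Compare ALE without and with a proposed control.

    before/after are (exposure, probability) tuples describing the risk without and
    with the control. Returns (ale_before, ale_after, rosi), where rosi is the annual
    net benefit of the control divided by its annual cost; a negative value means
    the control costs more per year than the expected loss it removes.
    """
    ale_before = annual_loss_expectancy(asset_value, *before)
    ale_after = annual_loss_expectancy(asset_value, *after)
    net_benefit = ale_before - ale_after - annual_control_cost
    return ale_before, ale_after, round(net_benefit / annual_control_cost, 2)


if __name__ == "__main__":
    # Constructed case: a high-impact asset, fully exposed, with an impact expected yearly.
    print(quantify("high", "high", "high"))
    # A control costing 50,000 per year that leaves medium exposure and low probability.
    print(return_on_security_investment(500_000, ("high", "high"), ("medium", "low"), 50_000))
```

The ROSI figure is what lets the quantitative approach justify a control in management terms: in the constructed case the control removes 450,000 of annual expected loss for 50,000 of annual cost, so its net benefit is eight times its cost. The same arithmetic also exposes the drawback the comparison slide lists, since every input is an estimate agreed by the participants.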
Assessing Risk: Best Practices
 Analyze risks during the data gathering process
 Conduct research to build credibility for estimating probability
 Communicate risk in business terms
 Reconcile new risks with previous risks
Conducting Decision Support
Overview of the Decision Support Phase
[Diagram: phase 2 Conducting Decision Support highlighted in the four-phase cycle (1 Assessing Risk, 3 Implementing Controls, 4 Measuring Program Effectiveness)]
1. Define functional requirements
2. Identify control solutions
3. Review solutions against requirements
4. Estimate degree of risk reduction
5. Estimate cost of each solution
6. Select the risk mitigation strategy
Identifying Output for the Decision Support Phase
Key elements to gather include:
Decision on how to handle each risk
Functional requirements
Potential control solutions
Risk reduction of each control solution
Estimated cost of each control solution
List of control solutions to be implemented
Considering the Decision Support Options
Options for handling risk:
 Accepting the current risk
 Implementing controls to reduce risk
Overview of the Identifying and Comparing Controls Process
Mitigation owner: Identifies potential control solutions; determines types of costs
Security risk management team: Estimates level of risk reduction
Security steering committee: Final list of control solutions
Step 1: Define Functional Requirements
[Diagram: the six decision support steps (1 Define functional requirements, 2 Identify control solutions, 3 Review solutions against requirements, 4 Estimate degree of risk reduction, 5 Estimate cost of each solution, 6 Select the risk mitigation strategy) laid out in swim lanes for the security risk management team, the mitigation owner, and the security steering committee; step 1 highlighted]
Step 2: Identify Control Solutions
[Diagram: the same six-step swim-lane diagram with step 2 highlighted]
Step 3: Review Solutions Against Requirements
[Diagram: the same six-step swim-lane diagram with step 3 highlighted]
Step 4: Estimate Degree of Risk Reduction
[Diagram: the same six-step swim-lane diagram with step 4 highlighted]
Step 5: Estimate Cost of Each Solution
[Diagram: the same six-step swim-lane diagram with step 5 highlighted]
Step 6: Select the Risk Mitigation Strategy
[Diagram: the same six-step swim-lane diagram with step 6 highlighted]
Conducting Decision Support: Best Practices
 Consider assigning a security technologist to each identified risk
 Set reasonable expectations
 Build team consensus
 Focus on the amount of risk after the mitigation solution
Implementing Controls and Measuring Program Effectiveness
Implementing Controls
[Diagram: phase 3 Implementing Controls highlighted in the four-phase cycle (1 Assessing Risk, 2 Conducting Decision Support, 4 Measuring Program Effectiveness)]
• Seek a holistic approach
• Organize by defense-in-depth
Organizing the Control Solutions
Critical success determinants to organizing control solutions include:
 Communication
 Team scheduling
 Resource requirements
Organizing by Defense-in-Depth
Physical
Network
Host
Application
Data
Measuring Program Effectiveness
[Diagram: phase 4 Measuring Program Effectiveness highlighted in the four-phase cycle (1 Assessing Risk, 2 Conducting Decision Support, 3 Implementing Controls)]
• Develop scorecard
• Measure control effectiveness
Developing Your Organization’s Security Risk Scorecard
A simple security risk scorecard organized by the defense-in-depth layers might look like this:
Layer        FY05 Q1  FY05 Q2  FY05 Q3  FY05 Q4
Physical     H        M
Network      M        M
Host         M        M
Application  M        H
Data         L        L
Risk Levels (H, M, L)
Measuring Control Effectiveness
Methods to measure the effectiveness of implemented controls include:
 Direct testing
 Submitting periodic compliance reports
 Evaluating widespread security incidents
Session Summary
 One common thread between most risk management methodologies is that each is typically based on quantitative risk management, qualitative risk management, or a combination of the two
 Determining your organization’s maturity level will help focus on the appropriate implementation and timeframe for your risk management strategy
 Risk assessment consists of conducting a summary-level risk prioritization, and then conducting a detailed-level risk prioritization on high-impact risks
 The Microsoft Security Risk Management Guide provides a number of tools and templates to assist with the entire risk management process
 The Microsoft defense-in-depth approach organizes controls into several broad layers that make up the defense-in-depth model
Next Steps
Find additional security training events:
http://www.microsoft.com/seminar/events/security.mspx
Sign up for security communications:
http://www.microsoft.com/technet/security/signup/default.mspx
Order the Security Guidance Kit:
http://www.microsoft.com/security/guidance/order/default.mspx
Get additional security tools and content:
http://www.microsoft.com/security/guidance
Questions and Answers