Microsoft Security Risk Management Process
The Microsoft security risk management process is a hybrid approach that combines elements of the quantitative and qualitative approaches. In a quantitative risk assessment, the goal is to calculate objective numeric values for each component of the assessment: the value of each asset, the expected loss per incident and per year, and the cost of the controls that would mitigate the risk.
In a qualitative risk assessment, you do not try to assign hard financial values to assets, expected losses, and cost of controls. Instead, you rate them on relative scales (for example high, medium, and low) so that risks can be ranked against one another quickly. Combining the simplicity of the qualitative approach with some of the rigor of the quantitative approach gives a process for managing security risk that is both effective and usable.
Microsoft security risk management consists of four phases:
Assessing Risk. This phase combines aspects of both quantitative and qualitative risk assessment methodologies. A qualitative approach is used to quickly triage the entire list of security risks. The most serious risks identified are then examined in more detail using a quantitative approach. The result is a relatively short list of the most important risks that have been examined in detail.
Conducting Decision Support. The list created during the risk assessment phase is used during the decision support phase to propose and evaluate potential control solutions, and the best ones for mitigating the top risks are then recommended to the organization’s Security Steering Committee.
Implementing Controls. During this third phase, the mitigation owners actually put control solutions in place.
Measuring Program Effectiveness. The fourth phase is used to verify that the controls are actually providing the expected degree of protection, and to watch for changes in the environment, such as new business applications or attack tools that might change the organization’s risk profile. Additionally, current controls should be reevaluated for newer, similar controls that are more effective because of changes in technology and other advancements in security protection.
Because security risk management is an ongoing process, the cycle restarts with each new risk assessment. The frequency with which the cycle recurs will vary from one organization or project to another.
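As an added worked example, not code from the Microsoft guide, the following Python sketches the first two phases: a qualitative triage that ranks every risk on a coarse impact-times-probability scale, followed by a quantitative pass over only the survivors that computes annualized loss and compares candidate controls. It assumes a three-level qualitative scale, that the quantitative step uses the standard single loss expectancy (SLE = asset value x exposure factor) and annualized loss expectancy (ALE = SLE x annualized rate of occurrence) formulas, and that controls are compared by net annual benefit (ALE reduction minus the control's annual cost). The risks, values and controls are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Qualitative scale for the triage pass (constructed for this example).
LEVELS = {"low": 1, "medium": 2, "high": 3}


@dataclass
class Risk:
    name: str
    impact: str        # qualitative rating: low / medium / high
    probability: str   # qualitative rating: low / medium / high
    # Quantitative inputs; in practice gathered only for risks that survive triage.
    asset_value: float = 0.0      # value of the affected asset (currency units)
    exposure_factor: float = 0.0  # fraction of asset value lost per incident
    aro: float = 0.0              # annualized rate of occurrence (incidents per year)


@dataclass
class Control:
    name: str
    annual_cost: float
    aro_after: Optional[float] = None              # ARO once the control is in place
    exposure_factor_after: Optional[float] = None  # exposure factor once in place


def triage_score(risk: Risk) -> int:
    """Qualitative score: impact x probability on a 1..9 scale."""
    return LEVELS[risk.impact] * LEVELS[risk.probability]


def triage(risks: List[Risk], top_n: int) -> List[Risk]:
    """Phase 1, qualitative pass: keep only the top_n risks by score (ties broken by name)."""
    return sorted(risks, key=lambda r: (-triage_score(r), r.name))[:top_n]


def ale(risk: Risk, control: Optional[Control] = None) -> float:
    """Annualized loss expectancy, optionally with a control applied.

    SLE = asset value x exposure factor; ALE = SLE x ARO (standard quantitative formulas).
    """
    ef, aro = risk.exposure_factor, risk.aro
    if control is not None:
        if control.exposure_factor_after is not None:
            ef = control.exposure_factor_after
        if control.aro_after is not None:
            aro = control.aro_after
    return risk.asset_value * ef * aro


def net_benefit(risk: Risk, control: Control) -> float:
    """Annual benefit of a control: ALE reduction minus the control's annual cost."""
    return ale(risk) - ale(risk, control) - control.annual_cost


def recommend(risk: Risk, controls: List[Control]) -> Optional[Control]:
    """Phase 2, decision support: best control by net benefit, or None if none pays off."""
    if not controls:
        return None
    best = max(controls, key=lambda c: net_benefit(risk, c))
    return best if net_benefit(risk, best) > 0 else None


def assess(risks: List[Risk], controls_by_risk: Dict[str, List[Control]],
           top_n: int = 2) -> Dict[str, Tuple[float, Optional[str]]]:
    """Run triage, then quantify the survivors and recommend a control for each.

    Returns {risk name: (ALE with no control, recommended control name or None)}.
    """
    result = {}
    for risk in triage(risks, top_n):
        choice = recommend(risk, controls_by_risk.get(risk.name, []))
        result[risk.name] = (ale(risk), choice.name if choice else None)
    return result


# Constructed sample risk register; the two with quantitative inputs are the
# ones expected to survive triage. Values are illustrative only.
RISKS = [
    Risk("Phishing-led credential theft", "high", "high",
         asset_value=500_000, exposure_factor=0.2, aro=2.0),
    Risk("Ransomware on file servers", "high", "medium",
         asset_value=2_000_000, exposure_factor=0.5, aro=0.25),
    Risk("Laptop theft", "medium", "medium"),
    Risk("Website defacement", "low", "medium"),
    Risk("Insider data export", "medium", "low"),
]

# Constructed candidate controls per top risk (hypothetical names and costs).
CONTROLS = {
    "Phishing-led credential theft": [
        Control("Enforce MFA on all remote access", annual_cost=60_000, aro_after=0.2),
        Control("Annual awareness training", annual_cost=15_000, aro_after=1.5),
    ],
    "Ransomware on file servers": [
        Control("Immutable offline backups", annual_cost=40_000, exposure_factor_after=0.1),
        Control("Full network segmentation", annual_cost=300_000, aro_after=0.05),
    ],
}

if __name__ == "__main__":
    for name, (loss, control) in assess(RISKS, CONTROLS).items():
        print(f"{name}: ALE={loss:,.0f}, recommended control={control}")
```

The triage step deliberately ignores the financial fields, which is what lets it run over the whole register before anyone has gathered asset values; only the short list that comes out of it needs the costly quantitative data. A control whose annual cost exceeds the loss it prevents yields no recommendation, which is the check the decision support phase exists to make.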