Facilitating Risk Discussions
This section outlines risk discussion meeting preparations and defines the
five tasks within the data gathering discussion (determining organizational
assets and scenarios, identifying threats, identifying vulnerabilities,
estimating asset exposure, identifying existing controls and the probability of
an exploit).
Meeting Preparations
One subtle yet important success factor is the order in which risk
discussions are held. Experience within Microsoft shows that the more
information the Security Risk Management Team has going into each meeting, the
more productive the meeting's outcome. One strategy is to build a knowledge base
of risks across the organization to leverage the experience of the information
security and IT teams. Meet with the Information Security Group first and then
the IT teams in order to update your knowledge about the environment. This
allows the Security Risk Management Team to have a greater understanding of each
stakeholder's area of the organization. This also allows the Security Risk
Management Team to share progress of the risk assessment with stakeholders as
appropriate. Following this best practice, conduct any executive management risk
discussions toward the end of the data gathering process. Executives often want
an early view of the direction that the risk assessment is taking. Do not
confuse this with executive sponsorship and support. Executive participation is
required at the beginning and throughout the risk assessment process.
Invest time in building the list of invitees for each risk discussion. A best
practice is to conduct meetings with groups of stakeholders with similar
responsibilities and technical knowledge. The goal is to make attendees feel
comfortable with the technical level of discussion. While a diverse set of
stakeholders may benefit from hearing other views on organization risk, the risk
assessment process must remain focused in order to collect all relevant data in
the time allotted.
After you schedule risk discussions, research each stakeholder's area of the
organization to become familiar with the assets, threats, vulnerabilities, and
controls. As noted above, this information allows the Risk Assessment
Facilitator to keep the discussion on track and at a productive pace.
Facilitating Discussions
The facilitated discussion should have an informal tone; however, the Risk
Assessment Facilitator must keep the discussion moving in order to cover all
relevant material. Experience shows that discussion often strays from the
agenda. Likely pitfalls are when stakeholders initiate technical discussions
surrounding new vulnerabilities or have preconceived control solutions. The Risk
Assessment Facilitator should use the pre-meeting research and his or her
expertise to capture a summary of the technical discussion and keep the meeting
moving forward. With sufficient preparation, a meeting with four to six
stakeholders should last approximately 60 minutes.
Invest a few minutes in the beginning to cover the agenda and highlight the
roles and responsibilities across the risk management program. Stakeholders must
clearly understand their roles and expected contributions. Another best practice
is to provide all stakeholders with a sample risk discussion worksheet for
personal note taking. This also provides a reference as the Risk Assessment
Facilitator conducts the risk discussion. Another best practice is to arrive
early and sketch the risk template on a white board to record data throughout
the meeting. For a 60-minute meeting, the meeting timeline should resemble the
following:
- Introductions and Risk Management Overview – 5 minutes
- Roles and Responsibilities – 5 minutes
- Risk Discussion – 50 minutes
The risk discussion is divided into the following sections:
- Determining Organizational Assets and Scenarios
- Identifying Threats
- Identifying Vulnerabilities
- Estimating Asset Exposure
- Estimating Probability of Threats
- Proposed Control Discussions
- Meeting Summary and Next Steps
The actual flow of the meeting varies according to the group of participants,
number of risks discussed, and experience of the Risk Assessment Facilitator.
Use this as a guide in terms of the relative time investment for each task of
the assessment. Also, consider sending the data gathering template before the
meeting if stakeholders have previous experience with the risk assessment
process.
Note: The remaining sections of this chapter incorporate example
information to help demonstrate the use of the tools referenced in the
Assessing Risk phase. The example company is fictitious, and the risk
related content represents only a fraction of the data required for a
completed risk assessment. The focus of the example is simply to show how
information can be collected and analyzed by using the tools provided with
this guide. A full demonstration of all aspects of the Microsoft security
risk management process produces significant amounts of data and is out of
scope for this guide. The fictitious company is a consumer retail bank
called Woodgrove Bank. Content related to the example can be identified by
the "Woodgrove Example" heading preceding each example topic.
Task One: Determining Organizational Assets and Scenarios
The first task is to collect stakeholder definitions of organizational assets
within the scope of the risk assessment. Use the data gathering template, shown
below, to populate tangible, intangible, or IT service assets as appropriate.
(SRMGTool1-Data Gathering Tool.doc is also included as a tool with this guide.)
For each asset, assist stakeholders in selecting an asset class and recording it
in the template. As appropriate, also record the asset owner. If stakeholders
have difficulty in selecting an asset class, verify that the asset is defined at
a detailed level in order to facilitate discussion. If stakeholders continue to
have difficulty, skip this task and wait until the threat and vulnerability
discussions. Experience shows that stakeholders may have an easier time
classifying assets when they realize the potential threats to the asset and the
overall business.
The discussion surrounding organizational assets can be limited to a few
simple questions. For example, is the asset critical to the success of the
company, and can the asset have a material impact on the bottom line? If yes,
the asset has the potential to cause a high impact to the organization.