The Four Phases of the Microsoft Security Risk Management Process

Chapter 2, "Survey of Risk Management Practices," introduced the Microsoft security risk management process and defined risk management as an ongoing process with four primary phases:

1. Assessing Risk — Identify and prioritize risks to the business.
2. Conducting Decision Support — Identify and evaluate control solutions based on a defined cost-benefit analysis process.
3. Implementing Controls — Deploy and operate control solutions to reduce risk to the business.
4. Measuring Program Effectiveness — Analyze the risk management process for effectiveness and verify that controls are providing the expected degree of protection.

This four-part risk management cycle summarizes the Microsoft security risk management process and is also used to organize content throughout this guide.

Before defining specific practices within the Microsoft security risk management process, however, it is important to understand the larger risk management process and its components. Each phase of the cycle contains multiple, detailed steps. The following list outlines each step to help you understand the importance of each one in the guide as a whole:

• Assessing Risk phase
  • Plan data gathering — Discuss keys to success and preparation guidance.
  • Gather risk data — Outline the data collection process and analysis.
  • Prioritize risks — Outline prescriptive steps to qualify and quantify risks.
• Conducting Decision Support phase
  • Define functional requirements — Define functional requirements to mitigate risks.
  • Select possible control solutions — Outline approach to identify mitigation solutions.
  • Review solution — Evaluate proposed controls against functional requirements.
  • Estimate risk reduction — Endeavor to understand reduced exposure or probability of risks.
  • Estimate solution cost — Evaluate direct and indirect costs associated with mitigation solutions.
  • Select mitigation strategy — Complete the cost-benefit analysis to identify the most cost effective mitigation solution.
• Implementing Controls phase
  • Seek holistic approach — Incorporate people, process, and technology in mitigation solution.
  • Organize by defense-in-depth — Organize mitigation solutions across the business.
• Measuring Program Effectiveness phase
  • Develop risk scorecard — Understand risk posture and progress.
  • Measure program effectiveness — Evaluate the risk management program for opportunities to improve