Tools Provided for the Assessing Risk Phase
During the Assessing Risk phase you will gather data about risks and then use
this data to prioritize them. Four tools, included in the companion download
of this guide that is available from the Download Center, will assist in this
phase. You can find the tools in the Tools and Templates folder that was
created when you unpacked the download archive containing this guide and its
related files.
- Data Gathering Template (SRMGTool1-Data Gathering Tool.doc). You
can use this template in the Assessing Risk phase during the workshops that
this chapter describes.
- Summary Level Risk Analysis Worksheet (SRMGTool2-Summary Risk
Level.xls). This Microsoft Excel worksheet will help your organization to
conduct the first pass of risk analysis: the summary level analysis.
- Detail Level Risk Analysis Worksheet (SRMGTool3-Detailed Level
Risk Prioritization.xls). This Excel worksheet will help your organization
to conduct a more exhaustive analysis of the top risks identified during the
summary level analysis.
- Sample Schedule (SRMGTool4-Sample Project Schedule.xls). This
Excel worksheet shows a high-level project schedule for the Microsoft
security risk management process. It includes the phases, steps, and tasks
discussed throughout this guide.
You may also want to review Appendix B: Common Information System Assets.
Required Output for the Assessing Risk Phase
The output of the Assessing Risk phase is a prioritized list of risks,
including qualitative ranking and quantitative estimates used in the Conducting
Decision Support phase that the next chapter describes.
Planning
The planning step is arguably the most important for ensuring stakeholder
acceptance and support throughout the risk assessment process. Stakeholder
acceptance is critical because the Security Risk Management Team requires
active participation from other stakeholders. Support is also critical because
the assessment results may influence stakeholder budgeting activities if new
controls are required to reduce risk. The primary tasks in the planning step are
to properly align the Assessing Risk phase with business processes, accurately
scope the assessment, and gain stakeholder acceptance. The following sections
examine these three tasks in more detail and cover success factors related to
them.
Alignment
It is ideal to begin the Assessing Risk phase before your organization's
budgeting process. Alignment facilitates executive support and increases
visibility within the organization and IT groups while they develop budgets for
the next fiscal year. Proper timing also aids in building consensus during the
assessment because it allows stakeholders to take active roles in the planning
process. The Information Security Group is often viewed as a reactive team that
disrupts organizational activity and surprises business units with news of
control failures or work stoppages. Sensible timing of the assessment is
critical to building support and to helping the organization understand that
security is everyone's responsibility and is ingrained in the organization. A
further benefit of conducting a risk assessment is that it shows the
Information Security Group to be a proactive partner rather than a simple
policy enforcer during emergencies. This guide provides a sample project
timeline to aid in aligning the risk assessment process with your organization.
Obviously, the Security Risk Management Team should not withhold risk
information while waiting for the budgeting cycle. Aligning the timing of the
assessment is simply a best practice learned from conducting assessments in
Microsoft IT.
Note Proper alignment of the risk management process with the
budget planning cycle may also benefit internal or external auditing
activities; however, coordinating and scoping audit activities are outside
the scope of this guide.
Scoping
During planning activities, clearly articulate the scope of the risk
assessment. To effectively manage risk across the organization, the risk
assessment scope should document all organizational functions included in the
risk assessment. If your organization's size does not allow an enterprise-wide
risk assessment, clearly articulate which part of the organization will be in
scope, and define the associated stakeholders. As discussed in Chapter 2, if
your organization is new to risk management programs, you may want to start
with well-understood business units to practice the risk assessment process.
For example, selecting a specific human resources application or IT service,
such as remote access, may help demonstrate the value of the process and assist
in building momentum for an organization-wide risk assessment.
Note Organizations often fail to accurately scope a risk
assessment. Clearly define the areas of the organization to be evaluated and
gain executive approval before moving forward. The scope should be discussed
often and understood at all stakeholder meetings throughout the process.
In the planning step you must also define the scope of the risk assessment
itself. The information security industry uses the term assessment in many ways
that may confuse non-technical stakeholders. For example, vulnerability
assessments are performed to identify technology-specific configuration or
operational weaknesses. The term compliance assessment may be used to
communicate an audit, or measurement of current controls against formal policy.
The Microsoft security risk management process defines risk assessment as the
process to identify and prioritize enterprise IT security risks to the
organization. You may adjust this definition as appropriate for your
organization. For example, some Security Risk Management Teams may also include
personnel security in the scope of their risk assessments.
Stakeholder Acceptance
Risk assessment requires active stakeholder participation. As a best
practice, work with stakeholders informally and early in the process to ensure
that they understand the importance of the assessment, their roles, and the time
commitment asked of them. Any experienced Risk Assessment Facilitator can tell
you that there is a difference between stakeholder approval of the project
versus stakeholder acceptance of the time and priority of the project. A best
practice for enlisting stakeholder support is to pre-sell the concept and the
activities within the risk assessment. Pre-selling may involve an informal
meeting with stakeholders before a formal commitment is requested. Emphasize why
a proactive assessment helps the stakeholder in the long run by identifying
controls that may avoid disruptions from security events in the future.
Including past security incidents as examples in the discussion is an effective
way to remind stakeholders of potential organizational impacts.
Note To help stakeholders understand the process, prepare a short
summary communicating the justification and value of the assessment. Share
the summary as much as possible. You will know that you have been effective
when you hear stakeholders describing the assessment to each other. This
guide's executive summary provides a good starting point to communicate the
value of the risk assessment process.