Planning
Proper risk assessment planning is critical to the success of the entire risk
management program. Failure to adequately align, scope, and gain acceptance of
the Assessing Risk phase diminishes the effectiveness of the other phases in the
larger program. Conducting risk assessments can be a complicated process that
requires significant investment to complete. Tasks and guidance critical to the
planning step are covered in the next section of this chapter.
Facilitated Data Gathering
After planning, the next step is to gather risk-related information from
stakeholders across the organization; you will also use this information in the
Conducting Decision Support phase. The primary data elements collected during
the facilitated data gathering step are:
- Organizational assets — Anything of value to the business.
- Asset description — Brief explanation of each asset, its worth, and ownership to facilitate common understanding throughout the Assessing Risk phase.
- Security threats — Causes or events that may negatively impact an asset, represented by loss of confidentiality, integrity, or availability of the asset.
- Vulnerabilities — Weaknesses or lack of controls that may be exploited to impact an asset.
- Current control environment — Description of current controls and their effectiveness across the organization.
- Proposed controls — Initial ideas to reduce risk.
The facilitated data gathering step represents the bulk of the cross-group
collaboration and interaction during the Assessing Risk phase. The third section
in this chapter covers data gathering tasks and guidance in detail.
Risk Prioritization
During the facilitated data gathering step, the Security Risk Management Team
begins sorting the large amount of information collected to prioritize risks.
The risk prioritization step is the first one within the phase that involves an
element of subjectivity. Prioritization is subjective in nature because, after
all, the process essentially involves predicting the future. Because the
Assessing Risk output drives future Information Technology (IT) investments,
establishing a transparent process with defined roles and responsibilities is
critical to gain acceptance of the results and motivate action to mitigate
risks. The Microsoft security risk management process provides guidance to
identify and prioritize risks in a consistent and repeatable way. An open and
reproducible approach helps the Security Risk Management Team to reach consensus
quickly, minimizing potential delays caused by the subjective nature of risk
prioritization. The fourth section in this chapter covers prioritization tasks
and guidance in detail.
Required Inputs for the Assessing Risk Phase
Each step in the Assessing Risk phase contains a specific list of
prescriptive tasks and associated inputs. The phase itself requires a well-built
foundation as opposed to specific inputs. As outlined in Chapter 1, the
Assessing Risk phase requires security leadership in the form of executive
support, stakeholder acceptance, and defined roles and responsibilities. The
following sections address these areas in detail.
Participants in the Assessing Risk Phase
Assessing risk requires cross-group interaction and holds different
stakeholders responsible for tasks throughout the process. A best
practice to reduce role confusion throughout the process is to communicate the
checks and balances built into the risk management roles and responsibilities.
While you are conducting the assessment, communicate the roles that stakeholders
play and assure them that the Security Risk Management Team respects these
boundaries. The following table summarizes the roles and primary
responsibilities for stakeholders in this phase of the risk management process.