Full of I.T.

Kevin Remde's IT Pro WebLog

20050613 Security Risk Management Webcast Resources

Resources for Security Risk Management Webcast

June 13, 2005

Presented by Kevin Remde


Microsoft’s Security Risk Management Guide



Computer Emergency Response Team (CERT)



National Institute of Standards and Technology (NIST) Security Self-Assessment Guide for Information Technology Systems (SP-800-26).

This guide can be accessed at http://csrc.nist.gov/publications/nistpubs/


IT Governance Institute (ITGI): Control Objectives for Information and Related Technology (CobiT), which includes the IT Governance Maturity Model. This document can be purchased from http://www.itgi.org


International Standards Organization (ISO) ISO Code of Practice for Information Security Management (ISO 17799).

This can be purchased from http://www.iso.org.


For additional information on defining and categorizing information and information systems, refer to National Institute of Standards and Technology (NIST) Special Publication 800-60 workshops, and the Federal Information Processing Standards (FIPS) Publication 199.



17 Questions to Assess Your Organization’s Security Risk Management Maturity

Answer the following 17 questions and score each answer on a scale of 0 to 5 as illustrated in the table following the set of questions. These questions and the score levels help to determine the overall maturity level of your organization.


  1. Information security policies and procedures are clear, concise, well documented, and complete.
  2. All staff positions with job responsibilities involving information security have clearly articulated and well-understood roles and responsibilities.
  3. Policies and procedures for securing third-party access to business data are well documented. For example, offshore vendors performing application development for an internal business tool have sufficient access to network resources to effectively collaborate and complete their work, but they have only the minimum amount of access that they need.
  4. An inventory of IT assets such as hardware, software, and data repositories is accurate and up-to-date.
  5. Suitable controls are in place to protect business data from unauthorized access by both outsiders and insiders.
  6. Effective user-awareness programs are in place, such as training and newsletters regarding information security policies and practices.
  7. Physical access to the computer network and other information technology assets is restricted through the use of effective controls.
  8. New computer systems are provisioned following organizational security standards in a standardized manner using automated tools such as disk imaging or build scripts.
  9. An effective update management system is able to automatically deliver software updates from most vendors to the vast majority of the computer systems in the organization.
  10. An incident response team has been created and has developed and documented effective processes for dealing with and tracking security incidents. All incidents are investigated until the root cause is identified and any problems are resolved.
  11. The organization has a comprehensive antivirus program that includes multiple layers of defense, user-awareness training, and effective processes for responding to virus outbreaks.
  12. User-provisioning processes are well documented and at least partially automated so that new employees, vendors, and partners can be granted an appropriate level of access to the organization’s information systems in a timely manner. These processes should also support the timely disabling and deletion of user accounts that are no longer needed.
  13. Computer and network access is controlled through user authentication and authorization, restrictive access control lists on data, and proactive monitoring for policy violations.
  14. Application developers are provided with education and possess a clear awareness of security standards for software creation and quality assurance testing of code.
  15. Business continuity and business continuity programs are clearly defined, well documented, and periodically tested through simulations and drills.
  16. Effective programs are underway for ensuring that all staff perform their work tasks in a manner compliant with legal requirements.
  17. Third-party reviews and audits are used regularly to verify compliance with standard practices for securing business assets.


Answer and score each of the 17 questions using one of these values from 0 to 5:

0 Non-existent

Policy (or process) is not documented, and previously the organization was unaware of the business risk associated with this risk management.

1 Ad hoc

It is clear that some members of the organization have concluded that risk management has value. However, risk management efforts are performed in an ad hoc manner. There are no documented processes or policies, and the process is not fully repeatable. Risk management projects seem chaotic and uncoordinated, and results are not measured and audited.

2 Repeatable

There is awareness of risk management throughout the organization. The risk management process is repeatable yet immature. The process is not fully documented, but the activities occur on a regular basis, and the organization is working toward establishing a comprehensive risk management process.

3 Defined process

The organization has made a formal decision to adopt risk management wholeheartedly to drive its information security program. A baseline process has been developed that includes clearly defined goals with documented processes for achieving and measuring success. The organization is actively implementing its documented risk management process.

4 Managed

There is a thorough understanding of risk management at all levels of the organization. Risk management procedures exist, the process is well defined, awareness is broadly communicated, rigorous training is available, and some initial forms of measurement are in place to determine effectiveness. There is some use of technological tools to help with risk management, but many—if not most—risk assessment, control identification, and cost-benefit analysis procedures are manual.

5 Optimized

The organization has committed significant resources to security risk management, and staff members are looking toward the future to ascertain what the issues and solutions will be in the months and years ahead. The risk management process is well understood and significantly automated through the use of tools (either developed in-house or acquired from independent software vendors).


Scoring your Organization’s SRM Maturity Results:

Calculate your organization’s score by adding up the score level of each statement. The following table provides information for each score range:


51 or above

Your organization is well prepared to introduce and use the Microsoft security risk management process to its fullest extent.



Your organization has taken many significant steps to control security risks and is ready to gradually introduce the security risk management process. You should consider rolling out the process to a few business units over a few months before exposing the entire organization to its benefits.


33 or below

Consider starting the security risk management process slowly by creating the core security risk management team and applying the process to a single business unit for the first few months. After demonstrating the value of the process, expand it to two or three additional business units. As the process is accepted as demonstrating value, continue adding business units.


Description of Tools Included in the Microsoft Security Risk Management Guide


Data Gathering template (SRJA1-Data Gathering Tool.doc).

A template to assist in facilitating discussions about gathering risk data.


Risk Prioritization template (SRJA2-Summary_Risk_Level.xls).

A Microsoft Office Excel template to assist in prioritizing summary-level risks.


Detailed-Level Risk Prioritization template (SRJA3-Detailed Level Risk Prioritization.xls).

An Excel template with a number of worksheets, all relating to the detail-level risk prioritization process.


Sample schedule (SRJA4-Sample Project Schedule.xls).

This schedule can assist you in planning activities for this phase.


Network defenses


For prescriptive guidance on securing perimeter networks with firewalls, see the Microsoft Systems Architecture Perimeter Firewall Service Design for the CDC Scenario, which is part of the Microsoft Systems Architecture Version 2.0 Solution, at http://www.microsoft.com/resources/documentation/msa/2/all/solution/en-us/msa20ik/vmhtm57.mspx


For additional prescriptive guidance, see Chapter 15, “Securing Your Network,” in Improving Web Application Security: Threats and Countermeasures, at http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnnetsec/html/THCMCh15.asp


For prescriptive guidance on implementing secure wireless LANs (WLANs) using EAP and digital certificates, see Securing Wireless LANs: A Windows Server 2003 Certificate Services Solution, at http://go.microsoft.com/fwlink/?LinkId=14843


For information about securing wireless LANs (WLANs) with PEAP and passwords, see http://go.microsoft.com/fwlink/?linkid=23481


For prescriptive guidance on using network segmentation to improve security and performance, see the MSA Enterprise Design, which is part of the Microsoft Systems Architecture Version 2.0 Solution, at http://www.microsoft.com/resources/documentation/msa/2/all/solution/en-us/msa20rak/vmhtm11.mspx


For prescriptive guidance on securing internal networks with firewalls, see the Microsoft Systems Architecture Internal Firewall Service Design for the CDC Scenario, which is part of the Microsoft Systems Architecture Version 2.0 Solution, at http://www.microsoft.com/resources/documentation/msa/2/all/solution/en-us/msa20ik/vmhtm59.mspx



Host defenses


The Microsoft Patch Management Web site includes tools and guides to help organizations more effectively test, deploy, and support software updates. See: http://www.microsoft.com/technet/security/topics/patch/default.mspx


Step-by-Step Guide to Securing Windows XP Professional in Small and Medium Businesses is at http://go.microsoft.com/fwlink/?linkid=19453


For prescriptive guidance on securing Microsoft Windows® XP, see the Windows XP Security Guide, at http://go.microsoft.com/fwlink/?LinkId=14839


For prescriptive guidance on securing Microsoft Windows Server™ 2003, see the Windows Server 2003 Security Guide, at http://go.microsoft.com/fwlink/?LinkId=14845.

Threats and Countermeasures: Security Settings in Windows Server 2003 and Windows XP is a reference guide for the major security settings and features included with Windows Server 2003 and Windows XP. It is available at http://go.microsoft.com/fwlink/?LinkId=15159


For prescriptive guidance on securing Windows 2000 Server, see the Windows 2000 Security Hardening Guide, at http://www.microsoft.com/downloads/details.aspx?FamilyID=15E83186-A2C8-4C8F-A9D0-A0201F639A56&DisplayLang=en



Application defenses


The Exchange 2003 Hardening Guide provides information about securing Microsoft Exchange 2003 Server. It is available at http://www.microsoft.com/downloads/details.aspx?FamilyID=6a80711f-e5c9-4aef-9a44-504db09b9065&displaylang=en


The Security Operations Guide for Exchange 2000 provides guidance on securing Microsoft Exchange 2000 Server. It is available at http://www.microsoft.com/technet/security/prodtech/mailexch/opsguide/default.mspx


Chapter 18, “Securing Your Database Server,” of the Improving Web Application Security: Threats and Countermeasures solution guide includes prescriptive information about securing SQL Server™. It is available at http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnnetsec/html/THCMCh18.asp


The Improving Web Application Security: Threats and Countermeasures solution guide provides a solid foundation for designing, building, and configuring secure ASP.NET Web applications. It is available at http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnnetsec/html/ThreatCounter.asp


The Building Secure ASP.NET Applications guide presents a practical, scenario-driven approach to designing and building secure ASP.NET applications for Windows 2000 and version 1.0 of the Microsoft .NET Framework. It is available at http://msdn.microsoft.com/library/en-us/dnnetsec/html/secnetlpMSDN.asp?frame=true



Data defenses


For information about backing up data on Windows 2000 networks, refer to the Backup and Restore Solution for Windows 2000–based Data Centers guide at http://www.microsoft.com/technet/prodtechnol/windows2000serv/maintain/backuprest/default.mspx


For step-by-step instructions on how to implement EFS, refer to the Step-by-Step Guide to Encrypting File System (EFS), which is available at http://www.microsoft.com/windows2000/techinfo/planning/security/efssteps.asp