This is a good tool for mid-sized organizations. The Microsoft Security Assessment Tool 3.5 is the revised version of the original Microsoft Security Risk Self-Assessment Tool (MSRSAT), released in 2004 and the Microsoft Security Assessment Tool 2.0 released in 2006. The MSAT is comprised of three assessments:
· Business Risk Profile
· Defense in Depth Assessment
· Mid-Market Security Core Infrastructure Operations
These assess the range of potential business risk and the areas where defense in depth measures have been taken. (Defense in depth is the implementation of layered defenses that include technical, organizational, and operational controls.) At the end of the assessments, MSAT provides you with a comprehensive report detailing findings and recommendations, a scorecard that shows the priority of areas that need to be addressed, best practices, and a long list of additional resources. You can see a sample report I ran with MSAT here (the data I provided in my test run was fictional, and any resemblance to any existing individuals or corporations is purely coincidental, no animals were harmed, etc. etc. etc.).
You can download MSAT at Microsoft Security Assessment Tool 3.5 (International).
– Andrea Weiss