Kevin Remde's IT Pro Weblog
June 13, 2005
Presented by Kevin Remde
Microsoft’s Security Risk Management Guide
Computer Emergency Response Team (CERT)
National Institute of Standards and Technology (NIST) Security Self-Assessment Guide for Information Technology Systems (SP 800-26). This guide can be accessed at http://csrc.nist.gov/publications/nistpubs/
IT Governance Institute (ITGI): Control Objectives for Information and Related Technology (CobiT), which includes the IT Governance Maturity Model. This document can be purchased from http://www.itgi.org
International Organization for Standardization (ISO) Code of Practice for Information Security Management (ISO 17799). This can be purchased from http://www.iso.org.
For additional information on defining and categorizing information and information systems, refer to National Institute of Standards and Technology (NIST) Special Publication 800-60 workshops, and the Federal Information Processing Standards (FIPS) Publication 199.
Answer the following 17 questions and score each answer on a scale of 0 to 5 as illustrated in the table following the set of questions. These questions and the score levels help to determine the overall maturity level of your organization.
Answer and score each of the 17 questions using one of these values from 0 to 5:
0 Nonexistent
Policy (or process) is not documented, and the organization has previously been unaware of the business risk associated with this area of risk management.
1 Ad hoc
It is clear that some members of the organization have concluded that risk management has value. However, risk management efforts are performed in an ad hoc manner. There are no documented processes or policies, and the process is not fully repeatable. Risk management projects seem chaotic and uncoordinated, and results are not measured or audited.
2 Repeatable
There is awareness of risk management throughout the organization. The risk management process is repeatable yet immature. The process is not fully documented, but the activities occur on a regular basis, and the organization is working toward establishing a comprehensive risk management process.
3 Defined process
The organization has made a formal decision to adopt risk management wholeheartedly to drive its information security program. A baseline process has been developed that includes clearly defined goals with documented processes for achieving and measuring success. The organization is actively implementing its documented risk management process.
4 Managed
There is a thorough understanding of risk management at all levels of the organization. Risk management procedures exist, the process is well defined, awareness is broadly communicated, rigorous training is available, and some initial forms of measurement are in place to determine effectiveness. There is some use of technological tools to help with risk management, but many, if not most, risk assessment, control identification, and cost-benefit analysis procedures are manual.
5 Optimized
The organization has committed significant resources to security risk management, and staff members are looking toward the future to ascertain what the issues and solutions will be in the months and years ahead. The risk management process is well understood and significantly automated through the use of tools (either developed in-house or acquired from independent software vendors).
Calculate your organization’s score by adding up the score level of each of the 17 statements (the maximum possible score is 85). The following table provides information for each score range:
51 or above
Your organization is well prepared to introduce and use the Microsoft security risk management process to its fullest extent.
34 to 50
Your organization has taken many significant steps to control security risks and is ready to gradually introduce the security risk management process. You should consider rolling out the process to a few business units over a few months before exposing the entire organization to its benefits.
33 or below
Consider starting the security risk management process slowly by creating the core security risk management team and applying the process to a single business unit for the first few months. After demonstrating the value of the process, expand it to two or three additional business units. As the process is accepted as demonstrating value, continue adding business units.
Data Gathering template (SRJA1-Data Gathering Tool.doc).
A template to assist in facilitating discussions about gathering risk data.
Risk Prioritization template (SRJA2-Summary_Risk_Level.xls).
A Microsoft Office Excel template to assist in prioritizing summary-level risks.
Detailed-Level Risk Prioritization template (SRJA3-Detailed Level Risk Prioritization.xls).
An Excel template with a number of worksheets, all relating to the detail-level risk prioritization process.
Sample schedule (SRJA4-Sample Project Schedule.xls).
This schedule can assist you in planning activities for this phase.
For prescriptive guidance on securing perimeter networks with firewalls, see the Microsoft Systems Architecture Perimeter Firewall Service Design for the CDC Scenario, which is part of the Microsoft Systems Architecture Version 2.0 Solution, at http://www.microsoft.com/resources/documentation/msa/2/all/solution/en-us/msa20ik/vmhtm57.mspx
For additional prescriptive guidance, see Chapter 15, “Securing Your Network,” in Improving Web Application Security: Threats and Countermeasures, at http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnnetsec/html/THCMCh15.asp
For prescriptive guidance on implementing secure wireless LANs (WLANs) using EAP and digital certificates, see Securing Wireless LANs: A Windows Server 2003 Certificate Services Solution, at http://go.microsoft.com/fwlink/?LinkId=14843
For information about securing wireless LANs (WLANs) with PEAP and passwords, see http://go.microsoft.com/fwlink/?linkid=23481
For prescriptive guidance on using network segmentation to improve security and performance, see the MSA Enterprise Design, which is part of the Microsoft Systems Architecture Version 2.0 Solution, at http://www.microsoft.com/resources/documentation/msa/2/all/solution/en-us/msa20rak/vmhtm11.mspx
For prescriptive guidance on securing internal networks with firewalls, see the Microsoft Systems Architecture Internal Firewall Service Design for the CDC Scenario, which is part of the Microsoft Systems Architecture Version 2.0 Solution, at http://www.microsoft.com/resources/documentation/msa/2/all/solution/en-us/msa20ik/vmhtm59.mspx
The Microsoft Patch Management Web site includes tools and guides to help organizations more effectively test, deploy, and support software updates. See: http://www.microsoft.com/technet/security/topics/patch/default.mspx
Step-by-Step Guide to Securing Windows XP Professional in Small and Medium Businesses is at http://go.microsoft.com/fwlink/?linkid=19453
For prescriptive guidance on securing Microsoft Windows® XP, see the Windows XP Security Guide, at http://go.microsoft.com/fwlink/?LinkId=14839
For prescriptive guidance on securing Microsoft Windows Server™ 2003, see the Windows Server 2003 Security Guide, at http://go.microsoft.com/fwlink/?LinkId=14845
Threats and Countermeasures: Security Settings in Windows Server 2003 and Windows XP is a reference guide for the major security settings and features included with Windows Server 2003 and Windows XP. It is available at http://go.microsoft.com/fwlink/?LinkId=15159
For prescriptive guidance on securing Windows 2000 Server, see the Windows 2000 Security Hardening Guide, at http://www.microsoft.com/downloads/details.aspx?FamilyID=15E83186-A2C8-4C8F-A9D0-A0201F639A56&DisplayLang=en
The Exchange 2003 Hardening Guide provides information about securing Microsoft Exchange 2003 Server. It is available at http://www.microsoft.com/downloads/details.aspx?FamilyID=6a80711f-e5c9-4aef-9a44-504db09b9065&displaylang=en
The Security Operations Guide for Exchange 2000 provides guidance on securing Microsoft Exchange 2000 Server. It is available at http://www.microsoft.com/technet/security/prodtech/mailexch/opsguide/default.mspx
Chapter 18, “Securing Your Database Server,” of the Improving Web Application Security: Threats and Countermeasures solution guide includes prescriptive information about securing SQL Server™. It is available at http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnnetsec/html/THCMCh18.asp
The Improving Web Application Security: Threats and Countermeasures solution guide provides a solid foundation for designing, building, and configuring secure ASP.NET Web applications. It is available at http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnnetsec/html/ThreatCounter.asp
The Building Secure ASP.NET Applications guide presents a practical, scenario-driven approach to designing and building secure ASP.NET applications for Windows 2000 and version 1.0 of the Microsoft .NET Framework. It is available at http://msdn.microsoft.com/library/en-us/dnnetsec/html/secnetlpMSDN.asp?frame=true
For information about backing up data on Windows 2000 networks, refer to the Backup and Restore Solution for Windows 2000–based Data Centers guide at http://www.microsoft.com/technet/prodtechnol/windows2000serv/maintain/backuprest/default.mspx
For step-by-step instructions on how to implement EFS, refer to the Step-by-Step Guide to Encrypting File System (EFS), which is available at http://www.microsoft.com/windows2000/techinfo/planning/security/efssteps.asp