MCITP MCSE Boot Camp

Preparing for Success

Prioritizing risks to the organization is not a simple proposition. The Security Risk Management Team must attempt to predict the future by estimating when and how potential impacts may affect the organization, and it then must justify those predictions to stakeholders. A common pitfall for many teams is "hiding" the tasks involved with determining probability and using calculations to represent probability in terms of percentages or other bottom-line figures to which they assume Business Owners will more readily respond. But experience in developing the Microsoft security risk management process has proven that stakeholders are more likely to accept the Security Risk Management Team's analyses if the logic is clear during the prioritization process. The process maintains focus on stakeholder understanding throughout the process. You should keep the prioritization logic as simple as possible in order to reach consensus quickly while minimizing misunderstandings. Experience conducting risk assessments within Microsoft IT and other enterprises shows the following best practices also help the Security Risk Management Team during the prioritization process:

• Analyze risks during the data gathering process. Because risk prioritization can be time intensive, try to anticipate controversial risks and start the prioritization process as early as possible. This shortcut is possible because the Security Risk Management Team is the sole owner of the prioritization process.
• Conduct research to build credibility for estimating probability. Use past audit reports and consider industry trends and internal security incidents as appropriate. Revisit stakeholders as needed to learn about the current controls and awareness of specific risks in their environments.
• Schedule sufficient time in the project to conduct research and perform analysis of the effectiveness and capabilities of the current control environment.
• Remind stakeholders that the Security Risk Management Team has the responsibility of determining probability. The executive sponsor must also acknowledge this role and support the analysis of the Security Risk Management Team.
• Communicate risk in business terms. Avoid any tendency to use language related to fear or technical jargon in the prioritization analysis. The Security Risk Management Team must communicate risk in terms that the organization understands while resisting any temptation to exaggerate the degree of danger.
• Reconcile new risks with previous risks. While creating the summary level list, incorporate risks from previous assessments. This allows the Security Risk Management Team to track risks across multiple assessments and provides an opportunity to update previous risk elements as needed. For example, if a previous risk was not mitigated due to high mitigation costs, revisit the probability of the risk occurring and review and reconsider any changes to the mitigation solution or costs.

Prioritizing Security Risks

The following section explains the process of developing the summary and detailed level risk lists. It may be helpful to print out the supporting templates for each process located in the tools section.

Conducting Summary Level Risk Prioritization

The summary level list uses the impact statement produced during the data gathering process. The impact statement is the first of two inputs in the summary view. The second input is the probability estimate determined by the Security Risk Management Team. The following three tasks provide an overview of the summary level prioritization process:

• Task one — Determine impact value from impact statements collected in the data gathering process.
• Task two — Estimate the probability of the impact for the summary level list.
• Task three — Complete the summary level list by combining the impact and probability values for each risk statement.