ThesecurityRiskMangementGuide资源-CSDN文库

网络安全

需积分: 8 93 浏览量 2009-09-05 06:42:29 上传评论收藏 1.9MB PDF 举报

资源推荐

资源详情

资源评论

Microsoft Solutions for Security and

Compliance

and

Microsoft Security Center of

Excellence

The Security Risk Management Guide

The Security Risk Management Guide iii

Contents

Chapter 1: Introduction to the Security Risk Management Guide .................... 1

Executive Summary .....................................................................................1

The Environmental Challenges .................................................................1

A Better Way .........................................................................................1

Microsoft Role in Security Risk Management ...............................................1

Guide Overview .....................................................................................2

Critical Success Factors ...........................................................................2

Next Steps ............................................................................................3

Who Should Read This Guide .........................................................................3

Scope of the Guide ......................................................................................3

Content Overview ..................................................................................3

Chapter 1: Introduction to the Security Risk Management Guide .............3

Chapter 2: Survey of Security Risk Management Practices ......................4

Chapter 3: Security Risk Management Overview ...................................4

Chapter 4: Assessing Risk ..................................................................4

Chapter 5: Conducting Decision Support ..............................................4

Chapter 6: Implementing Controls and Measuring Program

Effectiveness ...................................................................................5

Appendix A: Ad-Hoc Risk Assessments .................................................5

Appendix B: Common Information System Assets .................................5

Appendix C: Common Threats ............................................................5

Appendix D: Vulnerabilities ................................................................5

Tools and Templates ...............................................................................6

Keys to Success ..........................................................................................6

Executive Sponsorship ............................................................................6

A Well-Defined List of Risk Management Stakeholders .................................7

Organizational Maturity in Terms of Risk Management .................................7

An Atmosphere of Open Communication ....................................................7

A Spirit of Teamwork ..............................................................................8

A Holistic View of the Organization ...........................................................8

Authority Throughout the Process .............................................................8

Terms and Definitions ..................................................................................8

Style Conventions ...................................................................................... 10

Getting Support for This Guide .................................................................... 10

More Information ...................................................................................... 10

iv Table of Contents

Chapter 2: Survey of Security Risk Management Practices ........................... 13

Comparing Approaches to Risk Management .................................................. 13

The Reactive Approach ......................................................................... 13

The Proactive Approach ........................................................................ 15

Approaches to Risk Prioritization .................................................................. 16

Quantitative Risk Assessment ................................................................ 16

Details of the Quantitative Approach ................................................. 17

Qualitative Risk Assessment .................................................................. 19

Comparing the Two Approaches ............................................................. 20

The Microsoft Security Risk Management Process ........................................... 21

Chapter 3: Security Risk Management Overview ........................................... 23

The Four Phases of the Microsoft Security Risk Management Process ................. 23

Level of Effort ................................................................................ 25

Laying the Foundation for the Microsoft Security Risk Management

Process ......................................................................................... 25

Risk Management vs. Risk Assessment .................................................... 25

Communicating Risk ............................................................................. 26

Determining Your Organization's Risk Management Maturity Level ............... 28

Organizational Risk Management Maturity Level Self Assessment ........... 30

Defining Roles and Responsibilities ......................................................... 31

Building the Security Risk Management Team ..................................... 33

Summary ................................................................................................. 34

Chapter 4: Assessing Risk ............................................................................. 35

Overview .................................................................................................. 35

Required Inputs for the Assessing Risk Phase ........................................... 36

Participants in the Assessing Risk Phase .................................................. 37

Tools Provided for the Assessing Risk Phase ............................................. 37

Required Output for the Assessing Risk Phase .......................................... 38

Planning ................................................................................................... 38

Alignment ........................................................................................... 38

Scoping .............................................................................................. 38

Stakeholder Acceptance ........................................................................ 39

Preparing for Success: Setting Expectations ............................................. 39

Embracing Subjectivity ......................................................................... 39

Facilitated Data Gathering .......................................................................... 40

Data Gathering Keys to Success ............................................................. 40

Building Support ............................................................................. 41

Discussing vs. Interrogating ............................................................. 41

The Security Risk Management Guide v

Building Goodwill ............................................................................ 41

Risk Discussion Preparation ................................................................... 41

Identifying Risk Assessment Inputs ................................................... 41

Identifying and Classifying Assets ........................................................... 42

Assets ........................................................................................... 43

Asset Classes ................................................................................. 43

Organizing Risk Information .................................................................. 45

Organizing by Defense-in-Depth Layers ............................................. 45

Defining Threats and Vulnerabilities................................................... 46

Estimating Asset Exposure ............................................................... 47

Estimating Probability of Threats ....................................................... 47

Facilitating Risk Discussions ................................................................... 48

Meeting Preparations ...................................................................... 48

Facilitating Discussions ......................................................................... 49

Task One: Determining Organizational Assets and Scenarios ................. 50

Task Two: Identifying Threats .......................................................... 50

Task Three: Identifying Vulnerabilities ............................................... 51

Task Four: Estimating Asset Exposure ............................................... 51

Task Five: Identifying Existing Controls and Probability of Exploit .......... 51

Summarizing the Risk Discussion ...................................................... 52

Defining Impact Statements .................................................................. 52

Data Gathering Summary ...................................................................... 53

Risk Prioritization ...................................................................................... 54

Primary Tasks and Deliverables .............................................................. 55

Preparing for Success ........................................................................... 56

Prioritizing Security Risks ...................................................................... 56

Conducting Summary Level Risk Prioritization ..................................... 56

Conducting Detailed Level Risk Prioritization ....................................... 60

Quantifying Risk .................................................................................. 67

Task One: Assign Monetary Values to Asset Classes ............................. 68

Using Materiality for Guidance .......................................................... 69

Task Two: Identify the Asset Value ................................................... 70

Task Three: Produce the Single Loss Expectancy Value (SLE) ................ 70

Task Four: Determine the Annual Rate of Occurrence (ARO) ................. 71

Task Five: Determine the Annual Loss Expectancy (ALE) ...................... 71

Summary ................................................................................................. 72

Facilitating Success in the Conducting Decision Support Phase .................... 72

剩余129页未读，继续阅读

评论收藏

内容反馈

madinis

粉丝: 0
资源: 4

The security Risk Mangement Guide

最新资源

The security Risk Mangement Guide

The Security Risk Management Guide

The.Security.Consultants.Handbook.

CISSP All-in-One Exam Guide, 8th Edition.zip

Cloud.Computing.Security.Foundations.and.Challenges

Cyber.Security.Engineering

A SysAdmin’s Essential Guide to Linux Workstation Security

Developing Cybersecurity Programs and Policies, 3rd Edition

NIST SP800-137 Final.pdf

Microsoft.Azure.Security.Infrastructure

Developing Cybersecurity Programs and Policies

Learning.iOS.Security

ISO/IEC 27005:2011-EN

CISSP All-in-One Exam Guide, 6th Edition（cissp 认证考试指南 英文 第六版）

Learning.iOS.Security.1783551747

英文原版-Climate Health Risks in Megacities 1st Edition

Architecting Cloud Computing Solutions

Introduction.to.Android.Application.Development(4th,2013.12) pdf

解决Win 10与不兼容VirtualBox操作过程文档+（附带软件）.zip

计算机网络知识点总结(谢希仁第八版).pdf

Xshell软件(配色方案&amp;高亮关键字/突出显示集)的相关文件

湖南科技大学《计算机网络》配套课件（PDF版）

《计算机网络自顶向下方法第7版》中文PDF+复习题问题中文版答案

计算机网络自顶向下方法第八版答案

H3C-iNode-PC-7.3-E0630

hevc视频扩展免费2.0.53348.0x64

matlab输入到abaqus

quickping下载

postman 离线登录版

企业业务内外网隔离场景-FTTR-B典型组网应用场景V0.8

最新资源

CISSP All-in-One Exam Guide, 6th Edition（cissp 认证考试指南英文第六版）

Xshell软件(配色方案&高亮关键字/突出显示集)的相关文件