The Security Risk Management Guide
Uploaded 2009-09-05 06:42:29
PDF, 1.9 MB, 130-page preview
Microsoft Solutions for Security and Compliance
and
Microsoft Security Center of Excellence
The Security Risk Management Guide
© 2006 Microsoft Corporation. This work is licensed under the Creative Commons Attribution-NonCommercial License. To view a copy of this license, visit http://creativecommons.org/licenses/by-nc/2.5/ or send a letter to Creative Commons, 543 Howard Street, 5th Floor, San Francisco, California, 94105, USA.
The Security Risk Management Guide iii
Contents
Chapter 1: Introduction to the Security Risk Management Guide .................... 1
Executive Summary .....................................................................................1
The Environmental Challenges .................................................................1
A Better Way .........................................................................................1
Microsoft Role in Security Risk Management ...............................................1
Guide Overview .....................................................................................2
Critical Success Factors ...........................................................................2
Next Steps ............................................................................................3
Who Should Read This Guide .........................................................................3
Scope of the Guide ......................................................................................3
Content Overview ..................................................................................3
Chapter 1: Introduction to the Security Risk Management Guide .............3
Chapter 2: Survey of Security Risk Management Practices ......................4
Chapter 3: Security Risk Management Overview ...................................4
Chapter 4: Assessing Risk ..................................................................4
Chapter 5: Conducting Decision Support ..............................................4
Chapter 6: Implementing Controls and Measuring Program Effectiveness ..........5
Appendix A: Ad-Hoc Risk Assessments .................................................5
Appendix B: Common Information System Assets .................................5
Appendix C: Common Threats ............................................................5
Appendix D: Vulnerabilities ................................................................5
Tools and Templates ...............................................................................6
Keys to Success ..........................................................................................6
Executive Sponsorship ............................................................................6
A Well-Defined List of Risk Management Stakeholders .................................7
Organizational Maturity in Terms of Risk Management .................................7
An Atmosphere of Open Communication ....................................................7
A Spirit of Teamwork ..............................................................................8
A Holistic View of the Organization ...........................................................8
Authority Throughout the Process .............................................................8
Terms and Definitions ..................................................................................8
Style Conventions ...................................................................................... 10
Getting Support for This Guide .................................................................... 10
More Information ...................................................................................... 10
Chapter 2: Survey of Security Risk Management Practices ........................... 13
Comparing Approaches to Risk Management .................................................. 13
The Reactive Approach ......................................................................... 13
The Proactive Approach ........................................................................ 15
Approaches to Risk Prioritization .................................................................. 16
Quantitative Risk Assessment ................................................................ 16
Details of the Quantitative Approach ................................................. 17
Qualitative Risk Assessment .................................................................. 19
Comparing the Two Approaches ............................................................. 20
The Microsoft Security Risk Management Process ........................................... 21
Chapter 3: Security Risk Management Overview ........................................... 23
The Four Phases of the Microsoft Security Risk Management Process ................. 23
Level of Effort ................................................................................ 25
Laying the Foundation for the Microsoft Security Risk Management Process .......... 25
Risk Management vs. Risk Assessment .................................................... 25
Communicating Risk ............................................................................. 26
Determining Your Organization's Risk Management Maturity Level ............... 28
Organizational Risk Management Maturity Level Self Assessment ........... 30
Defining Roles and Responsibilities ......................................................... 31
Building the Security Risk Management Team ..................................... 33
Summary ................................................................................................. 34
Chapter 4: Assessing Risk ............................................................................. 35
Overview .................................................................................................. 35
Required Inputs for the Assessing Risk Phase ........................................... 36
Participants in the Assessing Risk Phase .................................................. 37
Tools Provided for the Assessing Risk Phase ............................................. 37
Required Output for the Assessing Risk Phase .......................................... 38
Planning ................................................................................................... 38
Alignment ........................................................................................... 38
Scoping .............................................................................................. 38
Stakeholder Acceptance ........................................................................ 39
Preparing for Success: Setting Expectations ............................................. 39
Embracing Subjectivity ......................................................................... 39
Facilitated Data Gathering .......................................................................... 40
Data Gathering Keys to Success ............................................................. 40
Building Support ............................................................................. 41
Discussing vs. Interrogating ............................................................. 41
Building Goodwill ............................................................................ 41
Risk Discussion Preparation ................................................................... 41
Identifying Risk Assessment Inputs ................................................... 41
Identifying and Classifying Assets ........................................................... 42
Assets ........................................................................................... 43
Asset Classes ................................................................................. 43
Organizing Risk Information .................................................................. 45
Organizing by Defense-in-Depth Layers ............................................. 45
Defining Threats and Vulnerabilities .................................................. 46
Estimating Asset Exposure ............................................................... 47
Estimating Probability of Threats ....................................................... 47
Facilitating Risk Discussions ................................................................... 48
Meeting Preparations ...................................................................... 48
Facilitating Discussions ......................................................................... 49
Task One: Determining Organizational Assets and Scenarios ................. 50
Task Two: Identifying Threats .......................................................... 50
Task Three: Identifying Vulnerabilities ............................................... 51
Task Four: Estimating Asset Exposure ............................................... 51
Task Five: Identifying Existing Controls and Probability of Exploit .......... 51
Summarizing the Risk Discussion ...................................................... 52
Defining Impact Statements .................................................................. 52
Data Gathering Summary ...................................................................... 53
Risk Prioritization ...................................................................................... 54
Primary Tasks and Deliverables .............................................................. 55
Preparing for Success ........................................................................... 56
Prioritizing Security Risks ...................................................................... 56
Conducting Summary Level Risk Prioritization ..................................... 56
Conducting Detailed Level Risk Prioritization ....................................... 60
Quantifying Risk .................................................................................. 67
Task One: Assign Monetary Values to Asset Classes ............................. 68
Using Materiality for Guidance .......................................................... 69
Task Two: Identify the Asset Value ................................................... 70
Task Three: Produce the Single Loss Expectancy Value (SLE) ................ 70
Task Four: Determine the Annual Rate of Occurrence (ARO) ................. 71
Task Five: Determine the Annual Loss Expectancy (ALE) ...................... 71
Summary ................................................................................................. 72
Facilitating Success in the Conducting Decision Support Phase .................... 72
Uploaded by: madinis