Security Risk Guide
Microsoft Security Center of Excellence
The Security Risk Management Guide
© 2006 Microsoft Corporation. This work is licensed under the Creative Commons Attribution-NonCommercial License. To view a copy of this license, visit http://creativecommons.org/licenses/by-nc/2.5/ or send a letter to Creative Commons, 543 Howard Street, 5th Floor, San Francisco, California, 94105, USA.
Contents
Chapter 1: Introduction to the Security Risk Management Guide 1
Executive Summary 1
The Environmental Challenges 1
A Better Way 1
Microsoft's Role in Security Risk Management 1
Guide Overview 2
Critical Success Factors 2
Next Steps 3
Who Should Read This Guide 3
Scope of the Guide 3
Content Overview 3
Chapter 1: Introduction to the Security Risk Management Guide 3
Chapter 2: Survey of Security Risk Management Practices 4
Chapter 3: Security Risk Management Overview 4
Chapter 4: Assessing Risk 4
Chapter 5: Conducting Decision Support 4
Chapter 6: Implementing Controls and Measuring Program Effectiveness 5
Appendix A: Ad-Hoc Risk Assessments 5
Appendix B: Common Information System Assets 5
Appendix C: Common Threats 5
Appendix D: Vulnerabilities 5
Tools and Templates 6
Keys to Success 6
Executive Sponsorship 6
A Well-Defined List of Risk Management Stakeholders 7
Organizational Maturity in Terms of Risk Management 7
An Atmosphere of Open Communication 7
A Spirit of Teamwork 8
A Holistic View of the Organization 8
Authority Throughout the Process 8
Terms and Definitions 8
Style Conventions 10
Getting Support for This Guide 10
More Information 10
Chapter 2: Survey of Security Risk Management Practices 13
Comparing Approaches to Risk Management 13
The Reactive Approach 13
The Proactive Approach 15
Approaches to Risk Prioritization 16
Quantitative Risk Assessment 16
Details of the Quantitative Approach 17
Qualitative Risk Assessment 19
Comparing the Two Approaches 20
The Microsoft Security Risk Management Process 21
Chapter 3: Security Risk Management Overview 23
The Four Phases of the Microsoft Security Risk Management Process 23
Level of Effort 25
Laying the Foundation for the Microsoft Security Risk Management Process 25
Risk Management vs. Risk Assessment 25
Communicating Risk 26
Determining Your Organization's Risk Management Maturity Level 28
Organizational Risk Management Maturity Level Self Assessment 30
Defining Roles and Responsibilities 31
Building the Security Risk Management Team 33
Summary 34
Chapter 4: Assessing Risk 35
Overview 35
Required Inputs for the Assessing Risk Phase 36
Participants in the Assessing Risk Phase 37
Tools Provided for the Assessing Risk Phase 37
Required Output for the Assessing Risk Phase 38
Planning 38
Alignment 38
Scoping 38
Stakeholder Acceptance 39
Preparing for Success: Setting Expectations 39
Embracing Subjectivity 39
Facilitated Data Gathering 40
Data Gathering Keys to Success 40
Building Support 41
Discussing vs. Interrogating 41
Building Goodwill 41
Risk Discussion Preparation 41
Identifying Risk Assessment Inputs 41
Identifying and Classifying Assets 42
Assets 43
Asset Classes 43
Organizing Risk Information 45
Organizing by Defense-in-Depth Layers 45
Defining Threats and Vulnerabilities 46
Estimating Asset Exposure 47
Estimating Probability of Threats 47
Facilitating Risk Discussions 48
Meeting Preparations 48
Facilitating Discussions 49
Task One: Determining...