Contents Overview 1 Lesson: Introduction to Risk Management 2 Lesson: Creating a Risk Management Plan 9 Lab A: Analyzing Security Risks 19 Module 4: Analyzing Security Risks Information in this document, including URL and other Internet Web site references, is subject to change without notice. Unless otherwise noted, the example companies, organizations, products, domain names, e-mail addresses, logos, people, places, and events depicted herein are fictitious, and no association with any real company, organization, product, domain name, e-mail address, logo, person, place or event is intended or should be inferred. Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation. Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.  2002 Microsoft Corporation. All rights reserved. Microsoft, MS-DOS, Windows, Windows NT, Active Directory, ActiveX, BizTalk, PowerPoint, Visio, and Windows Media are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. The names of actual companies and products mentioned herein may be the trademarks of their respective owners. Module 4: Analyzing Security Risks iii Instructor Notes This module teaches students how to determine the resources in their organization that require protection and how to prioritize those resources based on value. Students will then learn how to develop a risk management plan, based on the Microsoft Operations Framework (MOF) risk model. They will also learn to identify and analyze risks proactively and to determine an appropriate level of protection for each resource. After completing this module, students will be able to:  Explain the purpose and operation of risk management.  Draft the elements of a risk management plan. To teach this module, you need Microsoft ® PowerPoint ® file 2830A_04.ppt. It is recommended that you use PowerPoint version 2002 or later to display the slides for this course. If you use PowerPoint Viewer or an earlier version of PowerPoint, all of the features of the slides may not be displayed correctly. To prepare for this module:  Read all of the materials for this module.  Complete the practices.  Complete the lab and practice discussing the answers.  Read the additional reading for this module, located under Additional Reading on the Web page on the Student Materials CD.  Visit the Web links that are referenced in the module. Presentation: 45 minutes Lab: 45 minutes Required materials Important Preparation tasks iv Module 4: Analyzing Security Risks How to Teach This Module This section contains information that will help you to teach this module. Lesson: Introduction to Risk Management This module, and Module 3, “Identifying Threats to Network Security,” combine to give students the information that they will use to justify to upper management the need to allocate time and resources on security. Risk management in particular enables IT professionals to document realistic needs based on threats and the likelihood and impact of those threats occurring. Students will likely debate the categories of the examples provided in the slide. Explain that the categories are relative and are intended as a starting point for beginning to prioritize the vast collection of assets on a typical network. Emphasize that business decision-makers often require financial justification for expenditures. Calculating asset values and performing quantitative risk analysis are two ways to use numbers to estimate risk. Acknowledge that the calculations are only as good as the original numbers used, so ensure that students do not rely too heavily on the numbers. Explain the term exposure in the context of this page; it is simply part of a more precise measurement of probability. The following lesson describes probability and impact in greater detail. Use the practices as an opportunity for discussion. Lesson: Creating a Risk Management Plan Be sure to read the white paper, MOF Risk Management, under Additional Reading on the Web page on the Student Materials CD, before teaching this module. Explain that risk statements are a useful way to state clearly what is at risk and why. Risk analysis can become complicated. This page lists examples of both qualitative and quantitative risk analysis. Explain the similarities between the two. Also emphasize that quantitative analysis can be performed in many different ways, and that the method shown on this page is intended as a very basic example. Students may confuse avoidance and mitigation. Avoidance seeks to remove the cause of the threat, sometimes by drastically restricting business operations. Mitigation seeks to minimize probability and impact through proactive efforts. In this context, avoidance is a form of severe mitigation. When discussing answers to lab and review questions, remember the distinction and allow for class discussion on the topic. Use the practices as an opportunity for discussion. Assessment There are assessments for each lesson, located on the Student Materials compact disc. You can use them as pre-assessments to help students identify areas of difficulty, or you can use them as post-assessments to validate learning. How to Categorize Assets How to Calculate the Value of Assets Practice: Categorizing Assets How to Identify Risks to Assets How to Analyze Risks to Assets How to Plan for the Mana gement of Risks Practice: Analyzing a Risk Mana gement Plan Module 4: Analyzing Security Risks v Lab A: Analyzing Security Threats To begin the lab, open Microsoft Internet Explorer and click the name of the lab. Play the video interviews for students, and then instruct students to begin the lab with their lab partners. Give students approximately 20 minutes to complete this lab, and spend about 10 minutes discussing the lab answers as a class. In this lab, students must perform both qualitative and quantitative risk analysis. The qualitative analysis is comprised of a list of risk statements regarding portable computers and a threat model of the portable computers. Have students use the risk statements to enter probability and impact values in the threat model spreadsheet in order to calculate the relative risks involved. Explain to students that portable computers include laptops, and for the purpose of the labs, are synonymous. For the qualitative risk analysis in this lab, students open a Microsoft Excel spreadsheet named R&D Portable Computer Threat Model.xls and add information to it. They may use this spreadsheet in a subsequent lab. Ensure that students rename the file and save the spreadsheet to the Lab Answers folder on their desktops for discussion. When discussing the qualitative answers, we included best estimates. If the numbers prove too confusing during lab discussion, use a low-medium-high range of ranking. Use discrepancies or disagreements among students to generate discussion. If some students believe that everything is a risk, play the part of a manager and respond by saying something like, “All of the risks may be important, but I can only afford to protect against five of them. Which ones are most important?” The answers to the qualitative risk analysis are located in the spreadsheet Lab 4 R&D Portable Computer Threat Model_Suggested Answers.xls, located in the Answers folder under Webfiles on the Student Materials CD. Be sure to print the answers out and study them before you conduct the lab. For the qualitative risk analysis, students use the values in the e-mails from Helmut Hornig to calculate the potential savings gained by each of the security measures listed. Ensure that students do not become hindered by the vagueness of the scenario. Acknowledge that several details, such as annual asset depreciation, and the value of the data on the laptops, have been omitted for the sake of brevity, and tell students to use the information provided to guide their efforts. For general lab suggestions, see the Instructor Notes in Module 2, “Creating a Plan for Network Security.” Those notes contain detailed suggestions for facilitating the lab environment used in this course. Important Important General lab suggestions vi Module 4: Analyzing Security Risks Customization Information This section identifies the lab setup requirements for a module and the configuration changes that occur on student computers during the labs. This information is provided to assist you in replicating or customizing Microsoft Official Curriculum (MOC) courseware. This module includes only computer-based interactive lab exercises, and as a result, there are no lab setup requirements or configuration changes that affect replication or customization. The lab in this module is also dependent on the classroom configuration that is specified in the Customization Information section at the end of the Automated Classroom Setup Guide for Course 2830A, Designing Security for Microsoft Networks. Lab Setup There are no lab setup requirements that affect replication or customization. Lab Results There are no configuration changes on student computers that affect replication or customization. Important Module 4: Analyzing Security Risks 1 Overview ***************************** ILLEGAL FOR NON - TRAINER USE ****************************** In this module, you will learn how to determine what resources in your organization require protection and how to prioritize those resources based on their value. You will then develop a risk management plan, based on the Microsoft Operations Framework (MOF) risk model, to identify and analyze risks proactively and to determine an appropriate level of protection for each resource. After completing this module, you will be able to:  Explain the purpose and operation of risk management.  Draft the elements of a risk management plan. Introduction Ob jectives 2 Module 4: Analyzing Security Risks Lesson: Introduction to Risk Management ***************************** ILLEGAL FOR NON - TRAINER USE ****************************** Risk management is the act of examining the relative value of your assets and then allocating your security resources based on the likelihood of the risk occurring and the value of the asset. Risk management helps you prioritize your efforts and spending to secure your network. After completing this lesson, you will be able to:  Describe the different elements of risk management.  Explain why risk management is important.  Identify common assets to protect.  Categorize assets according to type.  Calculate the value of an asset. Introduction Lesson ob jectives Module 4: Analyzing Security Risks 3 Elements of Risk Management ***************************** ILLEGAL FOR NON - TRAINER USE ****************************** A risk is the possibility of suffering a loss, and the impact or extent of damage that would result if the loss occurs. Risk management is the process of identifying risks, analyzing the risks, and creating a plan to manage the risks. There are two types of risk analysis:  Qualitative. Ranks risks according to their relative impact on business operations. Qualitative analysis often requires you to estimate the probability of a threat and the impact of the threat occurring on a scale of 1 to 10. You then multiply the two numbers for the probability and impact and use the product to rank the risk relative to other risks.  Quantitative. Places actual values on the probability and impact of threats to determine how to allocate security resources. Although quantitative risk analysis uses advanced financial accounting skills, it remains an inexact science. Neither qualitative nor quantitative risk analysis is necessarily superior to the other. Both are essential parts of a risk management strategy. For more information about managing risk, see:  Risk Management Guide for Information Systems, from the National Institute of Standards and Technology (NIST), at http://csrc.ncsl.nist.gov/publications/nistpubs/800-30/sp800-30.pdf.  The Microsoft white paper, Risk Model for Operations, under Additional Reading on the Web page on the Student Materials CD. Key points Note Additional reading 4 Module 4: Analyzing Security Risks Why Risk Management Is Important ***************************** ILLEGAL FOR NON - TRAINER USE ****************************** Risk management helps ensure that your security plan is rational and that you apply your resources to maximize results. By assessing risks and creating a risk management plan, you can:  Prioritize security risks. You can rank security risks to your organization relative to other risks. This helps your organization determine how to allocate resources to secure the network.  Determine the appropriate amount of security. You can discover the point at which incremental improvements to security become inefficient and costly.  Justify costs. You can use a quantitative risk analysis to justify the expense of security personnel, hardware, and software.  Document all potential security issues. Risk management requires a thorough assessment of threats to your network and their potential impacts. An organization that chooses to respond to security threats randomly may overlook critical security issues on its network.  Create metrics. Risk management uses metrics that help you judge the success of your security plan. You can also use metrics to prepare compensation plans for executives and security personnel. For more information about risk management, watch the 25-minute presentation, Building a Business Case for IT Investments using REJ, at: http://www.microsoft.com/seminar/mmcfeed/ mmcdisplay.asp?lang=en&product=103346&task=100006. Also see the white paper, Rapid Economic Justification, at: http://www.microsoft.com/technet/ittasks/plan/sysplan/wwww.asp. Key points Additional readin g [...]... are: 1 Identify risks 2 Analyze risks 3 Plan for the management of risks 4 Develop methods to track changes to risks 5 Respond to risk management controls Additional reading For more information about MOF and risk management, see the white paper, MOF Risk Management, under Additional Reading on the Web page on the Student Materials CD Module 4: Analyzing Security Risks 11 How to Identify Risks to Assets... the customer Web site compromises your customer database, the attacker could steal your customer lists and sell them to other criminals or to your competitors Mitigate Module 4: Analyzing Security Risks 19 Lab A: Analyzing Security Risks *****************************ILLEGAL FOR NON-TRAINER USE****************************** Objectives After completing this lab, you will be able to perform risk management... network resources change, the risks to those resources may change Be sure to update your risk management plan accordingly Use the risk management plan to assign ownership and allocate resources The risk management plan can act as a guide so that each risk has an owner, and you can track how much you spend to manage each risk 18 Module 4: Analyzing Security Risks Practice: Analyzing a Risk Management... Model.xls, and add information to it You may use this spreadsheet in subsequent labs Rename the file, and save it to the Lab Answers folder on your desktop for discussion 20 Module 4: Analyzing Security Risks Lab A: Analyzing Security Threats Lab Questions and Answers Answers may vary The following are possible answers 1 What is your qualitative ranking of the top ten threats to the Research and Development.. .Module 4: Analyzing Security Risks 5 Common Assets to Protect *****************************ILLEGAL FOR NON-TRAINER USE****************************** Key points In addition to protecting physical assets listed in the table, a large part of the role of security is protecting public confidence and the trust of business partners... occurs to an asset The effects are also known as the mode of failure Financial and business impact Describes the effects on the organization of a threat that occurs to an asset 12 Module 4: Analyzing Security Risks How to Analyze Risks to Assets *****************************ILLEGAL FOR NON-TRAINER USE****************************** Qualitative analysis After you create risk statements for each risk, you... probability and impact on a scale of 1 to 10 and multiplying the two numbers, a relative rank of 45 is obtained This information can help security designers prioritize threats, although the value placed on probability and impact is subject to debate Module 4: Analyzing Security Risks Quantitative analysis 13 A quantitative risk analysis yields more precise results than a qualitative analysis, but it is more... Transfer is becoming an increasingly important strategy for security Avoid You avoid risk by eliminating the source of the risk or the asset’s exposure to the risk This is an extreme reaction to risk and should only be done when the severity of the impact of the risk outweighs the benefit that is gained from the asset Module 4: Analyzing Security Risks 15 How to Track Changes to a Risk Management Plan... a regularly scheduled basis, such as bimonthly or quarterly Ad hoc Evaluate risk at nonscheduled intervals Ad hoc monitoring is often done in response to a major security incident or change to the network 16 Module 4: Analyzing Security Risks Risk Management Controls *****************************ILLEGAL FOR NON-TRAINER USE****************************** Key points Risk management controls define when... results in a more efficient use of resources over time Use design controls to update: Risk statements Risk analyses Risk management strategies Contingency plans Processes for monitoring security Module 4: Analyzing Security Risks 17 Guidelines for Creating a Risk Management Plan *****************************ILLEGAL FOR NON-TRAINER USE****************************** Key points Guidelines include: Obtain . Lesson: Creating a Risk Management Plan 9 Lab A: Analyzing Security Risks 19 Module 4: Analyzing Security Risks Information in this document, including. Preparation tasks iv Module 4: Analyzing Security Risks How to Teach This Module This section contains information that will help you to teach this module. Lesson: