Microsoft’s Four Phases of Risk Management

Microsoft’s stance on security and risk management is that it should be integrated into the general management of an organization so that the organization can “make better, more informed decisions” (Whitman & Mattord, 2010). Risk management exists to examine the many security risks an organization faces, and then to prioritize and manage them. To that end, Microsoft developed four phases for managing risk: assessing risk, conducting decision support, implementing controls and, finally, measuring program effectiveness (Whitman & Mattord, 2010).

The first phase, Assessing Risk, involves first planning how to collect risk data, then actually gathering the data, and finally prioritizing the risks that were collected, using both qualitative and quantitative measurements.

In the second phase, Conducting Decision Support, the action items are to identify and evaluate the organization’s available controls. Microsoft highlights the use of cost-benefit analysis as a good quantitative method (Whitman & Mattord, 2010). The second phase has several steps to it:

1. Define the functional requirements – what is necessary to mitigate the risks?
2. Choose potential control solutions.
3. Evaluate the potential solutions in light of the requirements.
4. Estimate how much each proposed solution will reduce risk.
5. Estimate the direct and indirect costs of each proposed solution.
6. “Complete a cost-benefit analysis to identify the most cost-effective mitigation solution.” (Whitman & Mattord, 2010).

The third phase is Implementing Controls. This step takes the controls and other factors from the previous steps and integrates people, technology, and policy and processes into the solution (Whitman & Mattord, 2010).

The last phase in Microsoft’s Four Phases of Risk Management is Measuring Program Effectiveness. The final phase is an

