Risk Assessment Help Available
May 17, 2004

As Microsoft prepares to release security improvements for Windows XP, many of which will appear in the next service pack, the company is also releasing improved documentation and tools to help customers proactively uncover, rank, and mitigate security issues. For example, some Microsoft Certified Partners with security expertise are offering free risk assessments. Such assessments benefit the partner and Microsoft, as they will likely uncover the need for additional work or products. But for such assessments to help customers, they must do more than merely scratch the surface—they must help the customer mitigate the greatest threats.

Risk Assessments

A risk assessment typically begins by identifying the processes, resources, and technologies that an organization uses to implement security and privacy. This helps the organization evaluate its implementation against a known standard. A risk assessment then helps the organization triage the results so that it can mitigate the greatest risks or threats first. Microsoft and its partners are offering a variety of risk assessment programs:

Microsoft Self-Assessment Tool. For small to mid-size businesses that would like to conduct a risk assessment without outside help, Microsoft offers a free self-assessment tool that guides the customer through a series of questions to help the organization create a business risk profile, and then analyze its infrastructure, applications, operations, and personnel with regard to security. (For an illustration, see "Security Risk Self-Assessment Tool".) The results are available as a report that provides a comparison against standards and a comparison against the results of other users of the tool (organizations must choose to submit their results).

Microsoft Risk Assessment (MSRA). Microsoft Consulting Services is partnering with @stake, Hewlett-Packard (HP), PriceWaterhouseCoopers, and Unisys to use the MSRA methodology—a standardized, repeatable framework—to assess and provide guidance to Microsoft customers on security risks across their networks, applications, operations, and personnel. These assessments are delivered in the form of a two-week consulting agreement.

Microsoft Certified Security Partners. Microsoft's sales force for the southeastern district of the United States has partnered with Blackstone and Cullen and Internet Security Systems to offer free risk assessments to some of its enterprise customers in the district. Other Microsoft Certified Partners are offering both per-fee and free introductory risk-assessment programs based on their own risk assessment tools and expertise. Security is one of 11 competencies that Microsoft introduced for Certified Partners in 2004.

Resources

Microsoft Certified Partners with expertise in the security arena can be located at directory.microsoft.com/resourcedirectory/Services.aspx. Background on the changes to the Certified Partner program is described in "Partner Program Gets Major Redesign" on page 23 of the Dec. 2003 Update. Microsoft's Security Risk Self-Assessment Tool for small and mid-size businesses can be downloaded from www.securityguidance.com. More complete background on risk assessments is described in a series of documents beginning at www.microsoft.com/technet/security/guidance/secmod133.mspx.