Term Paper on "Security Risk Management Process Microsoft Company"

Term Paper 13 pages (3314 words) Sources: 1+


Security Risk Management Process - Microsoft Company

Security Risk Management the Microsoft Way

Defining Risk and Risk Management

Value Risk Management

Risk Management Procedures and Processes

Key Success Factors For Security Risk Management

Risk Management Approaches

Risk Management Failure Reduction

An Analytical Review of Security Risk Management The Microsoft Way

Security risk management is a vital tool for ensuring the continued success, productivity and stability of organizations across the globe. In an increasingly technology-driven and global marketplace, it is vital that organizations find ways to mitigate the increased risks associated with doing business in their environment. The purpose of this research paper is to analyze the critical success factors related to security risk management at Microsoft Corporation. Specifically, the researcher will attempt to understand what critical success factors Microsoft uses to manage risk successfully, and whether those practices might be useful or practical for other companies to adopt.

In recent years researchers and organizations have given security risk management more attention, in part because the level of risk has increased (Kimball, 2000). Multiple trends have contributed to this increased risk, including globalization of trade and production and corporate investments in "volatile emerging markets" (Kimball, 3).

Unfortunately, however, risk management fails in many companies. In fact there are reputed and "well publicized failures associated with its implementation" (Kimball, 3). It is as important for organizations to recognize what factors contribute to failure as it is to recognize what factors contribute to success, so that adequate measures may be taken to improve risk management in the future and reduce errors associated with implementation and maintenance.

Background to Problem

Historically, as organizations have grown technologically, new security risks that must be addressed have become imminent. Today organizations are connected through IT infrastructures that operate in an environment considered "increasingly hostile," where "attacks are being mounted with increasing frequency" and occurring over shorter periods of time (Microsoft, 2004). Many factors contribute to increased risk, including higher levels of volatility within financial markets, rapid advances in technology and increasing globalization in the marketplace (Simons, 1996). The rise in transaction volume in markets has also contributed to increased threats and risk, though many risks can be calculated and prepared for (Simons, 1996).

Unfortunately, in the past many organizations have been slow to respond to security threats, resulting in increased impact on business processes and procedures. Microsoft has concerned itself, among other things, with managing the security and safety of its infrastructure to ensure business value to customers both internal and external.

Significance of Study

Microsoft notes that a "failure to proactively manage security may put executives and whole organizations at risk" because breaches in both fiduciary and legal responsibilities to internal and external customers become apparent when security is lacking (Microsoft, 1).

Corporations must learn not only to identify what risk is acceptable, but also to manage that risk. What works for one company may not necessarily work for another, depending on the complexity of an organization's infrastructure, an organization's resources and management responsibilities (Microsoft, 2004).

Literature Review: Security Risk Management the Microsoft Way

Defining Risk and Risk Management

Microsoft has developed a security risk management process based on customer experience and the company's own experiences. This guide provides "actionable guidance" which promises to deliver multiple benefits to corporations, including (1) providing customers a "proactive security base," (2) allowing companies to measure security and place a value on risk management and (3) enabling customers to minimize large risks without depleting all possible resources in the process (Microsoft, 2004).

Barrese & Scordis (2003) suggest that risk management be viewed "as the management of the operations and activities of a corporation and its financing practices" to develop a collection of risks that "yield a corresponding average payoff" (26). Risk, according to the researchers, has the ability to impact all aspects of business function and personal activity (Barrese & Scordis, 2003). Risk management includes measuring the "variation of actual outcomes around an expected outcome" (Barrese & Scordis, 26).

Kimball (2000) defines risk as "the existence of uncertainty about future outcomes" and suggests it is a key factor in economic transactions because firms make real investments each day without understanding whether their investments will result in debt or improved capital (Kimball, 2000).

Value Risk Management

Risk involves negative consequences whether financial or otherwise. Risk management practices are worthwhile because they may mitigate side effects of a volatile business environment, protect future investments, prevent "erosion of the firm's finance" and ensure the productivity and success value of a corporation (Barrese & Scordis, 26).

While corporations recognize the inherent value in managing risk, many spend too few resources on risk management, in part because they lack information regarding "the nature of vulnerabilities, potential losses or options to upgrade security" (Manila, 2005). Simons (1996) points out that risk management can mitigate substantial concerns and potential losses within an organization, particularly with respect to an organization's value portfolio.

Risk Management Procedures and Processes

Barrese & Scordis (2003) define risk management as a process. There are many models of risk management, including Microsoft's. The number of steps involved will vary from company to company, but there should be core inclusions such as (1) establishing "risk return goals," (2) identifying and valuing root causes of future revenue fluctuations or instabilities, (3) balancing loss control and assessing and implementing financial tools used to mitigate risk and (4) implementation of final processes, maintenance, monitoring and ultimately review (Barrese & Scordis, 2003). A company's exposure to risk varies with time; thus it is vital that corporations review and consistently update risk management processes to resolve unexpected risks that may arise with time (Miller, 1992).

Simons (1996) supports an approach to risk management called "value at risk" or VAR, which suggests organizations determine how much money they will lose over a defined period of time if risk is not managed. More precisely, the researcher asks, "how much could the value of the portfolio of an organization decline" (Simons, 3). The need to place value on risk management is confirmed by numerous other researchers who note that value helps translate ideas into reality.

Simons's ideas are in line with Microsoft's security risk management approach, which suggests organizations must assign value to assets and calculate risks. To do so, Microsoft suggests the organization assess the "immediate financial impact" that will be realized if an asset is lost, as well as the indirect impacts of a lost asset (Microsoft, 2004). In addition to assessing the total revenue that an organization might lose during a single incident, an organization must also determine how likely a risk is to re-occur during a given year and the amount of money that an organization may lose if no action is taken to mitigate risk (Microsoft, 2004). Likewise, the cost of managing a particular risk must be assessed.

Key Success Factors For Security Risk Management

Microsoft (2004) has identified multiple critical success factors that allow implementation of a successful security risk management program. These include: (1) executive and management support of risk management processes, (2) clearly defined roles and responsibilities with respect to security risk management, (3) proper identification of the impact of risk by business owners and (4) identification of risk probability by information security teams. In addition, the company uses its information technology team to implement controls to minimize any unacceptable risk within the organization (Microsoft, 2004).

For a risk management program to succeed it also must be well defined with regard to roles and responsibilities; it must be well planned; it must address "critical business threats and vulnerabilities" and it must "articulate" organizational priorities (Microsoft, 2004).

Barrese & Scordis (2003) confirm Microsoft's approach to risk management. The researchers state that multiple elements contribute to the success of a risk management program. The key elements defined by the researchers include (1) management buy-in, particularly senior management buy-in, (2) an organizational culture that supports risk management, (3) direct communication that moves up and down as well as across hierarchical boundaries in an organization, (4) common language to define risk management and lastly (5) a "company wide responsibility center" accountable for risk management processes and procedures (Barrese & Scordis, 26). Organizations must ensure that risk management ideals, objectives, goals and processes are ingrained in everyday affairs and that employees are adequately trained with respect to risk management procedures (Barrese & Scordis, 2003).

Risk Management Approaches

Microsoft identifies multiple risk management approaches, including a reactive and a proactive approach. The reactive approach occurs in response to an identified threat, where most efforts are concentrated on resolving a problem or threat that is already imminent (Microsoft, 2004). While this approach may be effective as a "tactical approach to security risks that have been exploited," organizations can typically find better ways of managing risk without succumbing to risk in the first place (Microsoft, 2004). The reactive approach does, however, allow managers to assess an organization's risk history in an attempt to predict future security risk threats and take action to prevent them (Microsoft,…

Quoted Instructions for "Security Risk Management Process Microsoft Company" Assignment:

Topic: Security Risk Management-Microsoft Company

Project Abstract: Project Title:

Purpose of study:

Research Methods and Procedures Used:

Conclusion:

Table of Contents: Please use Microsoft -Insert -reference for table of contents.

Body of paper: 10 pages

References:

