IT Security at Microsoft

1. IT Security at Microsoft Overview Published: April 2004

5. Security Strategy Corporate Security Mission and Vision Security Operating Principles Risk-Based Decision Model Tactical Prioritization

6. Mission Assess Risk Define Policy Monitor Audit Mission and Vision Operating Principles Risk Based Decision Model Tactical Prioritization Prevent malicious or unauthorized use that results in the loss of Microsoft intellectual property or productivity by systematically assessing, communicating, and mitigating risks to digital assets

9. Enterprise Risk Model High Low High Impact to Business (Defined by Business Owner) Low Acceptable Risk Unacceptable Risk Probability of Exploit (Defined by Corporate Security) Risk assessment drives to acceptable risk Mission and Vision Operating Principles Risk Based Decision Model Tactical Prioritization

10. Risk Analysis by Asset Class Exploit of misconfiguration, buffer overflows, open shares, NetBIOS attacks Host Unauthenticated access to applications, unchecked memory allocations Application Compromise of integrity or privacy of accounts Account Unmanaged trusts enable movement among environments Trust Data sniffing on the wire, network fingerprinting Network Assets Mission and Vision Operating Principles Risk Based Decision Model Tactical Prioritization

11. Components of Risk Assessment Asset Threat Impact Vulnerability Mitigation Probability + = What are you trying to assess? What are you afraid of happening? What is the impact to the business? How could the threat occur? What is currently reducing the risk? How likely is the threat given the controls? Current Level of Risk What is the probability that the threat will overcome controls to successfully exploit the vulnerability and affect the asset? Mission and Vision Operating Principles Risk Based Decision Model Tactical Prioritization

12. Risk Management Process and Roles Cross-IT Teams Corporate Security Tactical Prioritization Security Solutions & Initiatives Sustained Operations Prioritize Risks Security Policy Compliance 1 Mission and Vision Operating Principles Risk Based Decision Model Tactical Prioritization 2 5 3 4

13. Tactical Prioritization by Environment Mission and Vision Operating Principles Risk Based Decision Model Tactical Prioritization Prioritized Risks Data Center Client Unmanaged Client Remote Access Mobile Policies and mitigation tactics appropriate for each environment

14. Representative Risks and Tactics Enterprise Risks Unpatched Devices Unmanaged Devices Remote and Mobile Users Single-Factor Authentication Focus Controls Across Key Assets Tactical Solutions Secure Environmental Remediation Network Segmentation Through IPSec Secure Remote User Two-Factor for Remote Access and Administrators Managed Source Initiatives Embody Trustworthy Computing

15. Corporate Security Group Organization Corporate Security Group Threat, Risk Analysis, and Policy Assessment and Compliance Monitoring, Intrusion Detection, and Incident Response Shared Services Operations Threat and Risk Analysis Policy Development Product Evaluation Design Review Structure Standards Security Management Security Assessment Compliance and Remediation Monitoring and Intrusion Detection Rapid Response and Resolution Forensics Physical and Remote Access Certificate Administration Security Tools Initiative Management IT Investigations

18. This document is provided for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS DOCUMENT. © 2004 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS SUMMARY. Microsoft, Microsoft Press, Visual Studio, Visual SourceSafe, Windows and Windows NT are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. The names of actual companies and products mentioned herein may be the trademarks of their respective owners.