NSWE "We bring you the world."

Security Assessment


What is a Microsoft Security Assessment?

The Microsoft® Security Assessment is an interactive session that uses the Microsoft Security Assessment Tool (MSAT) and includes an on-site questionnaire. The Microsoft Security Assessment, a customer self-led or partner-facilitated session lasting from one to two hours, is designed to help customers gain a better understanding of their security gaps and risks.

The assessment provides a customer with a broad overview of its company and IT organization and results in a clearly defined map to becoming more secure through prioritized activities, solutions, and prescriptive guidance. The MSAT is a repeatable, scalable, and predictable tool focused on core solutions and services that leverages partner skill sets and demonstrates value to customers.

Upon completion of the assessment, customers receive a complimentary report with findings and recommendations specific to business issues addressed in the assessment. This report is designed to help the customer understand a baseline of security and prioritize steps to mitigate identified risks through Microsoft products and partner solutions.

What are the goals of the Microsoft Security Assessment?

The MSAT is focused on providing customers with a common framework to help customers gain a holistic understanding of security risks and gaps, develop a road map to becoming more secure, and develop recurring opportunities to offer relevant Microsoft products and partner solutions.

Who was involved in building this tool?

The MSAT development team included Microsoft, Symantec, and Ziff Davis Media.

Is the MSAT just another effort to sell only Microsoft products?

No. The goal of the MSAT is to help customers understand the risks that their business is exposed to by their computing infrastructure, and the steps that they can take to help mitigate these risks.

What type of guidance does the MSAT provide?

MSAT reporting provides prescriptive guidance based on industry and security standards.

Does MSAT scan my customer's system?

No. The MSAT is a survey-based security questionnaire. In addition to assessing technology, the MSAT is designed to evaluate people and processes, which requires human input. The MSAT has no ability to collect information about local systems or networks.

What information is this tool collecting?

The MSAT only collects generic, nonidentifiable information: company size and industry, along with Business Risk Profile (BRP) and Defense-in-Depth Index (DiDI) scores. This data is used to compare customers with all other participants or with other participants within the same industry. The data is also used to benchmark and compare a customer's results over time. This data, however, is not collected unless you provide the survey-based answers. You can use the tool to model your customer's environment or forecast how certain improvements would affect the customer's overall score or security posture.

What do Symantec and Ziff Davis Media know about security?

Symantec was responsible for designing the questions, answers, and scoring of the tool. Ziff Davis Media programmed the tool and hosts it on SecurityGuidance.com. Symantec is much more than the company behind Norton AntiVirus. The Symantec staff who worked on the MSAT were formerly employed by @stake and joined Symantec as part of an acquisition. Well-regarded as one of the premier security consulting firms in the world, @stake brought extensive experience and understanding of midmarket companies to the MSAT.

Why should I trust this tool?

While not a replacement for a trained consultant who knows your customer's business, the MSAT was designed to help guide companies down the road to security awareness. The questions that make up the survey portion of the tool and the associated answers are derived from commonly accepted best practices in security, both general and specific. The questions and the recommendations that the tool offers are based on standards such as ISO 17799 and NIST-800.x, as well as recommendations and prescriptive guidance from both Microsoft and external security sources.

What does it mean to have a high Business Risk Profile (BRP)?

In the normal course of doing business, customers will regularly make technical and business decisions that may introduce security risks that need to be mitigated. The Business Risk Profile (BRP) helps identify those risks and provides a baseline against which to compare the Defense-in-Depth score.

The BRP is a measure of how much risk is associated with the way a customer does business or interacts with other businesses or customers. It is focused primarily on technical and operational risk. Having a high BRP indicates that a customer is operating in a risk-intense environment, has significant competition, or is threatened by both direct and indirect attack through systems, tools, or processes it uses.

My customer has a lot of defenses in place to mitigate risk. Why is the BRP still high?

The BRP is not influenced by any risk mitigation techniques in use. It should be considered a measure of the risk the organization would carry without protections in place. The BRP should be used to identify key areas where the customer may be at greater risk based on the type of business that is conducted.

What is Microsoft going to do with the information from this assessment if data is uploaded?

After the assessment is completed, you will be able to view the Risk-Defense Distribution chart, which compares the BRP score with the DiD Index score. To view the full report, data must be uploaded to the secure MSAT Web server. The upload will be entirely anonymous. In addition to being able to view the full report, you will also gain access to the Compare function.

The Compare function allows you to compare two of your customer's assessments, which will help the customer track progress over time. You may also compare the customer's results with others who have participated in the program.
