Appendix U: SDL-LOB Risk Assessment Questionnaire

This sample document provides some criteria to consider when you build a risk assessment security questionnaire. It is not an exhaustive list and should not be treated as such. The weight assigned to an individual question depends on your business needs. Every question in each category can be mapped to a numeric score value, and all scores are then added together to identify the bucket that the application belongs to.

Introduction

The following questions are designed to help determine the risk rating of line-of-business (LOB) applications. The application team completes this questionnaire to assist in the determination of the risk rating. You can arrange these questions in categories, such as Architecture or Data Classification.

Risk Assessment Questionnaire

Audience

• What type of user access does your application offer (internal, external [Internet-facing], both, or neither)?

_____________________________________________

• What authentication and authorization mechanisms are used for the external-facing (Internet) portion of your application?

_____________________________________________

• Are there anonymous users?

_____________________________________________

• Is there a secure channel? What is that channel?

_____________________________________________

Data Classification

• What type of data is contained in your application?

_____________________________________________

• Does your application contain personal data?

_____________________________________________

• How business-sensitive is the data managed by your application?

_____________________________________________

Functionality

• What function does your application fulfill? How critical is its role?

_____________________________________________

Architecture

• What is the authentication mechanism used by the client population?

_____________________________________________

• Does your application have multiple user roles (for example, user and admin)?

_____________________________________________

• Is code executed on the client machine (for example, ActiveX control, assembly)?

_____________________________________________

• Where will your application be deployed?

_____________________________________________

Process Control

• What type of source control do you use for your application?

_____________________________________________

Privacy Release Issues

• Will the privacy statement or legal notice that was used in the existing application version change for this release? Is there a new privacy statement or legal notice available?

_____________________________________________

Security Release Issues

• Does this version include changes to the authentication mechanism?

_____________________________________________

• Does this web application or service provide functionality to other applications?

_____________________________________________

Determine Your Security Impact Rating

The risk assessment is a quick way to determine your security impact rating and to estimate the work required to be compliant. The rating (High, Medium, Low) represents the degree of risk your LOB application presents from a security perspective. You need to complete only the steps that apply to your rating. For more detail, see the Line-of-Business section in the main Microsoft Security Development Lifecycle document.

Each company needs to define risk for its own business and industry. Questions such as the following help establish that definition:

• Does this application handle personal information (employees, customers, business partners)?
• Does this application handle business-sensitive data?
• Is this application key to providing a service or generating a product?
• Is this application key to running the business (finances, for example)?
• Who will have access to this application?
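One way to implement the scoring scheme the appendix describes (map each answer to a numeric score, add the scores, and place the total in a High/Medium/Low bucket), as an added Python example that is not part of the SDL appendix. The question identifiers, per-answer scores and bucket thresholds are assumptions standing in for values a company would set from its own risk definition.

```python
from collections import defaultdict
# Per-answer scores are assumed illustrative values, not from the appendix.
# Missing or unknown answers are rejected, never scored 0, so an incomplete
# sheet cannot look low-risk.
QUESTIONS = {
    "Audience": {
        "access": {"neither": 0, "internal": 1, "external": 3, "both": 4},
        "anonymous_users": {"no": 0, "yes": 2},
        "secure_channel": {"yes": 0, "no": 2}},
    "Data Classification": {
        "personal_data": {"no": 0, "yes": 3},
        "business_sensitivity": {"low": 0, "medium": 1, "high": 3}},
    "Functionality": {"criticality": {"low": 0, "medium": 1, "high": 3}},
    "Architecture": {
        "multiple_roles": {"no": 0, "yes": 1},
        "client_side_code": {"no": 0, "yes": 2}},
    "Security Release Issues": {
        "auth_changed": {"no": 0, "yes": 2},
        "serves_other_apps": {"no": 0, "yes": 2}},
}
# Score floors for the three buckets, highest first (assumed values).
THRESHOLDS = [(12, "High"), (6, "Medium"), (0, "Low")]

def score_answers(answers):
    """Return (total, per-category subtotals) for a completed answer sheet."""
    subtotals = defaultdict(int)
    for category, questions in QUESTIONS.items():
        for qid, scale in questions.items():
            try:
                answer = answers[category][qid].strip().lower()
            except KeyError:
                raise ValueError(f"missing answer for {category}/{qid}") from None
            if answer not in scale:
                raise ValueError(f"invalid answer {answer!r} for {category}/{qid}")
            subtotals[category] += scale[answer]
    return sum(subtotals.values()), dict(subtotals)

def impact_rating(total):
    """Map a total score to the High/Medium/Low security impact rating."""
    for floor, rating in THRESHOLDS:
        if total >= floor:
            return rating
    raise ValueError(f"score {total} is below every threshold")

# Constructed answer sheet: an Internet-facing app that handles personal data.
SAMPLE_SHEET = {
    "Audience": {"access": "both", "anonymous_users": "yes", "secure_channel": "yes"},
    "Data Classification": {"personal_data": "yes", "business_sensitivity": "high"},
    "Functionality": {"criticality": "high"},
    "Architecture": {"multiple_roles": "yes", "client_side_code": "no"},
    "Security Release Issues": {"auth_changed": "no", "serves_other_apps": "yes"},
}
```

The per-category subtotals are returned alongside the total so a reviewer can see which area (for example, Data Classification) drives a High rating rather than only the final bucket.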

Content Disclaimer

This documentation is not an exhaustive reference on the SDL process as practiced at Microsoft. Additional assurance work may be performed by product teams (but not necessarily documented) at their discretion. As a result, this example should not be considered as the exact process that Microsoft follows to secure all products.

This documentation is provided “as-is.” Information and views expressed in this document, including URL and other Internet website references, may change without notice. You bear the risk of using it.

This documentation does not provide you with any legal rights to any intellectual property in any Microsoft product. You may copy and use this document for your internal, reference purposes.

© 2012 Microsoft Corporation. All rights reserved.

Licensed under Creative Commons Attribution-NonCommercial-ShareAlike 3.0 Unported