Understand risk identification and risk assessment

Risk identification

Microsoft 365 risk management begins with risk identification. Risk identification emphasizes discovery activities to identify sources of known risks for all key control areas, internal and external threats, and vulnerabilities in the Microsoft 365 environment. The Microsoft 365 Trust team conducts interviews with Microsoft 365 service teams to identify new risks related to Microsoft 365 services and dependencies. The expertise of service team subject matter experts (SMEs) provides insights into risks that may be introduced incrementally as services grow, add new features, or leverage new dependencies.

In addition to SME interviews, the risk identification process incorporates data from continuous monitoring, including vulnerability scanning, Red Team/Blue Team attack simulation, independent audit findings, and incident management activities. For example, if Red Team attack simulations have indicated a vulnerability in an existing control implementation, that information would be included in the risk identification process. Reviews of the previous year's audit findings, and of trends in findings that expose gaps in controls, are other examples of sources included in risk identification. The identification process also includes a review of decision logs, active security and compliance exceptions, mitigation work, and risks identified during previous risk assessments.

The Microsoft 365 Trust team uses SME interviews and continuous monitoring data to identify risks to the Microsoft 365 environment. Throughout this process, the Microsoft 365 Trust team works with service teams and risk owners to validate the accuracy and completeness of identified risks. Once all relevant risks have been identified, the Microsoft 365 Trust team proceeds to risk assessment.

Risk assessment

The Microsoft 365 Trust team assesses each identified risk using the ERM risk assessment methodology of impact, likelihood, and control deficiency. Impact addresses the negative ramifications of a risk being realized, such as loss of data confidentiality, customer trust, or compliance certifications. Likelihood identifies the probability that a potential risk will be realized. Likelihood is calculated by examining the frequency of any past occurrences along with the probability of future occurrences. Finally, control deficiency is calculated by analyzing the effectiveness of implemented security controls in mitigating the identified risk. These metrics are used to calculate a residual risk score that represents the severity of each risk after accounting for mitigating controls.

After risk scores have been calculated, the Microsoft 365 Trust team categorizes risks by severity. These categories align with the ERM risk assessment methodology and provide an aggregate view of high-level risks facing Microsoft 365. Risks can fall into one of four severity categories:

  • Severe: Areas of very high risk exposure that do not have adequate controls in place, or controls that are not operating as intended, and require remediation to mitigate the existing risk.
  • High: Areas of high risk exposure that do not have adequate controls in place, or controls that are not operating as intended, and require remediation to mitigate the existing risk.
  • Medium: Areas of medium risk exposure where there are moderate control deficiencies, inadequate controls in place, or controls that are not operating as intended.
  • Low: Areas of low risk exposure where there are minor deficiencies in implemented controls or policies.

Once the Microsoft 365 Trust team has assessed and categorized all identified risks, the team meets with stakeholders from each service team to ensure the assessment accurately represents Microsoft 365's risk posture. Results of the assessment are reviewed by Microsoft 365 management.