Risk management
Managing risk within our datacenters is a continuous process, with formal assessments occurring throughout the lifecycle of a facility. To identify and mitigate the impact of physical and environmental threats to Microsoft datacenters, a Threat, Vulnerability, and Risk Assessment (TVRA) is conducted annually for all datacenters hosting customer data. In addition to following Microsoft Enterprise Risk Management's Framework, Microsoft leverages requirements defined in the Technology Risk Management Guidelines initially published in June 2013 by the Monetary Authority of Singapore. TVRAs reflect Microsoft's best professional judgment based on accepted risk assessment methods and the information currently available to the company.
Microsoft facilitates the TVRA process following these steps:
Risk Identification: TVRAs consider a wide range of threat scenarios arising from natural and human-created (including accidental) hazards. The results will vary depending on datacenter location, design, scope of services, and other factors. The TVRA selects the threat scenarios to highlight in the TVRA document based on customer requirements, an independent country/region, city, and site-level assessment of the risk environment provided by 3rd-party, and 1st-party risk information. For regions that have multiple datacenters, TVRA ratings are aggregated to ensure a holistic view of the physical and environmental threats, vulnerabilities, and risks for the locations being assessed.
Types of threat scenarios assessed for datacenter TVRAs include:
- External threats – incidents resulting from external intentional or accidental human activities. For example, civil disorder, terrorism, criminal activity, external theft, improvised explosive devices, armed attacks, arson, unauthorized entry, and airplane crashes.
- Internal threats – incidents resulting from internal intentional or accidental human activities. For example, internal theft and sabotage.
- Natural hazards – a natural process or phenomenon that could negatively impact datacenters. For example, tropical storms, cyclones, floods, landslides, drought, wildfire, earthquakes, volcanic activity, and severe storms with lightning, hail, strong winds, or heavy rain.
- Environmental threats – environmental conditions that could negatively impact datacenters. For example, water stress, heat stress, and pandemics.
Risk Analysis: Threats are evaluated based on an assessment of their inherent risk; inherent risk is calculated as a function of inherent impact of a threat and inherent likelihood of the threat occurrence in the absence of management action and controls. These assessments are informed by both internal subject-matter expert (SME) feedback and using external risk indices.
Residual Risk: Residual risk is determined as a measure of remaining risk levels after consideration of control effectiveness. Control effectiveness is evaluated as a measure of current management actions and controls designed to prevent or detect threats while assessing the likelihood that the controls will have their desired effect as designed and implemented. These assessments are informed by an aggregation of internal SME feedback on control effectiveness for the datacenter locations addressed in the TVRA.
Report: Once the assessment is completed, a TVRA report is generated for management approval and to support our overall efforts related to risk management.
Microsoft is committed to continuously updating its risk assessments and methodologies to incorporate improvements and account for changing conditions. As a result, our analysis and conclusions are subject to change.