Very, very cool doc.
From the document “Overview discussion on what the Microsoft Corporate Security group does to prevent malicious or unauthorized use of digital assets at Microsoft. This asset protection takes place through a formal risk management framework, risk management processes, and clear organizational roles and responsibilities. The basis of the approach is recognition that risk is an inherent part of any environment and that risk should be proactively managed. The principles and techniques described can be employed to manage risk at any organization. Other areas of corporate security, such as security in software design and physical security, are not covered.”
InternetNews carries some commentary on the paper.