From the Executive Summary:
Microsoft is committed to sharing its internal IT security practices in order to help its customers successfully secure their environments. This paper describes what the Microsoft Corporate Security Group does to prevent malicious or unauthorized use of digital assets at Microsoft. This asset protection takes place through a formal risk management framework, risk management processes, and clear organizational roles and responsibilities. The basis of the approach is recognition that risk is an inherent part of any environment and that risk should be proactively managed. The principles and techniques described in this paper can be employed to manage risk at any organization.
I want to read this when I have more time.