RSA 2012: Rationalise security compliance obligations for greater efficiency, says Microsoft


Warwick Ashford

Meeting compliance obligations, passing audits and dealing with false alarms can distract information security professionals from keeping data secure, but Microsoft has found ways of managing the noise.

Organisations need to have some form of information security management system, Mark Estberg, senior director at Microsoft, told attendees of RSA Conference 2012 in San Francisco.

A key element is a compliance framework which takes into consideration all the compliance obligations across the organisation and breaks them down into security control objectives.

Microsoft has defined each control objective and designed associated control activities to cover as many security compliance obligations as possible.

"This is essential, otherwise the security organisation would be crushed by the huge number of obligations if they were each handled individually," said Estberg.

In this way, Microsoft has been able to rationalise all security compliance obligations to a manageable set of security controls.

The company has also set up an operations centre that handles all initial security alerts, said John Howie, senior director of technical security services at Microsoft.

The team handles alerts using troubleshooting guides, escalating only genuine security alerts to the incident response team.

"This reduces the stress on the incident response team, enabling them to handle qualified incidents more effectively and respond to other issues that require a higher level of expertise," said Howie.

These principles applied at Microsoft could be used by any organisation to meet its security compliance obligations without affecting its ability to maintain the security and privacy of data, he said.
