Meeting compliance obligations, passing audits and dealing with false alarms can distract information security professionals from keeping data secure, but Microsoft has found ways of managing the noise.
Organisations need to have some form of information security management system, Mark Estberg, senior director at Microsoft, told attendees of RSA Conference 2012 in San Francisco.
A key element is a compliance framework which takes into consideration all the compliance obligations across the organisation and breaks them down into security control objectives.
Microsoft has defined each control objective and designed associated control activities to cover as many security compliance obligations as possible.
"This is essential, otherwise the security organisation would be crushed by the huge number of obligations if they were each handled individually," said Estberg.
In this way, Microsoft has been able to rationalise all security compliance obligations to a manageable set of security controls.
The company has also set up an operations centre that handles all initial security alerts, said John Howie, senior director of technical security services at Microsoft.
The team handles alerts using troubleshooting guides, escalating only genuine security alerts to the incident response team.
"This reduces the stress on the incident response team, enabling them to handle qualified incidents more effectively and respond to other issues that require a higher level of expertise," said Howie.
These principles applied at Microsoft could be used in any organisation to meet security compliance obligations without affecting its ability to maintain the security and privacy of data, he said.