Hi all, I’m Tom Easthope, Sr. Program Manager on the Enterprise Business Continuity team at Microsoft. This blog entry is a companion to the video featuring my colleagues Phil Sodoma and Traci Bishop. In their video they talked about the several aspects...

InfoSec recently released their Assessment & Protection (A&P) Suite . To get the details of this suite, you can check out my last blog . Anil Revuru (RV) from the IST ( Information Security Tools ) team in his recent blog discusses how Web...

The Information Security Tools (IST) team has released the InfoSec Assessment & Protection (A&P) Suite . The suite is made up of a technology stack of protection and assessment tools.  Anil Revuru (RV) and Mark Curphey in their recent podcast...

Hi Mark Smith here. I’m a senior program manager on the Microsoft Information Security . I’m kicking off our blog series providing you a glimpse into how Microsoft’s IT Information Security (InfoSec) dogfoods. When launching a new product naturally there...

I’ve been discussing the Risk Tracker v1.0 application built on the CISF (Connected Information Security Framework) developed by our own team, Microsoft Information Security Tools (IST) team . Organizations who would like to deploy Risk Tracker in their...

Recently I shared with you the release of the CISF (Connected Information Security Framework) and Risk Tracker version 1.0 application developed by the Microsoft Information Security Tools (IST) team .  Risk Tracker built on CISF framework will help...

The Microsoft Information Security Tools (IST) team has released the latest Microsoft Anti-Cross Site Scripting (Anti-XSS) Library version 3.1 . How does a cross-site scripting (XSS) vulnerability occur? An example is when a web application does not encode...

I’m excited to announce the release of the Connected Information Security Framework (CISF) developed by our own Microsoft Information Security Tools (IST) team. This software development framework comprises of API’s and reusable components that is designed...

In my last 2 posts on Information Security Awareness, I provided a little overview of the program and then discussed our framework around socializing security . I’d like to now discuss some of the things we’ve learned from driving awareness over the years...

In my last post on Awareness , I discussed an overview of our Awareness program and how we break up our initiative into breadth campaigns and depth programs to cover both the generic and the specific. In this post, I’d like to discuss a little bit about...

It’s well understood that security is a 3-pronged problem covering people, process and technology. Any solution devised to manage a given information security risk must effectively harmonize the people, the processes and the technologies to optimize the...

Risk analysis is an intimidating topic for security risk management organizations. Analysis takes precious time and can be complicated. Many times identified risks are vague and there are not a lot of facts to put around the risks. Organizations want...

Mark Curphey , who also leads our Information Security Tools team , contributed a chapter in a security book that was recently released. It’s a great book and you can get his chapter online for free… read more here . -Todd

Over the weekend, I had an opportunity to visit a few orphanages around Hyderabad. It’s an incredibly humbling experience. A little while back, I read a fantastic book titled “ Three Cups of Tea ” which really gets you thinking about the importance of...

I had a chance to play Cricket with the InfoSec India team this week. It was a great blast and it helped me frame an example I like to use to promote team work. Cricket, like a lot of sports, has many different roles that come together to make up a team...

I arrived in Hyderabad earlier this week and am underway meeting with the team members here. As I mentioned in the previous post , we realized early on how important it was to the overall success of InfoSec that we have presence in India. After we started...

Next week I’m going to be in India to visit our team in Hyderabad. Outside of Redmond, USA, Hyderabad is our largest presence that makes up about 20% of our overall globally distributed Information Security team. It’s always a blast for me to visit India...

I’m very excited to announce the recently released SDL-LOB. You can read more here and be sure to check back regularly on www.msinfosec.com as we will be highlighting various aspects of SDL-LOB. -Todd

There is little doubt that information is fast becoming ubiquitous. In its digital form, you can have access to information over your desktop PC at home or work, your mobile laptop, your phone or even your entertainment system in your living room. The...

Information security risk management serves organizations best when it is proactive versus reactive. A reactive risk management program identifies a risk after the organization has been affected by the risk and has possibly experienced a risk event. This...

Information Security’s core function includes managing information security risk. Now there is a lot of content on the topic of “risk management” from both the academic world and the professional world that you can easily find on the internet. While we...

Our mission in Information Security is to enable secure & reliable business . In going about our mission, we’ve constantly tried to take a very deliberate service-oriented view of information security rather than a purely enforcement approach. Like...

Welcome… My name is Todd Kutzke and I help lead the Information Security group within Microsoft. Organizationally, we sit inside Microsoft IT and together with our business partners, we help manage information security risk for Microsoft. The intent of...