Announcing the Connected Information Security Framework (CISF) and Risk Tracker

I’m excited to announce the release of the Connected Information Security Framework (CISF) developed by our own Microsoft Information Security Tools (IST) team. This software development framework comprises of API’s and reusable components that is designed to create bespoke or custom information security and risk management solutions. Built on the Microsoft core technology stack including SQL Server 2008 and .NET 3.5 it can be described as a loosely coupled framework (or “glue framework”) for software developers to create and connect a wide array of disparate information security related data, systems and business processes into a common software architecture. In this new video, “CISF: Build Your Own Custom Security Applications,” Mark Curphey, Product Unit Manager, and Marius Grigoriu, Solution Manager, from Microsoft Information Security Tools (IST) team provides an overview of the first version of CISF.

Along with this release of CISF, we’re also releasing our first custom application using CISF called Risk Tracker version 1.0 which captures and tracks high level security risks through manual input and via direct feeds from upstream systems (application provisioning and security review scheduling). Watch the video, “Risk Tracker: Reducing Risks at Microsoft,” as Sarah Pickard, Senior Security Program Manager from Microsoft Information Security team and Mark Curphey, Product Unit Manager from Microsoft Information Security Tools (IST) team discuss Risk Tracker, the new custom information security application built on CISF. They share how the business will use the application and how it will manage risk.


Similar to other companies, to support our evolving business needs we continue to develop custom applications to address business requirements. At the end of the day, we end up with a portfolio of different applications. Eventually we want to move toward the approach of building solutions where all applications can work well together on one framework. Having one framework allows us to build many applications on top of each other.

In information security at an enterprise, there are many different risks to track. Our risk management team expressed a business need for one simple, central system that has the ability to: 1) identify risk 2) log risk 3) measure risk and 4) track risk. Ultimately we needed a risk management system that lets us effectively reduce risk at Microsoft. To address this need the IST team built Risk Tracker, our first custom application using CISF.


With our one framework approach, CISF is a development framework made up of reusable components specifically designed to create custom security tools that are highly specialized, change frequently and are usually highly unique to specific scenarios or businesses. These tools are often those where the requirements are emerging and are expected to change rapidly as the emerging business problem becomes better understood. Companies can use and extend the framework to create new applications, port their current custom applications to use it, update existing applications to consume framework services like controls and either use or extend sample applications we create, for instance, Risk Tracker.

Risk Tracker is the first custom sample application and the start of more applications built on CISF. This application will help organizations manage, track, report, associate, as well as assign risk to an entity. Eventually this system will allow us to develop a plan and tag milestones to ultimately see how we’ve reduced risk over time for Microsoft.

Business Value


Building applications on one framework, CISF provides the following business values to an enterprise:

  • The framework provides software developers the ability to create and connect a wide array of disparate information security related data, systems and business processes into a common software architecture.
  • Custom applications can be integrated together with one core business infrastructure, connecting to the same data sources.
  • Security controls service can be consumed by humans and tools.
  • The framework can provide a central customized reporting and analytics.

Risk Tracker

Using one risk management system can be valuable to a business, below describes some business values for the Risk Tracker application:

  • Having one central system, all risks can be consolidated into one central repository for easy tracking and reporting, also providing a tracking change history made by the user or the system.
  • Deadlines can be driven without human intervention through streamline notifications.
  • Risk Tracker can help drive accountability to risk managers, ensuring that risks are addressed in a timely fashion.
  • Using one system to consolidate risks, Risk Tracker can provide organizations visibility to the “high” impact risks where time and resources can be prioritized effectively.

CISF is a big project spanning over several years. Initially we will be releasing a CTP (Community Technology Preview); providing quarterly code drops, as we add more functionality and re-factor the existing framework driven from what we learn from our user feedback. We’re building this framework for ourselves, testing it within Microsoft, but we want other Microsoft customers to share in our work and partner with us. We want to hear from people that are interested in this framework and share with us ideas and feedback--we’ll be setting up some user groups to hear and share technical details. Risk Tracker is our first custom application on CISF, we hope it will be the beginning of many more applications. The vision for Risk Tracker, we eventually want the system to help us predict risk based on historical data which ultimately lends to effective risk planning and mitigation.


Both CISF and Risk Tracker will be released open source on CodePlex using an MS-PL license, essentially meaning our customers and ISV’s can take the code and use it as they see fit. The IST team will be providing quarterly releases and updates for CISF.

CISF CTP download

Risk Tracker v1.0 download

Stay up to date on the latest news by visiting the IST blog.