4-page Case Study
Posted: 7/13/2012

Microsoft Global Security Operations Center
Microsoft Uses Enterprise Incident Management Processes to Improve Security at Its Facilities

In early 2011, in the wake of civil unrest and political instability in Tunisia, Egypt, Libya, and other Middle East hot spots, the Microsoft Global Security Operations Center (GSOC) in the Europe/Middle East/Africa (EMEA) region activated local and enterprise Incident Management Teams (IMTs). Working closely with the GSOC EMEA, local IMTs maintained constant communication with their personnel and provided security guidance for all affected staff and travelers. Microsoft employees were kept safe and informed, and assets were protected.

Protesters took to the streets of Tunisia, Egypt, and Libya, clashing with government forces and, in some cases, pro-government demonstrators or militias. Violence, property damage, and casualties ensued, leading to more uprisings and government crackdowns. Within Libya, armed clashes occurred between rival militias that had once fought together against pro-Qaddafi forces. In Egypt, fresh protests erupted over the pace of reform, and sectarian tensions fueled violence. Throughout the region, Microsoft employs 304 people across 64,000 square feet of office space in five buildings.

The Microsoft Global Security Operations Center (GSOC) in the Europe/Middle East/Africa (EMEA) region (located in the United Kingdom) activated Incident Management Teams (IMTs) in the early days of the protests to manage their local effects and to limit the overall impact on Microsoft. To mitigate risk to assets and help personnel on the ground stay safe and informed, the IMTs started processes for:
  • Managing communications 
  • Locating travelers 
  • Providing security services
The IMTs provided background information, daily situation briefings, and security advisories. The teams used several tools to reach and collaborate with key decision makers and staff, regardless of their location and network access:

  • Visual Command Center software from IDV Solutions unites data from internal security systems and external data feeds in a common operating picture. Users can interact with and analyze the data on a map and timeline. The software was used to check the proximity of Microsoft offices to the center of the demonstrations. Custom maps were disseminated with situation updates.
  • Microsoft InfoPath 2010 information-gathering program enabled the IMTs to quickly gather information in a consistent and efficient manner via a centrally accessible portal.
  • Microsoft Lync 2010 connected IMT members in live meetings through laptops. It was the preferred communication tool, because it brought together voice, video, and documents and was not affected by landline disruptions. “The software created a virtual war room,” says Mike Foynes, Senior Director of Operations for Microsoft Global Security. “With Lync, I could communicate with GSOC EMEA, help them set a course, and pass along instructions and other information. InfoPath helped us share data about all our facilities in the region, so we could reach out to them directly.”
  • AtHoc, a partner messaging tool that uses Short Message Service (SMS), a text messaging service, was used to quickly alert IMT members and senior leadership of upcoming meetings, situation changes, and advisories.

Figure 1. Visual Command Center synthesizes internal and external information in real time to provide situational awareness to Security Leadership.

Traveler Location

GSOC EMEA worked to make sure that all visitors who were in or traveling to the region received timely updates and relevant security guidance. Microsoft Global Security relied on key technologies to successfully manage the situation.

  • Mobile Travel Assistant (MTA), from partner ConTgo, helped GSOC EMEA confirm the location of all Microsoft travelers. Those en route to or already in the area were told of the unfolding situation via an alert message. That message required a response from the traveler to verify their well-being. “Within minutes, we could tell who was where and what facilities were near the dangers,” says Mike Howard, Chief Security Officer for Microsoft Global Security. “We could determine how many travelers we had in the country and ping them quickly.”
  • Inca X, a partner product that leverages Windows Azure and provides web-accessible GPS location data, was installed on the mobile phones of deployed Regional Security Advisors to provide on-the-ground support and detailed threat information. Advisors’ physical locations were tracked by using Inca X as long as satellite coverage remained available.

Security Services
GSOC EMEA provided security advice, support, and facilities to all personnel affected by the unrest. Several software tools were used:

  • Microsoft SharePoint Server 2010 extranet pages of the Global Security website were used to publish travel restrictions and office closure information. Use of the extranet meant that personnel did not need access to the corporate network to obtain information.
  • Lenel, the access control system used to monitor all Microsoft campuses and buildings, demonstrated its durability by remaining fully operational throughout the events.
Enterprise Collaboration
The Tunisian, Egyptian, and Libyan IMTs fostered the internal coordination necessary to monitor the impact of the political instability and to serve Microsoft personnel during those critical months.

Global Security sent a Regional Security Advisor to Egypt and Tunisia to provide detailed threat information to Global Security and local IMTs and to assist on the ground. Hotel rooms were obtained by local IMTs as safe havens for any staff and family members threatened by the escalating violence.

In Libya, a third-party security company successfully evacuated Microsoft employees and dependents to neighboring Tunisia. Other Microsoft groups that provided input and support to the regional security team included:

  • Global Security Intelligence Group, which provided counsel on raising individual country risk ratings to High and Extreme. The group also monitored the rapidly changing situations on the ground and reported findings to enterprise and security leadership. This information enabled key decision makers to effectively deal with safety threats and potential impact to the business.
  • EMEA Communications Team, which published advisories and individual employee guidance.
  • GSOC EMEA, which provided all outreach, event notifications, and situation updates. GSOC EMEA activated all IMT calls, located travelers, issued formal communications, and monitored access to all Microsoft facilities as long as the IMTs operated.

By early April 2011, all local IMTs had moved to a monitoring status.

* With the right tools and planning, we were able to scale up quickly to manage multiple incidents with a small number of staff. *

Mike Foynes, Senior Director of Operations, Microsoft Global Security

In all three countries, the former leaders were forced from power. Elections have just completed in Egypt and are planned in Tunisia and Libya.

For Microsoft, the political unrest tested the GSOC and IMTs to the fullest. Working collaboratively with GSOC EMEA, the local IMTs provided continuous communication with affected personnel to help ensure their safety and access to help.

Microsoft and partner technologies played a critical role in the success of the IMTs. Microsoft staff used Lync to communicate through voice and instant messaging and to share screens and documents. Staff also used Lync to join meetings from landline phones, mobile devices, and laptops. InfoPath and the IMT portal enabled staff to easily and immediately access relevant documents, regardless of location or format.

Staff members were able to communicate by using the AtHoc and ConTgo tools, which helped ensure that all personnel were accounted for. Finally, as governments often shut off corporate network access during political crises, the use of extranet pages on the Global Security website provided timely and relevant communication with the people who needed it most, regardless of network disruptions.

Keys to Success
Howard names the following as vital parts of the enterprise response to the political upheaval:

  • Planning and strategy. The response was not a spontaneous reaction. The enterprise was prepared and had a written plan.
  • Connecting technology to planning and strategy. The effort ran on off-the-shelf software from Microsoft and its partners. Users set up the solutions on their own, without excessive customization.
  • Exercise and practice. The teams practiced their roles in advance and improved the plans as needed.
  • Alignment with executive goals. The executive overseeing the response shared vetted information with enterprise leaders, ascertained their priorities, and ensured that resources were available to help the IMTs do their work.


The Microsoft GSOC team uses a range of customizable, off-the-shelf solutions for physical security, including Microsoft technologies integrated with third-party products. This strategy helps create an enterprise security solution that reduces costs and improves customer service. For more information, visit:

Solution Overview

Organization Size: 37 employees

Organization Profile
Headquartered at the Microsoft campus in Redmond, Washington, Microsoft Global Security manages all aspects of physical security at Microsoft facilities worldwide.

Business Situation
In early 2011, protesters and government forces clashed in Tunisia, Egypt, and Libya. The resulting civil unrest led to mass arrests, violence, and international involvement. The safety of Microsoft people and property was at high risk.

launched local Incident Management Teams in Tunisia, Egypt, and Libya to manage communications, coordinate security assistance, and manage risk to personnel traveling to and within the affected areas.

Close collaboration between the local IMTs and the GSOC minimized harm to Microsoft people and assets. All personnel were accounted for, and campus security was maintained throughout the crises. Microsoft and partner technologies facilitated the vital teamwork.

Third Party Software
  • AtHoc messaging tool
  • ConTgo Mobile Travel Assistant
  • IDV Solutions Visual Command Center
  • Inca X geocasting

Software and Services
  • Bing Maps
  • Microsoft Lync 2010
  • Microsoft Office 2010 Suites
  • Microsoft SharePoint Server 2010
  • Microsoft SQL Server 2008

Vertical Industries
  • Public Safety & Justice
  • Defense

  • Egypt
  • Libya
  • Tunisia

Business Need
Cloud & Server Platform