AIG’s Global Identity Governance Implementation
Executive Sponsor: Paul de Graaff, Global Information Security Officer, AIG
Project Team: Paul de Graaff, Robert Mazzocchi, David Cornelius, John Gillis, Scott Goldman, Steve Miskovitz, Ed Mona, Joseph Koodray, Joe Tutela, Thomas Waldron
In 2009, one of AIG’s biggest IT challenges was the complexity of managing worker access privileges globally, across a varied and complex technology infrastructure. The situation was exacerbated by corporate restructuring, including large-scale consolidations of people and IT assets, and layoffs. AIG’s IT department turned to identity governance to manage the company’s access privileges for 45,000 employees across 35 high-risk applications. The project allowed the company to put in place stronger and more consistent controls over user access to sensitive applications and data in order to address those challenges, comply with regulatory mandates and better manage operational risk.
Global Risk Management & Compliance Program
Executive Sponsor: Matthew Archibald, Managing Director Information Security & Risk Management
Project Team: Robin Carriere, Kannan Perumal, Kerry Bryan, Mark Valade, Luciana Rubinsky, Robert Ackerbom, Tom Austin, Bill Roman, Karen Murphy, Andrew Monk, Tom Scocca, Jack Gross, Andy Wall, Ben Hipp, Sujoy Sur
Introduced the Program Risk Management methodology developed by the Information Security & Risk Management group to our Corporate Business "Risk Vertical Partners" as well as Business Project Managers in conjunction with a major companywide transformation program. The tools, process and methodology were used simultaneously by 12 business & IT project managers on 12 major global programs, consisting of 95 projects and 240 initiatives managed globally. A permanent Centralized Program Risk Office as well as a Global Risk Management & Compliance Committee was established to manage, track and mitigate risk across projects and programs.
The Voltage Project
Project Team: Joe Bentfield, Janet Kerns, Dan Madsen, Daniel Schulte, Mike Sterner, Larry Abram
The Voltage Project at AT&T enables these information security objectives: (a) do the right thing by the corporation, employees, business customers and consumers, vendors and suppliers; (b) meet internal corporate and security policies; (c) meet a broad set of legislative regulatory compliance mandates and other external initiatives such as PCI, GLBA, HIPAA, etc.; (d) satisfy business customer contracts; and (e) enable business efficiency. It involves two key initiatives: End-to-end Information Protection and Data Leakage Prevention. It utilizes approaches that are game-changing in securing information from end to end, and leverages breakthrough technologies in innovative solutions that remove barriers.
Security In the Cloud
Executive Sponsor: Christopher Rence, CIO/VP
Project Team: Vickie Miller, Scott Charleston
2009 Network Access Control Project
The project was chartered to install network port security that would proactively keep unauthorized people off the internal corporate network, preventing possible internal cyber attacks while providing limited guest access to the Internet for day-to-day vendor presentations.
Project Team: Steve Elefant, Sarah McCrary, Larry Godfrey, Paul Minutillo, Dustin Francis
E3™, Heartland Payment Systems’ end-to-end encryption solution, is designed to protect all stakeholders in the payments industry — including merchants and consumers — with the highest degree of security available … with no extra fees. Only E3 technology safeguards cardholder information from the moment of card swipe — and through the Heartland network — not just at certain points of the transaction flow.
The I Campaign
Project Team: Ty Christopher, Cheryl Conley, Bob Davidson, Trent Flood, Phil Nicholas, Scott Rush, Debbie Stuckey, Christina Valecillos
Lockheed Martin launched an internal communications program called The I Campaign in October 2009. The campaign is focused on educating employees about how to protect the Corporation’s information assets and minimize cyber security risks through proper behaviors. In addition to helping mitigate several real cyber attacks, employee testing has shown the campaign has driven significant improvement in employee response to known adversarial tactics used in targeted e-mails.
Product Risk Management for the Enterprise (PRiME)
Executive Sponsor: Michael Wilson, VP, CISO, McKesson Corporation
Team Members: John B. Sapp Jr., Michael Wilson, Sharen Bond, Marian Reed
With the large number of mature security technologies available for the Network layer, the Application layer has become the “new perimeter” and the majority of the technology industry is focused on web-based application security. However, the healthcare industry has a much different and more difficult challenge as the bulk of applications deployed within hospitals, clinics and ambulatory surgery centers are legacy thick-client applications that suffer from many of the same security vulnerabilities as web applications.
High Assurance OneBadge
Executive Sponsor: Tim McKnight, VP, Information Systems Security
Project Team: Russell Koste, Charles Marttila, Barbara Lawrence, Amy Daniels, Gus Pilarte, Tim Powell, Mark Burns, Gary Trexler, Marv Jackson, James Ryan, Carol Spain, Chuck Schwartz, Elizabeth Taylor, Jennifer Hensley, Lynn Massengale, John Clark, Carla Seaborn, Ken Sprinkle, April Martinez, Mary Hicks, Aiko Woods, Bobbie Helbringer, Kimberlee Hendricks, Rita Kohn, Bill Goodhand, Dennis D’Alessio, Greg Ewing, Bob Fraser, Jim Vreeland, Marcia Bradley, Ed Clark, Anne Swanson, Doug Wickman
The Northrop Grumman High Assurance OneBadge project developed, implemented and deployed smart card technology across the corporation providing enhanced protection from unauthorized access to company facilities, networks and data. The OneBadge implementation standardizes employee logical and physical access controls and is aligned to Homeland Security Presidential Directive (HSPD) 12, the identification standard for government employees and contractors. Northrop Grumman’s new identity badge is the first corporate credential to be accepted by the Department of Defense (DoD) and the Federal Public Key Infrastructure (PKI) Bridge to enable secure collaboration with Northrop Grumman’s government and commercial customers and partners.
Information Technology Governance, Risk and Compliance (IT GRC)
Executive Sponsor: Lee Parrish, Director, Information Assurance
Project Team: Judy Kiser, Mark Beck, Wail Jastaniah, Alexandra Pichardo, Anthony Carr, Jeffrey Nix, Wes McLain, Mark Leary
The Information Technology Governance, Risk and Compliance (IT GRC) project created a multi-function risk and compliance application to facilitate the planning, execution, and tracking of risk assessments conducted at Northrop Grumman. The project team implemented the Archer Technologies solution, integrating data feeds from various corporate asset systems, entity policies and procedures, threat and incident information sources, and commercial vulnerability databases. The application environment set a foundation for strategic integration of the Archer framework by moving disparate, siloed, manual security processes onto a single automated platform, providing greater efficiencies and visibility to stakeholders and those responsible for managing IT security risk.
Implementation of IT Controls
Executive Sponsor: Pamela Rucker, Vice President of IT
Project Team: Lloyd Dawson, Frank Duke, Beth Wilcox, Hassan Hakam, Ida Joiner
Although PSC is a privately-held organization, executive management has instituted a control-based philosophy of how PSC will design and conduct business processes, including IT. The initial IT control environment, including Sarbanes-Oxley (SOX) controls, was based on an operational perspective instead of using a risk-based approach. Initial control testing results validated that using a risk-based approach addressed key compliance requirements, including detecting high risks and discovering vulnerabilities across all critical IT systems, both of which are required for publicly held corporations. PSC IT management implemented a new SOX and monitoring control environment in early 2009 and subsequently received positive results from an external audit of IT systems.
VCR (Virtual Clean Room) San Diego
Executive Sponsor: Joshua Davis, Director, Information Security and Risk Management
Project Team: Bruce Rosendahl, Kevin Larson, Kevin Dalfonzo, Zhen Chen, William Wu, Keith Ritlop, Matt Swanson, Matt Martin, Shahid Shafi, Prabakar Thiyagarajah, Anabel Avelino, Sean Callahan, Zeeshan Sabir, John Goebel, Jeff Overbey
The Virtual Clean Room is a network enclave designed to protect a high performance build environment while meeting stakeholder requirements of minimal build ecosystem performance impact or business process change. The project team’s solution achieved a balance between operations and security needs by working with stakeholders to obtain a clear understanding of the environment, then engineering a solution using principles of "Defense in Depth". The Virtual Clean Room increases security by creating a secure network perimeter, implementing standards and improving monitoring without impacting the build environment systems or their users.
TXU Energy Roles Rebuild
Executive Sponsor: Christopher Holm, Director IT Risk, Security and Controls
Project Team: Mike Hill, Glenn Baker, Sabrina Dyer, Casey Davis, Blake Elder, Phillip Henderson, Javed Husain, Kevin Jackson, Yoganathan Sivapragasam, Sai Vallurupalli, Chris Vanderbosch, Jon Wise, Tanner Simmons
The Roles Rebuild team successfully completed rebuilding individual user roles for SAP security for IT and then every functional organization at TXU Energy. The endeavor touched every employee at TXU Energy and was completed on schedule and within budget. In addition, Role Security Rule sets were developed for Separation of Duties compliance for every role. Subsequent controls exception remediation efforts were completed on schedule.
USAA Info Sec Authentication Program
Executive Sponsor: Gary McAlum, SVP/Chief Security Officer
Project Team: James Ravizee, Jack Key, Richard Davey, Tammy Sanclemente, Thomas Buckingham, Betty Del Valle, Ryan Johnson, Mary Beth Block, David Row, Ashley Brown, Wil Bennett
USAA is a leader in the industry through innovation of unique methods for strengthening its authentication across many channels (.com, speech, member service representatives, and mobile). For example: USAA gave its mobile users faster, more secure mobile logon access to their banking, insurance and investment accounts through its new quick logon and authentication security software. This simplifies account access for USAA members while strengthening the logon security for its popular USAA Mobile App, which allows bank deposit functionality from the iPhone and Android platforms. Almost 1.3 million of USAA's 7.4 million members access USAA's mobile platforms to conduct financial transactions.
Academic/Public Sector Category
Kellogg Center PCI-DSS
Executive Sponsor: Michael Dawisha
Project Team: Gene Willacker, Paul Heberlein, Brian Pillar, Ryan Finn, Kirti Singh, Jill Respecki
Complete all requirements in order to achieve compliance with the Payment Card Industry Data Security Standard. The PCI DSS is a multifaceted security standard that includes requirements for security management, policies, and procedures when handling credit cards. Compliance with PCI DSS for the Kellogg Hotel and Conference Center at Michigan State University required redesigning the network, updating applications, changing business practices, and writing and disseminating policies and procedures for all 200+ items required to be considered compliant. We added 15 additional servers, installed a new firewall appliance, installed Citrix and RSA tokens for external access to the credit card environment, and replaced all 60 computers in the Hotel. Over 6000 hours of labor were spent by the Hotel staff and the Information Services team to achieve compliance.