ISE® North America Project Award Nominees 2014

Commercial Category

AES Global Advanced Threat Protection Solution
Executive Sponsor: Scott Goodhart
Location: Arlington, VA

At AES, we recognize that as a Fortune 200 global power company with a diverse portfolio of distribution businesses and thermal and renewable generation facilities spanning 20 countries, we have become a major focus for targeted cyberattacks and are among the top five most targeted sectors worldwide. As part of our implementation of the NIST Cybersecurity Framework, we identified an opportunity to improve our defense-in-depth architecture by piloting and then implementing a global advanced threat protection solution to complement our existing defenses and better protect against both email and web-based cyberattacks.

Baker Hughes
Security Transformation Program
Executive Sponsor: Annessa McKenzie, Chief Information Security Officer, Baker Hughes
Location: Houston, Texas

Annessa McKenzie’s appointment to Chief Information Security Officer in August 2013 came with a strong focus on execution to close significant security gaps. In her short time in this role she has already done an outstanding job of rapid risk analysis, prioritization of gaps, building a team with the right talent, and executing on 25+ projects that significantly improved the security risk profile at Baker Hughes. Her team has delivered a comprehensive security program, aligning within IT and with the business to drive global improvement.

Implementation of Identity and Access Management at Brown-Forman
Executive Sponsor: Darrell Keeling, Director, IT Security & Quality, Brown-Forman
Project Team: Darrell Keeling, Todd Werner, Robin Nicholson, Kelly Lewis, Gloria Nusz, Jeff Brown, Clay Colwell, Rick Hopkins, Kathy Phillips and Jim Robinson.
Location: Louisville, KY

Brown-Forman launched the Identity Management project in order to support the company’s rapid global expansion into new countries and the need to provision entitlements and identities to new users. The goals of the project were to deliver efficiencies in security administration due to centralized identities and entitlements; obtain complete visibility into all active users within all systems, achieve improvements to security processes and controls through automated and uniform process repetition; reduce costs associated with processing entitlement requests; and significantly reduce SLAs due to self-service entitlement provisioning.

Perimeter Redesign
Executive Sponsor: William Worthington, Director of Security Operations & Engineering, Caesar’s Entertainment
Location: Las Vegas, NV

This project completely redesigned the inbound and outbound internet traffic for all of Caesars Entertainment. The design leveraged new next-generation firewalls, load balancers providing SSL decryption, malware detection devices, forensics and logging devices, IDS/IPSs, and new web proxies, all with high availability and redundancy. Additionally, the devices were configured in blocking mode and a “Deny All” rule was deployed on the Web Proxy to ensure only categorized sites were allowed.

IT Security Analytics (ITSA)
Executive Sponsor: Charles Hudson, Executive Director, National Governance, Risk & Compliance, Comcast
Project Team: Kallol Ray, Venkat Paruchuri, Laura Whitt-Winyard and Luis Colon.
Location: Philadelphia, PA

The ITSA solution at Comcast solves a problem that practically all security organizations deal with – numerous security tools with individual dashboards, reports (many of which are aesthetically unappealing) and remediation portals – all working independently of one another and requiring manual analysis to uncover enterprise risk. Comcast’s ITSA program extends beyond the boundaries of a typical IT Analytics program by creating an end-to-end centralized capability that consolidates numerous security tool reports, provides real-time contextual security analysis, produces stunning visual interactive security metrics, generates behavioral analytics, initiates orchestrated automated remediation and facilitates manual remediation workflows.

Comcast Just-in-Time Sensitive Information Training
Executive Sponsor: Charles Hudson, Executive Director, National Governance, Risk & Compliance, Comcast
Project Team: Robert Irwin, Kallol Ray, Paul Fournier, Patrick McGranaghan, Venkat Paruchuri and Laura Whitt-Winyard.
Location: Philadelphia, PA

The Comcast Just-in-Time Sensitive Information Training project is designed to provide real-time, automated, task-specific, interactive and media-rich security awareness training to individuals who trigger a policy violation within the Bay Dynamics’ Risk Fabric solution. Examples of such incidents include Data Loss Prevention events, non-compliance with stated policies, and deviations from the user’s own baseline or the baseline of their peer groups.

By tracking the Just-in-Time training’s effectiveness against a user’s future activities, Comcast can now measure how the program is influencing organization-wide behavior and its impact in meeting a vast array of corporate and regulatory mandates.

Advanced Attack Response and Mitigation (AARM)
Executive Sponsor: Myrna Soto, CISO, Comcast
Project Team: Myrna Soto, John Kelly, Glen Pirrotta, John Roskoph, Dan Phan, Jeff Stoklosa and Andrew Perry.
Location: Philadelphia, PA

Internet access and reliable publicly routable network transport are critical to the health of both domestic U.S. and global economic, commercial and national defense interests. Loss of ISP resources can have serious if not catastrophic effects on national and international markets, disrupt transportation and other essential infrastructure, and result in major degradation of the brand and reputation of competitive service operators. With ever-rising demand for high-speed and high-availability networks, the threat of disrupting or even targeting this infrastructure increases. In response to the evolving threat landscape we embarked on a very aggressive effort to more effectively protect our infrastructure, services and consumers from network-borne attacks. This project succeeded in meeting that objective.

Elsevier Security Maturity Model
Executive Sponsor: David Cass, SVP & Chief Information Security Officer, Elsevier
Project Team: David Cass, Philip Ramey and the teams from Risk & Assurance, Software Security and Training & Awareness.
Location: Philadelphia, PA

The team created an information security maturity model that aligned the business, information technology, and information security teams. The model created a risk-based approach with 5 tiers, allowing for rapid assessment of the application portfolio, and, based on the security maturity rating, created a clear path to remediation.

Tokenization of PII Data in ERP Systems
Executive Sponsor: Ashley Ferguson, Manager, IT Risk Management
Project Team: Chris Wingard, Ram Thundena, Kiran Machavarapu, Sriram Sagi, Calvin Laurance, Immanuel Dhanasingh, Tammy Holiness, Pawan Racha, Rodney Brown, Ashley Ferguson, Joy Barron, David Brisco, Christopher Gagliano and Kristi Doughty.
Location: Birmingham, AL

The Tokenization of PII Data in ERP Systems project was completed to enable Energen Corporation to become the first corporation to fully tokenize all PII data for both customers and employees utilizing a newly developed smart flex-token in our Alagasco ERP system. Phase I of the project consisted of a new customer website, IVR and tokenization of all credit card numbers. In Phase II we worked with the vendor to develop the first flex-token available in the industry to fully tokenize all PII data regardless of length and identifier location to enable tokenization of all PII data types.

GE Oil & Gas
Project SAND
Executive Sponsor: Amolak Gosal, Director, IT Security, Risk & Networks, GE Oil & Gas
Project Team: Patrick Sullivan, John Moore, Gabor Koltai, Aaron Hoy, Robert Blake, Miriam Pastrana, Mike Stephens and Bob Wysocki.
Location: Houston, TX

GE Oil & Gas is positioning itself today to counter the information security threats of tomorrow. Project SAND is a global information security program designed to increase GE Oil & Gas’ ability to embrace new technology and the new mobile workforce.

SAND is comprised of 3 key objectives:

  1. Secure third party connections
  2. Harden internet facing application infrastructure
  3. Simplify the complex Active Directory landscape

By hardening and simplifying the core IT infrastructure, SAND has enabled the secure integration of $3B+ of acquisitions into GE Oil & Gas. In addition, SAND has provided an improved platform for secure collaboration between employees, suppliers, and customers.

Enabling HireRight Security Teams with Advanced Risk Analysis and Vulnerability Management Solutions
Executive Sponsor: David Barton, Sr. Director, Head of Security, HireRight, Inc.
Location: Nashville, TN

David Barton of HireRight was looking to implement new technologies to enable his information security and IT operations teams to execute vulnerability assessments of housed customer data more efficiently. Protection of customer data is paramount at HireRight, and there was a need for a solution that was responsive to the changing threat landscape, providing visibility into the security gaps within the organization. The goal was to deploy a technology and security program that provided best of breed analytics and reporting of vulnerability data in order to proactively patch flaws, fix configurations and automate several operations for ease of compliance. Mr. Barton partnered with security vendor BeyondTrust, launching a new risk analysis and vulnerability management solution called Retina CS. This in effect allowed the HireRight security team to make smart decisions, effectively communicate risk, and report vulnerability management progress to executives and compliance auditors.

Employee Access EcoSystem
Executive Sponsor: Gary Cantrell, Chief Information Officer, Jabil Corp.
Project Team: Erik Collasius, John Graham, Mike Ring, Mike Theriault, Walther Ardon, Greg Fisher, Troy Riley, Pierre Joseph, Mike Lamphier and Gabriella Nelms.
Location: St. Petersburg, FL

Jabil’s global customer base is highly competitive regarding intellectual property, cutting-edge innovation, and the secrecy surrounding new product launches. Losing this data would result in millions of dollars in contract fines, as well as major loss of existing and future business. To minimize customer and Jabil risk, Jabil created and adopted a portfolio of security-as-a-service solutions in order to better protect and secure the company’s critical information. The security-as-a-service initiative spanned three areas: application access, data loss prevention and external threats. This project enables Jabil to close security gaps, achieve a rapid time to value, leverage its security technology and practices as a market differentiator and create a competitive business advantage in the marketplace.

Mac for the Enterprise
Executive Sponsor: Mikhael Felker, Director of Infrastructure & Compliance, ReachLocal
Team Members: Mikhael Felker, Dan Anthony, Austin Pittman, Andrew Lai, Chris Hoff and Matt Martinez.
Location: Woodland Hills, CA

The project goal was to increase the security and usability of company owned Macs; providing uniformity of security controls across all end-user workstation systems. Implementing Centrify enabled identity and access control, adherence to workstation policies (such as password complexity and screensaver lock), and enforcement of full-disk encryption (via key management for native OS X FileVault 2 encryption). Completing this project met a multitude of business needs including reducing the risk of lost and stolen Macs, progress towards meeting enterprise Single Sign On standards, and fulfilling contractual requirements for our customers in regulated verticals (i.e., healthcare and financial).

Acquisition Security
Executive Sponsor: Zachary Powers, Senior Director of Enterprise Security
Team Members: Zach Powers and Garrett Held.
Location: San Francisco, CA

In recent years, Salesforce acquired more than a dozen innovative startups whose technologies were cloud-native. Customer trust is a deeply ingrained part of the Salesforce values and culture. Rapidly ensuring security and compliance for acquired startups was a critical enabler of integrating new acquisitions into Salesforce and unlocking their value for existing and new Salesforce customers. The Salesforce Trust organization’s project was to establish strategies and supporting technologies enabling them to centrally manage security and compliance for the acquired companies across an incredibly diverse set of technical, operational, and regulatory environments.

Argus
Executive Sponsor: Daniel Thanos, Director Advanced Cybersecurity & Strategic Programs, TELUS Communications
Location: Toronto, ON

TELUS’ Argus project is named after and inspired by the many-eyed giant of Greek mythology, representing an all-seeing system designed to intelligently and automatically detect everything from the most mundane to the most advanced forms of system and network intrusions, and then automate and monitor their containment and remediation. Argus is both a functional system and an extensible architecture using advanced software technologies built upon Hadoop clusters, streams, and complex event processing, with integrations into security event management and incident response tools. Argus embeds the best of Security Monitoring Analytics to build a game-changing technology with capabilities beyond those offered by off-the-shelf platforms.

DMARC Wide Deployment
Executive Sponsors: Josh Aberant, Postmaster, Twitter; Franck Martin, Postmaster, LinkedIn
Location: San Francisco, CA

The DMARC protocol provides an effective means of combating phishing and email spoofing. However, the newness of the DMARC protocol meant that certain key Internet email systems were incompatible with it. Twitter & LinkedIn’s Postmaster Groups teamed up to work with key Internet organizations to achieve DMARC compatibility.

Put Yourself in the (Information Security) Picture Training & Awareness
Executive Sponsor: Patricia Weedon, VP, Information Security & Compliance, Warner Bros.
Team Members: Patricia Weedon, Jessica Fernandez, Gene Yoo, Andrew Sutherland, Christopher Bolton, Robert Carrillo, Cantrell Harris, Young Le and Sunny Young.
Location: Burbank, CA

The “Put Yourself in the (Information Security) Picture” security awareness campaign is a comprehensive communications effort that was designed to engage and train a global workforce. At the heart of the program are the fictional characters of Barclay and Fisk, two employees on the Warner Bros. Information Security team who aspire to teach their fellow employees about information security. The program was launched with a series of three film shorts. With a blend of humor and substance, the videos created initial awareness and familiarity among employees on the topic of information security. These likeable characters put a story and face on the topic of information security and helped to solidify a brand for the department. The program successfully put the topic of information security on employees’ radar.

Academic/Public Sector Category

Internal Revenue Service
The IRS Affordable Care Act (ACA) Alternate Site Recovery Team
Executive Sponsor: Mary Hernandez, Deputy Associate Chief Information Officer, Enterprise Operations, Internal Revenue Service
Project Team: John Taylor, Joe Baguio, Karen Bossert, Abdul Fouzi, Susan Bonner, Wilma Toney, Yang Ke, Steve Corder, Orlando Carter, Stan Hawkins, Aaron Francesconi, Thomas Mobley and Roger Barnett.
Location: Lanham, MD

The Affordable Care Act, signed into law in 2010, impacts every aspect of healthcare for individuals, employers, insurers, hospitals and medical personnel, health and tax practitioners and health advocacy groups. More than 40 of ACA’s 500 provisions added to or amended the Internal Revenue Code. The Internal Revenue Service was tasked with implementing and administering these tax law changes. The IRS’s ACA Alternate Site Recovery Team deployed a complex system-wide continuity of operations plan for use in the event of unforeseen circumstances or events. The solution they developed seamlessly moves ACA processing between IRS data centers and ensures continued delivery and high availability. This project ensures that ACA production systems can be fully recovered in the event that IS contingency or disaster recovery plans must be activated. The ACA Alternate Site Recovery Team implemented critical standards and guidelines in compliance with the Federal Information Security Management Act (FISMA) of 2002 to protect ACA information.

Government of New Brunswick
Security Event Management Centre (SEMC)
Executive Sponsor: Christian Couturier, Chief Information Officer, Government of New Brunswick, Executive Council Office
Project Team: Jamie Rees, Grant Streeter, Todd Legere and Blair Nason.
Location: Fredericton, New Brunswick

In 2012 GNB created a Security Event Management Centre (SEMC) in the Office of the CIO. Its main purpose was to improve the Government’s cyber-infrastructure security posture. SEMC program staff continually monitor and report suspected cyber incidents to appropriate stakeholders and recommend mitigating actions. This includes near real-time emergency response and longer-term security posture reports. SEMC’s objective was to achieve uniform and consistent security event management across all of government and break even within two years, weighing the cost of set-up against the cost of productivity saved.

The Software Assurance Marketplace (SWAMP)
Executive Sponsor: Kevin Greene, Software Assurance Manager of The Department of Homeland Security Science and Technology Directorate, Software Assurance Marketplace
Project Team: Kevin Greene, Miron Livny, Barton Miller, Von Welch, Jim Basney, Patrick Beyer and Irene Landrum.
Location: Madison, WI

SWAMP is a no-cost, high performance computing platform for continuous software assurance. Global customers use an array of open-source and commercial software security testing tools to conduct software security testing. A results viewer consolidates, normalizes and prioritizes weaknesses detected by disparate analysis tools into a central platform to ensure critical weaknesses are remediated. SWAMP also offers a library of almost 400 applications with known vulnerabilities, enabling tool developers to improve the effectiveness of their own testing tools to advance cybersecurity, protect critical infrastructures, and improve software resiliency by integrating security into the software development lifecycle (SDLC).

Texas CISO Council
Texas CISO Council – Security Program Essentials
Executive Sponsor: Brian Engle, Chief Information Security Officer, State of Texas
Project Team: Philip Beyer, Joel Scambray, Joe Krull, Mario Chiock, Mary Dickerson, John South, Brian Wrozek, Jack Key, Tim Youngblood, Parrish Gunnels, Jay McLaughlin, Shawn Irving, Cary Moore, Patsy Boozer and Dan Glass.
Location: Austin, TX

The Texas CISO Council seeks to create a comprehensive reference describing the core essentials of a modern information security program. There are six proposed focus areas which would constitute a Security Program Essentials framework. When ratified by members of the Texas CISO Council, this framework would be offered at no cost or obligation to any organization that seeks to build or improve their security program. The working group effort to advance this comprehensive reference will consist of products in Governance and Organization, Information Security Strategy, Information Security Framework, Security Risk Management, Metrics and Measures, Diagram and Illustration.

University of Connecticut
Comcast Center of Excellence for Computer Security Innovation & Center for Hardware Assurance, Security, and Engineering at the University of Connecticut
Executive Sponsor: Mark Tehranipoor, Professor, University of Connecticut
Project Team: Professors John Chandy, Laurent Michel and Jerry Shi.
Location: Storrs, CT

CSI research covers the following domains – Authentication, Hardware Security, Theft Prevention, Software Security, Anti-Tampering, Broadband Security, Supply Chain, and a layered approach to security in the age of the “Internet of Things”. The center’s research initiatives focus on addressing broadband security starting from the customer’s home to the infrastructure used for transporting data to the equipment on the service provider’s premises. The goal is a holistic approach to providing supply chain assurance of equipment from manufacturing to distribution to placement in customer homes. One of the main charters of CSI is to train and develop the next generation of security engineers through research opportunities, security contests/challenges and other relevant activities.

Financial Category

Global Security Awareness Campaign 2013
Executive Sponsor: Roland Cloutier, Chief Security Officer, ADP, Inc.
Project Team: Anthony Morton, Samantha Aldridge Taylor, Caroline Rouhier, Debbie Cieslick, Mike Minwell, Jim Carpenter, Colleen O’Neil, Carolyn Munoz, Prasad Bhallamudi and Joanna Huisman.
Location: Alpharetta, GA

ADP’s Global Security Awareness Campaign was designed to drive associate behavior and knowledge of ADP security policies, standards and practices. The theme of the campaign, “Security is Our Shared Responsibility,” was selected to reinforce the knowledge that every associate is charged with protecting the sensitive and confidential information of our 600K+ clients, their employees, ADP’s assets and associates. The awareness material was delivered via various information sessions, lunch & learns, town hall meetings, and informational videos. Events were coordinated globally and were launched jointly by ADP’s Chief Security Officer, Roland Cloutier, and Chief Financial Officer, Jan Siegmund.

Compliance Risk Management Program
Executive Sponsor: Roland Cloutier, CSO, ADP
Project Team: Xavier Macarrilla, Ian Sparrow, Digna Penha, Daniel Sanchez, Irina Lescure and Marc Aguilar.
Location: Roseland, NJ

The ADP Streamline business utilizes an international network of specialist payroll processing partners (subcontractors) providing services to multinational companies, with a sustained average revenue growth rate of 30% during the last 6 years and an increasing international presence, growing from 30+ countries in 2008 to 100+ countries in 2014. While ADP Streamline has the overall liability as primary contractor for the payroll service by coordinating the partner network, the ADP Streamline partners are responsible for the delivery of local services in more than 100 countries.

Processing payroll involves handling highly confidential and proprietary information. To ensure ADP’s security standards are met, ADP created the Compliance Risk Management program to provide assurances that:

  • Partners are compliant with Payroll Service standards as part of ADP obligations, according to the ISAE 3402 and SOX frameworks.
  • Information Security and Business Continuity controls have been applied, according to the ISO 27002 framework.

The Compliance Risk Management program is an ongoing project with a very well defined lifecycle. All ADP Streamline partners have to be assessed on-site at least once every 3 years, which means that at least 30 of them have to be audited on a yearly basis. Improvement and risk reduction are assessed continuously following a risk-based approach.

The Compliance Risk Management program is led by 4 experienced international auditors with strong backgrounds and knowledge in IT, Security, Compliance and Audit, and with proven experience in the “Big Four” audit firms and international banking institutions.

The Compliance Risk Management program is an ongoing program that was launched in 2009, initially focused on IT and Security, and enhanced in 2013 including Payroll Compliance and Business Governance controls. The effectiveness and success of this program is assessed on an annual basis, so the latest metrics cover the period July 2013 – June 2014.

An ounce of security response is worth a pound of prevention: Shifting the security paradigm
Executive Sponsor: Jay Leek, CISO, Blackstone
Project Team: Jay Leek, Adam Mattina, Mauricio Velazco and Padma Menon.
Location: New York, NY

In response to the constantly evolving threat landscape, Blackstone has overhauled its security program by upending the traditional security paradigm – prevent, detect and react – and embracing an information risk & security approach that balances prevention with enhanced visibility, intelligence and response. We’ve shifted the goal from “not getting hacked” to being able to identify a compromise and remove it from the environment before it creates any harm to the organization.

A tailored solution for access entitlements
Executive Sponsor: Jay Leek, CISO, Blackstone
Project Team: Jay Leek, Adam Mattina and Lena Licata.
Location: New York, NY

The objective of this project was to give business data owners and the security team real-time visibility into access provisioning of the firm’s most sensitive data. With the proper technology and process in place, our team was able to give comfort to businesses and external parties that the right people had the right access at the right time. Using a creative approach to log management and reporting, we improved the transparency of our business processes. Additionally, our team was able to meet audit and regulatory requirements without purchasing expensive software while materially improving the protection of our confidential information.

CitiNAC (Network Access Control)
Executive Sponsor: Dan Tigar, Managing Director, Citigroup Architecture and Technology Engineering (CATE) CitiSecure Platform
Project Team: John R. Miller, Bill Sztabnik, Carl Froggett, Dave Tirado, Brian Firlein, Patricia Davis, Howard Chang, Vincent D’Onofrio and Steve Chang.
Location: Melville, NY

The thrust of the CitiNAC (Network Access Control) project lay in the profound urgency to aggressively develop and deploy a proactive security solution that would: dynamically yield real time intelligence of all users, devices, systems and applications requesting access to or on Citi’s protected network; provide Enterprise-wide management and enforcement of security policies across Windows and non-Windows systems; block rogue and non-compliant devices; and assess endpoint compliance states allowing Citi to more efficiently remediate endpoint threats and violations. Citi now has one of the largest active global commercial deployments of Network Access Control (NAC) technology.

CNA’s Enterprise Risk Register – Enterprise Adoption
Executive Sponsor: Robert Allen, VP, Service Management & CISO, CNA
Project Team: Mark Verheven, Larry Lidz, Greg Allen, John Sternberg
Location: Chicago, IL

The adoption rate of CNA’s Enterprise Risk Register has reached a tipping point, and it is fully embraced by the Enterprise Risk Management group as the de facto risk repository and reporting tool for the company. The multi-tier risk register comprises a holistic risk management solution, directly tied to the new enterprise risk hierarchy, providing end-to-end risk information management from the detailed operational aspect to the balanced aggregate executive view. Each tier of the risk register offers the ability to fully evaluate risk components, substantiating the risk statements. The register is continuously active through ongoing evaluation of risk control effectiveness.

Dun and Bradstreet
Dun and Bradstreet Brand Protection Project
Executive Sponsor: Elliott Glazer, CSO, Dun and Bradstreet
Project Team: Elliott Glazer, Topher Newman, Rich Manz, Drew Beebe, Rasheed Chambers, Brian Ellis, Richard Sepcic, Kevin Flynn, Patrick Peterson, Agari Founder & CEO, and Michael Kiefer, Brand Protect.
Location: Short Hills, NJ

As with most major brands in the marketplace today, bad guys, cybercriminal “Phishers”, attempt to use commonly recognized brands to get victims to infect themselves with malware through malicious links or attachments sent by email. D&B was one of the brands so attacked. Starting in February 2013, Phishers started sending massive amounts of email across the globe to unsuspecting victims using the D&B brand with a malicious attachment. As the problem continued and increased, a solution was necessary to protect the brand. Implementation of critical email technologies such as SPF, DKIM and DMARC was identified as the way forward. The D&B global Security team initiated a project in May 2013 with the goal of reducing calls to the D&B Call Center by 50% through this implementation.

MIAX Options
Enterprise-wide Risk Dashboard and Alerting
Executive Sponsor: John Masserini, CSO, MIAX Options Exchange
Project Team: Philip Varughese and Chaz Pulmeri.
Location: Princeton, NJ

The goal of the Enterprise-wide Risk Dashboard and Alerting project was to deploy a best-of-breed solution that would be used by every single operations team to monitor, alert, and report on corporate-wide risks. The cutting-edge solution, based upon the correlation, aggregation, and risk scoring functions of IBM’s QRadar platform, provides custom, individualized dashboards to the entire Operations Center as well as concise, risk-centric dashboards and reports to executive management. Additionally, with the integration of our real-time threat intelligence feeds, we are able to proactively alert on known bad actors that are using new attack vectors which would otherwise go unnoticed.

Next Generation Identity & Access Management
Executive Sponsor: Jack Key, Chief Information Security Officer & Privacy Officer, USAA
Project Team: BJ Hicks, Patrick Landry, Bradley Machicek, Paul Manz, Brandon Esplin, Randy Jenschke, Carla Rosas, Rudy Castro, Charles Smith, Ruth Shropshire, Christina Marin, Sherry Rakowitz, David Allen, Tammy O’Neal, Diana Teneyuca, Tim Crawford, Elizabeth Williams, Estevan Perez, Gary Pullen, Jediah Logiodice, Jeff Lewis, Jeff Speer, Laura Moran, Letty Sifuentes, Lionel Franklin, Marcie Swonson, Maria Flack, Martin Palmer, Michael Morris, Michael Wood, Pamela Strzelczyk
Location: San Antonio, TX

The Next Generation Identity & Access Management (NexGen IAM) Program comprises more than 30 complex interdependent projects aimed at efficiently enabling USAA’s business while creating a world-class secure access management capability that meets the needs of USAA’s dynamic and growing business. The projects are developed and deployed by a dedicated, highly skilled IAM Information Security team (with integrated IT and Consultant support) in an agile infrastructure development lab. The program has delivered on time and on budget since 2011. NexGen IAM projects are delivering exceptional security and business results aligned with the goals of the effort and the mission of the company.

Health Care Category

Aetna Trusted eMail Program
Executive Sponsor: Jim Routh, CISO, Aetna
Project Team: Jim Routh, David Corris, Lee Rodriguez, Peter Haines and Tim Tompkins.
Location: Hartford, CT

The Aetna Trusted eMail Program was designed to protect Aetna’s customers from malicious email purporting to be from Aetna, to significantly improve customers’ email experience and Aetna’s marketing effectiveness, and to prevent Aetna’s brands from being abused in fraudulent email messages. Since the project rollout began, Aetna has blocked more than 10 million malicious emails from being sent to Aetna customers, dramatically reducing the amount of phishing and malware incidents.

Software Security Program Implementation
Executive Sponsor: Jim Routh, CISO, Aetna
Project Team: Tim Tompkins, Brian Heemsoth, Jay Marehalli, Mark Willis, Sara Dunnack and Derek Swift.
Location: Hartford, CT

Aetna’s Software Security Program integrates security controls into the enterprise’s software delivery methodologies to improve developer productivity in producing resilient software while also fundamentally reducing security risk in Aetna’s software assets. During the first year of a three-year plan, the Software Security Group (SSG) successfully implemented an enterprise-wide training and security champion program, integrated new processes, technology, and services to scale risk-based preventative controls across Aetna’s entire software portfolio, and implemented practical techniques to enable effective governance through reporting of key performance indicators. The success of the program positions Aetna as a software security leader in the health care industry.

BCBS Michigan
Insider Threat/B-Secure
Executive Sponsor: Tonya Byers, Director II, Information Security, BCBS Michigan
Project Team: Tonya Byers, Angela Williams, Damon Stokes and Danielle Majors.
Location: Detroit, MI

The B-Secure program involves the information security team performing a walkthrough security assessment to gauge the current security posture of our environment. The results of the security assessment are rated and distributed in a formalized report to leadership, and metrics are captured by the information security team. In addition, the B-Secure program aids our information security team in identifying areas of improvement to continuously educate the workforce on security awareness practices and insider threat concepts. After an assessment has been performed, the appropriate areas participate in security awareness remediation training to improve workforce security awareness and the assessment rating.

BCBS Michigan
Vendor Risk Management (VRM) Program
Executive Sponsor: Tonya Byers, Director II, Information Security, BCBS Michigan
Project Team: Tonya Byers, Damon Stokes, Cecilia Burger, Shannon Robinson, Joe Dylewski and John Becker.
Location: Detroit, MI

The Vendor Risk Management program’s standardized assessment process gauges each vendor’s capability to deliver services while adhering to HIPAA/HITECH requirements and information security industry standards, which provides a view into all BCBSM/BCN information wherever it may be processed, transmitted or reside.

  • Identify risks of new/existing vendors who connect to BCBSM/BCN infrastructure, access BCBSM/BCN data, or develop or maintain BCBSM/BCN’s software
  • Track remediation plans
  • Execute on-site visits or desktop assessments, based on detailed questionnaires, to ensure security measures are implemented
  • Monitor and reassess vendors per contractual agreement
  • Risk-based approach to vendor risk ranking and scorecard (part of HITRUST Certification)

Cigna HealthSpring
Enterprise HR System Consolidation and Controls Integration Project
Executive Sponsor: Kyle Duke, CISO, Cigna-HealthSpring
Project Team: Anthony Mannarino, Chris Fuller, Michael Parrish, Chris Kornmann
Location: Nashville, TN

This project was intended to bridge the control and process gaps in the SOX landscape for Cigna and Cigna-HealthSpring and ensure that all Cigna-HealthSpring resources would be able to access Cigna HR resources.

Enterprise SIEM: Locally Hosted Security Information & Event Management & Co-Managed Security Services
Executive Sponsor: Scott Pettigrew, VP, Chief Security Officer, HMS
Project Team: Scot Miller, Joe Mobisa
Location: Irving, TX

The HMS SIEM and managed services project is centered on a need to meet the strict compliance requirements of HMS customers. With constantly evolving threats, the project needed to be started quickly and efficiently. After completing an RFP that included Verizon, Secureworks, Solutionary, Symantec, McAfee, and Q1Labs, HMS decided on the QRadar SIEM for its ease of use and compatibility with the company’s current infrastructure. As part of the project, HMS determined that a co-managed, locally hosted solution would be the best support model for the organization. HMS chose Accuvant as its managed services provider. Through Accuvant’s services, HMS was able to offload the 24x7 monitoring responsibility and refocus its internal resources on security management as opposed to product administration.

eDiscovery Automation
Executive Sponsor: James Carpenter, CSO, Parkland Health & Hospital System
Project Team: Shibu Thomas, David Schorpp, Brenda Hight, Carolyn Foster, James Carpenter, Mary Beth Langston, John Zapata, Sampath Gorantla, Shelby Angel and Mari Martinez.
Location: Dallas, TX

Automation of eDiscovery across the HR system, the Identity Management System, Active Directory, and the IT ticketing system to ensure litigation holds for data and assets are logged, accurate, and performed in a timely manner.

Quest Diagnostics
Data Loss Prevention (DLP)
Executive Sponsor: Vito Sardanopoli, Director of IT Security Technical Services, Quest Diagnostics
Project Team: Mark Douches, Dino Scrivanich, Krishna Meruga, Richard Menta and Al Matahen.
Location: Lyndhurst, NJ

We realized something significant when Quest Diagnostics launched a DLP initiative to protect confidential data as it flows within and out of the organization. As we examined data in motion, in use, and at rest, it became apparent that employees are active participants in the DLP process. We also realized that automated DLP notifications offered the core of a targeted awareness campaign, built right in and waiting for more compelling content than “warning, you violated policy”. So we turned the notifications into a teaching tool that went out specifically to those staff who triggered a DLP event. The end result is that our staff became more sensitive to the handling of data in electronic form, which manifested as a change in the behaviors that exposed our data in the first place.

Pillars of Security Program
Executive Sponsor: Robert Rice, Director, Security Services, St. Joseph Health
Team Members: Robert Rice, Bobbie Tinkler, Chris Martin, Louis Tillis, Roberto Perez, Alek Boyarov, Dan King, Jayanth Panuganti, Michel Isenberg, Shawn Kelly, Victor Allen and Marshall Gibson.
Location: Anaheim, CA

The Pillars of Security program was initiated to establish a model to assess, track and monitor all security risks and initiatives empirically, and to allow St. Joseph Health (SJH) to be confident that we are focused on the right things at the right times and can add and align new security risks and initiatives with the proper emphasis and investment. At its core, Pillars of Security is an Enterprise Risk Management (ERM) model, but it expands upon the basic ERM model by incorporating a holistic framework, with a strict emphasis on empirically supported statements. This allows SJH leadership to have very specific and targeted discussions regarding risk and impact, with defensible data to support key decisions.