ISE® North America Project Award Nominees 2016

Commercial Category

The SATraining Program
Executive Sponsor: David Rooker, Chief Security Officer
Project Team: Rob Walsh, Caesar Candelaria, David Wood, Rosemary Ramon and Wesley Wilson
Location: Seneca, SC

Security awareness training programs have traditionally been little more than yearly training to check off a requirement for compliance. These programs change very little in protecting individuals or the company and do not improve the protection of the organization’s intellectual property. Actian Corporation’s SATraining program establishes a detailed security awareness strategy across the enterprise globally. Emphasizing how security begins at home, the program stresses training the team on how to protect their family, friends & significant others’ computers and information, creating a “culture change” in the home first.

AT&T Identity and Access Management Platform
Executive Sponsor: Bill O’Hern, CSO, AT&T
Project Team: David Hulsey, Johannes Jaskolski, and Pete Galanis
Location: Dallas, Texas

AT&T security experts have built a proprietary technology that helps simplify and secure the authentication process. It is smartphone-centric, allowing one’s device to function as a key to gain access to both digital content and physical building access, instead of IDs, passwords, and badges. This technology can authenticate a user based on their location, their network, or even their physical characteristics, like fingerprints. These capabilities minimize both the work a user has to do to authenticate and the possible risk of an attacker being able to mimic an approved user to gain access to proprietary information.

best western
Best Western Business Transformation Project
Executive Sponsor: Harold Dibler, Managing Director, Business Technology, Best Western Hotels and Resorts
Project Team: Denise Tedeschi, Director, and Boyan Vassilev,Senior Manager
Location: Phoenix, Arizona

Best Western Hotels & Resorts (BW) upgraded its identity and access management capabilities from a home-grown account management system and an outdated SSO implementation to an industry leading Identity Management Suite and SSO/Web Access Management solution. Creating accounts is now streamlined and our members are getting the correct access right away which means they can run their operations without needing any account help from our IT department. BW put in place an industry-leading multi-factor authentication solution to protect one of its most important applications. BW can now able to see patterns in users' behaviors and tailor security policies around them in order to make it easier for its loyalty members to gain access to its services and be better protected at the same time.

Comcast Assets at Risk Program
Executive Sponsor: Myrna Soto, SVP, GCISO, Comcast
Project Team: Myrna Soto, SVP, GCISO, Ramesh Sepehrrad, VP, Charles R. Hudson, Executive Director, Kallol Ray, Director, Joseph Gallagher, Director
Location: Philadelphia, PA

Comcast’s Assets at Risk Program, powered by Bay Dynamics’ Risk Fabric Cyber Risk Analytics platform, is an innovative risk based asset-centric program that protects high-value assets (data, systems, and applications) from threats and vulnerabilities. The program enables Comcast to measure, communicate and reduce cyber risk. It engages Line-of-Business application owners in an innovative way to provide asset value and business context which is used for prioritized investigation and remediation. By involving the right users, understanding the assets at risk, and focusing on the metrics that matter, the program decentralizes risk from the security organization and effectively communicates cyber risk to key stakeholders.

PCI “Connected Systems” Project
Executive Sponsor: Ramesh Sepehrrad, VP of Cybersecurity Governance, Risk and Compliance, Comcast
Project Team: Ramesh Sepehrrad, VP of Cybersecurity Governance, Risk and Compliance, Tim Sheehan, Sr. Manager, Technical Regulatory GRC, Mark Ruiz, Executive Director, Cybersecurity Governance, Risk & Compliance, Leon Li, Executive Director, Cyber Security Engineering & Operations, and Kallol Ray, Director, Cybersecurity Governance, Risk and Compliance
Location: Philadelphia, PA

Payment Card Industry’s Data Security Standard (PCI DSS) now states, the security requirements apply to all system components included in or “connected to” the Cardholder Data Environment (CDE). Traditional approaches to solve this new requirement involve complex network projects to segment “connected systems”. Instead, Comcast reduced the complexity and costs of meeting the requirement by engaging PWC to create policies with Symantec Data Center Security (DCS). Comcast had previously deployed DCS for File Integrity Monitoring and system hardening. The team was able to extend DCS host based capabilities to reduce the scope to only CDE systems, and meet the PCI requirement.

cox automotive
Rugged DevOps
Executive Sponsor: John Sewall, Senior Manager Information Technology
Project Team: John Sewall, CAI, Manager Security Engineering, Scott Thole, CAI, Senior Security Engineer, Joe Aranbayev, CAI, Senior Security Engineer, Raj Rajagopalan, CAI, Quality Assurance Architect, Todd Bussey, Kelley Blue Book, Manager Production Engineering, Todd Grotenhuis, NextGear Capital, Senior Security Engineer, Brian Popiliski, VinSolutions, Director Production Engineering, Darren Ayre, CAI United Kingdom, Security Manager, David Hearns,, Director of Development, Scott Andrews, Australia, Director of Production Engineering
Location: Atlanta, GA

Cox Automotive implemented a comprehensive application security program, integrating cloud-based static application security testing and in-house dynamic application security testing with its agile software development lifecycle (SDLC). As a result, Cox Automotive reduced application security vulnerabilities by 20% in the first year while cutting the amount of application rework by 60% to accelerate more secure solutions into production. This also enabled the company to strengthen its competitive advantage and lower costs.

Informatica Cloud Hosting Service (ICHS)
Executive Sponsor: Mohan Sankaran, VP of Product R&D, Informatica
Team Members: Ravi Murugan, Director, Cloud Ops, Scott Webber, Sr Manager, Cloud Hosting, Joel Mauldin, Sr Cloud Infrastructure Engineer, Ken Thomas, Solutions Architect, Lukasz Durlak, Lead Unix Systems Engineer, Ajit Varahala, Principal Cloud Operations Engineer, Sanjath, Shringeri, Member of Technical Staff, Sarav Jagadeesan, Principal Cloud Operations Engineer, Cody Mercer, Information Security Engineer, Howard Lu, Information Security Engineer
Location: Redwood City, CA

ICHS has been developed as a singularly managed cloud platform to support Informatica in their mission to expand service offerings of best-in-class data management software to a public cloud and PaaS model. Through singular management, they have been able to keep cost to a minimum and maximize the functional releases to customers leveraging products hosted on ICHS. A single platform enables consistent enforcement of security and compliance policies and allows customers to expand their use of Informatica cloud solutions with minimal effort or consideration.

Security Program Transition to Address Cloud First IT Strategy
Executive Sponsor: Joseph DiBiase, Director Global Information Security
Project Team: Tom Farmer – Security Manager, Mark Hall - Security Engineer , Scott Stanfield – Security Administrator, Adrian Apps –Security Engineer, and Edwin Goes – Security Engineer
Location: Atlanta, GA

Interface IT has adopted a Cloud First strategy. This required a transition in how the security team thinks about the cloud and then a development of a security strategy to address “Cloud First.” The goals of the project are to sufficiently protect Interface’s information assets and systems and do this in the most efficient way possible.

NCR Enterprise GRC
Executive Sponsor: Bob Varnadoe, CISO
Project Team: Alok Kumar, Security Architect; Ken Duong, Developer; and Garima Vashishtha and Reema Raheja, Risk & Compliance.
Location: Duluth, GA

Managing IT risk at NCR, a software and technology centric company, was quite a challenging effort as IT risk is managed throughout the enterprise without a means of centralized oversight. NCR’s CISO Bob Varnadoe established an initiative to centralize Risk Management and replace the old system based on manual processes. A selection committee chose the GRC module within ServiceNow. The ServiceNow GRC tool allowed for the replacement of manual efforts prone to error with repeatable processes leveraging efficiencies. Security functions managed by GRC include: Risk Application Inventory, Application Risk Review, Risk Acceptance, Risk Registry, Asset Management, Vendor Risk Management and Controls Mapping.

Analyzing and Responding to Web Threats
Executive Sponsor: Jason Abraham, Associate Director, Verizon
Project Team: Vinod Iyer
Location: Lowell, Massachusetts

Verizon uses various tools to monitor and mitigate malicious use of its web properties. Web security events from various sources, including WAF and WTD tools, are gathered into central Splunk system and data science is applied to them. The result is actionable threat intelligence, which is then pumped back into the security infrastructure (web and network firewalls) in an automated manner (via APIs) to further mitigate the threats.

Academic/Public Sector Category

Columbia University
Perimeterless Network Security
Executive Sponsor: Medha Bhalodkar, Chief Information Security Officer & AVP, Columbia University
Project Team: Chuck Eigen, Security Program Director, Alan Eiland, AVP, Portfolio Management Office, Joel Rosenblatt, Sr. Director Network Security, Anthony Johnson, Director, Infrastructure Engineering, Joseph Rini, Sr. Director, Infrastructure & Network Support Services, Frank O'Donnell, Mgr, Systems Administration, Aziz Usmani, Sr. Systems Engineer, Martin Wren, Sr. Security Systems Developer, James Bossio, AVP, Infrastructure Services, Alan Crosswell, AVP, Chief Technical Officer
Location: New York City, NY

Our “Perimeter less Network Security project” provides the University Network Infrastructure with Enterprise Zone architecture with Micro-Domain segmentation. This project achieved our prime goal of providing information security where needed, at the same time support the basic mission of the University of sharing of information in an open network to promote exchange of ideas and research. Columbia University is a blend of Corporate and ISP elements that as such, requires a security structure that covers these requirements. We also have strict security requirements for protecting our intellectual property and also applications such as payroll, human resources, financial and student records. Our goal in implementing this project was to improve our security posture by leveraging implementation of CUIT’s Converged Infrastructure project, while it was being designed, developed, and deployed, and support university mission to allow free exchange of information.

University of Mass
Massachusetts Advanced Secure Technologies (MAST) Cybersecurity Services
Executive Sponsor: Lawrence Wilson, Chief Information Security Officer, University of Massachusetts President’s Office
Project Team: Keith Moran – Chief Technology Officer UMass President’s Office, Larry Wilson – Chief Information Security Officer UMass President’s Office, Gene Kingsley – Security Operations Lead UMass President’s Office, Dan Galvin – Senior Security Analyst UMass President’s Office, Dave Snigier – Security Architect UMass President’s Office, Fran Brian – Senior Business Engagement Analyst UMass President’s Office, Xinwen Fu – Associate Professor UMass Lowell, Larry Wilson – Adjunct Professor UMass Lowell, Nicholas Galang – UMass Student Intern UMass President’s Office, Joseph Newton – UMass Student Intern UMass President’s Office, Artem Holyshevskyi – UMass Student Intern UMass President’s Office
Location: Shrewsbury, Massachusetts

MAST Cybersecurity Services is a new initiative for the University of Massachusetts (UMass). The initiative started in May 2015, when the UMass CISO was approached by The Boston Consortium with a request to provide Cybersecurity Services to under-resourced academic institutions in New England. Key representatives of the UMass President’s Office met with the management team from The Boston Consortium to discuss how UMass could assist consortium members with the design, implementation and operations of their cybersecurity programs. After a detailed discussion and review of the key UMass capabilities, a pilot program was initiated. The pilot program has since expanded to a fully managed offering under MAST Cybersecurity Services.

Financial Services Category

Global End-user Micro-Virtualization
Executive Sponsor: Roland Cloutier, Staff Vice President, Chief Security Officer, ADP
Project Team: V.Jay LaRosa, Vice President, Global Security Architecture, Dustin VanWinkle, Director, Global Security Architecture, Toby Cruz, Senior Project Manager, Robert Novak, Design Engineer III, Emmanuel Maroulis, Senior Service Manager, Dennis Baluh, Tech & Apps Mgmt Spec. III, Phil Debruno, Tech & Apps Mgmt Spec. III, Debbie Schwagler-Kuhn, Tech. & Apps Mgmt Spec. Lead, Brian M Davis, Tech. & Apps Mgmt Spec. Lead, Aman Afroz, Bromium Solutions Architect
Location: Roseland, NJ

ADP endpoints are now being protected by a micro-virtualization technology that is designed to prevent attackers from compromising endpoints and stealing client data or funds through the industries’ number one vector of compromise―phishing and drive-by attacks. The technology involves the instantiation of a virtualized micro computer technology that creates a “separate image” each time for untrusted operations (like surfing a web page or getting an email). All functions and validations happen in this “zone”, and are never allowed to communicate directly to the kernel. Once the session is done, the virtual session is “flushed,” as well as all malicious code.

Global Enterprise Behavioral Profiling
Executive Sponsor: Roland Cloutier, Staff Vice President, Chief Security Officer, ADP
Project Team: V.Jay LaRosa, Vice President, Global Security Architecture, Dustin VanWinkle, Director Security Architecture, Daniel Reznick, Lead Consultant Architect, Daniel Sherry, Senior Security Analyst, James Carter, Senior Security Engineer, Craig Butler, Lead Security Analyst, Christophe Gerard, Lead CIRC Analyst, Brian Wippich, Senior Director, Security Engineering and Operations, Chris Olsen, Vice President, Global Technical Security Services, Josh Sowers, VP Threat & Incident Management
Location: Roseland, NJ

Current tools provide alerts for known bad “events”, but do not consider historical behavior. It is difficult to detect targeted threat actors without taking into account historical behavior through automated mechanisms. In order to solve for this, ADP developed an advanced approach to gain deeper insight into the long-term behavior of associate’s user accounts, systems used, and “act as” functionality of users by implementing a global user behavioral analysis technology.

Enterprise Immune System
Executive Sponsor: Neil Singer, CIO, Billtrust
Project Team: Laura Whitt-Winyard (Win Yard), Director – Information Security; Craig Woodley, Security Engineer
Location: Hamilton, NJ

The Enterprise Immune System project is an intelligence-led behavioral cyber defense solution that uses new machine learning techniques based on biological principles of the human immune systems and Bayesian mathematical probability theory. It is designed to operate on any network data without any pre-configuration or specific data types resulting in a unique behavioral model that defines the pattern of life for each device, user and the network as a whole. Billtrust is now able to detect, classify and investigate, in real-time, the subtlest of cyber-threats without any rules or signatures.

Clarient Entity Hub 1.0
Executive Sponsor: Stephen Scharf, Corporate Security Officer, DTCC
Project Team: Natalia Kory, Chief Technology Officer, Ajoy Kumar, BISO, David Frankauski, Executive Director, Donald Barlow-Kearsley, Director, Andrew Moore, , Technology Risk Analyst, Gu Quianjun, Executive Director, Jaime Rodriguez, Technology Risk Analyst, Andrew DeMann, Project Manager
Location: Jersey City, New Jersey

Clarient Entity Hub is a secure, centralized entity data and document utility that addresses global financial market participants’ needs for greater control, transparency, and cost reduction in response to evolving risk management and regulatory requirements. Clarient Entity Hub collects, maintains and allows for the sharing of legal entity information with counterparties, through one centralized interface. This integrated, global entity data management platform permits granular access controls, fosters standardization and ensures accuracy and data privacy for client data and documents required throughout the client life cycle. The Clarient Entity Hub also streamlines interactions between market participants and their clients, and allows critical data to become digitized and dynamic.

Executive Sponsor: Phil Agcaoili, SVP
Project Team: Tom Phillips, Jason Witty, Michelle Stewart, Mark Gelhardt, James Edgar, Brent Comstock, Shane Cruze, Osiris Martinez, Clint Garrison, Michael Varno, Doug Dement, Andrew Kalat, Rodney Strader, and Shelbi Rombout.
Location: Atlanta, GA

SecurityON is a multi-year endeavor and consists of multiple projects to establish world class security, transform corporate culture to the culture of security, and to leverage a rich startup culture with the financial backing of the 4th largest bank in the United States. Borrowing from Elavon’s 2014 branding, BusinessON, and sharing the word “ON” from ElavON, the name SecurityON was chosen to inspire the organization towards a common shared vision to be world class.

Enterprise Vulnerability Management Program
Executive Sponsor: Jenna Gallagher, Senior Manager: Vulnerability Manager and Operational Assurance, PayPal
Location: Phoenix, AZ

Supporting the high-profile $50B eBay and PayPal split necessitated creating a fully self-contained infrastructure. To ensure worldwide data integrity and a secure environment, a decision was taken to implement a comprehensive vulnerability management process to minimize risk for the organization both during and after the transition. Blending technology and business considerations, the project culminated in the creation of a set of tiered remediation processes, full governance protocols, compensating controls, and SLAs. Deployed across a 130,000+ IP address infrastructure that was still being built, the project was completed on time despite executives slicing the time allocated to the phase by 70%.

Vendor Governance & Oversight Program
Executive Sponsor: Rini Fredette, SVP & Enterprise Risk Officer
Project Team: Rini Fredette- SVP & Enterprise Risk Officer, Joy Anderson- VP Vendor Relations & Governance, Jackie Keenan- Sr. Specialist Vendor Strategy, Cathy Pandrock- Specialist Vendor Relations, Cheryl Lawrence- Specialist Vendor Relations , Jean Graham- VP Internal Controls & Compliance, Lori Lucas- Manager, Information Security, David Duncan- Principal Accounting Policy & Controls, Steve Salzer- SVP Corporate Counsel, Jim Krems- Program Manager Vendor Audit, Greg Clark- Principal Enterprise Risk Management, and James Green - Business Continuity Program Manager.
Location: St. Petersburg, FL

In the world we live in today, we are seeing more and more data breaches at the hands of third party providers. Due to the increase in third party provider risk, PSCU undertook a project to overhaul vendor governance and oversight. The initiative included formalizing PSCU’s third party onboarding process and elevated the criteria of our potential partners. In addition, the project team re-engineered the third party provider risk scorecard. Finally, the capstone of the project was the development and execution of an ongoing oversight program to include executive level reporting and dashboards.

Identity and Access Governance Establishment
Executive Sponsor: Steve Jensen, CISO, Scottrade
Project Team: Jennifer Segura – AVP Identity and Access (IAG) Governance, Jason Mayer – Privileged Access Management (PAM) Supervisor, Brittany Pipes – IAG Supervisor, Jason Ragan – Sr. PAM Analyst, Brajesh Moni – Sr. PAM Analyst, Lucinda Cook – PAM Analyst L3, Angela Wheeler – IAG Analyst L3 , Stephany Crocker –IAG Analyst L3, Kolby Tackett – Enterprise Applications Analyst, James Hill – Sr. IAM Analyst, Kevin Zhou – Sr. Enterprise Applications Developer, Lynn Nienkemper – Sr. Enterprise Applications Analyst, Debbie Denny – Sr. Business Systems Analyst, Marlissa Brawner – QA Engineer, Greg Teakert – Sr. Application Support Engineer, Ryan Drafall – Sr. Windows Support Engineer and Joey Ringuette – Windows Support Analyst
Location: St. Louis, Missouri

Scottrade built from the ground up a comprehensive Identity and Access Governance program to proactively address internal threats. This consisted of a series of implementations to establish an identity warehouse, develop a centralized lifecycle management function, define toxic combinations of access and perform multiple cycles of access certifications for more than 115 applications. Additionally, we installed a solution for privileged/shared account management. This included comprehensively discovering and managing privileged accounts including the network, server, endpoint, application and database levels. This allowed us to enforce policies for usage, record and monitor account activities and react to potential threats.

NIST Cybersecurity Framework Implementation
Executive Sponsor: Steve Jensen, CISO, Scottrade
Project Team: Jennifer Segura – AVP Identity and Access (IAG) Governance, Gina Stucke – Information Security Manager, Paul Nickelson – AVP, Threat and Vulnerability Management, Bhavana Lahoti – IT Risk Governance Manager, and Lara Knebel – Business Continuity Manager
Location: St. Louis, Missouri

In March 2015, Scottrade hired its first CISO. Upon joining the firm, his first initiative was to structure the cybersecurity program to be based on the NIST Cybersecurity Framework. As these efforts were ongoing, we were informed of a data breach which had occurred in 2013/2014. In response, we resolved some immediate vulnerabilities and continued implementing planned enhancements based on NIST guidance. Controls included APT, DLP (all egress points), Data Tamper, IAG establishment, establishment of a comprehensive cyber-breach response plan, comprehensive metric analysis, updated program documentation, and a revamped IS policy.

DR Next Project
Project Team: Mike Cook – Delivery Manager, Mary Simpkins – Project Manager, Mike Patel – BCRS Program Manager, and Richard McClure – BCDR Program Manager
Location: Atlanta, GA

DR Next supports a 5 year Business Continuity Program (BCP) Renovation roadmap addressing key deficiencies in response to a 2011 Federal MRA. The program was renovated to effectively comply with required supervisory guidance and provide assurance of essential recovery capabilities. It also heightens the recovery preparedness and operational excellence through broader testing, infrastructure flexibility, and administration optimization. DR Next key elements, including end-to-end transactional testing capabilities, consolidation of standards, application level recovery, and extended accessibility to DR environments were delivered. The bank’s overall risk management posture significantly improved resulting in closure of the 2011 MRA following an August 2015 Federal ECM audit.

U.S. Bank Enterprise Tokenization Integration Project
Executive Sponsor: Jason Witty, CISO, U.S. Bancorp
Project Team: Michelle Guckeen, Project Manager, Thoralf Symreng, Manager Information Security Risk & Compliance, Carol Stennett, Information Security, Risk & Compliance Location: Naperville, IL

The goal of the Tokenization Project was to reduce the amount of sensitive cardholder data stored in U.S. Bank’s network, using tokenization technology that replaces the primary account number (PAN) with a surrogate value--the “token.” This was a highly complex development project that required mapping of data-flows between applications, partnership with multiple CIOs who had to change applications in specifically orchestrated sequences, and business process re-engineering to remove or reduce use-cases where business processes were formerly using real data that required significant protective controls around it. The result was a dramatic reduction in data that required protection.

Health Care Category

Assessment Security Knowledgebase (ASK)
Executive Sponsor: Jim Routh,Chief Security Officer, VP of Global Security, Aetna
Project Team: Mignona Cote – SR Director, Information Security, Jeannette Rosario, Director, Information Security, Jimmy Doctor, Manager, Information Security. James Ciampo , Information Security Engineer, and Glenda Lopez, SR Information Security Analyst
Location: Hartford, Connecticut

Aetna provides over 1,000 control responses weekly to regulators, auditors and customers. Constant hacks with increased media attention stimulate angst among stakeholders expecting protected health records. Over the past three years, Aetna has seen an 85% increase in security audit requests with each asking the same questions. To keep pace with the increase in requests, Aetna created the Assessment Security Knowledgebase (ASK). ASK is based on two critical parts: the Security Portal, an internet accessible portal presenting Aetna’s security capabilities, and the Audit Locker, an automated internal tool for auditors to validate security controls.

Aetna Skycure Implementation
Executive Sponsor: Brian Heemsoth, Director; Software & Mobile Security, Aetna
Project Team: Derek Swift; Senior Security Engineer
Location: Hartford, Connecticut

Enterprises are under increasing pressure from their employees to allow access to greater amounts of enterprise resources and systems from mobile devices in an effort to improve productivity and foster collaboration. Thus, the market has responded by developing numerous technologies designed to “mobile-ize” enterprise resources. However, at the same time mobile malware and threats to the integrity of mobile devices and networks are increasing at alarming rates. Recognizing this risk, Aetna embarked on an ambitious plan to appropriately manage this significant risk across it’s BYOD and corporate device portfolio by deploying the Skycure Mobile IDS to 9,158 BYOD & Corporate owned devices in 4 months.

Inbound Email Protection
Executive Sponsor: Jim Routh, CSO, Aetna
Project Team: Susan Koski, Chief Data Protection Officer, Dave Crawford, Architect Advisor, Dave Corris, Engineer Advisor, Sean Kallaugher, Information Security Advisor, Peter Haines and Leesandro Rodriguez
Location: Hartford, Connecticut

Aetna created a breadth of solutions to greatly reduce inbound malicious email. At Aetna, we drove successive prevention layers that instituted efficiency and efficacy measures for each layer of control. As an example of success, Aetna’s own phishing campaign was thwarted by these solutions. Most companies rely on a standard solution (mail gateway to detect SPAM and malware. The second layer of control performed deeper inspection for suspicious links (URLs) or malicious attachments and blocked them. The third layer of control established policies to reject emails from invalid sending sources using DMARC (Domain-based Message Reporting and Conformance). The fourth layer of control blocked messages from newly observed domains. And, the fifth layer is in monitoring mode and providing deep analysis of the messages with trust scores that are continuously reviewed to establish future policy for blocking.

change healthcare
TITAN - Threat Intelligence Tactical Analysis Network
Executive Sponsor: Haddon Bennett, CISO
Project Team: Jason Jones – VP Cyber Threat and Response, John Fellers – Cyber Threat Hunter, Robert Landry - InfoSec Engineer, Russ Lieneman- InfoSec Engineer, and Craig Ray- InfoSec Analyst
Location: Nashville, TN

Change Healthcare’s TITAN is a threat intelligence and analysis network which enables pro-active, threat-based defense, threat analysis, identification, and tracking. TITAN pulls threat intelligence from a variety of sources, stores incident data in a centralized repository, and enables research and analysis to help determine if seemingly isolated incidents are components of advanced persistent threats. When new threats are identified, TITAN disseminates this information to Change Healthcare’s internal security tools automatically. TITAN provides the context between threat intelligence and security incidents identified and logged to our SIEM. TITAN publishes threats identified internally to NH-ISAC, thus helping other member organizations consume targeted threat intelligence.

Physical Access, Surveillance, and Access Governance Program
Executive Sponsor: George Macrelli, Sr. Director, Security Assurance, HMS
Project Team: Kyra Hawkins, Kevin Shamlin
Location: Irving, Texas

This program was the designed, development, and integrated for the Management and surveillance of physical access to our Data Centers, and 26 Business offices. It entailed the migration from an antiquated electronic access control system to a more robust system that would bring together, Video, Burglar Alarm, Access monitoring, Access Control, Emergency Control, and Access Governance across the entire HMS Business Enterprise.

Building Security Risk Management with HITRUST CSF
Executive Sponsor: George Macrelli, Sr. Director, Security Assurance, HMS
Project Team: Daryl Hykel, Sean Miller
Location: Irving, Texas

HMS Security has established a Security Risk Management Program using the HITRUST Common Security Framework. The initiative included the design and development of a Security Risk Management & Assurance Program that sits on the HITRUST CSF, and is mapped to our Policies, Controls Standards, and Procedures. We use the HITRUST Control catalog to assess, monitor, remediate, and report risk to our Executive and Board members. The program was developed using the RSA Archer Tool, which supports our, Policy, Vendor, Business Continuity, T&V, and Audit, Compliance, and Issues Management programs.

lake health
Total Activity Visibility Enhancement (TAVE)
Executive Sponsor: Keith Deumling, Information Security Officer
Project Team: Jerry Peters, Chief Information Officer & VP of Information Technology, Joyce Taylor, Chief Privacy Officer , Christopher Kaija, Information Security Analyst, David Adams, Manager of Programming Systems, and Sherri Adams, Network Engineer
Location: Concord, OH

TAVE has transformed information security for Lake Health by providing a holistic view of activity across all entry and exit points in its infrastructure, including physical context of where user actions are occurring. TAVE was initiated after several incidents revealed the need to detect activity from multiple data systems collectively rather than individually. TAVE now allows Lake Health to convert large amounts of raw data into actionable information, enabling the security team to identify threats in real time and determine the exact point of infiltration. This allows threats to be effectively contained and controlled without impacting patient services.

Capture the Flag Hacker Challenge
Executive Sponsor: Vito Sardanopoli, Director of Cybersecurity Services and Governance, Quest Diagnostics
Project Team: Richard Menta –IT Security Communications and Training Manager, John Bennett – Manager of Application Security and Vulnerability Management, and Kyle Moyer - Application Security and Vulnerability Management
Location: Lyndhurst, New Jersey

In the past when we sat developers in a room for two days and trained them on secure coding techniques we found that improvement was modest. Not all of the developers used what was taught them and those that did slipped into old habits soon enough. We needed a creative, novel approach to engage developers to get them to both retain and continually use the techniques taught them. The solution was a Capture the Flag (CTF) event with a little something added. Many people like to play armchair quarterback and real quarterbacks get competitive live in front of a big crowd. Leveraging this fact we orchestrated a two-week Capture the Flag Challenge, where contestants try to break into a simulated web site under an added Super Bowl-like atmosphere. Each day, 835 IT staff received a sports update of scores and humorous “expert” analysis cheering on 63 developers competing for glory. Turning the competition into a water cooler event spurred the contestants, who reacted to the spotlight by pushing even harder for that extra edge. When you find out that the search for that extra edge drove 9 out of 10 of contestants to do additional outside research you know something is working.