ISE® North America Project Award Nominees 2018

Academic/Public Sector Category

Rebuilding Identity Access Management for the 21st Century
Executive Sponsor: Medha Bhalodkar, CISO
Project Team: Chuck Eigen (IT Security & IAM Program Director), Chris Dowden (Director, IAM Management), R. Andrew Johnston (Mgr. IAM Technical Team), Jeff Eldredge (Mgr. IAM Lenel & Functional Team), Neil Meyer (Functional team & BA), Dan Ellentuck (Developer), August Visco (Developer), Ben Beecher (Developer), Mohammed Rahman (Developer), Mike Morales (Lenel Systems Lead), Steve Cramer (Lenel Systems Lead), Charlie Wu (Enterprise Active Directory Engineering), Marly Miller (Business Analyst), Phil Blake (Mgr, Client Device Engineering), Niles Patel (Mgr, Email Systems), Dan DeStefano (Email Systems Lead)
Location: New York, NY

At Columbia University, with history of 264 years, IAM had evolved as needed. IAM included Open LDAP, 880,000 users in Kerberos for authentication, 28 Active Directories at schools, and Lenel physical access system across campus, all operating in silos making it difficult to ensure secure, synchronized IAM across Columbia. In the last 18 months, in this project, we built secured Enterprise Active Directory (EAD) consolidating individual ADs with unified authentication, added MFA, implemented web applications SSO, provided group management, supported Shibboleth (SAML) for industry SSO, linked IAM to physical access management system Lenel, and achieved InCommon “SIRTFI” ID flag status.

georgia dor
CISO Sentinel Security and Compliance Risk Management Platform
Executive Sponsor: Wes Knight, CISO
Project Team: Chris Austin, Information Security Analyst, Larry Faulkner, Information Security Analyst, Jan Gaines, Information Security Analyst, Tavaris Lundy, Information Security Analyst, Joe Bellott, Information Security Analyst, Wes Knight, Chief Information Security Officer, and Steve Hodges, Chief Disclosure Officer
Location: Atlanta, GA

The Georgia Department of Revenue Office of Information Security is responsible for securing a threat and regulatory landscape that encompasses multiple Federal mandates and 3rd Party Information Service providers. This project implemented a security and compliance risk management platform, CISO Sentinel, to capture operating efficiencies in management of the program. Using continuous monitoring and management, the platform enables greater control of cybersecurity risks by effectively managing the processes associated with obtaining, identifying, processing and aggregating key information. Significant elements of the project focused upon prioritizing the review of critical security alerts, automating governance processes, eliminating redundant silos, and streamlining compliance and management reporting.

Global Monthly Patching
Executive Sponsor: Ian White, Vice President, Cloud, Hosting & Network Operations
Project Team: Grant Strom (Senior Manager Hosting Operations), Steven Telfer (Global Patching Program Manager), Joseph Hobson (Business Analyst), Scott Ficek (Onboarding Project Manager), John Purvinis (Senior Systems Engineer), Sanjeewa Wijesinghe (Senior Systems Engineer), Cathy Pitt (Vice President Information Security), Dennis Stetzel (Vice President Engineering & Delivery), Ryan Munson (Vice President Service Operations), and Lahiru Perera (Senior Manager Hosting Operations)
Location: Centennial, CO

The Team at Pearson implemented this project to put together to build a single global monthly patching process across their global infrastructure. The process is designed to radically reduce security vulnerabilities across the company and improve security for their learner data. As their disparate technology teams joined together in late 2015, it was very clear they needed to create a single global process to ease the overhead on the teams doing the patching work, while minimizing any potential customer impact securing our estate.

Commercial Category

Incident Response Transformation
Executive Sponsor: Almir Hadzialjevic, VP, Enterprise Risk and Security
Project Team: Jim Moore, Lead security Engineer – Cyber Incident Response, Jared Portela, Project Manager – Information Security, Sarah Countryman, Development Operations Engineer, Marlon English, Manager – Platform Operations, Michael Cushman, Infrastructure Engineering - Senior Engineer, Will Moore, Manager – Development Operations, David Nolan, Director – Information Security, Dave Mullin, Director Security Operations (Mosaic451 ), and Michael Hiromoto – Senior Cyber Engineer (Mosaic 451)
Location: Atlanta, GA

The Incident Response Transformation project represented an initiative to improve Aaron’s capabilities to detect, respond, and remediate information security events. This initiative focused on creating a new, higher value MSSP relationship, improving the team’s detect and respond capabilities through new technologies and processes, improving visibility into Aaron’s environment and have more complete and accurate coverage of Aaron’s threat landscape.

PCI Submission Relief
Executive Sponsor: John Kirkwood, CISO
Project Team: Frank Steele (Senior Manager Governance & Compliance), Charles Yap (Director InfoSec), Kent Lourenzo (Director InfoSec), Ezekiel Constantino (Risk and Compliance Manager), Jenny Kwok (IAM Manager), John Vaux (Security Architectural Engineer), Gary Zempich (P2PE Analyst), Philip Saint (InfoSec Engineer), Jose Abrain (Compliance Analyst), and Catherine Buerano (InfoSec Risk and Compliance Analyst)
Location: Phoenix, AZ

PCI, as a “point-in-time” assessment process can be extremely disruptive and costly to the business while not guaranteeing compliance. To tackle this issue, the Albertsons Companies team created The PCI Submission Relief program. As a result, while Albertsons must remain PCI compliant, they are no longer required to submit an annual Report of Compliance (ROC) for PCI. Rather than the “point-in-time” annual PCI compliance, Albertsons maintains a continuous compliance control program which ensures that PCI compliance can be continually demonstrated.

CSO Smart City Security Simulator
Executive Sponsor: Karthikeyan Swarnam, VP – Security Architecture
Project Team: Barbara Laing, Director Technology Security, Aleksey Ivanov, Principal Member of Technical Staff, Don Heatley, Principal Technology Security, and Carey Joseph, Lead Member of Technical Staff
Location: Warrenville, IL

AT&T’s Smart City Security Simulator is a training and visualization tool that demonstrates security aspects of various IoT and Smart City technologies and allows users to run cyber-attack scenarios while learning about potential outcomes provided by intelligent simulation engine. The Security Simulator is made up of a physical model of a city, augmented reality components, and planned remote virtual experiences. The project is designed to be flexible for future alignment with future corporate Smart City plans.

Flood 2.0
Executive Sponsor: Brian Rexroad, VP – Security Platforms
Project Team: Mike Nanashko, Director Technology, Fred Stringer, Lead Member of Technical Staff, Donald Chong, Associate Director Technology and Glenn Hochberg, Principal Member of Technical Staff
Location: Dallas, TX

The Flood 2.0 platform processes over 1 trillion records daily. Flood 2.0 analyzes flow data generated from AT&T’s IP and Mobility networks to identify malicious activity targeting services, customers, and infrastructure. It provides automated security analysis tools based on customized software, proprietary research algorithms, and commercial products to report network threats using techniques to detect anomalous changes in normal traffic behaviors. These threats are indicators of future events or real-time attacks against vulnerable targets including scanning, virus propagation, Botnet Command and Control (C&C), Distributed Denial of Service (DDoS), fraud/abuse, DNS fast-flux, and data exfiltration.

Security Vision 20/20
Executive Sponsor: Bob Varnadoe, CISO
Project Team: Randy Conner, Director, Threat Detection and Response, Kumaran Rajasekaran, Manager, Security Operations, Alex O’Brien, SIEM Engineer, Shivangi Rai, SIEM Engineer, and Saurabh Aggarwal, SIEM Engineer
Location: Atlanta, GA

Security Monitoring can be one of the trickiest and resource intensive tools to deploy well. With a quickly maturing security program, NCR saw a gap in the visibility of its monitoring program. With thousands of severs, applications, network gear and SaaS solutions to monitor, we needed a good solution for gaining this visibility and an extensive way to onboard, track and alert on the thousands of logging points in our environment. Working with our third party MSSP we put in place a program to allow a robust set of tools to do just that.

DMARC Email Security
Executive Sponsor: Pietr Lindahl, Sr. Director, Cyber Strategy, Architecture, Engineering, & Integration
Project Team: Cynthia Koens (Director, Security Integration), Shaun Gillesen (Manager, Security Engineering)
Location: Andover, MA

The goal of the DMARC Email Security project was to implement Domain-based Message Authentication, Reporting & Conformance (DMARC) across Philips’ email domains and enforce blocking emails that do not comply with DMARC policies. Utilizing Valimail solutions in their DMARC-based system, Philips is able to protect their brand from fraudulent email spoofing, prevent phishing, enhance email delivery, and enhance regulatory compliance.

Digital Transformation (IAM): Enterprise User Access Management/Shell Identity Management (EUAM|SIM)
Executive Sponsor: Scott Haynes, Enterprise IAM Programme Director
Project Team: David Fannon, Access Management, Special Projects and Michael Holste, IAM Program Manager
Location: Houston, TX

As part of a Digital Transformation initiative centered on Identity and Access Management, this project focuses on both enterprise access governance and enterprise access management. This initiative has two components: Enterprise User Access Management (EUAM) and Shell Identity Management (SIM). The project aims to automate the various security controls within Shell for all business-critical applications. This would bring all business-critical application on a common platform in terms of access management. The goal is to bring in the complete Segregation of Duties (SOD) ruleset of Shell under an automated platform to manage SOD, which is currently being done using spreadsheets or legacy tools. This will help enable automated certification campaigns for 60,000 users across the globe and insure compliance and satisfaction of audit requirements.

Sony Interactive Entertainment
SIE CloudPassage Halo Project

Executive Sponsor: Jason Harkins, Chief Security Officer
Project Team: Derrell Jenkins (Senior Director, Security Operations), Josh Fisk (Security Engineering Manager), Josh Guite (Senior Security Operations Engineer) and Tim Shea (Principal Cloud Security Architect)
Location: San Diego, CA

Sony Interactive Entertainment (SIE) is the leader in digital entertainment and creator of the PlayStation platform. As an early adopter of Agile IT and public cloud infrastructure (AWS), SIE was one of the first enterprises to experience the benefits and challenges of moving workloads out of the datacenter and into the cloud. Specifically, SIE quickly realized that traditional security tools just weren’t designed to keep up with the complexity and scale of the cloud, and so they set out to find a solution that could. They found CloudPassage Halo and thus began the journey to automate security & compliance in the cloud.

Cybersecurity Transformation: Shifting Security LEFT
Executive Sponsor: Sudharma Thikkavarapu, Senior Manager, Cybersecurity
Project Team: Garrison Hu (Principle Engineer), Griffin Howlett (Associate Engineer), Tucker Sneed (Associate Tech-X Intern), and Ye Eun Chae (Intern)
Location: Bellevue, WA

With increasing demand to support the UnCarrier, there was a growing desire to implement an enterprise solution where technology could develop and deploy solutions at accelerated speeds. The solution “Shifting Security LEFT” integrates the speed of secure development capabilities such as developer education, security diagnostic tools, and integrated security testing with current agile development techniques. Effectiveness is determined by comparing data-driven security metrics against performance KPI’s. This enables leadership to make bold UnCarrier business decisions with the confidence that security is in the development DNA.

NERC CIP Standards Version 5 Implementation Project
Executive Sponsor: Karen Mincey, VP IT & CIO
Project Team: Terri Khalil, IT QA & Compliance Director, Paul McClay Former Director, Information Security, Risk, & Compliance, Jason Sizemore, Manager, Cyber Security Operations Center, Pat Boody Former IT Compliance Advisor and Project Lead, Dale Savage, Compliance Technical Lead, Scott Wetterling, Project Manager, Dali Uresti, Lead Compliance Analyst, Xiomara Acevedo-Barrios, Compliance Analyst, Vince Galentine, Industrial Control Systems Sr. Security Architect, David Grotenberg, Sr. Cyber Security Specialist, Brad Morrow, Former Cyber Security Analyst, Chris Oneal, NERC Cyber Security Controls Analyst, Elvin Ramirez, Sr. Cyber Security Specialist, Eric Templeton, Configuration Management Analyst, Cay Robertson, Manager, Service Desk & Access Administration, Gregorian Ward, NERC Patching Administrator, Vince Labrato, Substation CIP Compliance Analyst, Gary Benson, Substation Sr. Consulting Engineer, John Currier, Manager, Manager, Substation Engineering & Grid Modernization, Bill Davis, Ethics and Compliance Manager, Ernie Giudice, Manager, Distributed Systems, Susan Mueller, Director, Emergency Management, Manny O’Bryant, Administrator Strategy & Business Continuity, Jeff Ogden, Manager, Network Operations and Broadband, Bharat Patel, Sr. Network and Systems Analyst, Ron Petrus, Manager, Substation Operations, Randy Pisetsky, Supervisor, Substation Engineering, Yasodha Ratnasekera Manager, Asset Management & Performance, Bryan Schenke, Sr. Network and Systems Analyst, Patrick Shell, Manager, Asset Management, Kevin Rimes, Physical Security Coordinator – Access Controls, Katy Schneider, Corporate Investigator, Kelly Sloan, Manager, Facility Services, Chris Steele, Manager, Engineering & Maintenance, and Peggy Steele, Manager, Human Resources
Location: Tampa, FL

Protecting the power that keeps the community running: that was the goal of the North American Reliability Corporation (NERC) Critical Infrastructure Protection (CIP) Standards Version 5 Implementation Project. While TECO Services are well-prepared to serve our 750,000+ customers with safe, reliable electricity, very real threats like cyberattacks raise the challenges exponentially. About 120 people in departments across TECO tackled 221 requirements to significantly enhance and add controls for the Bulk Electric System (BES) control centers, as well as bring substations into scope. With a massive project that few outside the company are aware of, TECO has built a stronger, safer community.

Financial Services Category

Executive Sponsor: Roland Cloutier, Staff Vice President, Global Chief Security Officer
Project Team: James Lugabihl (Director, Execution Assurance), Marta Palanques (Security Lead Consultant, Execution Assurance), Borja Gullon (Security Lead Consultant, Execution Assurance), Ioana Hurubeanu (Security Consultant, Execution Assurance), AJ Anand (Director, Business Operations), Lokeshkumar Polamarasetty (eGRC Archer & Security Application Developer), Nagakiran Gogineni (eGRC Archer & Security Application Developer), Zac Haas (Sr. Director, Sales Operations)
Location: Roseland, NJ

The project was set out to build a self-service reporting platform to provide a comprehensive operational view of the ADP Global Security Organization (GSO)’s portfolio of services and an understanding of the risk posture from the business point of view. This project aimed to identify, correlate and visualize reliable data and information needed for decision makers to understand risk, determine the value of their security investments, and make it consumable by allowing users to navigate it visually and explore relationships.

Global Third-Party Risk Management (GTPRM) 2.0
Executive Sponsor: Roland Cloutier, Staff Vice President, Global Chief Security Officer
Project Team: Phani B Dasari (Sr. Director Global Third-Party Risk Management), Daniel Sanchez (Director, Third-Party Risk Management)
Location: Roseland, NJ

The project was set out to build a self-service reporting platform to provide a comprehensive operational view of the ADP Global Security Organization (GSO)’s portfolio of services and an understanding of the risk posture from the business point of view. This project aimed to identify, correlate and visualize reliable data and information needed for decision makers to understand risk, determine the value of their security investments, and make it consumable by allowing users to navigate it visually and explore relationships.

horace mann
Blend the NOC and SOC Together, Creating an Integrated Operations Center (IOC)
Executive Sponsor: Sandy Figurski, Sr. Vice President and CIO, Horace Mann
Project Team: Eddy Wilson; Sr. Information Security Architect, James Bantner; Sr. Cyber Analyst, Tyler Gladu; Cyber Analyst, and Bryce Combs; Cyber Analyst
Location: Springfield, IL

Horace Mann set out to merge their NOC and SOC together into a single, blended platform creating an IOC (Integrated Operations Center) - one platform ingesting two environments. The team introduced security orchestration, automation and incident response tools to replace antiquated manual processes. This allowed them to meet mandated governance and compliance and decrease auditor enhanced fatigue. In parallel, the project delivered metrics driven report functionality for risk management that allowed newly created operational activities to be identified, addressed, and aligned to support Horace Mann’s business goals and objectives, including, meeting regulatory compliance for oversight transparency.

mass mutual
Cyber Strong Behavior Program
Executive Sponsor: Jesus (Laz) Montano, CISO
Project Team: Todd Campbell (AVP), Karen Croake (Information Risk Consultant), Tess McCarthy (Information Risk Consultant)
Location: Springfield, MA

MassMutual’s Cyber Security Awareness program enabled the company to establish a Cyber Strong culture through the implementation of a data driven behavioral recognition and repercussion program. The program established a menu of highly visible solutions that could be deployed to recognize positive employee behaviors reported by peers or identified through technical monitoring capabilities. Phishing resilience as well as malware and data loss monitoring capabilities were utilized to assess negative employee and contractor behaviors. Associates who were found to exhibit behaviors that put the company at risk, such as clicking on malicious links, were addressed using pre-defined design patterns in collaboration with Human Resources. By championing positive behaviors and addressing negative behaviors, the company highlighted the criticality of protecting the company’s valuable digital assets and enabled all associated to keep security front of mind.

Morningstar Security Champion Program
Executive Sponsor: Ricardo Lafosse, CISO
Project Team: Dan Nellessen – IT Risk and Compliance, Praveen Jha – Software Security Architect, Brian Cameron - Software Security Architect, and Michael Allen – Chief Information Officer
Location: Chicago, IL

The Morningstar Security Champion is a grass roots program developed to assign individuals in product team resources to provide direct security oversight, security guidance, and acting as a channel to escalate security issues directly with the Application Security team. This program is the core component that fuels Morningstar’s internal metrics program that gamifies the reduction of vulnerabilities across the organization.

us bank
Access Management: Unified Next Generation Identity Governance Across U.S. Bancorp
Executive Sponsor: Jason Witty, EVP & CISO
Project Team: Linda Anderson (Information Security Specialist), Udaya Annae (Project Manager), Cynthia Bahr (Information Security Director - Identity and Access Management), Theresa Baker (Information Security Specialist), Mike Betz (Initiatives Manager), Chris Branson (Identity Engineer), Derek Dahlen (Director, IAM Lifecycle, Delivery & Controls), Scott Deery (Project Manager), Ronda Deutsch (Initiatives Manager), Traci Drapela (Admin Manager, Information Security), Dale Erickson (Information Security Specialist), Alex Friedrichsen (Information Security Specialist), Brian Griffin (Manager, Information Security), John Hunter (Information Security Services PMO Portfolio Lead), Melissa King (Initiatives Manager), Jaime Lopez (Information Security Specialist), Rebecca Lower (Information Security Specialist), Mary Maflin (Information Security Specialist), Brenda McCauley (Information Security Specialist), Beatrice “Yvonne” McRae (Project Manager), Nikki Myers (Manager, Information Security), Amy Nicholas (Information Security Specialist), JoAnn O’Rourke (Senior Manager, Information Security), Dickson Oyaro (Business Analyst), Gboyega Oyeymi (Manager, Information Security), Edward Palmer (Information Security Specialist), Doug Ritari (Application Developer), Molly Rolland (Information Security Specialist), Becky Schmitz (Business Analyst), Mustafa Syed (Information Security Tech Consultant), Russ Terrell (Information Security Specialist), Indiran Thirumani (Senior Manager, Information Security), Paul Urevig (Information Security Specialist), Phil Vander Haar (Senior Manager, Information Security), Zachary Varner (Information Security Specialist), Jeff Wheaton (Information Security Specialist), Chase Williams (Admin Manager, Information Security), and Jason Zajicek, Manager (Information Security)
Location: Naperville, IL

This project sought to rollout a centralized Identity and Access Management platform across U.S. Bancorp. The platform, “Access Management,” provides solutions to key workflows including, user access requests and approvals, automated provisioning via connectors, certifications for user access, role owner and entitlement owner reviews, manual provisioning queue management, and preventative SOD (Separation of Duties). The platform replaces multiple applications, delivering a reduction in costs, labor and redundant governance and controls. Additionally, it more efficiently supports the “least access” principle and reduces the number and frequency of audit findings related to identity, access, and elevated privileges.

Health Care Category

The Aetna Entitlements, Identity, & Risk System (AEIRS)
Executive Sponsor: Kurt Lieber, Vice President, CISO, Global Security Aetna Core, Aetna
Project Team: Jon Backus (Product Manager), Candice Chang, Jason Cruces, Shazia Khan, Jeffrey Graff, Jeffrey Harris, Nathan Harris, Cheryl McCarthy, Angelique Nix, and Barbara Troutman
Location: Phoenix, AZ

The team at Aetna is using leading-edge technology that uses machine learning to provide early detection of anomalies in user behavior. The Aetna Entitlements, Identity, & Risk System (AEIRS), is a User and Entitlement Behavior Analytics (UEBA) program that evaluates millions of event records looking for anomalous or unusual behavior and alerts when detected. The analytics engine, AEIRS, determines and tracks normalized behavior for every Aetna user and then uses it to look for abnormal breaks from pattern, as well as rules-based criteria through behavior models. It also calculates a risk score for each individual user that has access to an Aetna system. The risk scores will change based on anomalous or unusual behavior detected by a model. The models and risk scores can then be used to trigger control changes in real-time.

Omniscient Eye - Data Protection
Executive Sponsor: Umesh Yerram, VP, Chief Data Protection Officer
Project Team: Arvin Bansal (Director Cyber, Risk and Governance), Jose Boac (Manager, Data Security), Kathleen Romualdo (Data Security Analyst), Tumaini Ryoba (Cloud Security), Raju Amin (Data Discovery and Analyst Leader), Ritu Sharada (Data Discovery Analyst), JP Cheenepalli (Security Architect), Brian Catherwood (Lead Security Architect), Other Contractors and Consultants
Location: Chesterbrook, PA

With network boundaries dissolving due to rapid consumption of cloud-based applications & infrastructure and field workforce using unmanaged devices to access sensitive systems and data in the cloud, any Organizations’ life blood – data – is now constantly flowing in & out of its network and cloud instances. AmerisourceBergen (ABC) is in the business of creating healthier futures by enhancing patient outcomes so any unauthorized disclosure of sensitive patient data will have a life altering impact or unauthorized disclosure of financial data will have a significant impact of its M&A and shareholders futures. Therefore, having full visibility into ABC’s critical data is very critical. In addition, with growing demand to collaborate with external parties on new business opportunities or improving business processes, cyber criminals are exploiting this vector to introduce threats to disrupt businesses. Project Omniscient Eye was initiated not only to monitor, detect and protect any unauthorized transmission of ABC data out of ABC networks and ABC sanctioned cloud services but also detect any threats that are introduced in our sanctioned cloud applications and infrastructure.

Precog - Cyber Threat Prediction and Detection Platform
Executive Sponsor: Umesh Yerram, VP, Chief Data Protection Officer
Project Team: Kumar Chandramoulie (Director Cyber defense, Threat Intelligence and Incident Response), Mark Sakoian (Cybersecurity Specialist), Brad Retterath (Cybersecurity Engineering Leader), Calvin Raphile (Cyber Incident Response Leader), Cameron Hatzmann (Threat Intelligence and Hunting Leader), Tessa Kaye (Cybersecurity Analyst), Mani Sampath (Cybersecurity Engineer), Aravind Gopalakrishnan (Cybersecurity Engineer), Ramakrishna Naraharisetti (Cyber Analyst), JP Cheenepalli (Security Architect), Brian Catherwood (Lead Security Architect), Other Contractors and Consultants
Location: Chesterbrook, PA

Cyber criminals are getting very creative and sophisticated every day weaponizing zero-day threats and leveraging new threat vectors & threats to attack large enterprises causing significant business disruption. AmerisourceBergen is in the business of creating healthier futures by enhancing patient outcomes so any business disruption will have a life altering impact. Therefore, they initiated this project to not only detect known knowns but predict unknown unknowns at lightning speed to disrupt and respond to those threats. They partnered with Securonix to build a robust, flexible, scalable and stable platform to collect Billions of events per week and seamlessly find the proverbial “needle in the haystack”. They collect every piece of log intelligence generated within our global networks to gain 360-degree visibility into our networks and leverage cutting edge data analytics algorithms to analyze Billions of events per week to detect and predict hundreds of cyber threats. This platform also provides rich contextual data to Cyber Command Center analysts to launch cyber incident response processes quickly based on the severity of the threat.

Mobile Clinician Project
Executive Sponsor: Jeremy Meller, VP IS&T
Project Team: Heath Baker, Team Lead, Field Services (SR), Robert Covington, Manager, Cyber Security, Frank Grogan, Sr Cyber Security Analyst, Jamie Hobbs, Sr Applications Analyst, Desiree Jennings, Project Manager, Atul Kanvinde, Director IS Business Partnerships, Clinical, Mike Kendall, Team Lead, Field Services, Jeremy Meller, VP IS&T, Stoddard Manikin, CISO, Brandon Potvin, Applications Advisor, Josh Sears, Senior Applications Analyst, Justin Shelf, Applications Analyst, and Sarah Thomas, Manager Optimization & Support
Location: Atlanta, GA

To improve clinician to clinician communication, Children's Healthcare of Atlanta replaced the existing hospital communication solution to provide enhanced services, including: bar code scanning, secure messaging and integration with Epic. The purpose of this project was to develop and implement the necessary clinical and infrastructure components to improve operational workflows in order to provide a seamless and secure means of communication and medication administration documentation. Objectives included providing secure messaging compliance, increasing mobile efficiency of nurses and clinicians, improving communications effectiveness between caregivers, integrate alerting, nurse-call, and bed-management, and reducing the number of devices needed for the care process.

Business Resilience – Changing the Culture from Continuity to Resilient Enterprise
Executive Sponsor: Scott Pettigrew, VP and Chief Security Officer
Project Team: Latasha Robinson, George Macrelli, and Tosha Terry-Lee
Location: Irving, TX

From integration, to automation, compliance to communication, the HMS Business Resilience Program is an integrated enterprise wide program that applies automation for monitoring world events, including HMS infrastructure technology, such as, servers, networks, and assets. It provides consistent change monitoring and management by automating the updating of infrastructure changes for their business impact analyses and recovery procedures. It allows HMS to demonstrate compliance with HITRUST, ISO, and SOC frameworks, which ensures the standardization of control information. This cultural shift positioned HMS in pursuing a ‘Resilient Enterprise’ designation from an international continuity program leader.

Secure Cloud Infrastructure
Executive Sponsor: Scott Pettigrew, VP and Chief Security Officer
Project Team: Michael Madero (Manager, Security Architecture) and Mark Ma (Security Architect)
Location: Irving, TX

The objective of the Secure Cloud Infrastructure was to create an environment that could support highly sensitive data and meet HMS's high security standards while complying with government and commercial compliance frameworks. The successful implementation of this project has allowed HMS to achieve fast and consistent application deployments that leverage cross-platform single sign-on technology.

Security Risk Management & Assurance Program – Bringing it all Together!
Executive Sponsor: Scott Pettigrew, VP and Chief Security Officer
Project Team: Brian Pannell Director (Security Assurance), Daryl Hykel (Manager Security Assurance), George Macrelli (Sr. Director, Security Assurance)
Location: Irving, TX

When implementing a security risk management program, a capability maturity approach is essential to success. This begins with an assessment to determine the current security policy and process maturity. HMS has adopted a security control framework which is measurable and managed and has layered its governance practices over this security model. This program has allowed them to tie together their initial program design methodology and have streamlined multiple authoritative sources into a common set of controls that are tailored for their organization.

Early Vulnerability Detection System (EVDS)
Executive Sponsor: Douglas Falduto, VP, Admin & Chief Security Officer
Project Team: Enterprise Architecture: Alan Leung (Director), Niraj Patel (Manager), Pranshi Gupta (Security Analyst), Information Technology: Kumuda Gogineni (Manager), Srinu Paloju (Technical Test Lead), Mike Schimpf (Manager)
Location: Newark, NJ

In cyber security, the earlier vulnerabilities are detected, the less costly they are to remediate. The Early Vulnerability Detection System (EVDS) identifies vulnerabilities throughout a project lifecycle and facilitates development of multiple levels of defenses within our applications. The EVDS is a combination of people, process and technology that fully adjusts to the polymorphic nature of current technology solutions. Security recommendations are delivered via the basic elements of a standard project: business requirements, architecture design and test cases. The EVDS has already identified and remediated multiple critical vulnerabilities that would have resulted in catastrophic breaches.