E3™ End-to-End Encryption
Executive Sponsor: John South, Chief Security Officer
Project Team: Sarah McCrary, Larry Godfrey, Paul Minutillo, Dustin Francis
E3™ end-to-end encryption is designed to combat the growing problem of credit and debit card fraud by protecting cardholder data throughout the payment transaction lifecycle, from the moment of card swipe through the processing system. E3 provides the strongest degree of security available at no extra cost, safeguarding the various stakeholders in the payments ecosystem, including consumers, business owners, banks and financial institutions. E3 also affords merchants added breach protection through the E3Warranty.
IT Governance, Risk, and Compliance Program (IT GRC)
Executive Sponsor: Michael Mathias, Vice President and Chief Information Officer
Project Team: Jason Fortin, Don Simon, Diane McCammon, Chris Gadwah, Donna Richmond, Mia Hodge, Glynn Baron
Aetna implemented an IT Governance, Risk, and Compliance (GRC) program as a way to enable the organization to manage their governance, risk, and compliance activities. The program initially focused on the areas of policy management, compliance assessments, and vulnerability management. In addition, the IT GRC technology capabilities have allowed Aetna to effectively measure their technical environment (e.g. servers and databases) and procedural controls against the many authoritative sources for compliance (e.g. Payment Card Industry). The strategic goal is to provide Aetna’s management with the ability to make informed, risk-based decisions on factors such as threats, likelihood, and impact.
Role Based Security - EPIC System
Executive Sponsor: Cathy Beech, CISO, Children's Hospital of Philadelphia
Project Team: Jessica Van Kooten, Lindsay Burns, Elizabeth Catone, Kelvin Blasse, Melinda Hanford, Colleen Reifsnyder, Manoj Ramachandran, Jean Scholefield, Cheryl Barnes-Haigler, Philly Hak, Cheryl Cantafio, Catherine Shirilla, Peter Marabella, Kimberly Mason, Bimal R. Desai, MD, Virginia Bird, Anne Marie Krause
Location: Philadelphia, PA
CHOP established a dedicated Information Security team to support the development, implementation, deployment, and maintenance of the new role-based security model as part of the Hospital's implementation of its integrated electronic medical record (EMR) system across its entire healthcare network. This project established standardized roles across the Hospital within the EPIC system and laid the foundation for the Role Based Access Control (RBAC) and User Provisioning projects that will begin in fiscal year 2012.
IT Security Exposure Tool (ITSET)
Executive Sponsor: Hinrich Voelcker, Managing Director – Global Head IT Security
Team Members: Peter Lassig, Blair Habig, Sanjay Menon, Markus Sanio
The IT Security Exposure Tool (ITSET) delivers a global, interactive, application-centric security heat-mapping model that identifies IT security exposures across Global Technology and guides the prioritization of remediation and exposure-reduction efforts. The tool is in production, and the on-boarding of applications, fed by multiple data control feeds, will be finished by September 2011. Mini-dashboards present an aggregated view of security- and risk-related IT infrastructure information for each application and its underlying components. As a unique feature, the application layers are visualized in a dynamic component tree, with further drill-down for risk evaluation. All of the information is pulled directly from global asset repositories, including location, ownership and support group information.
Highly Privileged Access Monitoring and Control for Windows Servers
Executive Sponsor: Mike Parrella, Senior Team Leader, Information Security
Project Team: Phani Dasari, Sumeet Lakhwani, Michael A. Minwell, Rudy Urena, Jeffrey Kolmos, Hardik Mehta, Vishnu Pemmasani, Paul Engelbert, Trina Ford and William O'Connell
Location: Roseland, NJ
The Highly Privileged Access Monitoring and Control project was undertaken to prepare GE Capital for operating under the stricter regulatory standards imposed by the federal government through the Dodd-Frank Act. The project involved establishing an operational definition of file transmission and implementing technology to prohibit the egress of sensitive information while allowing such data to flow freely within the organization, from secure source to secure destination, without impeding business processes. The initiative leverages the Verdasys Digital Guardian Enterprise Information Protection platform as the cornerstone of a transparent, user-aware solution that provides monitoring, identification, control and blocking capabilities to ensure that administrators holding highly privileged access (HPA) cannot mishandle sensitive and confidential information residing on mission-critical Windows servers.
Enterprise Security, Identity Management & Access Governance
Executive Sponsor: Scott Pettigrew, Chief Security Officer, HMS
Team Members: Mark Ma, Jason Guzman, Len Atkinson, Deb Whitehead, Luke Magda, Jeremy Miller, Joe Spearin, Quyen To
Location: New York, NY
HMS, the nation's largest healthcare cost containment service provider, set out in 2009 with aggressive goals for an Identity and Access Management program. As the healthcare industry grew rapidly, HMS faced ongoing challenges from complex regulatory pressures and compliance requirements. Working with the Identity and Access Management specialists Logic Trends, HMS developed and executed an extensive undertaking to reduce risk exposure, improve on-boarding and off-boarding processes, give employees and contractors rapid access to mission-critical systems, introduce electronic provisioning, and bring consistent, auditable role governance, role maintenance and access management to the enterprise.
Security Oversight and Risk Assessment (S.O.A.R.) Portal Project
Executive Sponsor: Dennis Brixius, Vice President and Chief Security Officer
Project Team: Thomas Schultz, Michael Haddad, Michael Weiss, Thomas Greitz, Irina Yevzikov, Kenny Chau, Preetam Sirur, Michael Pesola, Christopher Puzio
The McGraw-Hill Companies Security Oversight and Risk Assessment (SOAR) Portal Project developed a centralized Information Security portal to track the various risk factors that could impact McGraw-Hill information systems and applications. The SOAR Portal has three distinct risk-focused modules: general risk tracking, security policy exceptions, and application control self-assessment. The SOAR Portal Program has enabled the Information Security team to work with the different business units to improve the overall information security posture of the Company.
Application Security Development for Continued Education and Development
Executive Sponsor: Laz Montano, Vice President, MetLife
Team Members: Gerald Brouillette, Michael Harrison, Rajnish Goyal
Location: Bloomfield, CT
MetLife embarked on an application vulnerability testing project covering all of its Internet-accessible applications. The MetLife IT Risk team integrated more than 140 diverse applications into the program, culminating in the execution of more than 200 vulnerability tests that identified potential security vulnerabilities in real time, empowering developers to address them and protecting the organization and its customers.
Security Consolidation with McAfee Cloud Services
Executive Sponsor: Daniel Srebnick, Associate Commissioner & CISO
Team Members: Daniel Srebnick, Jamie Arnold, Nick Mauriello, Larry Pfeifer
Location: New York, NY
The New York City Department of Information Technology and Telecommunications (DoITT) McAfee project was designed to consolidate security services across New York City government. DoITT worked with McAfee to deploy cloud services and leverage threat analytics in support of 180,000 end users from 52 agencies. Together, DoITT and McAfee deployed an integrated network, host and cloud solution to strengthen New York City government's defenses against cyber threats.
User Access Request (UAR) System
Executive Sponsor: Todd Levy, VP and ISO
Team Members: Igor Grapp, Michael Beresford, Ilona Shenderovich
The purpose of this project was to develop and deploy a comprehensive, structured workflow covering all processes associated with user requests for physical and logical access at all levels within the International Fund Services (IFS) business unit of Alternative Investment Services. The workflow includes all request, approval, confirmation, verification and reporting requirements associated with, or required by, the physical and logical access controls related to information security.
Advanced SIEM for VA OI&T Region 1
Executive Sponsor: Andrew Peterson, Division Chief, Security Management Division
Team Members: Kenneth Crandell, Vincent Bui, Jeremy Phillips, Sherry L Wilson, Kristofer E. Phillips, Michelle Yu
The Veterans Affairs Office of Information and Technology (OI&T) is entrusted with managing private data for millions of Veterans around the world. The team was under a great deal of pressure: first, to comply with the security requirements mandated by the Health Insurance Portability and Accountability Act (HIPAA) and the Federal Information Security Management Act (FISMA); and second, to manage that data across a disparate set of offices and systems. In order to respond to audits more effectively and reduce the risk of data leaks, the OI&T Region 1 team consolidated their Security Information and Event Management systems into a single, centrally managed solution.