ISE® Southeast Project Award Nominees 2016

The SATraining Program
Executive Sponsor: David Rooker, Chief Security Officer
Project Team: Rob Walsh, Caesar Candelaria, David Wood, Rosemary Ramon and Wesley Wilson
Location: Seneca, SC
Security awareness training programs have traditionally been little more than yearly training to check off a requirement for compliance. These programs change very little in protecting individuals or the company and do not improve the protection of the organization’s intellectual property. Actian Corporation’s SATraining program establishes a detailed security awareness strategy across the enterprise globally. Emphasizing how security begins at home, the program stresses training the team on how to protect their family, friends & significant others’ computers and information, creating a “culture change” in the home first.

change healthcare
TITAN - Threat Intelligence Tactical Analysis Network
Executive Sponsor: Haddon Bennett, CISO
Project Team: Jason Jones – VP Cyber Threat and Response, John Fellers – Cyber Threat Hunter, Robert Landry - InfoSec Engineer, Russ Lieneman- InfoSec Engineer, and Craig Ray- InfoSec Analyst
Location: Nashville, TN
Change Healthcare’s TITAN is a threat intelligence and analysis network which enables pro-active, threat-based defense, threat analysis, identification, and tracking. TITAN pulls threat intelligence from a variety of sources, stores incident data in a centralized repository, and enables research and analysis to help determine if seemingly isolated incidents are components of advanced persistent threats. When new threats are identified, TITAN disseminates this information to Change Healthcare’s internal security tools automatically. TITAN provides the context between threat intelligence and security incidents identified and logged to our SIEM. TITAN publishes threats identified internally to NH-ISAC, thus helping other member organizations consume targeted threat intelligence.

cox automotive
Rugged DevOps
Executive Sponsor: Tony Spurlin, CISO
Project Team: John Sewall, CAI, Manager Security Engineering, Scott Thole, CAI, Senior Security Engineer, Joe Aranbayev, CAI, Senior Security Engineer, Raj Rajagopalan, CAI, Quality Assurance Architect, Todd Bussey, Kelley Blue Book, Manager Production Engineering, Todd Grotenhuis, NextGear Capital, Senior Security Engineer, Brian Popiliski, VinSolutions, Director Production Engineering, Darren Ayre, CAI United Kingdom, Security Manager, David Hearns,, Director of Development, Scott Andrews, Australia, Director of Production Engineering
Location: Atlanta, GA
Cox Automotive implemented a comprehensive application security program, integrating cloud-based static application security testing and in-house dynamic application security testing with its agile software development lifecycle (SDLC). As a result, Cox Automotive reduced application security vulnerabilities by 20% in the first year while cutting the amount of application rework by 60% to accelerate more secure solutions into production. This also enabled the company to strengthen its competitive advantage and lower costs.

Executive Sponsor: Phil Agcaoili, SVP
Project Team: Tom Phillips, Jason Witty, Michelle Stewart, Mark Gelhardt, James Edgar, Brent Comstock, Shane Cruze, Osiris Martinez, Clint Garrison, Michael Varno, Doug Dement, Andrew Kalat, Rodney Strader, and Shelbi Rombout.
Location: Atlanta, GA
SecurityON is a multi-year endeavor and consists of multiple projects to establish world class security, transform corporate culture to the culture of security, and to leverage a rich startup culture with the financial backing of the 4th largest bank in the United States. Borrowing from Elavon’s 2014 branding, BusinessON, and sharing the word “ON” from ElavON, the name SecurityON was chosen to inspire the organization towards a common shared vision to be world class.

Security Program Transition to Address Cloud First IT Strategy
Executive Sponsor: Joseph DiBiase, Director Global Information Security
Project Team: Tom Farmer – Security Manager, Mark Hall - Security Engineer , Scott Stanfield – Security Administrator, Adrian Apps –Security Engineer, and Edwin Goes – Security Engineer
Location: Atlanta, GA
Interface IT has adopted a Cloud First strategy. This required a transition in how the security team thinks about the cloud and then a development of a security strategy to address “Cloud First.” The goals of the project are to sufficiently protect Interface’s information assets and systems and do this in the most efficient way possible.

lake health
Total Activity Visibility Enhancement (TAVE)
Executive Sponsor: Keith Deumling, Information Security Officer
Project Team: Jerry Peters, Chief Information Officer & VP of Information Technology, Joyce Taylor, Chief Privacy Officer , Christopher Kaija, Information Security Analyst, David Adams, Manager of Programming Systems, and Sherri Adams, Network Engineer
Location: Concord, OH
TAVE has transformed information security for Lake Health by providing a holistic view of activity across all entry and exit points in its infrastructure, including physical context of where user actions are occurring. TAVE was initiated after several incidents revealed the need to detect activity from multiple data systems collectively rather than individually. TAVE now allows Lake Health to convert large amounts of raw data into actionable information, enabling the security team to identify threats in real time and determine the exact point of infiltration. This allows threats to be effectively contained and controlled without impacting patient services.

NCR Enterprise GRC
Executive Sponsor: Bob Varnadoe, CISO
Project Team: Alok Kumar, Security Architect; Ken Duong, Developer; and Garima Vashishtha and Reema Raheja, Risk & Compliance.
Location: Duluth, GA
Managing IT risk at NCR, a software and technology centric company, was quite a challenging effort as IT risk is managed throughout the enterprise without a means of centralized oversight. NCR’s CISO Bob Varnadoe established an initiative to centralize Risk Management and replace the old system based on manual processes. A selection committee chose the GRC module within ServiceNow. The ServiceNow GRC tool allowed for the replacement of manual efforts prone to error with repeatable processes leveraging efficiencies. Security functions managed by GRC include: Risk Application Inventory, Application Risk Review, Risk Acceptance, Risk Registry, Asset Management, Vendor Risk Management and Controls Mapping.

Vendor Governance & Oversight Program
Executive Sponsor: Rini Fredette, SVP & Enterprise Risk Officer
Project Team: Rini Fredette- SVP & Enterprise Risk Officer, Joy Anderson- VP Vendor Relations & Governance, Jackie Keenan- Sr. Specialist Vendor Strategy, Cathy Pandrock- Specialist Vendor Relations, Cheryl Lawrence- Specialist Vendor Relations , Jean Graham- VP Internal Controls & Compliance, Lori Lucas- Manager, Information Security, David Duncan- Principal Accounting Policy & Controls, Steve Salzer- SVP Corporate Counsel, Jim Krems- Program Manager Vendor Audit, Greg Clark- Principal Enterprise Risk Management, and James Green - Business Continuity Program Manager.
Location: St. Petersburg, FL
In the world we live in today, we are seeing more and more data breaches at the hands of third party providers. Due to the increase in third party provider risk, PSCU undertook a project to overhaul vendor governance and oversight. The initiative included formalizing PSCU’s third party onboarding process and elevated the criteria of our potential partners. In addition, the project team re-engineered the third party provider risk scorecard. Finally, the capstone of the project was the development and execution of an ongoing oversight program to include executive level reporting and dashboards.

DR Next Project
Executive Sponsor: Jennifer Graham, SVP Technology Risk and Compliance
Project Team: Jennifer Graham – Executive Sponsor, Mike Cook – Delivery Manager, Mary Simpkins – Project Manager, Mike Patel – BCRS Program Manager, and Richard McClure – BCDR Program Manager
Location: Atlanta, GA
DR Next supports a 5 year Business Continuity Program (BCP) Renovation roadmap addressing key deficiencies in response to a 2011 Federal MRA. The program was renovated to effectively comply with required supervisory guidance and provide assurance of essential recovery capabilities. It also heightens the recovery preparedness and operational excellence through broader testing, infrastructure flexibility, and administration optimization. DR Next key elements, including end-to-end transactional testing capabilities, consolidation of standards, application level recovery, and extended accessibility to DR environments were delivered. The bank’s overall risk management posture significantly improved resulting in closure of the 2011 MRA following an August 2015 Federal ECM audit.

Tractor Supply Company IAM Initiative
Executive Sponsor: Michael Mangold, Director Information Security
Project Team:Anthony Mannarino – Manager, Information Security, Chris Threet – Sr. Purchasing Specialist, Vendor Mgmt., Marc Cover – Lead Systems Engineer, Wintel, Christine Jones – Security Specialist, and Dale Stubblefield – Lead Systems Engineer, UNIX
Location: Brentwood, TN
Tractor Supply’s IAM initiative is designed to automate all phases of Identity and Access Management for the organization. Project phases are inclusive of fully dynamic access governance, automated user provisioning and de-provisioning, password management, and role based access controls.