ISO 27001 Implementation and Certification
Executive Sponsor: Tim Sargi, Security Audit and Consulting Services, Antares Management Solutions
Project Team: Kevin McGuirk
Antares Management Solutions implemented the ISO 27001 information security framework to demonstrate the maturity of its information security program. A contributing factor in selecting ISO 27001 over other frameworks was that several of the documented procedures in Antares' ISO 9001 Quality Management System also apply to information security, which simplified implementation and leveraged the Company's previous quality management investment. Two critical components of the ISO 27001 standard are transparent management commitment and management review of security events, resources, challenges and performance against the business objectives articulated by MMO line executives participating on our standing IT Governance Committee.
IT Risk Assessment Project
Executive Sponsor: David Montgomery, VP, Quality & Security Assurance
Project Team: Julie Talbot-Hubbard, Mike Morabito, Rob Krajci, Kari Sklenka, Scott Hennerfeind
Over the past 12 months, Cardinal's IT Risk Management Leadership team drove a comprehensive IT Risk Assessment project consisting of an updated IT Risk Policy framework, security training and awareness, an organization-wide risk escalation process, infrastructure and application risk assessments, disaster recovery testing, and a comprehensive view, prioritization and ongoing management of IT risks across the organization.
The program has given the organization a "springboard" to move from reactive to proactive risk management. The project enabled Cardinal to validate a risk dashboard that gives a true representation of Cardinal's risk posture and corrective actions.
Identity Governance Implementation
Executive Sponsor: Michael Phillips, IT Director
Project Team: Paul Puckett, Tushar Desai, Leslie Mazina, Ann Krienke and Sandra McKnight
CenterPoint Energy faces a variety of regulatory pressures, many of which include specific requirements for identity and access controls, including demonstrable proof that the company knows who has access to which IT resources. CenterPoint had many of these controls in place, but managed access privileges through a manual process that was error-prone, time-consuming and expensive to maintain. To automate its identity controls, the company selected SailPoint IdentityIQ as its integrated identity governance solution. The company is now able to easily and cost-efficiently identify and revoke inappropriate access, detect and remediate policy violations, and eliminate high-risk accounts.
Security In the Cloud
Executive Sponsor: Christopher Rence, CIO/VP
Project Team: Vickie Miller, Scott Charleston
2009 Network Access Control Project
The project was chartered to install network port security that would proactively keep unauthorized people off the internal corporate network, preventing possible internal cyber attacks, while providing limited guest access to the Internet for day-to-day vendor presentations.
Kellogg Center PCI-DSS
Executive Sponsor: Michael Dawisha
Project Team: Gene Willacker, Paul Heberlein, Brian Pillar, Ryan Finn, Kirti Singh, Jill Respecki
Complete all requirements in order to achieve compliance with the Payment Card Industry Data Security Standard (PCI DSS). PCI DSS is a multifaceted security standard that includes requirements for security management, policies and procedures when handling credit card data. Achieving PCI DSS compliance for the Kellogg Hotel and Conference Center at Michigan State University required redesigning the network, updating applications, changing business practices, and writing and disseminating policies and procedures for all 200+ items that must be satisfied to be considered compliant. We added 15 servers, installed a new firewall appliance, deployed Citrix and RSA tokens for external access to the credit card environment, and replaced all 60 computers in the Hotel. Over 6,000 hours of labor were spent by the Hotel staff and the Information Services team to achieve compliance.
PCI Compliance
Executive Sponsor: Lisa Hodkinson, VP, Information Risk Management
Project Team: Mukesh Tayal, Tom Pugh, Chris Hayes, Greg Green, Sachin Sardar, Nicole Schlosser, Angela Myers, Justin Daines, William Koch
PCI DSS imposes over 200 requirements, and without segmentation an entire network can fall into scope for compliance, which is expensive. Applications that accept credit cards transmit card numbers to a DataPower appliance in a PCI virtual cage within the web hosting environment. The team leveraged an existing DataPower shared web service to encrypt the card number and amount using the public key of the payment processor. The encrypted value is then sent to the application's web server, which minimizes changes to the existing applications because they only ever handle ciphertext that nobody but the processor can open.
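The scoping trick in this project is that the application tier never sees a usable card number: the shared service encrypts the PAN and amount under the processor's public key, so only the processor can decrypt. The following Go program is an added illustration of that pattern written for this page, not code from the project or from IBM DataPower. It assumes RSA-OAEP with SHA-256 as the public-key scheme, a JSON payload of PAN plus amount, and a locally generated key pair standing in for the processor's key; the PAN used is a constructed test number, not real cardholder data.

```go
package main

import (
	"bytes"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"log"
	"strings"
)

// oaepLabel binds the ciphertext to this use; encrypt and decrypt must agree on it.
var oaepLabel = []byte("pci-card-payload")

// CardholderData is the only cardholder data the encryption service handles:
// the primary account number and the transaction amount.
type CardholderData struct {
	PAN    string `json:"pan"`
	Amount string `json:"amount"`
}

// NewProcessorKeyPair stands in for the payment processor's key pair (assumption
// for this example). In a real deployment only the processor holds the private
// half; the encryption service and the applications get the public key alone.
func NewProcessorKeyPair() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// EncryptForProcessor plays the shared encryption service. It serialises the card
// data and encrypts it with RSA-OAEP (SHA-256) under the processor's public key,
// returning an opaque base64 token the application can store and forward.
// A 2048-bit OAEP/SHA-256 ciphertext carries at most 190 bytes of plaintext,
// which is ample for a PAN and an amount.
func EncryptForProcessor(pub *rsa.PublicKey, cd CardholderData) (string, error) {
	plaintext, err := json.Marshal(cd)
	if err != nil {
		return "", err
	}
	ct, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, plaintext, oaepLabel)
	if err != nil {
		return "", err
	}
	return base64.StdEncoding.EncodeToString(ct), nil
}

// ProcessorDecrypt is the processor's side: only the private-key holder can
// recover the PAN and amount from the token. Any other key yields an error.
func ProcessorDecrypt(priv *rsa.PrivateKey, token string) (CardholderData, error) {
	var cd CardholderData
	ct, err := base64.StdEncoding.DecodeString(token)
	if err != nil {
		return cd, err
	}
	pt, err := rsa.DecryptOAEP(sha256.New(), nil, priv, ct, oaepLabel)
	if err != nil {
		return cd, err
	}
	if err := json.Unmarshal(pt, &cd); err != nil {
		return cd, err
	}
	if cd.PAN == "" || cd.Amount == "" {
		return cd, errors.New("decrypted payload missing pan or amount")
	}
	return cd, nil
}

// TokenRevealsPAN is the scoping check: the value that flows back through the
// application's web server must not contain the PAN, encoded or raw.
// A malformed token is treated as unsafe.
func TokenRevealsPAN(token, pan string) bool {
	raw, err := base64.StdEncoding.DecodeString(token)
	if err != nil {
		return true
	}
	return strings.Contains(token, pan) || bytes.Contains(raw, []byte(pan))
}

func main() {
	processorKey, err := NewProcessorKeyPair()
	if err != nil {
		log.Fatal(err)
	}
	// Constructed sample input: a well-known test PAN, not real cardholder data.
	card := CardholderData{PAN: "4111111111111111", Amount: "42.50"}

	token, err := EncryptForProcessor(&processorKey.PublicKey, card)
	if err != nil {
		log.Fatal(err)
	}
	fmt.Printf("token held by application (%d chars), reveals PAN: %v\n",
		len(token), TokenRevealsPAN(token, card.PAN))

	got, err := ProcessorDecrypt(processorKey, token)
	if err != nil {
		log.Fatal(err)
	}
	fmt.Printf("processor recovered PAN ending %s for amount %s\n",
		got.PAN[len(got.PAN)-4:], got.Amount)
}
```

The point a QSA will want to see is the negative case: the token cannot be decrypted with any key other than the processor's, and the application servers that store or relay it never hold the private key, which is what keeps them out of the cardholder data environment.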
GRC – Governance, Risk and Compliance
Executive Sponsor: Lee Parrish, Director, Information Assurance
Project Team: Judy Kiser, Mark Beck, Wail Jastaniah, Alexandra Pichardo, Anthony Carr, Jeffrey Nix, Wes McLain, Mark Leary
The team created a GRC (governance, risk and compliance) team for Northrop Grumman within the Information Systems Sector. The team crafted a suite of risk management services for the InfoSec service catalog. They developed processes for conducting onsite risk assessments and stood up a robust automated GRC platform to enhance our service capabilities. Lastly, the team reached out to other business units to assist with their GRC solutions.
Implementation of IT Controls
Executive Sponsor: Pamela Rucker, Vice President of IT
Project Team: Lloyd Dawson, Frank Duke, Beth Wilcox, Hassan Hakam, Ida Joiner
Although PSC is a privately held organization, executive management has instituted a control-based philosophy for how PSC designs and conducts business processes, including IT. The initial IT control environment, including Sarbanes-Oxley (SOX) controls, was based on an operational perspective rather than a risk-based approach. Initial control testing results validated that the risk-based approach addressed key compliance requirements, including identifying high risks and discovering vulnerabilities across all critical IT systems, both of which are required of publicly held corporations. PSC IT management implemented a new SOX and monitoring control environment in early 2009 and subsequently received positive results from an external audit of IT systems.
2010 NAC Project
Executive Sponsor: Steve Hotte, Senior Vice President & Chief Information Officer
Project Team: Jerry Hasten (project manager), Chris Hayes, Mike Conover, Mike Mahaffey, Travis Michalak, Cherise Wise, Kristin Lowery, Mathews Thomas
Due to increasing concern over cyber security, Southern Union implemented Network Admission Control (NAC) technology, which enables the network to authenticate and authorize devices and users before granting them full access to network resources. When a device first connects to the network it is considered untrusted and must pass an assessment before being allowed onto the network. The assessment consists of conditions that must be met, such as up-to-date anti-virus signatures or the existence of specific files or registry values. Once all conditions are satisfied, the device is trusted and able to function normally.
Self-Service Based Password Management
Executive Sponsor: Bob Young, CTO
Project Team: Bridget Campbell, Marsha Brock, Terry Fesenmeyer
Design and implementation of a self-service based password management solution that provides a consistent, intuitive end user experience for setting and resetting passwords regardless of where and how it is accessed.
TXU Energy Roles Rebuild
Executive Sponsor: Christopher Holm, Director IT Risk, Security and Controls
Project Team: Mike Hill, Glenn Baker, Sabrina Dyer, Casey Davis, Blake Elder, Phillip Henderson, Javed Husain, Kevin Jackson, Yoganathan Sivapragasam, Sai Vallurupalli, Chris Vanderbosch, Jon Wise, Tanner Simmons
The Roles Rebuild team successfully rebuilt the individual user roles for SAP security, first for IT and then for every functional organization at TXU Energy. The endeavor touched every employee at TXU Energy and was completed on schedule and within budget. In addition, role security rule sets were developed for Separation of Duties compliance for every role. Subsequent control-exception remediation efforts were completed on schedule.
USAA Info Sec Authentication Program
Executive Sponsor: Gary McAlum, SVP/Chief Security Officer
Project Team: James Ravizee, Jack Key, Richard Davey, Tammy Sanclemente, Thomas Buckingham, Betty Del Valle, Ryan Johnson, Mary Beth Block, David Row, Ashley Brown, Wil Bennett
USAA is an industry leader in innovating unique methods for strengthening authentication across many channels (.com, speech, member service representatives, and mobile). For example, USAA gave its mobile users faster, more secure logon access to their banking, insurance and investment accounts through its new quick logon and authentication security software. This simplifies account access for USAA members while strengthening logon security for the popular USAA Mobile App, which offers bank deposit functionality on the iPhone and Android platforms. Almost 1.3 million of USAA's 7.4 million members use USAA's mobile platforms to conduct financial transactions.