Information Security Risk Management Program
Executive Sponsor: Cynthia Whitley, CISO, Allstate Insurance
Project Team: Drake Cody, Phil Kulinsky, Rafael Castanos, Bryan Jones
Implement an Information Security Risk Management Framework to measure, manage, and report information security risk. This framework is built on a repository of common security controls which provides a centralized store of all compliance measurements. This framework also includes an inventory of information security metrics that measure our security controls against baselines that were set as part of an ISO security controls assessment. These measurements are augmented by questionnaires and validated through risk assessments to provide an overall measure of information security risk by risk categories that can be used when making key business decisions.
End to End Data Protection, Risk Mitigation & PCI Compliance
Executive Sponsor: Joe Bentfield
Project Team: Joe Bentfield, Janet Kerns, Dan Madsen, Daniel Schulte, Mike Sterner, Larry Abram
The End to End Data Protection, Risk Mitigation & PCI Compliance Project at AT&T enables the following information security imperatives: (a) Do the right thing by the corporation, employees, business customers, consumers, vendors and suppliers; (b) Meet internal corporate and security policies; (c) Meet a broad set of legislative regulatory compliance, industry mandates and initiatives, including PCI, SAS 70, SysTrust, GLBA, HIPAA, CPNI, SOX, etc.; (d) Satisfy business customer contracts; and (e) Enable business efficiency. The project utilizes approaches that are game-changing in securing information from end to end, and leverages breakthrough technologies in innovative solutions that remove barriers.
SailPoint Identity IQ Full Suite Implementation
Executive Sponsor: Brad Jobe, Director of Information Security
Project Team: Brad Jobe, Scarlett O’Malley, Michael Lindskov, Robert Block, Bill Haase, Pete Wallace, Ben Wise, JC Will
CUNA Mutual Group’s Information Security team led by Brad Jobe, Director of Information Security, partnered with professional services firm Logic Trends and SailPoint to take an innovative approach in minimizing risk, achieving compliance, and creating administrative business efficiencies. While implementing a closed-loop process for best-practice certification and remediation and increasing compliance security, the team concurrently automated their provisioning and de-provisioning procedures. The result was a single identity and governance solution that met stringent industry compliance requirements, and generated immediate administrative cost savings for the organization.
BSOC – Business Security Operations Center
Executive Sponsor: Spencer Mott, Chief Information Security and Intellectual Property Officer
Project Team: Shammy Rana, Matt Farrer, Calvin Dickinson, Ben Stanbury, Nelson Ho, Robin Wilson, Barbu, Ionut-Daniel; Bobeanu, Victor-Flavius; Ciocoi, Maria Madalina; Constantin, Ciprian-Septimiu; Costache, Marian Bogdan; Cotenescu, Vlad; Doroftei, Alexandru; Gaspar, Andrei Dimitrie; Ionescu, Mihai; Iordache, Constantin Cosmin; Nunu, Silviu; Pirvu, Mihai; Prioteasa, Ileana-Emilia; Schverin, Cosmin Constantin; Soare, Marius; Stanciu, Alexandru-Cristian; Vanut, Marian
The project was to establish the “Business Security Operations Center” (BSOC), a new-generation 24x7 operation providing security and risk management services to all global offices. The services that went into the BSOC service portfolio had to meet specific criteria and ‘scoring’. The criteria included Revenue Generation, Business Expansion, Employee Mobility, Loss Mitigation and Business Innovation. BSOC supplements on-site manned guarding with remote surveillance through innovative adaptation of surveillance techniques. BSOC remotely monitors and manages information security tools and the disaster recovery plan, and provides data compliance support, intellectual property protection and fraud monitoring for all global operations. BSOC is a new twist on a traditional Security Operations Center, as it addresses key ‘business’-enabling security services by centralizing security from different domains such as physical security (including supply chain), incident management, information security, intellectual property protection and fraud monitoring, to name a few.
DLP for IP Protection
Executive Sponsor: Kevin Swailes, Director Global IP Protection, COE (Center of Excellence)
Project Team: Katie Gough, Patrick Sullivan, Walter Miller, Ross Schalmo, Juan Castillo, Kevin Cearlock
The DLP for IP Protection project was undertaken to protect GE Energy’s investment in its innovative technologies and competitive advantage by protecting its intellectual property and trade secrets. The project involved designing a holistic approach to IP Protection and implementing DLP technology to secure classified information from insider threat while enabling sensitive information to move freely across the global organization and enable business processes. The initiative leverages the Digital Guardian Enterprise Information Protection platform as the cornerstone for a policy-driven solution that provides discovery, monitoring, prevention and deterrence capabilities to ensure trusted and privileged users cannot mishandle sensitive data.
Create a Collaborative Security Culture
Executive Sponsor: Amy Wang, Director, Information Services and Information Security Officer, Henry Ford West Bloomfield Hospital
Project Team: Rich Wong, Chip Reese, Alex Panoff, Shannon Southway, and Chuck Sulikowski
Information security is more than just an IT function; it is also part of the holistic approach that Henry Ford West Bloomfield takes in caring for the entire patient when they come through our doors. Through a combination of education, rounding and audits, this project has built the foundation and culture to empower users to make information security a part of their daily lives.
Symantec DLP (Vontu) Implementation
Executive Sponsor: Kathleen Golovan, VP and General Auditor
Project Team: Tim Sargi, Stephanie Schaeffer, Rick Schuler, Brad Gladish, Bill Davidson, Soon Pak, Brian Berman, Charles Huber, Bob Sunyak, Bill Halsey, Nita Voveris, Fran Norris
This project was to implement selected Vontu software modules and the hardware to support the monitoring and blocking of network, e-mail, and desktop activity that could potentially cause HIPAA, PCI or other regulatory compliance violations. While the implementation of Vontu does not eliminate the risk, it greatly reduces the occurrence of sensitive data leaving the company by identifying and/or capturing data deemed sensitive, quarantining or redirecting outgoing sensitive data to more secure transmission methods, and providing metrics on violations that support validation of self-reporting and facilitate policy enforcement and modification.
Kellogg Center PCI-DSS
Executive Sponsor: Michael Dawisha
Project Team: Gene Willacker, Paul Heberlein, Brian Pillar, Ryan Finn, Kirti Singh, Jill Respecki
Complete all requirements in order to achieve compliance with the Payment Card Industry Data Security Standard. The PCI DSS is a multifaceted security standard that includes requirements for security management, policies, and procedures when handling credit cards. Compliance with PCI DSS for the Kellogg Hotel and Conference Center at Michigan State University required redesigning the network, updating applications, changing business practices, and writing and disseminating policies and procedures for all 200+ items required to be considered compliant. We added 15 additional servers, installed a new firewall appliance, installed Citrix and RSA tokens for external access to the credit card environment, and replaced all 60 computers in the Hotel. Over 6000 hours of labor were spent by the Hotel staff and the Information Services team to achieve compliance.
Effective Risk Management = Effective Business Management
Enabling the business through Effective Risk management
Executive Sponsor: Lisa Hodkinson, VP, Information Risk Management
Project Team: Chris Hayes, Mike Conover, Mike Mahaffey, Travis Michalak, Cherise Wise, Kristin Lowery, Mathews Thomas
This program established the framework, process and tools to identify and prioritize the top IT risks for the organization and the information needed for business leaders to decide which risks they should mitigate now, mitigate later or reasonably assume. The framework took inputs from business objectives, current IT risks, industry trends and the broader IT risk landscape to prioritize the top risks and build a multi-year roadmap for IT risk management initiatives. We applied the learning and methods followed in our (insurance and financial services) industry to build tools and processes to assign dollar values to “loss exposures” and then aggregated them to show total loss exposure and “earnings at risk” to help business leaders prioritize the risks to mitigate.
2010 NAC Project
Executive Sponsor: Steve Hotte, Senior Vice President & Chief Information Officer
Project Team: Jerry Hasten (project manager), Chris Hayes, Mike Conover, Mike Mahaffey, Travis Michalak, Cherise Wise, Kristin Lowery, Mathews Thomas
Due to increasing concern over cyber security, Southern Union implemented Network Admission Control (NAC) technology, which enables the network to authenticate and authorize devices and users before granting them full access to network resources. When a device is first connected to the network it is considered untrusted and must go through an assessment before being allowed to access the network. This assessment contains conditions that must be met, such as up-to-date anti-virus signatures, the existence of specific files or registry values, etc. Once all conditions have been satisfied, the device is trusted and able to function normally.