Translating an ISO-Based Risk Management Program into an Information Security Roadmap
Executive Sponsor: Subra Sripada, Sr. Vice President, Chief Information Officer, Beaumont Health System
Project Team: Tim Purves, Kim Detwiler, Nathan Ouellette and Brian Clippard
Location: Troy, MI
As a leading provider of healthcare services in Southeastern Michigan, protecting patient information is a top priority for Beaumont Health System. Beyond the ongoing requirements defined by HIPAA, Beaumont has developed a holistic risk management program. Last year, the Beaumont system partnered with VIOPOINT and Modulo to conduct a high-level risk assessment that effectively translated the high-risk areas into a two year actionable plan. The resulting information security roadmap established a detailed set of project-based initiatives that will have a significant impact on reducing any ongoing risks to patient data.
Data Classification and Protection
Executive Sponsor: Rafael Diaz, CISO, State of Illinois
Project Team: Patrick Beaird, Sesh Iyengar, LuAnn Derocchi, Lance Shelley, Gary Grigsby, Deb Shotts
Location: Chicago, IL
The pilot project had three fundamental goals for the Department of Central Management Services. We were expecting to aientify all the hosted enterprise applications and data stores with “confidential data.” Once identified, we would ensure appropriate security configurations and controls are in place to safeguard this data. Finally, the goal was to report, track, and verify who has what type of access to the data. The resulting project actually delivered a Data classification and Protection Policy – with classification schema. Detailed procedures for managing access, along with the roles and responsibilities defined for business owners, system owners, and security owners. Ultimately, a database for tracking systems, data, roles, and classifications was required for the vast amount of data that was gathered. In order to continue the project in other consolidated agencies, a template for process and procedures for classifying and identifying “confidential data “ was developed.
Sallie Mae’s Enterprise-wide Continuous Monitoring and Vulnerability Management Program Evolution
Executive Sponsor: Jerry Archer, Senior VP and Chief Security Officer (CSO)
Project Team: Chris Tuten, Brian Brush, John Washington, Andy Budack, Noel Koperczak
Location: Fishers, Indiana
In 2011, Sallie Mae’s information security team realized the need to replace its vulnerability scanning process as a way to better secure its expanding computing infrastructure within an increasingly constrained budgetary environment. After evaluating the potential impact on its systems, the team initiated this complex task knowing that significant reengineering of the company’s processes would be required. Committed to the end result, the team moved from periodic, compliance-oriented scanning to full implementation of a new enterprise-wide continuous monitoring program in record time, more than doubling scanning coverage while realizing an annual cost savings of 31% over the next 5 years.
Executive Sponsor: Tim Stanley , Director, Information and Infrastructure Security
Project Team: Chelsa Russell, Chris Beard, Hafsa Farooqui, Jack Le, Chris Shuler, John Benson, Jeff Creamer, Charles Hutsell, Kiki Lee, Quenton Maddux, Matt Musquiz, Joseph Nguyen, Kraig Nguyen, Alice Pancamo, Javier Ruiz, Gordon Salisbury, Hadi Sbeiti, Mike Smith and Jeremy Warren.
The project was to establish an “Information Protection” team, aligning people, process, and technology to drive effective threat management, incident response, and information protection at Waste Management. This effort pulled together end-point protection, data leakage protection, log collection, event analysis, encryption, and incident response functions into a centralized team. Additionally, all supporting technologies were upgraded and reconfigured to maximize the effectiveness and capabilities of each platform. Detailed processes were established and documented to drive consistency and operational effectiveness.