Application Security Assurance Program (ASAP)
Executive Sponsor: John Bader, SVP, Allstate
Project Team: Yabing Wang, Pat, Wiet, Kenny Alperstein, Leo McCavana, Orlando Lopez, Ryan Russell, Jerry Higgins and Cynthia Whitley.
Location: Northbrook, IL
The vision of the Application Security & Assurance Program (ASAP) is to integrate secure practices into the Allstate software development lifecycle (SDLC) processes. This program is not about implementing a tool to resolve a specific issue. It is about adopting a holistic approach from a People, Process, Technology and Governance perspective and making sure security is embedded into the SDLC from the start. As part of risk management, the goal of this program is to focus on application security, to reduce vulnerabilities, to understand and manage risks, and to improve the Confidentiality, Integrity and Availability of Allstate’s applications.
BCBSM Information Security Operation Center
Executive Sponsor: Tonya Byers, Director; Gary Harvey, VP Information Technology
Project Team: Angela Williams, Sanjeev Vohra, Ron Farhat, Michael Moore and Shirley Meeks
Location: Detroit, Michigan
Blue Cross Blue Shield of Michigan (BCBSM) was one of the first BCBS plans to implement a Security Operations Center or SOC (pronounced sock). The SOC hosts a collection of IT security tools that provide the capability of centralized monitoring and detection of threats, vulnerabilities, and security events that could adversely affect BCBSM’s information assets, technical infrastructure, and most importantly our data. The SOC is focused on monitoring our computers, servers, firewalls and networks. The SOC was created as part of ongoing efforts by our Information Security team to help us proactively recognize threats and vulnerabilities. This center allows us to better minimize risks, downtime and data loss by providing timely monitoring to security teams, supporting audit and compliance efforts, and assisting with incident response and forensics efforts. By leveraging the tools within the SOC, we are better positioned in our fight against malicious attacks from outside our organization.
CNA’s Governance, Risk Management and Compliance Program
Executive Sponsor: Robert Allen, VP, Service Management & CISO, CNA
Location: Chicago, IL
CNA has implemented an Enterprise Risk Register that consolidates corporate risks into a single repository where decision-makers can gain visibility and model loss exposure based on pertinent characteristics. Applying a universal risk taxonomy, detailed risk analysis can be modeled to ensure rating accuracy, which allows for a standardized and balanced scale of risk comparisons across the functional business areas. The resulting risk measurements are used for awareness and remediation prioritization, including action plan assignment and tracking.
Key Risk Indicators are linked to organization risks, utilizing a metrics-driven process of dynamically monitoring the health of implicated business areas and risk categories. Controls and their effectiveness are also linked to risks, resulting in a broad sense of how the enterprise is managing its potential losses. Inherent and controlled risk ratings are captured, assisting in the understanding of the effort expended or required to maintain an acceptable risk profile. High-level risk categories are utilized to summarize risk data, providing useful information to diversified committees. Role-based management dashboards are produced to allow easy understanding of risk contributors relative to the viewer’s purview of responsibilities.
Security Program Evolution
Executive Sponsor: Joanne Cummins, CIO, Standard Register
Project Team: Philip Woods, David Pappas, Marta Sullivan, Steve Braswell, Robin Housley, Aaron McCray, Kevin Mundhenk, Mike McGill, Cory Trese, Raj Nair, Tim McDonald, Terrance Merriman and Andy Blosser. We had help from Deloitte, Battelle & Battelle, HP, Verizon, Forsythe and an anonymous customer.
Location: Dayton, Ohio
Have you ever been in a situation where sales promised something that didn’t exist? Every IT organization has faced that challenge! In Standard Register’s case, we were simply asked to create an isolated FISMA-compliant Authorization Boundary conforming to NIST. Did I mention that we had never done that before? And how many times do you get to say that Security made the sale?! Leveraging our mature security program and collaborating with our customer and partners, we designed, delivered and externally attested the solution in nine months, enabling our customer to gain the required scale, flexibility and cost savings - securely.