ISE® Central Project Award Nominees 2015

Blue Cross Blue Shield/Blue Care Network of Michigan
Insider Threat/B-Secure Program
Executive Sponsor: Tonya Byers, Director II, Information Security
Project Team: Damon Stokes, Angela Williams, Danielle Majors, Shannon Robinson and Cantrell Daniels
Location: Detroit, MI

The B-Secure program involves the information security team performing a walkthrough security assessment to gauge the current security posture of our environment. The results of the security assessment are rated and distributed in a formalized report to leadership, and the information security team captures metrics from each assessment. In addition, the B-Secure program aids our information security team in identifying areas of improvement so that the workforce can be continuously educated on security awareness practices and insider threat concepts. After an assessment is complete, the appropriate areas participate in security awareness remediation training to improve workforce security awareness and the assessment rating.

Blue Cross Blue Shield/Blue Care Network of Michigan
Health Information Privacy and Security (HIPS) Program
Executive Sponsor: Tonya Byers, Director II, Information Security
Project Team: Damon Stokes, Kimberley Smith, Shannon Robinson, Cantrell Daniels and Sean Van Daele
Location: Detroit, MI

The Health Information Privacy and Security (HIPS) Program is led by Information Security, in collaboration with Enterprise Security, Ethics and Compliance, Privacy and Security Compliance, Corporate and Financial Investigations, Legal, Information Technology, and Customer Service Representative and Training. It involves presenting a series of interactive events and activities. The HIPS Program focuses on information privacy and security, promoting the safeguards that exist to protect members’ health information and other BCBSM/BCN assets.

Blue Cross Blue Shield/Blue Care Network of Michigan
HITRUST Framework Integration Project
Executive Sponsor: Tonya Byers, Director II, Information Security
Project Team: Tonya Byers, Damon Stokes, Angela Williams, Sanjeev Hae-Ming Hwu and Shannon Robinson
Location: Detroit, MI

BCBSM/BCN adopted the HITRUST Common Security Framework (CSF) as its information security framework. The CSF fully integrates the existing security requirements placed on healthcare organizations, including federal (e.g., HIPAA and HITECH), state, third party (e.g., PCI and COBIT), and other government agency (e.g., NIST and CMS) requirements.

Blue Cross Blue Shield/Blue Care Network of Michigan
Supplier Risk Management (SRM) Program
Executive Sponsor: Tonya Byers, Director II, Information Security
Project Team: Damon Stokes, Cecilia Burger, Shannon Robinson, Joe Dylewski, John Becker and Cantrell Daniels
Location: Detroit, MI

The Supplier Risk Management program gauges each supplier’s capability to protect BCBSM/BCN’s sensitive information exchanged and computing assets provisioned in the normal course of the business relationship, while adhering to established HIPAA/HITECH requirements and information security industry standards, by:

  • Identifying risks of new/existing suppliers who connect to BCBSM/BCN infrastructure, access BCBSM/BCN data, or develop or maintain BCBSM/BCN’s software
  • Tracking remediation plans
  • Executing on-site visits or desktop assessments, based on detailed questionnaires, to ensure security measures are implemented
  • Monitoring, reassessing, and decommissioning suppliers per contractual agreement
  • Employing a quantitative, risk-based approach to supplier ranking and reporting metrics

CNA
Security Convergence Initiative
Executive Sponsor: Robert Allen, VP, CSO & Service Management
Project Team: Larry Lidz, Rani Badireddi and Drake Cody
Location: Chicago, IL

The purpose of this initiative was to identify and leverage overlapping services and resources to combine Corporate Security and Information Security into a converged Security organization. Services were reorganized from both organizations to improve CNA’s ability to manage risks, respond to events, and provide the best service to key stakeholders and customers. Service gaps were identified and addressed, and service offerings were improved where possible. Services were strengthened and relationships advanced between Corporate/Information Security and primary customers including Audit, Corporate Compliance, Enterprise Risk Management, Risk Control, Underwriting, Claims, Human Resources, Employee Relations, and Legal.

Energy Future Holdings
Identity Access Management and Privileged Account Management
Executive Sponsor: Kevin Chase, Chief Information Officer
Project Team: Loren Woeber, Brent Bailey, Listyanna Dowell and Tammy Coker
Location: Dallas, TX

Energy Future Holdings needed to enable seamless business access to applications and data while still adhering to compliance and regulatory controls. In addition, the lack of an automated approach for the enterprise had led to an inconsistent user experience, inefficient operations, and challenges in managing security, risk and compliance. In less than a year, Energy Future Holdings implemented CA Advanced Authentication, CA Single Sign-On, CA Identity Manager, CA Identity Governance, and CA Privileged Identity Manager. Successful execution of this IAM initiative is a significant plank of EFH’s overall IT strategy, and has resulted in the following accomplishments:

  • Replaced the current IAM processes tied to the mainframe/RACF environment in support of EFH's migration strategy from a mainframe environment to a distributed systems environment.
  • Introduced an identity and access management platform that permits users to securely authenticate once to EFH, and then reliably and robustly access multiple enterprise (business) applications.
  • Replaced complex manual processes with:
    • Automated provisioning (e.g. hires, transfers, terminations)
    • Self-service (e.g. password management)
    • Simplified access management system to enhance user experience, support continued expansion, and improve information security policy enforcement and process efficiency
    • Automated access governance (e.g. recertification, segregation of duty controls)

GE Oil & Gas
Project SAND
Executive Sponsor: Amolak Gosal, Chief IT Risk & Cyber Security Officer
Project Team: Patrick Sullivan, Harish Pahuja, John Moore, Gabor Koltai, Aaron Hoy, Branko Bibic, Robert Blake, Miriam Pastrana, Mike Stephens, Tim Long, Bob Wysocki and Patrick Graves
Location: Houston, TX

GE Oil & Gas is positioning itself today to counter the information security threats of tomorrow. Project SAND is a global information security program designed to increase GE Oil & Gas’ ability to embrace new technology and the new mobile workforce. SAND comprises three key objectives:

  1. Secure third party connections
  2. Harden internet facing application infrastructure
  3. Simplify the complex Active Directory landscape

By hardening and simplifying the core IT infrastructure, SAND has enabled the secure integration of $3B+ of acquisitions into GE Oil & Gas. In addition, SAND has provided an improved platform for secure collaboration between employees, suppliers, and customers.

HMS
Business Resilience Program
Executive Sponsor: Scott Pettigrew, Chief Security Officer
Project Team: George Macrelli, Denise Mason, Daryl Hykel, Sean Miller, Michael Lee and Catherine Sisterson
Location: Irving, TX

Business Continuity Management (BCM) and Security Risk Management (SRM) responsibility has been somewhat of a conflict: although it is important to have a plan for an unlikely catastrophe, there are other serious risks, such as privacy, fraud and inaccurate data, that have a nearly certain likelihood of occurring. Emotions run high in the face of rare and disastrous events, causing a rush to allocate funds and effort to safeguard against them. HMS’s Integrated Business Resilience Program is part of a comprehensive SRM program, which allows a more reasoned and less emotional understanding of the universe of business risks faced by HMS. This program produces efficiencies in how HMS reacts to catastrophic risk.

The Ohio State University
Information Security Framework, Phase 1
Executive Sponsor: Helen Patton, CISO, The Ohio State University
Project Team: Gary Clark, Jim Herbeck, Matt Williams, Charlie Smith and Amber Buening
Location: Columbus, OH

The Information Security Framework project implemented an Information Security Management System (ISMS) across The Ohio State University. The problem: how to engage over 129 independent business units, each with their own distributed IT departments, budgets and business priorities. With a total project budget of only $270,000, the project team implemented a new framework, encouraged 98% of units to voluntarily participate in a one-month survey to establish a maturity baseline, engaged non-IT unit leaders in assuming responsibility for their information risks, and raised the Information Risk Management bar for higher education institutions across the United States.

Stage Stores
Multi-layered Cybersecurity Initiative
Executive Sponsor: Steven Hunter, Chief Information Officer
Project Team: Kevin Richardson
Location: Houston, TX

In 2014, several large retailers were victims of massive network breaches, resulting in credit card exposures for millions of customers. Stage Stores took a proactive approach to ensuring it would not be the next victim. The company’s IT leadership devised a strategy to upgrade and fortify Stage Stores’ network and payment card infrastructure. The multi-pronged strategy included:

  • Implementing Point-to-Point Encryption (P2PE) to prevent payment card data exposures at the POS
  • Upgrading malware and virus defenses
  • Strengthening network defenses
  • Ethical hacking exercise to identify potential weaknesses
  • Employee education on social engineering

Texas CISO Council
Information Security Program Essentials Guide
Executive Sponsor: Philip Beyer, Chief Founder
Project Team: Brian Engle, Philip Beyer, Parrish Gunnels, John South, Brian Wrozek, Joe Krull, Joe Oranday, Mary Dickerson and Greg White
Location: TX

There are many similar and overlapping information security control frameworks for technology risk management and security operations (e.g. ISO 27001/2, the ISF Standard of Good Practice, and the NIST 800 series). The lack of a strategic and business-oriented approach for establishing an effective and sustainable program, however, has forced organizations to define unique and in some cases limited approaches to the ongoing challenge of managing technology risk. The Texas CISO Council has addressed this problem by capturing the essential elements of a complete program, and through the Information Security Program Essentials Guide has provided a reference that can benefit every organization.

USAA
Biometric Logon for Mobile App
Executive Sponsor: Gary McAlum, Senior Vice President, Chief Security Officer
Project Team: Philip Leininger, Thomas Buckingham, Rick Swenson, Tom Clark, John Harris, Vicki Shapiro, Hoang Vo, Rochelle Tijerina, Robert Barner, Maria Gummerson, Tammy Sanclemente, Sudarshan Rangarajan and David James
Location: San Antonio, TX

USAA continues to innovate in security, first with two-factor “Quick Logon” and now by providing a game-changing experience of using facial or voice biometrics as a convenient and secure means of logging onto the USAA Mobile Application. This capability expands on our existing use of an embedded security token by combining it with our biometrics technology, eliminating the need for static usernames and passwords while improving the overall logon experience. This giant step directly addresses the safeguarding of personal information harvested through data breaches and social engineering, by focusing on what you have and who you are rather than on what you know.

Waste Management
Next Generation Identity and Access Management
Executive Sponsor: Mike Coogan, Director, Information Security
Project Team: Steve Hammond, Mary Jane Imperial and Radha Chellappan
Location: Houston, TX

Waste Management built a fully business-integrated access management solution that allows business users to participate in identity governance. Provisioning and de-provisioning for over 60 applications was built out, including for application-specific roles, eliminating tens of thousands of manual steps per year. Approval is tied to the financial structures of the company, and as those structures change, the approval flow changes in real time. Additionally, roles for high-turnover jobs and web-based certifications were created, saving countless hours of work throughout the company. Automated password reset, integrated with the web and IVR, eliminated thousands of tickets from our help desk.