Consolidated Evidence Assessment Locker (CEAL)
Executive Sponsor: Jim Routh,Chief Security Officer, VP of Global Security, Aetna
Project Team: Mignona Cote – SR Director, Information Security
Enterprises increasingly demand reliable security control assurance and resiliency, which drove Aetna to create the Audit Evidence Locker. Aetna implemented a solution that correlates common regulatory requirements with security policies and artifacts demonstrating the highest level of resiliency in private enterprise. The Audit Evidence Locker demonstrates Aetna’s mature cyber security program by providing an automated conduit for supporting test evidence on the effectiveness of Aetna’s security program. Implementation has eliminated extensive manual efforts by modernizing the way artifacts are collected to meet regulatory compliance and enterprise requirements by collecting the data once, then relating the artifact to numerous assessment requirements.
Physical Access, Surveillance, and Access Governance Program
Executive Sponsor: George Macrelli, Sr. Director, Security Assurance, HMS
Project Team: Kyra Hawkins, Kevin Shamlin
This program was the designed, development, and integrated for the Management and surveillance of physical access to our Data Centers, and 26 Business offices. It entailed the migration from an antiquated electronic access control system to a more robust system that would bring together, Video, Burglar Alarm, Access monitoring, Access Control, Emergency Control, and Access Governance across the entire HMS Business Enterprise.
Building Security Risk Management with HITRUST CSF
Executive Sponsor: George Macrelli, Sr. Director, Security Assurance, HMS
Project Team: Daryl Hykel, Sean Miller
HMS Security has established a Security Risk Management Program using the HITRUST Common Security Framework. The initiative included the design and development of a Security Risk Management & Assurance Program that sits on the HITRUST CSF, and is mapped to our Policies, Controls Standards, and Procedures. We use the HITRUST Control catalog to assess, monitor, remediate, and report risk to our Executive and Board members. The program was developed using the RSA Archer Tool, which supports our, Policy, Vendor, Business Continuity, T&V, and Audit, Compliance, and Issues Management programs.
U.S. Bank Enterprise Tokenization Integration Project
Executive Sponsor: Jason Witty, CISO, U.S. Bancorp
Project Team: Michelle Guckeen, Project Manager, Thoralf Symreng, Manager Information Security Risk & Compliance, Carol Stennett, Information Security, Risk & Compliance
The goal of the Tokenization Project was to reduce the amount of sensitive cardholder data stored in U.S. Bank’s network, using tokenization technology that replaces the primary account number (PAN) with a surrogate value--the “token.” This was a highly complex development project that required mapping of data-flows between applications, partnership with multiple CIOs who had to change applications in specifically orchestrated sequences, and business process re-engineering to remove or reduce use-cases where business processes were formerly using real data that required significant protective controls around it. The result was a dramatic reduction in data that required protection.