ISE® North America Project Award Nominees 2011

Commercial Category

Aetna
IT Governance, Risk, and Compliance Program (IT GRC)
Executive Sponsor: Michael Mathias, Vice President and Chief Information Officer
Project Team: Jason Fortin, Don Simon, Diane McCammon, Chris Gadwah, Donna Richmond, Mia Hodge, Glynn Baron

Aetna implemented an IT Governance, Risk, and Compliance (GRC) program as a way to enable the organization to manage their governance, risk, and compliance activities.  The program initially focused on the areas of policy management, compliance assessments, and vulnerability management.  In addition, the IT GRC technology capabilities have allowed Aetna to effectively measure their technical environment (e.g. servers and databases) and procedural controls against the many authoritative sources for compliance (e.g. Payment Card Industry).  The strategic goal is to provide Aetna’s management with the ability to make informed, risk-based decisions on factors such as threats, likelihood, and impact.


BNY Mellon
Governance, Risk and Compliance Automation
Executive Sponsor: Daniel Conroy, Managing Director and Head of the Information Security Group
Project Team: Darrell Hawkins, Mamani Older, Rodney Richardson, Gary Portnoy, Peter Cacchioli

The purpose of the Governance, Risk and Compliance Automation project is to provide greater insight into the enterprise’s infrastructure and network and to identify emerging threats through the integration of Network Access Control, Security Event and Information Management and other network security tools. Endpoint compliance and its associated security risks, guest networking, and threats from insiders, cybercrime and sabotage represent top concerns with regard to protecting bank resources and information assets. Removing the burden of manually monitoring and mitigating these daily issues allows the security team to focus on more proactive measures.



IT Security Exposure Tool (ITSET)
Executive Sponsor: Hinrich Voelcker, Managing Director – Global Head IT Security
Team Members: Peter Lassig, Blair Habig, Sanjay Menon, Markus Sanio

The IT Security Exposure Tool (ITSET) delivers a global, interactive Security Heat Mapping model that identifies IT security exposures and guides the prioritization of remediation efforts. The tool is in production, and the on-boarding of applications will be finished by September 2011 using multiple data control feeds. ITSET delivers an interactive, Global Technology-wide, application-centric Heat Mapping model that identifies IT security risks in order to prioritize remediation and exposure reduction efforts. It presents an aggregated view of security- and risk-related IT infrastructure information for applications and their underlying components using mini-dashboards. As a unique feature, the application layers are visualized in a dynamic component tree, with further drill-down for risk evaluation. All the information is pulled directly from global asset repositories, including location, ownership and support group information.


Electronic Arts
BSOC – Business Security Operations Center
Executive Sponsor: Spencer Mott, Chief Information Security and Intellectual Property Officer
Project Team: Shammy Rana, Matt Farrer, Calvin Dickinson, Ben Stanbury, Nelson Ho, Robin Wilson, Barbu, Ionut-Daniel; Bobeanu, Victor-Flavius; Ciocoi, Maria Madalina; Constantin, Ciprian-Septimiu; Costache, Marian Bogdan; Cotenescu, Vlad; Doroftei, Alexandru; Gaspar, Andrei Dimitrie; Ionescu, Mihai; Iordache, Constantin Cosmin; Nunu, Silviu; Pirvu, Mihai; Prioteasa, Ileana-Emilia; Schverin, Cosmin Constantin; Soare, Marius; Stanciu, Alexandru-Cristian; Vanut, Marian

The project was to establish the “Business Security Operation Center” (BSOC), a new-generation 24x7 operation providing security and risk management services to all global offices. The services that went into the BSOC service portfolio met specific criteria and ‘scoring’. The criteria included Revenue Generation, Business Expansion, Employee Mobility, Loss Mitigation and Business Innovation. BSOC supplements on-site manned guarding with remote surveillance through innovative adaptation of surveillance techniques. BSOC remotely monitors and manages information security tools and the disaster recovery plan, and provides data compliance support, intellectual property protection and fraud monitoring for all global operations. BSOC is a new twist on a traditional Security Operations Center in that it addresses key ‘business’-enabling security services by centralizing security from different domains such as physical security (including supply chain), incident management, information security, intellectual property protection and fraud monitoring, to name a few.


Highly Privileged Access Monitoring and Control for Windows Servers
Executive Sponsor: Mike Parrella, Senior Team Leader, Information Security
Project Team: Phani Dasari, Sumeet Lakhwani, Michael A. Minwell, Rudy Urena, Jeffrey Kolmos, Hardik Mehta, Vishnu Pemmasani, Paul Engelbert, Trina Ford and William O'Connell
Location: Roseland, NJ

The Highly Privileged Access Monitoring and Control project was undertaken to prepare GE Capital for operating under stricter regulatory standards imposed by the federal government through the Dodd-Frank Act. The project involved establishing an operational definition of file transmission and implementing technology to prohibit the egress of sensitive information while enabling such data to flow freely within the organization from secure source to secure destination without impeding business processes. The initiative leverages the Verdasys Digital Guardian Enterprise Information Protection platform as the cornerstone of a transparent and user-aware solution that provides monitoring, identification, control and blocking capabilities to ensure that administrators cannot mishandle sensitive and confidential HPA information residing on mission-critical Windows servers.


Heartland Payment Systems
E3™ End-to-End Encryption
Executive Sponsor: John South, Chief Security Officer
Project Team: Steve Elefant, Sarah McCrary, Larry Godfrey, Paul Minutillo, Dustin Francis

E3™ end-to-end encryption is designed to combat the growing problem of credit/debit card fraud by protecting cardholder data during the payment transaction lifecycle, from the moment of card swipe to and through the processing system. E3 provides the strongest degree of security available — with no extra costs — safeguarding various stakeholders in the payments ecosystem, including consumers, business owners, banks and financial institutions. E3 also affords merchants added breach protection with the E3Warranty.


Pacific Gas and Electric Company
Enterprise Security Technology Strategy
Executive Sponsor: Craig A. Rosen, Enterprise Security Architect, Senior Principal, Pacific Gas and Electric Company
Project Team: Stephen Zalewski, Scott Decker, Billy Glenn, Tatiana Antontchouk

The Enterprise Security Technology Strategy is a comprehensive, technology-focused "living" strategy consisting of three areas of focus for PG&E: identity & access management, data & information protection, and network & infrastructure protection. The strategy is designed to provide high-level technology investment direction across all aspects of the company, from all enterprise back-office systems to securing the Smart Grid. The strategy is realized over time either through business initiatives or by leveraging it to launch large-scale information security projects. The strategy significantly helps reduce technology fragmentation across the enterprise by applying an architectural perspective, reduces costs and complexity, promotes cross-organizational collaboration, and clearly aligns security technology investments to the business. This ultimately helps to more rapidly advance the company's security protection posture.



User Access Request (UAR) System
Executive Sponsor: Todd Levy, VP and ISO
Team Members: Igor Grapp, Michael Beresford, Ilona Shenderovich

The purpose of this project was to develop and deploy a comprehensive structured workflow allocation to cover all processes associated with user requests for physical and logical access at all levels within the International Fund Services (IFS) business unit of Alternative Investment Services. Included in this workflow are all request, approval, confirmation, verification and reporting requirements associated with or required by physical and logical access controls related to information security.



Get Secure/Stay Secure Program
Executive Sponsor: Greg Wood, Chief Information Security Officer
Project Team: Brian Dezell, Evan Gaustad, Narasimharao Tatini, Robert Lebowitz, Roger Preston, Jeffrey Nordlie

We are building a fully integrated application security program designed to set a high and uniform standard for holistic and practical application security, where meeting compliance requirements is simply a by-product of the program. Key innovations include: integrated feedback loops between dynamic and static testing to refine our secure coding practices, a business-centered approach to security development that is sensitive and responsive to business requirements, a leaner and more nimble approach to threat modeling, and the training and embedding of security champions within dev teams.


Walt Disney Company
Bag It and Tag It
Executive Sponsor: Glen Taylor, Vice President
Project Team: Dawn Ellis, Mike Pruitt, Ahmed Faridy, Tim Gruber, Cleora Madison, Vicky Justynski, Craig Smith, Jason Summerlin, Peter W Gold, Richard Robertson, Greg Harry, Kathy Burns, Kevin Haertling, Melanie K Roush

Walt Disney World is the largest single site employer in the US with over 58,000 cast members in 1 location. The recent consumer trend towards wireless devices combined with this huge workforce resulted in many unknown or rogue wireless access points. With 47 sq. miles of property (the size of San Francisco) it would have taken an army of people to find, catalog, and address this situation. Disney Cast Members thrive on this type of challenge and used creativity and crowd sourcing to mitigate the risk.

Government Category


Advanced SIEM for VA OI&T Region 1
Executive Sponsor: Andrew Peterson, Division Chief, Security Management Division
Team Members: Kenneth Crandell, Vincent Bui, Jeremy Phillips, Sherry L Wilson, Kristofer E. Phillips, Michelle Yu

The Veterans Affairs Office of Information and Technology (OI&T) is entrusted to manage private data for millions of Veterans around the world. The team was under a great deal of pressure: first, to comply with security requirements mandated by the Health Insurance Portability and Accountability Act (HIPAA) and the Federal Information Security Management Act (FISMA); and second, to manage the data across a disparate set of offices and systems. In order to respond to audits more effectively and reduce the risk of data leaks, the OI&T Region 1 team consolidated their Security Information and Event Management systems into a single, centrally managed solution.



Security Consolidation with McAfee Cloud Services
Executive Sponsor: Daniel Srebnick, Associate Commissioner & CISO
Team Members: Daniel Srebnick, Jamie Arnold, Nick Mauriello, Larry Pfeifer
Location: New York, NY

The New York City Department of Information Technology and Telecommunications (DoITT) McAfee project was designed to consolidate security throughout New York City. The DoITT worked with McAfee to deploy cloud services and leverage threat analytics to support 180,000 end users from 52 agencies. The DoITT, in conjunction with McAfee, deployed an integrated network, host and cloud solution to strengthen New York City government's defenses against cyber threats.

Health Care Category

Aetna
IT Governance, Risk, and Compliance Program (IT GRC)
Executive Sponsor: Michael Mathias, Vice President and Chief Information Officer
Project Team: Jason Fortin, Don Simon, Diane McCammon, Chris Gadwah, Donna Richmond, Mia Hodge, Glynn Baron

Aetna implemented an IT Governance, Risk, and Compliance (GRC) program as a way to enable the organization to manage their governance, risk, and compliance activities.  The program initially focused on the areas of policy management, compliance assessments, and vulnerability management.  In addition, the IT GRC technology capabilities have allowed Aetna to effectively measure their technical environment (e.g. servers and databases) and procedural controls against the many authoritative sources for compliance (e.g. Payment Card Industry).  The strategic goal is to provide Aetna’s management with the ability to make informed, risk-based decisions on factors such as threats, likelihood, and impact.


Aetna
Data Center II
Executive Sponsor: Ray Biondo, VP & Chief Information Security Officer
Project Team: Brenda Callaway, Maria Cotts, Kenneth Hill, Nancy Moy, Richard Beaderstadt, Charles Moore, Linda Husted, Kevin Sandschafer

The Data Center II Project encompassed all of the work streams required to implement a fully functional Tier 4 second Data Center for HCSC. Project teams from all IT disciplines worked in conjunction with the disaster recovery team, program management, and HCSC Leadership to design and implement the new Data Center. The Data Center will initially provide Disaster Recovery capabilities for all HCSC critical business applications in the production environment. The HCSC Disaster Recovery Program, currently outsourced to IBM, will be insourced to the new data center and managed by HCSC resources.


Children's Hospital of Philadelphia
Role Based Security - EPIC System
Executive Sponsor: Cathy Beech, CISO, Children's Hospital of Philadelphia
Project Team: Jessica Van Kooten, Lindsay Burns, Elizabeth Catone, Kelvin Blasse, Melinda Hanford, Colleen Reifsnyder, Manoj Ramachandran, Jean Scholefield, Cheryl Barnes-Haigler, Philly Hak, Cheryl Cantafio, Catherine Shirilla, Peter Marabella, Kimberly Mason, Bimal R. Desai, MD, Virginia Bird, Anne Marie Krause
Location: Philadelphia, PA

CHOP established a dedicated Information Security team to support the development, implementation, deployment, and maintenance of the new role-based security model as part of the Hospital’s implementation of its integrated electronic medical record (EMR) system for its entire healthcare network. This project established standardized roles across the Hospital within the EPIC system and laid the foundation for our Role Based Access Control (RBAC) and User Provisioning projects that will begin in fiscal year 2012.

IRS
Identity Management
Executive Sponsor: Scott Breece, Director of Security Strategy and Compliance
Project Team: Brenton Warner

CHS is challenged with managing user accounts across multiple technologies. The management of users includes user provisioning for new employees, account management for role-based access, and termination of accounts. The existing technology, Novell Identity Manager (SIM), is currently implemented in the environment. The current version of this technology doesn’t provide the flexibility to meet all the business needs as the environment has evolved. However, the newest revision level of the application presents new and improved features that will assist CHS with meeting the needs of the business.


Create a Collaborative Security Culture
Executive Sponsor: Amy Wang, Director, Information Services and Information Security Officer, Henry Ford West Bloomfield Hospital
Project Team: Rich Wong, Chip Reese, Alex Panoff, Shannon Southway, and Chuck Sulikowski

Information security is more than just an IT function; it is also part of the holistic approach that Henry Ford West Bloomfield takes in caring for the entire patient when they come through our doors. Through a combination of education, rounding and audits, this project has built the foundation and culture to empower users to make information security a part of their daily lives.

HMS
Enterprise Security, Identity Management & Access Governance
Executive Sponsor: Scott Pettigrew, Chief Security Officer, HMS
Team Members: Mark Ma, Jason Guzman, Len Atkinson, Deb Whitehead, Luke Magda, Jeremy Miller, Joe Spearin, Quyen To
Location: New York, NY

HMS, the nation’s largest healthcare cost containment service provider, set out in 2009 with aggressive goals for an Identity and Access Management program. Due to the rapid growth of the dynamic healthcare industry, HMS experienced ongoing challenges due to the complex regulatory pressures and compliance requirements. By working with Identity and Access Management Specialists, Logic Trends, HMS developed and executed an extensive undertaking to reduce risk exposure, improve on/off boarding processes, provide employees and contractors rapid access to mission critical systems, introduce electronic provisioning and bring consistent, auditable role governance, role maintenance and access management to the enterprise.

Kaiser Permanente
Operational Risk Management Project
Executive Sponsor: Richard Seiersen, ORM Architect
Project Team: Richard Seiersen, Jason Ellis, Carl Koster, Brian Kavanagh, Kevin DePeugh, David Cho, Michael Ruiz

The Operational Risk Management project applies security intelligence within a GRC framework to allow Kaiser Permanente to identify and prioritize actionable security risk. Business intelligence practices are used to automate the collection of enterprise asset data, vulnerability data, and mitigation data into a “single pane of glass.” “Risk tolerance rules” then operate on that data, creating workflow for the purpose of protecting Kaiser's critical assets. The net result is a highly scalable and automated full-stack framework for addressing both vulnerability remediation and associated mitigation throughout the systems stack.


Software Code Quality Checking (SCQC)
Executive Sponsor: John Keane, IT Specialist, TRICARE Management Activity, Part of Military Health System
Team Members: Dr. Greg Guernsey, Mark Callan

SCQC is a project to scan the source code, executables, and related artifacts (e.g., documentation) of the applications in use by the organization, to ensure that the system under review can continue with development, demonstration, and test, and can meet the stated performance, maintainability, and usability requirements within cost (program budget), schedule (program schedule), risk, and other system constraints. SCQC encompasses the use of static code analysis, static security analysis, dynamic code analysis, dynamic security analysis, and architectural analysis, and is usually performed using automated tools.