Commercial Category
Client Security Management Office Portal (CSMO)
Executive Sponsor: Roland Cloutier, Vice President and CSO, ADP
Project Team: Phani Dasari, Sumeet Lakhwani, Michael A. Minwell, Rudy Urena, Jeffrey Kolmos, Hardik Mehta, Vishnu Pemmasani, Paul Engelbert, Trina Ford and William O'Connell
Location: Roseland, NJ
Responding to the global data security and international privacy-related concerns of ADP's 570,000+ clients operating in more than 130 countries around the world can be quite challenging. Among other things, it involves ensuring consistency and accuracy as well as reducing the lead times to resolve pre-sales security and privacy questions, issues and concerns. It also involves the creation of a centralized self-service repository of vetted responses to client questions. Development and implementation of the CSMO Portal was intended to reduce turnaround times for request for proposal (RFP) responses and client security questionnaires while delivering a centralized service model that affords a streamlined interface for requesting information, documentation and client-centered solutions. By delivering a single, common repository for product security white papers, product security questionnaire responses, and a global data security and privacy knowledgebase/wiki, ADP reduced the turnaround times for RFP responses and client security questionnaires by more than 50 percent.
Trusted Platform Security Initiative (TPSI)
Executive Sponsor: Terry Rice, AVP, Service Delivery & Risk Management, Merck & Co.
Team Members: V. Jay LaRosa, William O’Connell, Denise Hucke, Michael A. Minwell, AJ Anand, Victoria Ruiz, Shahir Shah, Dustin VanWinkle, Jim Hickstein, Rudy Urena, Jeffrey Kolmos, Saurabh Thakral and James Carter
Location: Whitehouse Station, NJ
In order to enable ADP’s worldwide business protection efforts, the Global Security Organization (GSO) sponsored the company’s largest and most significant security program, named Trusted Platform Security Infrastructure (TPSI), to create a world-class ecosystem of advanced operational capabilities, security technologies and controls. The TPSI program provides advanced detection and intelligence capabilities in all ADP operating units globally. The entire TPSI architecture utilizes holistic business intelligence technologies that are managed through a converged Enterprise Risk Platform.
Enterprise Information Safety
Executive Sponsor: Matthew Archibald, CISO
Project Team: Robin Carriere, Kannan Perumal, Hari Jayaram, Tarun Chakravarthi, Sebastian Bechtolsheim, Kerry Bryan, Natarajan Chandrasekaran, Randy Folsom, Chuck Jones, Christina Moore, Glaston Ford, Monil Naicker, Jignesh Patel, Brad Powell, Susan Spohn, Veronika Tonry, Lakshmi Vaman
Location: Santa Clara, CA
The EIS mission: to build a "culture of information safety" by transforming people, process and technology, embedding an information lifecycle management (ILM) framework in the fabric of how we do business. It safeguards customer, supplier and partner relationships and protects important and sensitive company data as well as personal and regulatory information assets. The program required global change across people (internal staff and external partners and customers), processes and technology.
Enterprise Data Loss Prevention
Executive Sponsor: Derek Houts, Sr. Manager of Information Security, Broadcom Corporation
Project Team: Geoff Aranoff, James Lee and Jonathan Lee
Location: Irvine, CA
In 2012, Broadcom’s IT security team successfully deployed data loss prevention to more than 11,000 worldwide endpoints to protect their intellectual property from data theft and misuse. By using Websense Data Security Suite technology, Broadcom safely enabled its employees to access confidential data, while increasing the IT Security team’s productivity.
Rapid Time to Value - Data Loss Prevention for CDI-Aerospace
Executive Sponsor: Steve Levenkron, CIO, CDI Corporation
Project Team: Steve Troncelliti, Tom Kuczynski, Lauren Irby, Steve Perez, Frank Aneiros, James McCarthy, Peter Ephriam and Michael Parrella
Location: Tempe, AZ
The Data Loss Prevention project was an "out of the blue" development created by CDI-Aerospace to satisfy one of its largest customers, GE Aviation, which mandated data loss prevention policies and guidelines for all of its third-party providers who handle its proprietary information. The request came as a surprise and had what was thought to be an impossible implementation deadline. This project, however, showcases the successful deployment of ground-breaking DLP managed service technology that can be defined as an industry milestone for being one of the first implementations of DLP as an on-demand, managed service, offering an innovative solution to resource-constrained organizations needing to implement a rapid time to value information protection program.
The Security IPv6 Readiness Project
Executive Sponsor: Myrna Soto, SVP, Chief Information & Infrastructure Security Officer, Comcast
Team Members: Louis Yeck, John Brzozowski, Fred Wittenberg, Eddie Galarza, Amine Brahimi
Location: Philadelphia, PA
With global IPv4 address allocations nearing depletion, Comcast embarked on implementing IPv6 on its network. This created many security challenges, especially when tools and systems lacked support for IPv6. The security team launched a project to develop, assess, and implement an IPv6 security framework that met the business’ tight timelines with the implementation of IPv6.
Hotel Security Program
Executive Sponsor: David Billeter
Project Team: David Billeter, Jonathan Card, Steve Bardsley, Chad Strange
IHG implemented Trustwave’s hotel security program for its 700 managed and 3,000+ franchised locations. Project included implementing a combination of firewalls, IPS, scanning, log monitoring, POS software agents and other supporting technology across their global infrastructure. The goal of the Hotel Security Program was to reduce breaches within the hotels and help the hotels comply with the PCI-DSS requirements.
Security Guy Roadshow
Executive Sponsor: Peter Hill
Project Team: Jamie Galioto, Sheila Austin, Jeff Johnson, Doug Everson, Ryan Massey
Security awareness at ING has traditionally been accomplished via annual mandatory compliance courses and ad-hoc emails. Despite the many layers of defense deployed at ING, we recognized that without informed employees, our risk was much greater. In an effort to improve security awareness and reach our customers in a different manner, we created an animated character named "Security Guy". Using this character, we created videos that discussed information protection topics. We also conducted ING Security Guy Road Shows at each of our major sites. At the sites, we set up convention-style in a large area, with booths manned by various security and risk professionals. The Road Shows had great attendance, received positive feedback from all employees and made a visible impact on the ING security and risk culture.
Security Operations Center
Executive Sponsor: Peter Hill
Project Team: Tim Hillyard, Brian Withrow, Dmitriy Bliznyakov, Michelle Joseph, Adam Markuson, George Toro, Joshua Gordon, Tom Limber, Kyle Fenzel, Derek McGowan
ING is putting customers’ minds at ease and living up to the expectation that companies should do more to protect personal and financial information with the opening of its security operations center in Minneapolis in late 2010 and its new security operations center in Jacksonville in late 2011. The culmination of five years of investment, the centers are staffed with employees 24 hours a day, seven days a week, 365 days a year. They rely on a robust set of tools to detect and prevent inappropriate activity and provide an integrated view of that activity across the environment. As more sophisticated threats evolve, the centers can expand their capabilities by integrating new tools into the environment or enhancing the ways in which existing tools are used. The expert team is also experienced in recognizing signs of potentially abnormal behavior. The combination of skilled resources and quality tools allows for the high-performance response the company’s customers expect, ensuring threats do not even make it through the "front door."
Business-Critical Application Control Monitoring
Executive Sponsor: Marcus Prendergast, VP & Global Head of Security, ITG
Team Members: Marcus Prendergast and James B. O'Kane
Location: New York, NY
With significant operations in “dark” trading, ITG has a critical mandate to ensure client privacy. ITG has interdependent, highly risk-sensitive applications with separate access control mechanisms, making it impossible to centrally manage application and data access. Using SIEM, an industry-leading application monitoring solution was built to enable real-time alerting and rapid remediation when access policies are violated, detect anomalous user behavior, and proactively manage access control.
JPMC Trusted Email
Executive Sponsor: Jim Routh, Managing Director – Internet & Mobile Security, JP Morgan Chase
Project Team: Mark Risoldi and Vic Talamo
Location: New York, NY
An industry-leading project to implement best practices and new standards that significantly reduce fraudulent email to customers. Its highly innovative approach resulted in the elimination of up to 600,000,000 fraudulent emails (including phishing attempts) sent to bank customers annually. These fraudulent emails look like bank emails to customers and often contain malware or phishing attacks. The result is more lift in email marketing, better brand protection and less fraud for bank customers.
Scaling Cloud Security by Converging the Data Center with a Global Public Cloud
Executive Sponsor: Bill Burns, Director, IT Security/Networks
Project Team: Stephane Rossan
Location: Los Gatos, CA
Migration of distributed security controls, including software-based application firewalls and intrusion detection, to provide basic security and compliance controls. These controls protect sensitive customer information and transactions, provide a “single pane of glass” view of the entire attack surface (data center and public cloud), and are compatible with both Puppet-based and DevOps deployment models. Furthermore, these controls are embedded into the cloud instance build process, so they are truly “baked in by default” for every new instance spawned. As new Netflix web systems automatically scale to match customer demand throughout the day, these security controls are transparently applied to follow the demand curve.
Paychex Phish Market
Executive Sponsor: Todd Colvin
Project Team: Mark Ballister and Jeff Lach
Location: Webster, NY
Confronted with increasing campaigns of fraudulent emails, the Paychex Phish Market provides employees with an automated, graphically engaging and easily navigable web interface to aid in the recognition of “phish.” Through the Paychex Phish Market, employees can readily see what their peers across the company are reporting through the “phish watch” and “fresh catch” boards. They can also review “Phish Recipes” to receive training on common phishing tactics. More importantly, they can forward a suspected phishing email, on which an automated analysis is performed and a risk score is assigned to each submission. Finally, and when in doubt, employees can rely on Phish Monger Phil for a professional assessment.
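The entry above describes an automated analysis that assigns a risk score to each forwarded email. The page does not say how Paychex scores submissions, so the following is an added illustration, not Paychex's code: a small heuristic triage scorer over a constructed phishing message and a constructed benign message. The heuristics (Reply-To/From domain mismatch, urgency language, links to raw IP addresses, and link text that shows a different host than the real target), their weights and the verdict thresholds are all assumptions made for this example.

```python
"""Heuristic phishing triage scorer (added example; the heuristics, weights,
thresholds and sample messages are constructed and are not Paychex's)."""
import email
import re
from email import policy
from urllib.parse import urlparse

URGENCY_WORDS = ("urgent", "immediately", "suspended", "verify your account",
                 "within 24 hours", "action required")

# Constructed sample: lookalike sender domain, mismatched Reply-To, and a
# link whose visible text differs from its real destination.
SAMPLE_PHISH = b"""\
From: Payroll Support <support@paychex-payroll-alerts.com>
Reply-To: recover@mail-reset-center.net
To: employee@example.com
Subject: URGENT: your payroll account will be suspended
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Action required: verify your account within 24 hours.</p>
<p><a href="http://198.51.100.23/login">https://www.paychex.com/login</a></p>
</body></html>
"""

# Constructed sample of an ordinary internal message.
SAMPLE_BENIGN = b"""\
From: HR Team <hr@example.com>
To: employee@example.com
Subject: Reminder: open enrollment starts Monday
Content-Type: text/plain; charset="utf-8"

Benefits open enrollment starts Monday. Details are on the intranet.
"""


def _domain(addr) -> str:
    """Lowercase domain part of an address header value ('' if absent)."""
    m = re.search(r"@([A-Za-z0-9.-]+)", str(addr or ""))
    return m.group(1).lower() if m else ""


def _links(html: str):
    """Yield (href, visible_text) pairs from simple <a href="..."> anchors."""
    for href, text in re.findall(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>',
                                 html, flags=re.I | re.S):
        yield href, re.sub(r"<[^>]+>", "", text).strip()


def score_message(raw: bytes) -> dict:
    """Return {'score': 0-100, 'verdict': str, 'findings': [reasons]}."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings, score = [], 0

    from_dom, reply_dom = _domain(msg["From"]), _domain(msg["Reply-To"])
    if reply_dom and reply_dom != from_dom:
        findings.append(f"Reply-To domain {reply_dom} differs from From domain {from_dom}")
        score += 25

    body = msg.get_body(preferencelist=("html", "plain"))
    html = body.get_content() if body else ""
    haystack = (str(msg["Subject"] or "") + " " + re.sub(r"<[^>]+>", " ", html)).lower()
    hits = [w for w in URGENCY_WORDS if w in haystack]
    if hits:
        findings.append("urgency language: " + ", ".join(hits))
        score += 10 * min(len(hits), 3)   # cap so wording alone cannot dominate

    for href, shown in _links(html):
        host = (urlparse(href).hostname or "").lower()
        if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):
            findings.append(f"link to raw IP address {host}")
            score += 30
        shown_host = urlparse(shown).hostname if shown.startswith("http") else None
        if shown_host and shown_host.lower() != host:
            findings.append(f"link text shows {shown_host} but points to {host}")
            score += 30

    score = min(score, 100)
    verdict = ("likely phish" if score >= 60 else
               "suspicious" if score >= 30 else "low risk")
    return {"score": score, "verdict": verdict, "findings": findings}


if __name__ == "__main__":
    for raw in (SAMPLE_PHISH, SAMPLE_BENIGN):
        print(score_message(raw))
```

A production triage pipeline would add sender authentication results, URL reputation and attachment analysis; the value of even this simple version is that every point of the score is tied to a named finding that can be shown back to the reporting employee.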
Factory Application Control/Whitelisting Project
Executive Sponsor: Curtis Coleman, CISO, Seagate Technology
Team Members: Steve Haines, plus 15 team members from 4 countries
Location: Scotts Valley, CA
The Factory Application Control/Whitelisting Project was undertaken to protect both legacy factory testing systems with embedded computers and high-risk, high-value knowledge worker systems. The project addressed the need to 1) Replace the resource-intensive antivirus system that impacted throughput capacity within the factory environment and 2) Augment the signature-based antivirus system with strong defense that would prevent malware from executing on the knowledge worker computers. Throughout the effort it was critical to maintain factory production capacity while protecting the testing systems from malware and other threats.
Corporate Security Initiative (CSI)
Executive Sponsor: Van Nguyen, Director of IT Security
Project Team: Stan Lee, Ryan Young, Cyndi Zou and Joon Park
Location: Mountain View, CA
The Synopsys Corporate Security Initiative is a multi-phase collaborative effort sponsored by the company executives to implement controls to identify, track, and monitor sensitive and confidential information. The core team was responsible for developing a corporate framework, which extends from the executive management team through the business process owners and the technical administrative team. The deliverables included a technical DLP implementation of Websense TRITON, an incident response methodology, and executive reports and dashboards.
Server and Network Access Management Project
Executive Sponsor: John Tolo, Director, System Control & Reliability
Team Members: Bill Gibbons, Stan Hollowell, Jason Radetski, Tom Dudgeon
To effectively secure access to the servers and networks that house their Energy Management Systems, Tucson Electric Power implemented an access management solution. The solution centralizes the administration, enforcement, and auditing of access policies across their Unix/Linux and Windows servers. TEP is able to automatically enforce granular, role-based authorization policies and eliminate the sharing of privileged account passwords. User activity logs are also automatically consolidated for NERC-specific documentation. The organization is not only able to achieve compliance and reduce the risk of a security breach, it is also improving operational efficiency with simplified administration and automated alarms and reports.
Government Category
DoD Cyberscope Enterprise Reporting Service
Executive Sponsor: Alice Fakir, Senior Associate, Booz Allen Hamilton
Project Team: John Hunter, Robby Carter, Melody Balcet, J.C. Wilson, Alice Fakir, Greg McCullough, Blake Stephens, Kate Schnabe, Jason Ma, Brian Maxwell, Matt Houy, Josh Anderson, Bonnie Lee, Richard Reilly, Todd Hamlin
Location: Atlanta, GA
DoD Cyberscope is a government-off-the-shelf (GOTS) capability that leverages existing DoD capabilities to facilitate reporting, aggregation and analysis of the DoD’s information systems for improved Information Assurance (IA) awareness and to maintain Federal Information Security Management Act (FISMA) compliance through automation. It is the first GOTS product that provides machine-to-machine reporting of IA data for DoD entities.
Security in the City
Executive Sponsor: Paul Hurst, Network Engineer, City of Airdrie
Project Team: Russell McKeage, Eric Goulden and Jennifer Northwood
Location: Airdrie, Canada
The City of Airdrie has worked to secure its entire organization by creating a security project that addresses perimeter, endpoint, mobile and wireless security. Using solutions from Sophos, the city is now able to manage all areas of its security through a single interface. The city was also able to create a mobile response vehicle that is fully outfitted with technology secured by Sophos. This not only helps protect the citizens of the City of Airdrie, it ensures the network is secure and operations continue to function as needed.
Data Classification and Protection
Executive Sponsor: Rafael Diaz, CISO, State of Illinois
Project Team: Patrick Beaird, Sesh Iyengar, LuAnn Derocchi, Lance Shelley, Gary Grigsby, Deb Shotts
Location: Chicago, IL
The pilot project had three fundamental goals for the Department of Central Management Services. We were expecting to identify all the hosted enterprise applications and data stores with “confidential data.” Once identified, we would ensure appropriate security configurations and controls are in place to safeguard this data. Finally, the goal was to report, track, and verify who has what type of access to the data. The resulting project actually delivered a Data Classification and Protection Policy, with a classification schema and detailed procedures for managing access, along with the roles and responsibilities defined for business owners, system owners, and security owners. Ultimately, a database for tracking systems, data, roles, and classifications was required for the vast amount of data that was gathered. In order to continue the project in other consolidated agencies, a template for the process and procedures for classifying and identifying “confidential data” was developed.
Operational Security Program Management Office
Executive Sponsor: Lauren Buschor, Assoc. CISO, IRS
Project Team: Team of 65 information security professionals
Location: Lanham, MD
Using a revolutionary modernization project called CADE 2 as a catalyst, the Operational Security PMO established a ground-breaking security program that addressed all components of information assurance for the Federal Tax Systems of the United States. The PMO developed disaster recovery plans for every critical system in CADE 2, providing information security for a modernization project that has already processed over 1.8 billion transactions and issued 83 million tax refunds.
Enterprise Cloud Security Service and Architecture
Executive Sponsor: Keith Young, Security Official at Montgomery County Maryland Government
Project Team: Sonny Discini, Richard Rogers, Robert Surenko
Location: Rockville, MD
Beginning in March 2009, the Montgomery County Enterprise Information Security Office realized that as cyber threats became more complex, so did the tools and protection needed to protect the County’s information infrastructure. Additionally, as budget pressures continued for the foreseeable future, the need to find lower-cost solutions became critical. After a review of currently offered security services, demands for new services, and changes in technologies and price structures, the Department of Technology Services Enterprise Information Security Office re-engineered its existing enterprise services to public Cloud-based offerings.
USPS Security Process Enhancement
Executive Sponsor: Mgr. Corporate Information Security
Project Team: Rickey Branning, Ken Lassiter, Bryon Page, Greg Martin, and Venkat Yendapalli
Location: Raleigh, NC
The purpose of the Data Loss Protection project is to reduce the amount of sensitive information that is sent out of the organization unprotected. The USPS Security Process Enhancement team works side by side in the day-to-day design and analysis, debugging, critical support, and strategic deployment to ensure that sensitive information, including Social Security numbers and debit/credit card information, is not exposed to those without a need to know or stored in inappropriate locations on IT resources. The team supports a network that is one of the largest in the world, serving over 400,000 employees and contractors and over 800 business and support services applications.
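Several entries on this page (Broadcom, CDI-Aerospace, Synopsys and the USPS project above) describe DLP deployments, and the USPS entry names the two data types most such programs start with: Social Security numbers and payment card numbers. None of the entries describe their detection rules, so the following is an added example, not code from any of those organizations or their vendors. It shows the content-inspection step that makes such rules usable: a regex candidate match is only reported when it also passes a structural check (SSA area/group/serial rules for SSNs, the Luhn checksum for card numbers), which is what keeps order numbers and test values from flooding the queue. The sample text is constructed for this example.

```python
"""DLP content-inspection rules for SSNs and payment card numbers
(added example; the rules and the sample text are constructed and are not
from USPS, Broadcom, CDI-Aerospace, Synopsys or any DLP vendor)."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Candidate patterns: deliberately loose, tightened by the checks below.
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")   # 13-19 digits, grouped or not

# Constructed sample text: one real-looking SSN, one Luhn-valid card number,
# two structurally invalid SSNs, and two 16-digit strings that fail Luhn.
SAMPLE = (
    "Claim form for J. Doe, SSN 536-22-1845, card 4111 1111 1111 1111. "
    "Test values 000-12-3456 and 666-01-2345 are not real SSNs; "
    "order 1234 5678 9012 3456 and card 4111-1111-1111-1112 fail Luhn."
)


@dataclass(frozen=True)
class Finding:
    kind: str     # "ssn" or "pan"
    value: str    # redacted form, safe to write to an incident log
    offset: int   # position in the scanned text


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def ssn_plausible(area: str, group: str, serial: str) -> bool:
    """Reject SSNs the SSA never issues: area 000/666/900-999, group 00, serial 0000."""
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    return group != "00" and serial != "0000"


def redact(digits: str) -> str:
    """Keep only the last four digits so findings can be logged safely."""
    return "*" * (len(digits) - 4) + digits[-4:]


def scan(text: str) -> list[Finding]:
    """Return validated SSN and card-number findings in order of appearance."""
    findings: list[Finding] = []
    for m in SSN_RE.finditer(text):
        if ssn_plausible(*m.groups()):
            findings.append(Finding("ssn", redact("".join(m.groups())), m.start()))
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if luhn_ok(digits):
            findings.append(Finding("pan", redact(digits), m.start()))
    return sorted(findings, key=lambda f: f.offset)


if __name__ == "__main__":
    for f in scan(SAMPLE):
        print(f"{f.kind} at offset {f.offset}: {f.value}")
```

Run against the constructed sample, only the plausible SSN and the Luhn-valid card number are reported; the four decoys are dropped by the structural checks rather than by the regexes. In a real deployment these rules would be applied to mail, web uploads and endpoint file operations, and the redacted findings, not the raw values, are what reach the incident queue.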
Health Care Category
eDiscovery
Executive Sponsor: Cathy Beech, CISO, Children's Hospital of Philadelphia
Project Team: Kelvin Blasse, Abigail Flitter, Clifford Karafin, Haswinder Virk, Scott McCreary, Adena Tuckman, Al Wilson and Alex Zausner
Location: Philadelphia, PA
This project included the implementation of a technology solution to support CHOP’s litigation needs with regards to eDiscovery. The technology solution was designed with reference to the industry standard Electronic Discovery Reference Model (EDRM). The project also established eDiscovery processes that comply with CHOP’s document retention policy, the Federal Rules of Evidence, and facilitated compliance with the Federal Rules of Civil Procedure and relevant case law.
Business Resiliency Planning: 2012 NATO Summit
Executive Sponsor: Raymond Biondo, Vice President and Chief Information Security Officer
Project Team: Raymond Biondo, Brenda Callaway and Reed White
Location: Chicago, IL
In past years, NATO has held summits all over the world to bring its leadership together. Many times, these summits are met with violent protests and destruction of public and private property. Chicago’s decision to host the 2012 NATO Summit this past May put HCSC’s headquarters, and the 5,000+ people who work in that building, within a short distance of the event. HCSC kicked off the Business Resiliency Planning project to develop and implement appropriate contingency plans to avoid any disruption to the business and preserve the safety of its employees.
HealthSpring Identity and Access Management Project (HS Secure and HS Access)
Executive Sponsor: Kyle Duke, CISO, HealthSpring
Project Team: Anthony Mannarino, Christopher Korman, Chris Fuller
Business Objectives: Streamline and perform timely user attestation to achieve compliance with industry and government regulations. Improve compliance accuracy, speed and scalability. Save on administrative overhead and streamline operational efficiencies.
HMS Helps US Healthcare System Operate More Efficiently with Automated Identity & Access Management and Governance
Executive Sponsor: Scott Pettigrew, Chief Security Officer, HMS
Team Members: Scott Pettigrew, George Macrelli, Mark Ma, Eric Shapp, Jeremy Miller and Joe Spearin
Location: New York, NY
Healthcare payers, including Medicaid and Medicare, HMOs and managed care organizations, access healthcare information via HMS’s online portal which must be secure to comply with industry regulations. Manual identity and access management processes meant that maintaining security and compliance was time-consuming and costly. HMS partnered with FishNet Security’s IAM Services Group to develop a phased strategic Identity & Access Management plan and integrate a platform for automated provisioning and self-service password management leveraging CA technology solutions. The company has been able to significantly reduce costs while increasing security. It has also been able to improve customer service by providing more rapid access to mission-critical systems, and simplify compliance and auditing.
Research Collaboration in the Cloud: How NCI and Partners use Interoperable Digital Identities and Signatures to Accelerate Drug Development
Executive Sponsor: Terence Rice, CISO, Merck & Co. Inc.
Team Members: Steven Friedman, Les Enterline and Mollie Shields-Uehling
Location: Fort Lee, NJ
An ongoing study involving government and industry cancer researchers indicates that using interoperable digital identities, digital signatures and cloud computing will accelerate initiation of a clinical trial while lowering its costs.
Education/Non-Profit Category
CAUSE
Executive Sponsor: Brian Kelly, Information Security Officer, Quinnipiac University
Team Members: Michael Ruotolo, Fabiano Iacusso and Jan Bevins
Location: Hamden, CT
This project was driven by Quinnipiac University’s Information Security Office to: create an environment for common access to certificate and identity management solutions; provide departments and other university units with delegated certificate management authority; and reduce certificate costs, with unlimited SSL certificates (including extended validation certificates), client (personal) certificates, and code signing certificates for one fixed annual fee.