ISE® North America Project Award Nominees 2013

Commercial Category

AES
AES Global Cybersecurity Program
Executive Sponsor: Scott Goodhart, Vice President, Global Network, and Chief Information Security Officer
Project Team: Martin Kessler and Dante Martins.
Location: Arlington, VA

In order to build and grow the AES Global Cybersecurity Program, the Office of the CISO developed and distributed a survey to members of the newly formed Global IT Security Council (made up of AES cybersecurity stakeholders worldwide). The survey was based on the harmonization of two key cybersecurity models: the Electricity Subsector Cybersecurity Capability Maturity Model (ES-C2M2) and the CSIS 20 Critical Security Controls. Results of the survey were consolidated, analyzed, and used to help AES strengthen its cybersecurity capabilities, share knowledge and best practices among its businesses, and prioritize future actions and investments to improve cybersecurity.


ARC
ISO 27001 Design, Implementation and Certification
Executive Sponsor: Leslie Bauer, Chief Risk Officer, Airlines Reporting Corporation
Project Team: Rich Licato, Chris Nowell, James Fallon and Tiana Moore.
Location: Arlington, VA

The project was the design, implementation and formal certification of an ISO 27001 Security Management Program. Starting from scratch, the Corporate Risk Organization and Information Security Department created the necessary framework of policies, standards and procedures required for a successful ISO 27001 security management program. To realize these changes and see the project succeed, we also changed our departmental culture and how security was thought of; moving from a compliance driven necessary evil to a cooperative, solution oriented team that is included from the start in decision making for nearly all product, project and process activities in the company.


Alliance Data
Embracing Shadow IT
Executive Sponsor: Thomas Large, Sr. Director/CSO, Alliance Data Systems, Inc.
Project Team: Lee Heath, Brian Mork and Houston Hopkins.
Location: Plano, TX

The Embracing Shadow IT project allowed the Information Security function within Alliance Data to identify disruptive technologies that would typically be frowned upon by the ITO and/or Information Security departments, and to find ways to support them where possible. Over the course of 12 months, we successfully identified and integrated several such solutions in a compliant and secure manner to meet the dynamic needs of the business, and received such positive feedback from the C-suite that it is now an ongoing initiative.


Allstate
Application Security Assurance Program (ASAP)
Executive Sponsor: John Bader, Senior Vice President, Allstate
Project Team: Yabing Wang, Pat Wiet, Kenny Alperstein, Leo McCavana, Orlando Lopez, Ryan Russell, Jerry Higgins and Cynthia Whitley.
Location: Northbrook, IL

The vision of the Application Security Assurance Program (ASAP) is to integrate secure practices into the Allstate software development lifecycle (SDLC). This program is not about implementing a tool to resolve a specific issue. It is about adopting a holistic approach from a People, Process, Technology and Governance perspective and making sure security is embedded into the SDLC from the start. As part of risk management, the goal of this program is to focus on application security: to reduce vulnerabilities, understand and manage the risks, and improve the Confidentiality, Integrity and Availability of Allstate’s applications.


Becton Dickinson
Data Loss Prevention (DLP)
Executive Sponsor: Rick Gonzalez, Manager, Global Information Security, BD
Project Team: John Ochman, Erik Bakken, Sr.
Location: Franklin Lakes, NJ

BD is a manufacturing company that relies on bringing innovative new products to the market ahead of the competition. The loss of a single product design to a competitor could cost BD millions of dollars in revenue. With a pipeline full of new product releases, increased shared R&D with third party developers and manufacturing rapidly expanding into growth areas ripe with IP theft, Information Security needed a solution to help identify sensitive information and protect it from leaving BD’s control. The project focus was to have a fully functional Data Loss Prevention (DLP) solution installed and running as quickly as possible. After deployment, the policies and infrastructure of the project were very successful. So successful, in fact, that within the first few weeks of going live, an insider was identified and sufficient information was passed to the FBI for them to make an arrest on the alleged theft of millions of dollars of IP.


BNY Mellon
Unstructured Data Governance Project
Executive Sponsor: Donna Nemecek, VP, Manager Technology Risk Assurance & Senior Information Risk Officer, BNY Mellon
Project Team: Susan Wade, Tijuanna Beckles and Gina Grisaffi
Location: New York, NY

BNY Mellon’s Risk and Compliance Group has developed a governance process to provide security and user-access certifications over high-risk data stored on network shared drives, which are scrutinized by regulatory agencies and by external and internal auditors.


Celanese
IT Security Transformation
Executive Sponsor: Parrish Gunnels, IT Global Information Security Manager, Celanese Corporation
Project Team: Kerrin Sleeth, Kai Cerveny, Aaron Pryor, Jeff Kok, Jesse Noriega, Don Borthwell, Mike Kennemer, Oliver Weber, Jeff Brown, Suzanne Graham, Bruce Bennett, Sven Streb, Mario Gluam and Klaus Boerner.
Location: Irving, TX

Celanese Corporation undertook an “IT Security Transformation” program beginning in 2012 to improve the overall security of its network. The program encompassed seven (7) work streams: Incident Response, Secure Access, Secure Endpoint, Secure Messaging, Web Content Filtering, Monitoring Deployment, and Organizational Alignment. The program was not only about implementing new solutions; it also introduced new work processes and an organization to support the ongoing security effort. It was successfully implemented within 12 months and required support from company executives along with the collaboration and coordination of the entire IT organization.


Citi
Workspace Virtualization and Containment for Sourcing Providers
Executive Sponsor: Dan Tigar, Managing Director Citigroup Architecture & Technology Engineering (CATE) CitiSecure Platform
Project Team: Matt Ramey, Bill Sztabnik, Brian Firlein, Vincent D’Onofrio, Sean Hunnicutt.
Location: Melville, NY

The solution uses a containment approach that satisfies the requirement to establish a controls framework securing Citi’s desktop virtualization strategy for third parties. The containment strategy ensures that least-privilege entitlement is enforced at the desktop level, including application and network access controls.


CNA
CNA’s Governance, Risk Management and Compliance Program
Executive Sponsor: Robert Allen, VP, Service Management & CISO, CNA
Location: Chicago, IL

CNA has implemented an Enterprise Risk Register that consolidates corporate risks into a single repository where decision-makers can gain visibility and model loss exposure based on pertinent characteristics. Applying a universal risk taxonomy, detailed risk analysis can be modeled to ensure rating accuracy, which allows for a standardized and balanced scale of risk comparison across the functional business areas. The resulting risk measurements are used for awareness and remediation prioritization, including action-plan assignment and tracking.

Key Risk Indicators are linked to organization risks, utilizing a metrics-driven process of dynamically monitoring the health of implicated business areas and risk categories. Controls and their effectiveness are also linked to risks, resulting in a broad sense of how the enterprise is managing its potential losses. Inherent and controlled risk ratings are captured, assisting in the understanding of the effort expended or required to maintain an acceptable risk profile. High-level risk categories are utilized to summarize risk data, providing useful information to diversified committees. Role-based management dashboards are produced to allow easy understanding of risk contributors relative to the viewer’s purview of responsibilities.


Comcast
Remote Workforce Refresh
Executive Sponsor: Myrna Soto, SVP, Chief Information & Infrastructure Security Officer, Comcast
Team Members: Charles Hudson, Jr., Glen Pirrotta, John Roskoph, Andrew Black.
Location: Philadelphia, PA

Remote Workforce Refresh (RWR) set out with a fairly straightforward objective when it was first kicked off and grew into a large number of critically important, cost-effective and security-enhancing opportunities as it progressed. The project’s primary goal was to develop a standard, elegant, highly secure and agile technical framework to support our customer-care work-from-home workforce. The existing user base exceeded 2,000 users, with an expectation of growth to as many as 8,000. There was a strong focus on increasing the velocity of user provisioning while decreasing deployment cost, technical complexity and technical touch points, along with an equally strong need for ease of use and high security. Today we have adapted this solution to support 5 critical business functions and have reduced our capital and operational costs for secure endpoints by 50% or more. Site activations are self-serve and are completed in minutes, with no requirement to stage or schedule activations or to involve hands-on technical support.


Comcast
Integrated Security Framework
Executive Sponsor: Myrna Soto, SVP, Chief Information & Infrastructure Security Officer, Comcast
Team Members: Shirley Barnes, Swapan Chattopadhyay, Laura Whitt-Winyard, Robert Irwin, Kallol Ray, Rob Nedumakel, Charles Hudson, Jr.
Location: Philadelphia, PA

The goal of the Integrated Security Framework (ISF) is to ensure the right controls exist across the enterprise, identify and eliminate control redundancy, limit control gaps, and optimize financial and operational efficiency through automation. It is designed as a cyclical effort in which controls are rationalized, mapped to policies and standards, gaps identified, risks identified and remediated, and metrics produced. The framework covers all relevant regulations and standards, including but not limited to PCI, SOX, Massachusetts state law, COBIT and ISO 27002. Mapping of Comcast controls is conducted against these standards and regulations to identify coverage and redundancy and to address gaps through policy and control implementation. Automation and dashboards implemented in Archer provide ongoing operational and financial efficiency.


Comcast
Compliance Automation
Executive Sponsor: Myrna Soto, SVP, Chief Information & Infrastructure Security Officer, Comcast
Team Members: Shirley Barnes, Swapan Chattopadhyay, Laura Whitt-Winyard, Robert Irwin, Kallol Ray, Rob Nedumakel, Charles Hudson, Jr.
Location: Philadelphia, PA

Achieving and maintaining regulatory (PCI/SOX) compliance in today’s ever-changing technology environment is an arduous task. The Comcast IIS team recognized this and implemented a solution that automates many of the checks and audit tasks using the RSA Archer application. The first phase of this project (PCI Automation) was successfully deployed on April 1, 2013. It automated over 100 recurring PCI controls, with an estimated annual saving of $100,000 and 1,000 man-hours. SOX Automation is scheduled to complete in September 2013 and will automate all 12 SOX controls across all Comcast SOX applications, greatly reducing the man-hours previously required to evidence control compliance.


Comcast
Self-Service Governance, Risk & Compliance Portal
Executive Sponsor: Myrna Soto, SVP, Chief Information & Infrastructure Security Officer, Comcast
Team Members: Charles Hudson, Jr., Kallol Ray, Laura Whitt-Winyard, Donna Chenetz, Luis Colon.
Location: Philadelphia, PA

This project developed a self-service portal so that business users can execute security processes on demand and just in time to meet their business requirements. The technology was implemented to support Comcast’s overall “Agile” and “Lean” methodologies, significantly reduce response time, and provide actionable data to the business in real time. These deployments have enabled us to “demystify” security processes and empower business users by giving them direct access to our security processes and technologies.


eBay
Predictive Security Intelligence, via Centralized Vulnerability Management
Executive Sponsor: Lance Harris, Sr. Information Security Manager, eBay, Inc.
Location: San Jose, CA

The main goal of the project was to improve eBay’s vulnerability management process and increase efficiency by managing and triaging the massive number of vulnerabilities in its environment. This was accomplished by implementing CORE Insight. It is now possible for the team to prioritize threats and focus its limited resources on the issues that will have the greatest impact on the business.


Fidelity
Customer Protection Program (CPP)
Executive Sponsor: Timothy McKnight, Executive Vice President & Chief Technology Risk Officer, Fidelity Investments
Team Members: Gregory Kanevski, Vice President, Customer Protection Program (on behalf of the leadership team)
Location: Boston, MA

The initial objective of the program was to assess the existing security, privacy and customer protection technology deployments for effectiveness and longevity taking into account the firm’s existing protections, market & regulatory trends, and emerging technologies that could significantly enhance the customer experience. Ultimately, the goal was to collect, synthesize and clarify this information into a prospective roadmap outlining a vision and three-to-five year strategy for the firm.


Khosla Ventures
Khosla Ventures Hacking Exposure
Executive Sponsor: David Baca, Vice President – IT, Khosla Ventures
Project Team: Billy Rios, Aaron Bryson, Terry McCorkle, Derek Soeder and Eric Cornelius
Location: Menlo Park, CA

Even relatively secure organizations are highly exposed to hackers. Khosla Ventures agreed to permit a complete Presponse Security Health Check of its organization and to publish the results publicly, to demonstrate how vulnerable companies are to social, cyber and physical threats today. For a $2.5 billion organization with high-value intellectual property, security is paramount to its survival and success. Cylance, Inc. performed the security assessment and found that, even with better-than-average security infrastructure, the door to the organization was wide open – literally.


Johnson & Johnson
Enterprise Vulnerability Management and Web Application Vulnerability Scanning
Executive Sponsor: Casey Marquette, Director, Global Command Center, Johnson & Johnson
Team Members: Sheryl Austin, Kevin Cole, Trish DiGiacomo, Daneian Easy, Lou Kaltz, Matthew Simkovic, Michael Wagner.
Location: Raritan, NJ

To protect Johnson & Johnson’s intellectual property and maintain its brand reputation, the Global Security Operations and Worldwide Information Security teams implemented the corporation’s largest and most significant security project, named Enterprise Vulnerability Management and Web Application Vulnerability Scanning (EVMWAVS). The goal of the project was to create a world-class ecosystem of advanced operational capabilities, security technologies and procedures that provides advanced detection and intelligence capabilities across all 275 of the corporation’s subsidiary companies globally.


Miami Marlins
Securing Marlins Park with Network Access Control
Executive Sponsor: David Enriquez, Sr. Director, Information Technology, Miami Marlins
Team Members: Ozzy Macias
Location: Miami, FL

When the Miami Marlins broke ground on their new state-of-the-art, 37,400-seat stadium, David Enriquez, senior director of information technology, and his team set out to create the most technologically advanced ballpark in the country. To achieve this, the IT team needed full visibility and control over what and who was connecting to the ballpark’s network. By partnering with Bradford Networks, Enriquez and his team gained 100 percent visibility and control over all of the ports at Marlins Park and can automatically provide fast, easy and appropriate levels of access to thousands of approved devices through its Network Access Control solution.


Scotiabank
QRadar SIEM Implementation for Threat Intelligence and Security Monitoring
Executive Sponsor: Ray Archer, SVP & CISO, Scotiabank
Project Team: Rob Knoblauch, Adam Evans, Alain-Desire Kamenyero, Vicky Laurens, David Tozer, Egor Burnashev, Ify Ajokubi and Kelvin Lomboy
Location: Scarborough, ON

QRadar SIEM was deployed at Scotiabank to collect, correlate and index data from thousands of sources around the globe. Data is ingested into the SIEM platform, which gives security analysts a correlated and contextualized view of the Scotiabank network and lets them detect anomalies in near real time. The SIEM solution has moved Scotiabank closer to an “Intelligence Based Security” model, giving analysts the ability to respond more quickly to emerging threats while reducing the impact on users and customers by leveraging internal and external intelligence sources during threat remediation. This implementation has allowed Scotiabank to react to new threats more quickly, armed with deeper intelligence.


Standard Register
Security Program Evolution
Executive Sponsor: Joanne Cummins, CIO, Standard Register
Project Team: Philip Woods, David Pappas, Marta Sullivan, Steve Braswell, Robin Housley, Aaron McCray, Kevin Mundhenk, Mike McGill, Cory Trese, Raj Nair, Tim McDonald, Terrance Merriman and Andy Blosser. We had help from Deloitte, Battelle & Battelle, HP, Verizon, Forsythe and an anonymous customer.
Location: Dayton, Ohio

Have you ever been in a situation where sales promised something that didn’t exist? Every IT organization has faced that challenge! In Standard Register’s case, we were simply asked to create an isolated, FISMA-compliant authorization boundary conforming to NIST guidance. Did I mention that we had never done that before? And how many times do you get to say that Security made the sale? Leveraging our mature security program and collaborating with our customer and partners, we designed, delivered and externally attested the solution in nine months, enabling our customer to gain the required scale, flexibility and cost savings – securely.


Symcor
PCI DSS Implementation Program
Executive Sponsor: Della Shea, Chief Privacy and Information Risk Officer, Symcor
Project Team: Della Shea, John Wall, Haresh Desai, Hugh Murray, Paul Gregoire and Chris Ward.
Location: Toronto, ON

Symcor established a cost-effective PCI DSS compliance program by implementing multiple large-scale projects simultaneously. The ultimate challenge was to deliver a 5-year work plan within 18 to 24 months. Several process enhancements and technology implementations were introduced, including encryption, file integrity monitoring, and security information and event management. An innovative governance framework was also introduced to support compliance. Based on the premise of ‘re-use, repurpose and collaborate’, Symcor achieved PCI DSS compliant status on time and under budget by nearly $1 million. This approach made every aspect of the program simple and repeatable, and it is now being expanded across the enterprise.


TravelClick
Network Segmentation and InfoSec Vault Project
Executive Sponsor: Mark Gelhardt, CISO, TravelClick
Project Team: Adam Hall, David Marshal, Scott Adams, Noel Agilar, Derek Felska, Eric Tian, Paolo Adajar and Talal Ahmed
Location: Atlanta, GA

TravelClick completely reconfigured its network topology to incorporate a new Information Security Vault. The project examined the configuration of the TravelClick network and how to change it to be ready for future global risks, and specifically how to protect the valuable data that TravelClick maintains (e.g., intellectual property, credit card data). A separate network segment (the Information Security Vault) was set up with increased security, including encryption and tokenization of specific data held within the vault. All of this was done without any disruption to our clients or our business.


Twitter
Twitter Domain Authentication Service
Executive Sponsor: Josh Aberant, Postmaster, Twitter
Location: San Francisco, CA

The Twitter Domain Authentication Service was deployed to prevent malicious, unauthorized use of Twitter domains and brands in email communications across the Internet. Prior to deployment of the service, Twitter customers had no way of knowing whether an email purporting to be from Twitter was actually from Twitter or from a criminal impersonating a Twitter server. Since the rollout of the project, Twitter users have been able to trust that emails claiming to be from Twitter.com and other Twitter domains really are from Twitter, and the level of email phishing attacks against Twitter has dropped by over 95%. This represents over 110 million malicious emails per day being blocked from reaching Twitter users.


UBS
Software Security Program
Executive Sponsor: Ajoy Kumar, Executive Director & Head of Application Security, UBS
Project Team: Ajoy Kumar, Scott Madison, Madhu Cheriyadath, Victor Fieldhouse, and Yashesh Shah.
Location: Weehawken, NJ

The software security program addresses, in a holistic manner, information security for both internally and externally developed code, and embeds security into the procurement process for third-party software products. The program is composed of four tiers: governance, policy/process, automation/education, and metrics.


Union Bank
Union Bank’s Implementation of Good for Enterprise
Executive Sponsor: Dana Edwards, Executive Vice President, Chief Technology Officer, Information Technology, Union Bank
Project Team: Mary George, Dana Edwards
Location: San Francisco, CA

As the number of Union Bank employees using iOS, Android and other devices increased, so did the challenge of providing secure access to email and business applications on non-RIM devices. After searching for a solution that supported the devices employees were demanding, Union Bank’s IT department selected Good for Enterprise and deployed it to over 3,800 employees. To increase mobile collaboration, the bank also adopted Good Dynamics; used with Good for Enterprise, Good Dynamics lets users access, edit and distribute email attachments and files securely, creating an end-to-end mobile workflow.


USAA
Secure Logon for usaa.com
Executive Sponsor: Gary McAlum, SVP Chief Security Officer, USAA & Jack Key, VP Chief Privacy Officer, USAA
Project Team: Tom Clark, Debra Casillas, Ben Van Ruitenbeek, Diana Teneyuca, Ed Woodly, Tammy Sanclemente, Maria Gummerson, Dustin Patterson, Bill Lewis, Mitchell Mebane, Alice Fluker, Sally Ammerman, Luther Johnson and Rene Hernandez.
Location: San Antonio, Texas

The Secure Logon project provides a secure, simplified “Pin and In” login experience for desktop users accessing usaa.com. The solution combines Trusteer’s Rapport secure-browsing software with Verisign’s soft-token solution and a stronger device fingerprint for added security. Secure Logon allows multiple users to register on a single device and allows members to register multiple devices. The Secure Logon design ensures that a member’s account is protected by a multi-factor solution whether or not the device in use is configured for Secure Logon.


YP (Yellow Pages)
Web Application Security Automation
Executive Sponsor: Joe Bennett, Chief Information Security Officer, YP
Team Members: Joe Bennett, Steven Singer and James Zimmerman
Location: Glendale, CA



Health Care Category

Blue Cross Blue Shield of Michigan
BCBSM Information Security Operation Center
Executive Sponsor: Tonya Byers, Director; Gary Harvey, VP Information Technology
Project Team: Angela Williams, Sanjeev Vohra, Ron Farhat, Michael Moore and Shirley Meeks
Location: Detroit, Michigan

Blue Cross Blue Shield of Michigan (BCBSM) was one of the first BCBS plans to implement a Security Operations Center, or SOC (pronounced “sock”). The SOC hosts a collection of IT security tools that provide centralized monitoring and detection of threats, vulnerabilities and security events that could adversely affect BCBSM’s information assets, technical infrastructure and, most importantly, our data. The SOC is focused on monitoring our computers, servers, firewalls and networks. It was created as part of ongoing efforts by our Information Security team to help us proactively recognize threats and vulnerabilities. The center allows us to better minimize risk, downtime and data loss by providing timely monitoring to security teams, supporting audit and compliance efforts, and assisting with incident response and forensics. By leveraging the tools within the SOC, we are better positioned in our fight against malicious attacks from outside our organization.


Merck
EngageZone
Executive Sponsor: Terry Rice, AVP, Service Delivery & Risk Management, Merck & Co.
Team Members: (Merck) Phyllis Post, Andy Porter, Jason Victor, Keith Respass, Andrea Kirby, Terry Bauman, Steve Borst, Vish Gadgil, JoAnn Weitzman, Cathy Carfagno, Maria Pascual, Brian Swartley and John Litvinchuck. (Exostar) Tom Johnson, Dan McConnell, Vijay Takanti, Raju Nadakuduty, Paul Rabinovich, Rob Sherwood and Lisa Sullivan
Location: Whitehouse Station, NJ

Merck partnered with Exostar to redefine business-to-business engagements by creating a life-sciences identity broker in the cloud. This secure, cloud-based hub is where teams from multiple companies can access any number of technology services through a multi-tenant identity broker that protects sensitive data and intellectual property from unauthorized access. The results included a shorter time to stand up business-to-business collaborations, lower administrative cost, and elimination of the need to replicate redundant technology infrastructure. In addition, the model improves the security and risk profile of these teams by moving away from point-to-point engagements to a highly scalable service model that can be monitored and protected against outside threats.


PharMerica
EPCS for Electronic Prescription Pharmacy Compliance
Executive Sponsor: Jeffrey Pettingill, Enterprise IT Risk & Compliance, PharMerica Corporation
Project Team: Michael LaMondra, Michael Krok, Muhammad Amjad, John Davis, Daniel Teklu, Sherry Walts, Christopher Aloi, team at McGladrey LLP, Joseph Benfatti and Aris Baghoumian.
Location: Louisville, KY

The goal of this project was to obtain Electronic Prescribing of Controlled Substances (EPCS) certification so that controlled substances can be dispensed electronically for our patients in long-term care facilities. Compared with paper or fax prescriptions, e-prescribing improves medication safety, management of medication costs, prescribing accuracy and practice efficiency, while improving health care quality and reducing health care costs through fewer adverse drug events and increased prescribing of generic medications. Making prescription filling easier for patients will improve patient compliance with their medications. E-prescribing will help decrease the number of unfilled prescriptions by removing one step from the traditional prescription-filling process, and it also builds a more complete medication history for our US pharmacies that a patient may use.


Sutter Health
Sutter Health Endpoint Encryption Project
Executive Sponsor: Jeff Trudeau, Information Security Officer, Sutter Health
Project Team: Jeff Trudeau, Kant Deemark, Jason Elrod and Mark Bristow

The project deployed an encryption solution to all endpoint devices, including laptops, desktops and tablets, to protect against the loss of confidential information in the event of a lost or stolen device. Phase II of the project also enabled encryption on the USB ports of these devices: any data copied off a device onto a USB or external media drive must be encrypted. The result is a FIPS 140-2 certified, centrally managed encryption solution that prevents reportable breaches of PHI and other regulated data.


Academic/Public Sector Category

Internal Revenue Service
Vulnerability Remediation Implementation Process (VRIP)
Executive Sponsor: Mary R. Hernandez, Director, Enterprise Operations, Security Operations and Standards Division, IRS
Team Members: Pamela D. Lloyd, Julio Ricard, Pamela Anderson, Cayce Pappas and Mike T. Hogbin
Location: Lanham, MD

The VRIP process reports, assigns and manages the remediation of operational vulnerabilities detected by system scanning tools, and can be used to remediate other weaknesses as well. It is a collaborative effort between the Cyber Security, Enterprise Operations and Application Development organizations of the IRS. VRIP provides an enterprise-wide, vulnerability-centric approach to remediation while minimizing duplicated effort and standardizing the remediation of security weaknesses. The process has also established a library of remediation guidance for future reference, eliminating the need to research industry standards and best practices again for each recurrence.


eCollege
Securing Application Layer
Executive Sponsor: Aaron Weaver
Location: Centennial, CO

Given eCollege’s always-on SaaS platform and the critical importance of securing customer data, eCollege invested in building a programmatic and comprehensive approach to application-layer security. eCollege has taken a defense-in-depth approach to the application layer, focusing on a Web Application Firewall, dynamic scanning technologies, vulnerability assessments and manual penetration testing. Additionally, eCollege is integrating and automating application security early in the Software Development Lifecycle to find and remediate security vulnerabilities early in the development process. Combined with security awareness and secure coding sessions, this program has improved the security posture of the organization.


Kennesaw State University
KSU Identity and Access Management Initiative
Executive Sponsor: Lectra Lawhorne, Executive Director of Information Technology Services, Kennesaw State University
Project Team: McCree Lake and Stephen Gay
Location: Kennesaw, GA

The project implemented IBM Security Identity Manager and other systems to create and manage a centralized repository of key data elements about every person in the organization, merged from multiple sources, which in turn fully automates the creation and management of accounts and services on multiple systems across the enterprise. It substantially automated existing business processes that were previously not easily enforceable, through defined, business-driven workflows. Additionally, the system creates a single sign-on environment across the entire enterprise by synchronizing passwords and user accounts across all systems and enforcing password standards for regulatory compliance.


University of Massachusetts
University Cyber-security Initiative
Executive Sponsor: Larry Wilson, CISO, University of Massachusetts
Project Team: Todd Glover, Chris Misra, Larry Wilson, Gene Kingsley, Andrew Darling, Brian Sullivan, Jim Packard, Anthony Kolodziej, Jake Cunningham, Wil Khouri and Dan Jones.
Location: Shrewsbury, MA

The University of Massachusetts Cyber-security Initiative involves planning, designing, implementing and managing a University-wide, technology-based program built on the SANS 20 Critical Security Controls (CSC). The main deliverables include IT asset management, software asset management, system and network configuration, malware defenses, vulnerability management, log management, security administration, data loss prevention, and more. The primary goal is to establish technology, implementation and security-monitoring standards that are implemented and managed across all five campuses (Amherst, Boston, Dartmouth, Lowell and the Worcester Medical School), UMASS On-line and the President’s Office. Successful implementation of this program will reduce the University’s exposure to, and the impact of, cyber-security threats.