ISE® North America Project Award Nominees 2015

Commercial Category

Aaron's
Aaron's Secure Software Development Lifecycle
Executive Sponsor: Chris Bullock, Director of Information Assurance, Aaron's
Project Team: Bhavin Patel, James Moore, Meghan Flynn and Sarah Countryman.
Location: Kennesaw, GA

Aaron's Secure Software Development Lifecycle is a fusion of advanced application security technologies with the company's agile software development methodology. By scanning application code for vulnerabilities as it is being written, the project lets Aaron's developers resolve identified issues as part of their normal workflow, which not only improves application quality and security but also accelerates time-to-market and substantially reduces costs. Aaron's also made corporate-wide engagement a key part of the project by sharing application security testing results with everyone from senior management to store owners, not just developers, to promote collaboration and position security as a key enabler of business success.


AT&T
Project Astra
Executive Sponsor: Ed Amoroso, Chief Security Officer, AT&T
Project Team: Dan Solero, Michelle Barry, Rodney Dilts and Anthony Ramos.
Location: Bedminster, NJ

AT&T’s Astra project is an innovative, cloud-based platform to protect all internal applications within the AT&T cloud environment. The Astra ecosystem and framework enables virtual security services to be delivered effortlessly via APIs and automated intelligent provisioning, creating micro-perimeters around specific applications based on application specific requirements. Using an Agile software development approach, the project integrated internally developed software with both open source and vendor solutions to create an extensible architecture, providing protection to AT&T’s enterprise network.


Caesars Entertainment
Tokenization of the Entire Caesars PCI Environment
Executive Sponsor: Steve McNamara, VP of IT Security, Caesars Entertainment
Team Members: Bobby Wilkins, Vaishali Caldwell, CJ Foster, Mukti Bhakta, Judi Evans, Sue Traynor, Brian Bunney, Alan Kennemar, Aaron Otte, Eric Williams, Swithin George, Komala Mekapati, Mike Rogers, Tyler Adams, Rebecca Davis, Marilyn Ellis-Visser, Raju Bade, Revathi Kannan, Elton Cassels, Manuj Bhatia, Greg O'Keefe, Jeanine Glass, Shaun Burnett, Galen Duff, Luette Loop, Haamid Shaik, Minh Tran, Chad Becker and John Plough
Location: Las Vegas, NV

This project successfully eliminated all credit card (CC) data from the affected systems by deploying point-to-point encryption (P2PE) and tokenization. With these two controls in place, the affected systems no longer see, process, or store CC data, so a compromise of those systems no longer exposes cardholder data. P2PE encrypts the card number at the swipe, removing the risk of memory-scraping malware on the point of sale, and tokenization replaces the actual CC data with a token: a randomized 16-character alphanumeric stand-in that carries no recoverable relationship to the card number.
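The two properties the entry relies on, that the token is random rather than derived from the card number and that only one tightly controlled component can ever map it back, are easy to state and easy to get wrong in practice. The following is an added illustration, not Caesars' code or a description of their implementation: a minimal token vault, a stand-in for the P2PE terminal-to-vault path, and a downstream store system that only ever holds the token and the last four digits. The transport encryption of P2PE is assumed rather than modelled (the `p2pe_swipe` function hands the card number directly to the vault), all component names are hypothetical, and the card numbers used are constructed Luhn-valid test values, not real accounts.

```python
# Added example (not Caesars' code): random tokenization with a single vault
# in PCI scope, so downstream systems hold nothing a memory scraper can use.
import secrets
import string
from typing import Dict, List

# 36 symbols, 16 positions: roughly 82 bits of entropy per token, so tokens
# cannot be guessed, and because they are random (not a hash or cipher of the
# PAN) they cannot be reversed without the vault's mapping table.
TOKEN_ALPHABET = string.ascii_uppercase + string.digits
TOKEN_LENGTH = 16


def luhn_valid(pan: str) -> bool:
    """Reject malformed card numbers before they enter the vault."""
    if not pan.isdigit() or not 13 <= len(pan) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


class TokenVault:
    """The only place a PAN is stored; this component stays inside PCI scope."""

    def __init__(self) -> None:
        self._pan_by_token: Dict[str, str] = {}
        self._token_by_pan: Dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        if not luhn_valid(pan):
            raise ValueError("not a valid card number")
        existing = self._token_by_pan.get(pan)
        if existing:                        # same card always yields the same token
            return existing
        while True:                         # draw until the token is unused
            token = "".join(secrets.choice(TOKEN_ALPHABET) for _ in range(TOKEN_LENGTH))
            if token not in self._pan_by_token:
                break
        self._pan_by_token[token] = pan
        self._token_by_pan[pan] = token
        return token

    def detokenize(self, token: str, caller: str) -> str:
        """Only the payment gateway may recover the PAN; every other system
        works with the token alone. (Hypothetical caller name.)"""
        if caller != "payment-gateway":
            raise PermissionError(f"{caller} is not allowed to detokenize")
        return self._pan_by_token[token]


def p2pe_swipe(pan: str, vault: TokenVault) -> Dict[str, str]:
    """Stand-in for the P2PE path: card data goes from the terminal to the
    vault (encrypted in transit in a real deployment) and only the token and
    the last four digits come back to the store system."""
    token = vault.tokenize(pan)
    return {"token": token, "last4": pan[-4:]}


class StoreSystem:
    """Downstream system (reservations, loyalty, reporting). It never sees a PAN."""

    def __init__(self) -> None:
        self.transactions: List[Dict[str, str]] = []

    def record(self, swipe_result: Dict[str, str], amount: str) -> None:
        self.transactions.append({**swipe_result, "amount": amount})

    def holds_pan(self) -> bool:
        """What a memory scraper or database dump would find: any stored
        field that is a Luhn-valid 13-19 digit string."""
        return any(luhn_valid(value)
                   for txn in self.transactions for value in txn.values())


if __name__ == "__main__":
    vault, store = TokenVault(), StoreSystem()
    result = p2pe_swipe("4111111111111111", vault)      # constructed test PAN
    store.record(result, "250.00")
    print("stored:", store.transactions[0])
    print("store holds a PAN:", store.holds_pan())       # False
    print("gateway sees:", vault.detokenize(result["token"], "payment-gateway"))
```

The design choice worth noting is the `detokenize` gate: tokenization only shrinks PCI scope if the set of callers that can reverse a token is small, authenticated and audited; otherwise the vault simply becomes the new place to attack. Deterministic same-card-same-token behaviour is kept here because loyalty and fraud systems need to match repeat cards, but it means the vault's mapping table, not the token format, is what must be protected.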

Comcast
Comcast 360° Vendor Risk Assurance Program
Executive Sponsor: Myrna Soto, Global CISO, Comcast
Project Team: Myrna Soto, Ramesh Sepehrrad, Charles R. Hudson, Robert Irwin, Kallol Ray and Joseph Gallagher.
Location: Philadelphia, PA

Comcast 360° Vendor Risk Assurance Program, powered by the Bay Dynamics Risk Fabric platform, is a scalable program that provides a single pane of glass for vendor risk management to Information and Infrastructure Security (IIS), national Governance, Risk and Compliance (GRC) leadership and SOC teams. The program provides a holistic defense against targeted attacks that use a vendor as the entry vector. With this assurance program in place, Comcast has increased its visibility and control across its vendor ecosystem, improved organizational efficiency and responsiveness, and measurably reduced vendor-related risk by engaging vendors with timely and actionable information.

Comcast
PCI3.0 Automation
Executive Sponsor: Myrna Soto, Global CISO, Comcast
Project Team: Myrna Soto, Ramesh Sepehrrad, Charles Hudson, Kallol Ray, Joseph Gallagher and Laura Whitt-Winyard.
Location: Philadelphia, PA

Facing a material increase in the scope, requirements, and complexity of maintaining compliance under the new PCI DSS 3.0 standard, Comcast gave its PCI stakeholders the ability to adapt rapidly to the changing requirements. Through Risk Fabric's web application front-end portal, PCI stakeholders can update their PCI inventory, respond to control compliance findings for their in-scope systems, and view near-real-time dashboards relevant to PCI security control activities. This continuous compliance model untangles the web of security results relevant to PCI DSS 3.0 and puts them in the hands of those who can act immediately, replacing the wait-until-audit mentality.

Comcast
The SIEM Project
Executive Sponsor: John Kelly, VP, Information Security, Comcast Cable
Project Team: Jorge Nieves, James Hoelsworth, Roger Colins, Paul Husarick, Steve Danner.
Location: Philadelphia, PA

The intent of this project was to improve the existing Security Information and Event Management (SIEM) system. The new SIEM had to scale to keep pace with company growth while remaining flexible enough to address the unique requirements of each business unit. It had to ingest logs from a variety of vendors and solutions quickly while providing seamless failover with no data loss. We wanted to virtualize the environment by building a SIEM cloud, or SaaS-like, environment.

Energy Future Holdings
Identity Access Management and Privileged Account Management
Executive Sponsor: Kevin Chase, Chief Information Officer
Project Team: Loren Woeber, Brent Bailey , Listyanna Dowell and Tammy Coker
Location: Dallas, TX

Energy Future Holdings needed to enable seamless business access to applications and data while still adhering to compliance and regulatory controls. In addition, the lack of an automated enterprise-wide approach had led to an inconsistent user experience, inefficient operations and challenges in managing security, risk and compliance. In less than a year, Energy Future Holdings implemented CA Advanced Authentication, CA Single Sign-On, CA Identity Manager, CA Identity Governance, and CA Privileged Identity Manager. Successful execution of this IAM initiative is a significant plank of EFH's overall IT strategy, and has resulted in the following accomplishments:

  • Replaced the current IAM processes tied to the mainframe/RACF environment in support of EFH's migration strategy from a mainframe environment to a distributed systems environment.
  • Introduced an identity and access management platform that permits users to securely authenticate once to EFH, and then reliably and robustly access multiple enterprise (business) applications.
  • Replaced complex manual processes with:
    • Automated provisioning (e.g. hires, transfers, terminations)
    • Self-service (e.g. password management)
    • Simplified access management system to enhance user experience, support continued expansion, and improve information security policy enforcement and process efficiency
    • Automated access governance (e.g. recertification, segregation of duty controls)

GE
Project SAND
Project Team: Patrick Sullivan, Harish Pahuja, John Moore, Gabor Koltai, Aaron Hoy, Branko Bibic, Robert Blake, Miriam Pastrana, Mike Stephens, Tim Long, Bob Wysocki and Patrick Graves
Location: Houston, TX

GE Oil & Gas is positioning itself today to counter the information security threats of tomorrow. Project SAND is a global information security program designed to increase GE Oil & Gas' ability to embrace new technology and the new mobile workforce. SAND comprises three key objectives:

  1. Secure third party connections
  2. Harden internet facing application infrastructure
  3. Simplify the complex Active Directory landscape

By hardening and simplifying the core IT infrastructure, SAND has enabled the secure integration of $3B+ of acquisitions into GE Oil & Gas. In addition, SAND has provided an improved platform for secure collaboration between employees, suppliers, and customers.

Jabil
Jabil Security-as-a-Service Initiative
Executive Sponsor: John Graham, CISO, Jabil
Project Team: Erik Collasius, John Graham, Mike Theriault, Walther Ardon, Greg Fisher, Troy Riley and Gabriella Nelms.
Location: St. Petersburg, FL

Jabil's global customer base is highly competitive regarding intellectual property, cutting-edge innovation, and the secrecy surrounding new product launches. Losing this data would result in millions of dollars in contract fines, as well as major loss of existing and future business. To minimize customer and Jabil risk, Jabil created and adopted a portfolio of security-as-a-service solutions to better protect the company's critical information. The initiative spanned three areas: application access, data loss prevention and external threats. It enables Jabil to close security gaps, accelerate time to value, and leverage its security technology and practices as a market differentiator and competitive advantage.


J.J. Keller
Application Development Standardization Project
Executive Sponsor: Mark Holub, Sr. Data Security Manager, J.J. Keller & Associates, Inc.
Project Team: Mark Holub, Mike Kuphal, Jason Radocay, Jason Poquette, Ryan Boynton and Kim Winter.
Location: Neenah, WI

J. J. Keller embarked on an application development standardization project aimed at unifying processes into a corporate development policy that integrates secure coding, in accordance with industry standards such as PCI DSS and ISO 27001. The project brought together people, process and technology to form a unified approach covering a complex application environment.



Live Nation
Global PCI Standardization Project
Executive Sponsor: Jonathan Chow, Chief Security Officer & Senior Vice President
Team Members: Julie Yoo, Sal Hernandez, Clement Chen, Wahid Iqbal, Anthony Fabia and Michael Carrera
Location: Hollywood, CA

In a climate where risks around credit card data breaches are higher than ever, the Live Nation Security & Compliance Team was challenged with securing and maintaining PCI compliance for hundreds of millions of credit card transactions, and tens of thousands of assets in a vastly decentralized organization with multiple divisions operating around the globe. Having launched a successful program in North America that could be repeated year-over-year, the Live Nation team started an initiative to create a sustainable program framework, methodology, and processes to introduce to the company’s International markets for consistent application of policies, controls, and tools.

Stage Stores
Multi-layered Cybersecurity Initiative
Executive Sponsor: Steven Hunter, Chief Information Officer
Project Team: Kevin Richardson
Location: Houston, TX

In 2014, several large retailers were victims of massive network breaches, resulting in credit card exposures for millions of customers. Stage Stores took a proactive approach to ensuring it would not be the next victim. The company’s IT leadership devised a strategy to upgrade and fortify Stage Stores’ network and payment card infrastructure. The multi-pronged strategy included:

  • Implementing Point-to-Point Encryption (P2PE) to prevent payment card data exposures at the POS
  • Upgrading malware and virus defenses
  • Strengthening network defenses
  • Ethical hacking exercise to identify potential weaknesses
  • Employee education on social engineering

Tractor Supply Company
Operationalize a 24/7 Security Operations Center (“SOC”)
Executive Sponsor: Michael Mangold, Director, Information Security, Tractor Supply Company
Project Team: Michael Mangold, Don Marsee, Jason Beaty, Keith Drone, Jason Pointer, Raymond Beaudoin and Gabriel Kraft.
Location: Brentwood, TN

Tractor Supply built and operationalized a formalized 24/7 Security Operations Center. This included pulling log sources from over 8000 devices, correlating events, establishing run books, creating automated remediation steps, establishing a team and a visual presentation of metrics for our executive team.


Tractor Supply Company
TSC Access
Executive Sponsor: Michael Mangold, Director of Information Security, Tractor Supply Company
Project Team: Michael Mangold, Anthony Mannarino, Christine Jones, Marc Cover and Chris Threet.
Location: Nashville, TN

The purpose of this initiative is to automate all phases of Identity and Access Management (auditing, provisioning, privileged account management and Single Sign-On) at Tractor Supply Company. These phases include fully dynamic access governance, automated user provisioning and de-provisioning, password management, and Role-Based Access Control.


TXU
Security Automation Program
Executive Sponsor: Aaron (Ravi) Malick
Project Team: Terry Coots, Rodney Brown, Sabrina Dyer, Rachel Higgs and Kiran Ketha.
Location: Irving, TX

The goal of the Security Automation Program was to increase the security of our applications by reducing manual process execution and providing advanced monitoring. The program ensured accurate manual control execution through increased review and also implemented tools and reports to detect security or control events in advance of an audit. It fully automated manual processes within areas that affect SOX controls to ensure long term accuracy of controls reporting. The Security Automation Program helped minimize manual work, improve visibility into system settings and sensitive access opportunities, and ensure that teams only have access to the information they need.


YP
Project Xenos
Executive Sponsor: Joe Bennett, CISO, Director of Enterprise IT & Information Security, YP
Project Team: Joe Bennett, Roosevelt Reynolds, Steve Singer, Phil Santos, James Zimmerman and Darrel Butler.
Location: Tucker, GA

IT and Security budgets and headcounts are constantly under attack. With Security resources running lean, implementation and maintenance of programs is a constant battle of resources and finances. Project Xenos was created to address the issue of how to implement and maintain programs (Data Loss Prevention, Managed Security Services, and the like) to address risks posed to the company in a sufficient manner.


Academic/Public Sector Category

Columbia
IT Risk Management Security & Privacy Program
Executive Sponsor: Medha Bhalodkar, CISO and AVP, Columbia University/Information Technology
Project Team: Chuck Eigen, Joel Rosenblatt, Larry Lee, Chris Dowden, Bhargava Gorty, Demian Vanderputten, Spencer Malmad, Martin Wren and Dan Ellentuck.
Location: New York, NY

Over the last 12 months, rather than doing security projects or initiatives in a reactive manner, or reporting risks in “silos”, our CISO proposed that we implement a comprehensive program for Security and Risk Management that outlines a multi-layered approach to Security at the University. Our program includes major areas such as strategy, policies and standards, governance and operating model, management processes, management reporting, communication, training, and awareness. Using this program as our framework, the program team assessed the current status of controls/maturity on all categories, as well as the tools required, and then identified/planned and implemented multi-year Security and Risk Management initiatives, which were communicated across all stakeholders, and obtained CISO Executive sponsorship and alignment. These projects were all monitored and reported to senior management over the identified period.

DHS
Linking the Oil and Gas Industry to Improve Cyber Security (LOGIIC)
Executive Sponsor: Greg Wigton, LOGIIC Program Manager, DHS Science & Technology Directorate, Cyber Security Division
Project Team: The LOGIIC member organizations are U.S. Department of Homeland Security (DHS), Science and Technology Directorate (S&T) Cyber Security Division (CSD), BP, ExxonMobil, Chevron, Shell, and Total. The Automation Federation (AF) serves as the LOGIIC host organization. DHS S&T CSD has contracted with the nonprofit research center SRI International to provide scientific and technical guidance for LOGIIC.
Location: Washington, D.C.

The Linking the Oil and Gas Industry to Improve Cybersecurity (LOGIIC) program is an ongoing collaboration of oil and natural gas companies and the Department of Homeland Security (DHS) Science and Technology Directorate (S&T). LOGIIC was formed in 2004 to facilitate cooperative research, development, testing and evaluation procedures to improve cybersecurity in petroleum industry digital control systems. The program undertakes collaborative R&D projects to improve the level of cybersecurity in critical systems of interest to the oil and natural gas sector. The program objective is to promote the interests of the sector while maintaining impartiality, the independence of the participants and vendor neutrality. After a successful first project, the LOGIIC consortium was formally established as a collaboration between DHS, the Automation Federation, and five of the major oil and gas companies. The LOGIIC program has completed several R&D projects – LOGIIC Correlation Project, LOGIIC Host Protection Strategies Project and LOGIIC Safety Instrumented Systems Project, and more projects are being planned to help provide novel solutions to the oil and gas sector.

The Ohio State University
Information Security Framework, Phase 1
Executive Sponsor: Helen Patton, CISO, The Ohio State University
Project Team: Gary Clark, Jim Herbeck, Matt Williams, Charlie Smith and Amber Buening
Location: Columbus, OH

The Information Security Framework project implemented an Information Security Management System (ISMS) across The Ohio State University. The problem: how to engage over 129 independent business units, each with their own distributed IT departments, budgets and business priorities. With a total project budget of only $270,000, the project team implemented a new framework, encouraged 98% of units to voluntarily participate in a one-month survey to establish a maturity baseline, engaged non-IT unit leaders in assuming responsibility for their information risks, and raised the information risk management bar for higher education institutions across the United States.

Financial Services Category

ADP
Integrated Application Security Testing (IAST)
Executive Sponsor: Roland Cloutier, Chief Security Officer, ADP
Project Team: V.Jay LaRosa, Chris Olsen, Atanas Dimitrov, Craig Butler, Owen Buckingham, Joseph Kraft, Manmadh Kancharla, Devi Nekkanti, Raghunath Kunta, Nagasuman Veeranala, Ramakrishna Marella and Sumeet Lakhwani.
Location: Roseland, NJ

In order to support ADP’s continuing drive to increase the speed of our software development release cycles, we have implemented an integrated automated application security testing technology into our quality assurance testing processes. This technology provides the following benefits:

  • Provides continual analysis of application code running on Java or .NET
  • Finds vulnerabilities in real-time
  • Allows development teams vision into potential security issues as code is moved into the QA environment
  • Allows for minor release testing to be performed without direct interaction with the security testing team
  • Simple to install with little performance overhead
  • Automated library monitoring and inventory for vulnerability management

Blackstone
Advanced Threat Detection: Enabling the Workforce to Become the Human Sensor
Executive Sponsor: Jay Leek, Chief Information Security Officer, Blackstone
Project Team: Adam Fletcher, Adam Mattina, Mauricio Velazco, Alex Licursi, Padma Menon, Andriy Noble and Renee Pollack.
Location: New York, NY

No matter how many security tools we deploy, the firm is still at risk of compromise via business communication - email. So we empowered our workforce to become the human sensor to protect the firm.

BNY Mellon
Vendor Risk Management Program Transformation
Executive Sponsor: Tess Martillano, CIRO – Latin America & Global Head of Cross-Functional Risk, BNY Mellon
Project Team: Frank Roppelt, Shelly Kennedy, Christopher Medina, Myrna Alejo-Brusco, John Shea, Deborah Cavish, Yvette Egas, Ehren Dominguez, John Edwards, Mike Lyons, Albert Medina, Jose Morales, Javier Moreno, Edgar Rodriguez, Derek Rose, Adrielle Lim, Fernandes Borda and Graham Sneader.
Location: New York, NY

BNY Mellon embarked on a transformation project to deploy a best-in-the-industry Vendor Risk Management (VRM) program, delivering a seamless, transparent, repeatable, consistent, measurable and automated process to assess information security risk in new and existing vendor relationships, globally. The new VRM program targets information security of both direct and cascaded subcontractors, allowing for recognition and remediation of information security control gaps prior to onboarding. Using a collaborative approach, VRM changed how BNY Mellon manages vendor-related information security risk.

CNA
Security Convergence Initiative
Executive Sponsor: Robert Allen, VP, CSO & Service Management
Project Team: Larry Lidz, Rani Badireddi and Drake Cody
Location: Chicago, IL

The purpose of this initiative was to identify and leverage overlapping services and resources to combine Corporate Security and Information Security into a converged Security organization. Services were reorganized from both organizations to improve CNA’s ability to manage risks, respond to events, and provide the best service to key stakeholders and customers. Service gaps were identified and addressed, and service offerings were improved where possible. Services were strengthened and relationships advanced between Corporate/Information Security and primary customers including Audit, Corporate Compliance, Enterprise Risk Management, Risk Control, Underwriting, Claims, Human Resources, Employee Relations, and Legal.


Janus
Elasticsearch Security Visualization Engine
Executive Sponsor: Joseph McComb, Director, Information Security
Team Members: Todd Garrison, Enterprise Security Specialist
Location: Denver, CO

Janus used Elasticsearch, Logstash and Kibana (big data technologies) to drive an internal security analytics program. The open source tools were used to pull in relevant security log information and provide an interface to rapidly search security-relevant data. The project had zero software licensing cost and reduced incident response times by fifty percent.

TransUnion
IDMart
Executive Sponsor: Jasper Ossentjuk, CISO, TransUnion
Project Team: David Griffin, Sandeep Samarthy and Lori Schliesmann.
Location: Chicago, IL

TransUnion's identity management solution comprised five disparate systems, each with a different owner. Associates requesting new access, or changes to existing access, had to navigate a system that was not user-friendly and offered few self-service options. Even simple requests, such as membership in a group, were fulfilled manually. The result was an inefficient process that severely limited our ability to act on and approve requests quickly.

Recently, TransUnion implemented IDMart, which improves the end-user experience by providing a shopping cart platform to request access that’s easy to navigate, provides more self-service options, and automates the fulfillment processes.

USAA
Biometric Logon for Mobile App
Executive Sponsor: Gary McAlum, Senior Vice President, Chief Security Officer
Project Team: Philip Leininger, Thomas Buckingham, Rick Swenson, Tom Clark, John Harris, Vicki Shapiro, Hoang Vo, Rochelle Tijerina, Robert Barner, Maria Gummerson, Tammy Sanclemente, Sudarshan Rangarajan and David James
Location: San Antonio, TX

USAA continues to innovate in security, first with two-factor “Quick Logon” and now by providing a game changing experience of using facial or voice biometrics as a convenient and secure means of logging onto the USAA Mobile Application. This capability expands on our existing use of an embedded security token with our biometrics technology, eliminating the need for static usernames and passwords while improving the overall logon experience. This giant step directly addresses safeguarding personal information being harvested from data breaches and social engineering, by focusing on what you have and who you are and not on what you know.

Health Care Category

Blue Cross Blue Shield/Blue Care Network of Michigan
Insider Threat/B-Secure Program
Executive Sponsor: Tonya Byers, Director II, Information Security
Project Team: Damon Stokes, Angela Williams, Danielle Majors, Shannon Robinson and Cantrell Daniels
Location: Detroit, MI

The B-Secure program involves the information security team performing a walkthrough security assessment to gauge the current security posture of our environment. The results of the security assessment are rated and distributed in a formalized report to leadership and the information security team captures metrics. In addition, the B-Secure program aids our information security team with identifying areas of improvement to continuously educate the workforce on security awareness practices and insider threat concepts. After an assessment is complete, the appropriate areas participate in a security awareness remediation training to improve workforce security awareness and assessment rating.

Blue Cross Blue Shield/Blue Care Network of Michigan
Health Information Privacy and Security (HIPS) Program
Executive Sponsor: Tonya Byers, Director II, Information Security
Project Team: Damon Stokes, Kimberley Smith, Shannon Robinson, Cantrell Daniels and Sean Van Daele
Location: Detroit, MI

The Health Information Privacy and Security (HIPS) Program is led by Information Security, in collaboration with Enterprise Security, Ethics and Compliance, Privacy and Security Compliance, Corporate and Financial Investigations, Legal, Information Technology, and Customer Service Representative and Training. It involves presenting a series of interactive events and activities. The HIPS Program focuses on information privacy and security, promoting the safeguards that exist to protect members' health information and other BCBSM/BCN assets.

Blue Cross Blue Shield/Blue Care Network of Michigan
HITRUST Framework Integration Project
Executive Sponsor: Tonya Byers, Director II, Information Security
Project Team: Tonya Byers, Damon Stokes, Angela Williams, Sanjeev Hae-Ming Hwu and Shannon Robinson
Location: Detroit, MI

BCBSM/BCN adopted HITRUST Common Security Framework (CSF) for its information security framework that fully integrates existing security requirements placed on healthcare organizations, including federal (e.g., HIPAA and HITECH), state, third party (e.g., PCI and COBIT), and other government agencies (e.g., NIST and CMS).

Blue Cross Blue Shield/Blue Care Network of Michigan
Information Security Training and Awareness Program
Executive Sponsor: Damon Stokes, Senior Manager of Governance, Risk and Performance, Blue Cross Blue Shield/Blue Care Network of Michigan
Project Team: Damon Stokes, Marcia Mangold, Cia Hang, Michael Mangenje, Mical Meeks and Jimmy Sze.
Location: Detroit, MI

The Information Security Training and Awareness Program delivers training and awareness to BCBSM's employees. It is aimed at security education through the following efforts:

  • New hire information security awareness
  • Targeted departmental and role-based information security training
  • Assessment programs
  • Awareness events
  • Online interactive content
  • Message board content
  • Regular corporate-wide memos and articles
  • Information Security promotions and branding
  • HITRUST CyberRx War game simulation

Blue Cross Blue Shield/Blue Care Network of Michigan
Supplier Risk Management (SRM) Program
Executive Sponsor: Tonya Byers, Director II, Information Security
Project Team: Damon Stokes, Cecilia Burger, Shannon Robinson, Joe Dylewski, John Becker and Cantrell Daniels
Location: Detroit, MI

The Supplier Risk Management program gauges each supplier’s capability to protect BCBSM/BCN’s sensitive information exchanged and computing assets provisioned, in the normal course of the business relationship, while adhering to established HIPAA/HITECH requirements and information security industry standards, by:

  • Identifying risks of new/existing suppliers who connect to BCBSM/BCN infrastructure, access BCBSM/BCN data, or develop or maintain BCBSM/BCN's software
  • Tracking remediation plans
  • Executing on-site visits or desktop assessments, based on detailed questionnaires, to ensure security measures are implemented
  • Monitoring, reassessing, and decommissioning suppliers per contractual agreement
  • Employing a quantitative, risk-based approach to supplier ranking and reporting metrics


Blue Cross Blue Shield of Illinois
Security Verification and Validation Service (SVVS)
Executive Sponsor: Brenda Callaway, Executive Director, Blue Cross Blue Shield of Illinois
Team Members: Brenda Callaway, Chris Lodico, Dan Pritzlaff, Scott Kovitch, John Michell and Tom Burm Jr.
Location: Chicago, IL

Blue Cross and Blue Shield of Illinois is one of the largest health insurance companies in the nation and faces many security challenges in operating a very large, distributed and complex IT environment. The Security Verification and Validation Service (SVVS) was developed to evaluate compliance with security and technical standards across enterprise technologies and to verify that remediation of security issues is effective. Security compliance evaluation covers patch management, server and workstation configuration, password policy, and anti-virus signature currency; the service also monitors for rogue wireless access points and detects malicious processes on servers.


DaVita HealthCare Partners
Application Security Program Management
Executive Sponsor: Jason Morton, Application Security Manager | Office of the CISO
Team Members: Tim Heimerl, Andrew Welsh, Matin Kahn, Bud Wilkinson, Manuela Robinson, Carla Lewis and Ben Kinsella
Location: Denver, CO

The project was focused on transforming how application security was managed for DaVita HealthCare Partners’ complex ecosystem. The goal was to move from a one-man operation into a fully integrated program, built on a single platform that could scale with the business needs.

By May 2015, DaVita had brought the software development lifecycle (SDLC) for 18 applications under automated security assessment, trained 90 developers around the world, established a secure mobile program, put a system in place to ensure that all third-party applications used by DaVita HealthCare Partners are secure, and was actively monitoring all 141 of the company's associated websites.

HCSC
Installation of the GRC Program
Executive Sponsor: Brenda Callaway, Executive Director, Information Security, Healthcare Service Corporation
Project Team: Brenda Callaway, Jennifer Inserro, Chris Lodico, Steve Helwig and Mary Swibes.
Location: Chicago, IL

Ever-expanding government regulation, data retention and risk management procedures mandated by HIPAA, HITECH, the ACA, PCI and state regulators have all placed unprecedented pressure on HCSC to coordinate enterprise-wide tracking and organization of compliance measures. Additionally, it is our obligation to support the HCSC Customer First philosophy, and ensuring our ability to meet these challenges is paramount. The installation of the GRC program allows HCSC to centralize governance and collaboration (through the GRC Council), replacing data kept in separate "silos" with a single framework to monitor, analyze and enforce rules and procedures.

HMS
Business Resilience Program
Executive Sponsor: Scott Pettigrew, Chief Security Officer
Project Team: George Macrelli, Denise Mason, Daryl Hykel, Sean Miller, Michael Lee and Catherine Sisterson
Location: Irving, TX

Business Resilience Program: Business Continuity Management (BCM) and Security Risk Management (SRM) responsibilities have been in some tension because, although it is important to have a plan for an unlikely catastrophe, other serious risks, such as privacy, fraud and inaccurate data, have a nearly certain likelihood of occurring. Emotions run high in the face of rare and disastrous events, causing a rush to allocate funds and effort to safeguard against them. HMS's Integrated Business Resilience Program is part of a comprehensive SRM program, which allows a more reasoned and less emotional understanding of the universe of business risks faced by HMS. The program produces efficiencies in how HMS reacts to catastrophic risk.

Intermountain Healthcare
Intermountain Healthcare’s Security Operations Center
Executive Sponsor: Karl West, AVP, Chief Information Security Officer, Intermountain Healthcare
Project Team: Carl Allen and Nathan Moon.
Location: Salt Lake City, UT

Though somewhat common in many industries, Security Operations Centers (SOCs) have yet to catch on in healthcare. Intermountain Healthcare may be one of the first healthcare organizations to build and staff a 24/7 SOC to monitor, mitigate, and address cyber threat.

Quest
SAM (Security Access Management) and Automating the Next-Gen IAM
Executive Sponsor: Joe Adornetto, Executive Director, IT Security, Quest Diagnostics
Project Team: Dennis Walsh, Krishna Meruga, Cory Donovan, Phil Rubbo, Amit Patel, James Gover, Omar Radi and Robert Wilkinson.
Location: Lyndhurst, NJ

Security Access Management (SAM) is the root of a three-pronged strategy that automates end-user access, privileged access, and federated identity as part of our Next-Gen identity and access management structure. Prior to building out the solution, Quest Diagnostics had a diverse, autonomous access control structure that was neither efficient nor effective. One of the critical objectives for the development of SAM was for unified access management across the enterprise, starting with a web portal that automates twice-a-year recertification for hundreds of applications, new-hire and transfer provisioning, and privileged access. This automation saves more than 20,000 manager and security administrator hours every 6 months over the prior manual re-certification process alone. It also enables the business with an auditable platform that empowers users, supporting the concept of end user ‘need to know’, while simultaneously protecting systems, devices and applications.