Client Security Management Office Portal (CSMO)
Executive Sponsor: Roland Cloutier, Vice President and CSO, ADP
Project Team: Phani Dasari, Sumeet Lakhwani, Michael A. Minwell, Rudy Urena, Jeffrey Kolmos, Hardik Mehta, Vishnu Pemmasani, Paul Engelbert, Trina Ford and William O'Connell
Location: Roseland, NJ
Responding to the global data security and international privacy-related concerns of ADP's 570,000+ clients operating in more than 130 countries around the world can be quite challenging. Among other things, it involves ensuring consistency and accuracy as well as reducing the lead times to resolve pre-sales security and privacy questions, issues and concerns. It also involves the creation of a centralized self-service repository of vetted responses to client questions. Development and implementation of the CSMO Portal intended to reduce turnaround times for requests for proposal (RFP) responses and client security questionnaires while delivering a centralized service model affording streamlined interface to request information, documentation and client centered solutions. By delivering a single, common repository for product security white papers, product security questionnaire responses, and global data security and privacy knowledgebase/Wiki, ADP reduces the turnaround times for RFP responses and client security questionnaires by greater than 50 percent.
Trusted Platform Security Initiative (TPSI)
Executive Sponsor: Terry Rice, AVP, Service Delivery & Risk Management, Merck & Co.
Team Members: V. Jay LaRosa, William O’Connell, Denise Hucke, Michael A. Minwell, AJ Anand, Victoria Ruiz, Shahir Shah, Dustin VanWinkle, Jim Hickstein, Rudy Urena, Jeffrey Kolmos, Saurabh Thakral and James Carter
Location: Whitehouse Station, NJ
In order to enable ADP’s worldwide business protection efforts, the Global Security Organization (GSO) sponsored the company’s largest and most significant security program named Trusted Platform Security Infrastructure (TPSI) to create a world-class ecosystem of advanced operational capabilities, security technologies and controls. TPSI program provides advanced detection and intelligence capabilities in all ADP operating units globally. The entire TPSI architecture utilizes holistic business intelligence technologies that are managed through a converged Enterprise Risk Platform.
Data Protection Program (DPP) for SAP
Executive Sponsor: Damian McDonald, Vice President, Global Information Security, BD
Project Team: Peter Alfieri, Michael Layden, John Ochman and Jason Gonsalves
Location: Franklin Lakes, NJ
BD has 30,000 employees at locations around the globe. The charter for the Data Protection Program for SAP was to select and implement the tools and procedures needed to meet privacy and security requirements for a new ERP implementation at BD. The ERP project, internally known as The EVEREST project, replaced several SAP legacy ERP and manufacturing applications from around the globe with a single SAP instance hosted in the US. The new system included the full product offering from SAP spread across several production and non-production landscapes. EVEREST was the biggest IT project BD has ever implemented and the DPP project was critical to its overall success. The Security team designed and implemented a solution that provided critical security controls for this new SAP environment. It was also mandated that the BD security team not slow down or otherwise inhibit the overall EVEREST SAP implementation. The project scope included strategy, architecture, budgeting, planning, vendor assessment, technology evaluations, procurement and solution implementation. The final solution included enterprise encryption, database activity monitoring and security event correlation for all of EVEREST.
Executive Sponsor:Cathy Beech, CISO, Children's Hospital of Philadelphia
Project Team: Kelvin Blasse, Abigail Flitter, Clifford Karafin, Haswinder Virk, Scott McCreary, Adena Tuckman, Al Wilson and Alex Zausner
Location: Philadelphia, PA
This project included the implementation of a technology solution to support CHOP’s litigation needs with regards to eDiscovery. The technology solution was designed with reference to the industry standard Electronic Discovery Reference Model (EDRM). The project also established eDiscovery processes that comply with CHOP’s document retention policy, the Federal Rules of Evidence, and facilitated compliance with the Federal Rules of Civil Procedure and relevant case law.
The Security IPv6 Readiness Project
Executive Sponsor: Myrna Soto, SVP, Chief Information & Infrastructure Security Officer, Comcast
Team Members: Louis Yeck, John Brzozowski, Fred Wittenberg, Eddie Galarza, Amine Brahimi
Location: Philadelphia, PA
With global IPv4 address allocations nearing depletion, Comcast embarked on implementing IPv6 on its network. This created many security challenges, especially when tools and systems lacked support for IPv6. The security team launched a project to develop, assess, and implement an IPv6 security framework that met the business’ tight timelines with the implementation of IPv6.
HHS CyberSecurity Program
Executive Sponsor: Daniel Galik, CISO, USDepartment of Health and Human Services
Team Members: Frank Baitman, Kevin Charest, Wallace Wilhoite, Jeff Graham, Paul Son, Johnny Hughes, Mark Hannah, Steve Swansbrough, Brad Ellison, Nathan Volk, Traci Green, Mark Deffenbaugh, Damon Lee, Mike Levin, Tim Defoggi and hundreds of active participants from different HHC operating divisions. Consulting team members include John Trauth, George Young, Robert Chamberlin, Derrick Jones, Albert Martinez and Travis Lavender
Location: Washington, D.C.
The U.S. Department of Health and Human Services is a federation of largely autonomous operating divisions with a vast amount of sensitive data to protect. In response to the need for Department-wide situational awareness and a consistent, effective method for dealing with threat data, the HHS CyberSecurity project—spearheaded by the HHS Computer Security and Incident Response Center (CSIRC)—leveraged an integrated set of tools to develop and implement a comprehensive cybersecurity program.
HMS Helps US Healthcare System Operate More Efficiently with Automated Identity & Access Management and Governance
Executive Sponsor: Scott Pettigrew, Chief Security Officer, HMS
Team Members: Scott Pettigrew, George Macrelli, Mark Ma, Eric Shapp, Jeremy Miller and Joe Spearin
Location: New York, NY
Healthcare payers, including Medicaid and Medicare, HMOs and managed care organizations, access healthcare information via HMS’s online portal which must be secure to comply with industry regulations. Manual identity and access management processes meant that maintaining security and compliance was time-consuming and costly. HMS partnered with FishNet Security’s IAM Services Group to develop a phased strategic Identity & Access Management plan and integrate a platform for automated provisioning and self-service password management leveraging CA technology solutions. The company has been able to significantly reduce costs while increasing security. It has also been able to improve customer service by providing more rapid access to mission-critical systems, and simplify compliance and auditing.
Information Security and Privacy Awareness Program
Executive Sponsor: Jeffrey Lolley, Head of Global Information Security, Hogan Lovells
Team Members: Daniel Solove and Joanne Jiggetts
Location: Washington, DC
Development of a Information Security & Privacy Awareness program that utilized ground breaking concepts in training and awareness, incorporating engaging imagery and storytelling to hold the attention of an audience. The program was the first mandated training and awareness program within any large legal services company.
Business-Critical Application Control Monitoring
Executive Sponsor: Marcus Prendergast, VP & Global Head of Security, ITG
Team Members: Marcus Prendergast and James B. O'Kane
Location: New York, NY
With significant operations in “dark” trading, ITG has a critical mandate to ensure client privacy. ITG has interdependent, highly risk-sensitive applications with separate access control mechanisms, making it impossible to centrally manage application and data access. Using SIEM, an industry-leading application monitoring solution was built to enable real-time alerting and rapid remediation when access policies are violated, detect anomalous user behavior, and proactively manage access control.
JPMC Trusted Email
Executive Sponsor: Jim Routh, Managing Director – Internet & Mobile Security, JP Morgan Chase
Project Team: Mark Risoldi and Vic Talamo
Location: New York, NY
Industry leading project to implement best practices and new standards to significantly reduce fraudulent email to customers leveraging a highly innovative approach resulting in the elimination of up to 600,000,000 fraudulent emails (including phishing attempts) sent to bank customers annually. The fraudulent emails look like bank emails to customers and often contain malware or phishing attacks. The result is more lift in email marketing, brand protection and less fraud for bank customers.
Information Security Awareness Program Globalization
Executive Sponsor: Jesus Montano, Vice President, MetLife
Team Members: Jesus Montano, Ed O'Neill, David Holley, Thomas Wolff, Jessica Ong, Amanda Lucas
Location: Bloomfield, CT
Provided on-line training to all associates across 44 countries in 23 languages to establish a consistent message across the company to highlight fundamental security concepts. Conducted a global Security Awareness Maturity assessment to gain a better understanding of associates knowledge, attitudes, and behaviors with regard to information security. Developed a library of security awareness messages and tools to enable each country to create customized security awareness plans.
Endpoint Security and HIPAA Compliance Overhaul - An Innovative & Sustainable Approach
Executive Sponsor: Vikrant Arora, Director of Security, Infrastructure Services, NYC Health and Hospitals Corporation
Team Members: Enterprise Security Team, Windows Team and Service Desk and External Partners (Vendors)
Location: Bronx, NY
Implement a sustainable security and HIPAA compliance framework across the largest municipal healthcare organization in the country in under 20 months. This includes implementing United States Government Configuration Baseline (USGCB), Endpoint Encryption (Workstations, Laptops and Removable Media), User "Awareness" and "How To" Training and laying the foundation for implementing Data Loss Prevention as well as other security solutions. This was accomplished as part of and in conjunction with an enterprise wide upgrade from Windows XP to Windows 7.
Executive Sponsor: Brian Kelly, Information Security Officer, Quinnipiac University
Team Members: Michael Ruotolo, Fabiano Iacusso and Jan Bevins
Location: Hamden, CT
This project was driven by Quinnipiac University’s Information Security Office to: Create an environment for common access to certificate and identity management solutions, Provide departments and other university units with delegated certificate management authority, Cost savings for certificates Unlimited SSL certificates (including extended validation certificates), client (personal) certificates, and code signing certificates for one fixed annual fee.
Research Collaboration in the Cloud: How NCI and Partners use Interoperable Digital Identities and Signatures to Accelerate Drug Development
Executive Sponsor: Terence Rice, CISO, Merck & Co. Inc.
Team Members: Steven Friedman, Les Enterline and Mollie Shields-Uehling
Location: Fort Lee, NJ
An ongoing study involving government and industry cancer researchers indicates that using interoperable digital identities, digital signatures and cloud computing will accelerate initiation of a clinical trial while lowering its costs.
Militarization Metrics and Governance
Executive Sponsor: David Ritenour, CISO, SunGard Financial Institution
Project Team: Trask O’Hara, Hani Kaldas, Chris Young, Nick Berger and Mahesh Sonavane
Location: Wayne, PA
With the challenge of being an umbrella organization with more than 20 different business units; all operating with inconsistent asset management, technology, infrastructure, and policies, a number of obstacles became increasingly more important to overcome. The Intelligence covers all areas of ISO and various industry requirements on a global basis in over 200 locations across 70+ countries and is the only metric portal that can directly remediate compliance goals while staying within various change management vehicles across all 20+ sub companies. It provides flexible and multiple views and actions into the data based upon the role of the user.