ISE® Northeast Project Award Nominees 2013

Allstate
Application Security Assurance Program (ASAP)
Executive Sponsor: John Bader, Senior Vice President, Allstate
Project Team: Yabing Wang, Pat, Wiet, Kenny Alperstein, Leo McCavana, Orlando Lopez, Ryan Russell, Jerry Higgins and Cynthia Whitley.
Location: Northbrook, IL

The vision of the Application Security & Assurance Program (ASAP) is to integrate secure practices into the Allstate software development lifecycle (SDLC) processes. This program is not about implementing a tool to resolve a specific issue. It is about adopting a holistic approach from a People, Process, Technology and Governance perspective and making sure security is embedded into the SDLC from the start. As part of risk management, the goal of this program is to focus on application security: to reduce vulnerabilities, understand and manage the risks, and improve the Confidentiality, Integrity and Availability of Allstate’s applications.


Blue Cross Blue Shield of Michigan
BCBSM Information Security Operation Center
Executive Sponsor: Tonya Byers, Director; Gary Harvey, VP Information Technology
Project Team: Angela Williams, Sanjeev Vohra, Ron Farhat, Michael Moore and Shirley Meeks
Location: Detroit, Michigan

Blue Cross Blue Shield of Michigan (BCBSM) was one of the first BCBS plans to implement a Security Operations Center, or SOC (pronounced "sock"). The SOC hosts a collection of IT security tools that provide the capability of centralized monitoring and detection of threats, vulnerabilities, and security events that could adversely affect BCBSM’s information assets, technical infrastructure, and most importantly our data. The SOC is focused on monitoring our computers, servers, firewalls and networks. The SOC was created as part of ongoing efforts by our Information Security team to help us proactively recognize threats and vulnerabilities. This center allows us to better minimize risks, downtime and data loss by providing timely monitoring to security teams, supporting audit and compliance efforts, and assisting with incident response and forensics efforts. By leveraging the tools within the SOC we are better positioned in our fight against malicious attacks from outside our organization.


Becton Dickinson
Data Loss Prevention (DLP)
Executive Sponsor: Rick Gonzalez, Manager, Global Information Security, BD
Project Team: John Ochman, Erik Bakken, Sr.
Location: Franklin Lakes, NJ

BD is a manufacturing company that relies on bringing innovative new products to the market ahead of the competition. The loss of a single product design to a competitor could cost BD millions of dollars in revenue. With a pipeline full of new product releases, increased shared R&D with third party developers and manufacturing rapidly expanding into growth areas ripe with IP theft, Information Security needed a solution to help identify sensitive information and protect it from leaving BD’s control. The project focus was to have a fully functional Data Loss Prevention (DLP) solution installed and running as quickly as possible. After deployment, the policies and infrastructure of the project were very successful. So successful, in fact, that within the first few weeks of going live, an insider was identified and sufficient information was passed to the FBI for them to make an arrest on the alleged theft of millions of dollars of IP.


BNY Mellon
Unstructured Data Governance Project
Executive Sponsor: Donna Nemecek, VP, Manager Technology Risk Assurance & Senior Information Risk Officer, BNY Mellon
Project Team: Susan Wade, Tijuanna Beckles and Gina Grisaffi
Location: New York, NY

BNY Mellon’s Risk and Compliance Group has developed a governance process to provide security and user access certifications over high-risk data stored in network shared drives, which is scrutinized by regulatory agencies and by external and internal auditors.


Citi
Workspace Virtualization and Containment for Sourcing Providers
Executive Sponsor: Dan Tigar, Managing Director Citigroup Architecture & Technology Engineering (CATE) CitiSecure Platform
Project Team: Matt Ramey, Bill Sztabnik, Brian Firlein, Vincent D’Onofrio, Sean Hunnicutt.
Location: Melville, NY

The solution utilizes a containment approach that satisfies a requirement to establish a controls framework to secure Citi’s Desktop Virtualization strategy for Third Parties. The containment strategy ensures that “least privileges” entitlement is enforced, including Application and Network access controls, at a desktop level.


CNA
CNA’s Governance, Risk Management and Compliance Program
Executive Sponsor: Robert Allen, VP, Service Management & CISO, CNA
Location: Chicago, IL

CNA has implemented an Enterprise Risk Register that consolidates corporate risks into a single repository where decision-makers can gain visibility and model loss exposure based on pertinent characteristics. Applying a universal risk taxonomy, detailed risk analysis can be modeled to ensure rating accuracy which allows for a standardized and balanced scale of risk comparisons from each of the functional business areas. The resulting risk measurements are used for awareness and remediation prioritization, including action plan assignment and tracking.

Key Risk Indicators are linked to organization risks, utilizing a metrics-driven process of dynamically monitoring the health of implicated business areas and risk categories. Controls and their effectiveness are also linked to risks, resulting in a broad sense of how the enterprise is managing its potential losses. Inherent and controlled risk ratings are captured, assisting in the understanding of the effort expended or required to maintain an acceptable risk profile. High-level risk categories are utilized to summarize risk data, providing useful information to diversified committees. Role-based management dashboards are produced to allow easy understanding of risk contributors relative to the viewer’s purview of responsibilities.


Comcast
Remote Workforce Refresh
Executive Sponsor: Myrna Soto, SVP, Chief Information & Infrastructure Security Officer, Comcast
Team Members: Charles Hudson, Jr., Glen Pirrotta, John Roskoph, Andrew Black.
Location: Philadelphia, PA

Remote Workforce Refresh (RWR) sought to accomplish a fairly straightforward objective when it was first kicked off, and morphed into a large number of critically important and highly cost- and security-effective opportunities as it progressed. Our project’s primary goal was to develop a standard, elegant, highly secure and agile technical framework to support our customer care work-from-home workforce. The existing user base exceeded 2,000+ users, with an expectation to increase to as many as 8,000+. There was a strong focus on increasing the velocity of user provisioning while decreasing cost of deployments, technical complexity and technical touch points, along with an equally strong need for ease of use and high security. Today we have adapted this solution to support 5 critical business functions and have dramatically reduced our capital and operational costs for secure endpoints by 50% or greater. Site activations are self-serve and are completed in minutes without any requirement to stage or schedule activations or to require technical hands-on support.


Comcast
Integrated Security Framework
Executive Sponsor: Myrna Soto, SVP, Chief Information & Infrastructure Security Officer, Comcast
Team Members: Shirley Barnes, Swapan Chattopadhyay, Laura Whitt-Winyard, Robert Irwin, Kallol Ray, Rob Nedumakel, Charles Hudson, Jr.
Location: Philadelphia, PA

The goal of the Integrated Security Framework (ISF) is to ensure the right controls exist across the enterprise, identify and eliminate control redundancy, limit control gaps, and optimize financial and operational efficiency through automation. It is designed to be a cyclical effort whereby controls are rationalized, mapped to policies and standards, gaps identified, risks identified and remediated, and metrics produced. The framework will consist of all relevant regulations and standards, including but not limited to PCI, SOX, Mass State Law, COBIT and ISO 27002. Mapping of Comcast controls is conducted against these standards and regulations to identify coverage and redundancy and to address gaps through policy and control implementation. Automation and dashboards implemented through Archer will provide ongoing operational and financial efficiency.


Comcast
Compliance Automation
Executive Sponsor: Myrna Soto, SVP, Chief Information & Infrastructure Security Officer, Comcast
Team Members: Shirley Barnes, Swapan Chattopadhyay, Laura Whitt-Winyard, Robert Irwin, Kallol Ray, Rob Nedumakel, Charles Hudson, Jr.
Location: Philadelphia, PA

Achieving and maintaining regulatory (PCI/SOX) compliance in today’s ever-changing technology environment is an arduous task. The Comcast IIS team recognized this and implemented a solution that automates many of the checks and audit tasks by using the RSA Archer application. The first phase of this project (PCI Automation) was successfully deployed April 1, 2013. The project automated over 100 regular PCI controls, with an estimated annual savings of $100,000 and 1,000 man-hours saved. SOX Automation is scheduled to complete in September 2013 and will provide automation of all 12 SOX controls across all Comcast SOX applications, greatly reducing the man-hours previously required to evidence control compliance.


Comcast
Self-Service Governance, Risk & Compliance Portal
Executive Sponsor: Myrna Soto, SVP, Chief Information & Infrastructure Security Officer, Comcast
Team Members: Charles Hudson, Jr., Kallol Ray, Laura Whitt-Winyard, Donna Chenetz, Luis Colon.
Location: Philadelphia, PA

This project developed a self-service portal so that business users can execute security processes on-demand and just-in-time to meet their business requirements. This technology was implemented to support Comcast’s overall “Agile” and “Lean” methodologies, significantly reduce response time, and provide actionable data to the business in real time. These deployments have enabled us to “demystify” security processes and empower business users by providing them direct access to our security processes and technologies.


Fidelity
Customer Protection Program (CPP)
Executive Sponsor: Timothy McKnight, Executive Vice President & Chief Technology Risk Officer, Fidelity Investments
Team Members: Gregory Kanevski, Vice President, Customer Protection Program (on behalf of the leadership team)
Location: Boston, MA

The initial objective of the program was to assess the existing security, privacy and customer protection technology deployments for effectiveness and longevity, taking into account the firm’s existing protections, market and regulatory trends, and emerging technologies that could significantly enhance the customer experience. Ultimately, the goal was to collect, synthesize and clarify this information into a prospective roadmap outlining a vision and a three-to-five-year strategy for the firm.


Johnson & Johnson
Enterprise Vulnerability Management and Web Application Vulnerability Scanning
Executive Sponsor: Casey Marquette, Director, Global Command Center, Johnson & Johnson
Team Members: Sheryl Austin, Kevin Cole, Trish DiGiacomo, Daneian Easy, Lou Kaltz, Matthew Simkovic, Michael Wagner.
Location: Raritan, NJ

To ensure the protection of Johnson & Johnson’s intellectual property and maintain its brand reputation, the Global Security Operations and Worldwide Information Security teams implemented the corporation’s largest and most significant security project named Enterprise Vulnerability Management and Web Application Vulnerability Scanning (EVMWAVS). The goal of the project was to create a world-class ecosystem of advanced operational capabilities, security technologies and procedures to provide advanced detection and intelligence capabilities in all of the corporation’s 275 subsidiary companies globally.


Merck
EngageZone
Executive Sponsor: Terry Rice, AVP, Service Delivery & Risk Management, Merck & Co.
Team Members: (Merck) Phyllis Post, Andy Porter, Jason Victor, Keith Respass, Andrea Kirby, Terry Bauman, Steve Borst, Vish Gadgil, JoAnn Weitzman, Cathy Carfagno, Maria Pascual, Brian Swartley and John Litvinchuck. (Exostar) Tom Johnson, Dan McConnell, Vijay Takanti, Raju Nadakuduty, Paul Rabinovich, Rob Sherwood and Lisa Sullivan
Location: Whitehouse Station, NJ

Merck partnered with Exostar to redefine business-to-business engagements by creating a Life Sciences Identity Broker in the cloud. This secure cloud-based hub is where teams from multiple companies can access any number of technology services through a multi-tenant identity broker, protecting sensitive data and intellectual property from unauthorized access. The results included a reduction in the time needed to stand up business-to-business collaborations, minimized administrative cost, and elimination of the need to replicate redundant technology infrastructure. In addition, the model improves the security and risk profiles for these teams by moving away from point-to-point engagements to a highly scalable service model that can be monitored and protected from outside threats.


Standard Register
Security Program Evolution
Executive Sponsor: Joanne Cummins, CIO, Standard Register
Project Team: Philip Woods, David Pappas, Marta Sullivan, Steve Braswell, Robin Housley, Aaron McCray, Kevin Mundhenk, Mike McGill, Cory Trese, Raj Nair, Tim McDonald, Terrance Merriman and Andy Blosser. We had help from Deloitte, Battelle & Battelle, HP, Verizon, Forsythe and an anonymous customer.
Location: Dayton, Ohio

Have you ever been in a situation where sales promised something that didn’t exist? Every IT organization has faced that challenge! In Standard Register’s case, we were simply asked to create an isolated FISMA-compliant Authorization Boundary conforming to NIST. Did I mention that we had never done that before? And, how many times do you get to say that Security made the sale?! Leveraging our mature security program and collaborating with our customer and partners, we designed, delivered and externally attested the solution in nine months enabling our customer to gain the required scale, flexibility and cost savings - securely.