Compliance Risk Management Program
Executive Sponsor: Roland Cloutier, CSO, ADP
Project Team: Xavier Macarrilla, Ian Sparrow, Digna Penha, Daniel Sanchez, Irina Lescure and Marc Aguilar.
Location: Roseland, NJ
ADP's Streamline business uses an international network of specialist payroll processing partners (subcontractors) to provide services to multinational companies. It has sustained average revenue growth of 30% per year over the last six years, and its international presence has grown from 30+ countries in 2008 to 100+ countries in 2014. ADP Streamline, as primary contractor, carries the overall liability for the payroll service and coordinates the partner network; the ADP Streamline partners are responsible for delivering the local services in more than 100 countries.
Processing payroll involves handling highly confidential and proprietary information. To ensure that ADP's security standards are met, ADP created the Compliance Risk Management program to provide assurance that:
- Partners comply with payroll service standards, as required by ADP's obligations under the ISAE 3402 and SOX frameworks.
- Information security and business continuity controls have been applied in accordance with ISO 27002.
The Compliance Risk Management program is an ongoing project with a well-defined lifecycle. Every ADP Streamline partner must be assessed on-site at least once every three years, which means at least 30 of them are audited each year. Improvement and risk reduction are assessed continuously following a risk-based approach.
The program is led by four experienced international auditors with strong backgrounds in IT, security, compliance and audit, and prior experience at "Big Four" audit firms and international banking institutions.
The program was launched in 2009 with an initial focus on IT and security, and was extended in 2013 to include payroll compliance and business governance controls. Its effectiveness and success are assessed annually, so the latest metrics cover the period July 2013 – June 2014.
AES Global Advanced Threat Protection Solution
Executive Sponsor: Scott Goodhart
At AES, we recognize that as a Fortune 200 global power company with a diverse portfolio of distribution businesses and thermal and renewable generation facilities spanning 20 countries, we have become a major focus for targeted cyberattacks, and that our sector is among the top five most targeted worldwide. As part of our implementation of the NIST Cybersecurity Framework, we identified an opportunity to improve our defense-in-depth architecture by piloting and then implementing a global advanced threat protection solution that complements our existing defenses and better protects against both email- and web-based cyberattacks.
Aetna Trusted eMail Program
Executive Sponsor: Jim Routh, CISO, Aetna
Project Team: Jim Routh, David Corris, Lee Rodriguez, Peter Haines and Tim Tompkins.
Location: Hartford, CT
The Aetna Trusted eMail Program was designed to protect Aetna's customers from malicious email purporting to come from Aetna, to significantly improve customers' email experience and Aetna's marketing effectiveness, and to prevent Aetna's brands from being abused in fraudulent email messages. Since the rollout began, Aetna has blocked more than 10 million malicious emails from reaching Aetna customers, dramatically reducing the number of phishing and malware incidents.
Software Security Program Implementation
Executive Sponsor: Jim Routh, CISO, Aetna
Project Team: Tim Tompkins, Brian Heemsoth, Jay Marehalli, Mark Willis, Sara Dunnack and Derek Swift.
Location: Hartford, CT
Aetna's Software Security Program integrates security controls into the enterprise's software delivery methodologies so that developers produce resilient software more productively while the security risk in Aetna's software assets is fundamentally reduced. During the first year of a three-year plan, the Software Security Group (SSG) implemented an enterprise-wide training and security champion program; integrated new processes, technology and services to scale risk-based preventive controls across Aetna's entire software portfolio; and introduced practical techniques that enable effective governance through reporting of key performance indicators. The success of the program positions Aetna as a software security leader in the health care industry.
An ounce of security response is worth a pound of prevention: Shifting the security paradigm
Executive Sponsor: Jay Leek, CISO, Blackstone
Project Team: Jay Leek, Adam Mattina, Mauricio Velazco and Padma Menon.
Location: New York, NY
In response to the constantly evolving threat landscape, Blackstone has overhauled its security program by upending the traditional security paradigm (prevent, detect and react) and embracing an information risk and security approach that balances prevention with enhanced visibility, intelligence and response. We have shifted the goal from "not getting hacked" to being able to identify a compromise and remove it from the environment before it does any harm to the organization.
A tailored solution for access entitlements
Executive Sponsor: Jay Leek, CISO, Blackstone
Project Team: Jay Leek, Adam Mattina and Lena Licata.
Location: New York, NY
The objective of this project was to give business data owners and the security team real-time visibility into access provisioning for the firm's most sensitive data. With the proper technology and process in place, our team was able to give business units and external parties assurance that the right people had the right access at the right time. Using a creative approach to log management and reporting, we improved the transparency of our business processes. Additionally, our team was able to meet audit and regulatory requirements without purchasing expensive software, while materially improving the protection of our confidential information.
CitiNAC (Network Access Control)
Executive Sponsor: Dan Tigar, Managing Director, Citigroup Architecture and Technology Engineering (CATE) CitiSecure Platform
Project Team: John R. Miller, Bill Sztabnik, Carl Froggett, Dave Tirado, Brian Firlein, Patricia Davis, Howard Chang, Vincent D’Onofrio and Steve Chang.
Location: Melville, NY
The CitiNAC (Network Access Control) project was driven by the urgent need to develop and deploy a proactive security solution that would: provide real-time visibility into all users, devices, systems and applications requesting access to, or already on, Citi's protected network; provide enterprise-wide management and enforcement of security policies across Windows and non-Windows systems; block rogue and non-compliant devices; and assess endpoint compliance state, allowing Citi to remediate endpoint threats and violations more efficiently. Citi now has one of the largest active global commercial deployments of Network Access Control (NAC) technology.
Dun and Bradstreet Brand Protection Project
Executive Sponsor: Elliott Glazer, CSO, Dun and Bradstreet
Project Team: Elliott Glazer, Topher Newman, Rich Manz, Drew Beebe, Rasheed Chambers, Brian Ellis, Richard Sepcic, Kevin Flynn, Patrick Peterson, Agari Founder & CEO, and Michael Kiefer, Brand Protect.
Location: Short Hills, NJ
Like most major brands in the marketplace today, D&B is targeted by cybercriminal "phishers" who use well-known brand names to lure victims into infecting themselves with malware through malicious links or attachments in email. Starting in February 2013, phishers began sending large volumes of email worldwide to unsuspecting recipients under the D&B brand, carrying a malicious attachment. As the problem persisted and grew, a solution was needed to protect the brand. Implementing the email authentication standards SPF, DKIM and DMARC was identified as the way forward. The D&B global security team initiated a project in May 2013 with the goal of reducing calls to the D&B Call Center by 50% through this implementation.
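Both the Aetna Trusted eMail Program and the D&B Brand Protection project rely on the same mechanism: a receiving mail server looks up the brand's DMARC policy and rejects or quarantines mail whose SPF or DKIM result is not aligned with the From: domain, which is exactly what a phisher spoofing the brand cannot produce. The following evaluator is an added example written for this page, not code from Aetna, D&B, Agari or any of the projects described; it assumes a constructed DMARC record published for the placeholder domain example.com, and it approximates the "organizational domain" as the last two labels instead of consulting the Public Suffix List.

```python
"""DMARC (RFC 7489) disposition from SPF and DKIM results, with alignment checks.

Added illustration for this page; example.com and the record below are constructed.
"""
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed: what a brand would publish at _dmarc.example.com (TXT record).
SAMPLE_DMARC_RECORDS: Dict[str, str] = {
    "example.com": "v=DMARC1; p=reject; sp=quarantine; adkim=r; aspf=r; rua=mailto:dmarc@example.com",
}


def parse_dmarc(record: str) -> Dict[str, str]:
    """Parse a 'tag=value; tag=value' DMARC record and apply RFC defaults."""
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed DMARC tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a usable DMARC record: needs v=DMARC1 and a p= policy")
    tags.setdefault("adkim", "r")        # relaxed DKIM alignment unless adkim=s
    tags.setdefault("aspf", "r")         # relaxed SPF alignment unless aspf=s
    tags.setdefault("sp", tags["p"])     # subdomain policy defaults to p
    return tags


def org_domain(domain: str) -> str:
    """Assumption: organizational domain = last two labels.
    Real receivers use the Public Suffix List (e.g. for example.co.uk)."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(from_domain: str, auth_domain: Optional[str], mode: str) -> bool:
    """Identifier alignment: strict (s) needs an exact match, relaxed (r) the same org domain."""
    if not auth_domain:
        return False
    a = from_domain.lower().rstrip(".")
    b = auth_domain.lower().rstrip(".")
    return a == b if mode == "s" else org_domain(a) == org_domain(b)


@dataclass
class AuthResults:
    from_domain: str              # domain in the RFC5322.From header the user sees
    spf_result: str               # "pass", "fail", "none", ...
    spf_domain: Optional[str]     # RFC5321.MailFrom domain that SPF actually checked
    dkim_result: str
    dkim_domain: Optional[str]    # d= tag of the verified DKIM signature


def evaluate(auth: AuthResults, records: Dict[str, str] = SAMPLE_DMARC_RECORDS) -> Dict[str, str]:
    """Return {'dmarc': pass|fail|none, 'disposition': none|quarantine|reject, 'reason': ...}."""
    fd = auth.from_domain.lower().rstrip(".")
    record = records.get(fd)
    is_subdomain = False
    if record is None:                      # fall back to the organizational domain's record
        record = records.get(org_domain(fd))
        is_subdomain = record is not None and org_domain(fd) != fd
    if record is None:
        return {"dmarc": "none", "disposition": "none", "reason": "no DMARC record published"}

    tags = parse_dmarc(record)
    spf_ok = auth.spf_result == "pass" and aligned(fd, auth.spf_domain, tags["aspf"])
    dkim_ok = auth.dkim_result == "pass" and aligned(fd, auth.dkim_domain, tags["adkim"])
    if spf_ok or dkim_ok:
        which = "DKIM" if dkim_ok else "SPF"
        return {"dmarc": "pass", "disposition": "none", "reason": f"{which} passed and aligned"}

    # An attacker's own SPF/DKIM may pass for *their* domain; without alignment it is ignored.
    policy = tags["sp"] if is_subdomain else tags["p"]
    return {"dmarc": "fail", "disposition": policy, "reason": "no aligned authenticated identifier"}


if __name__ == "__main__":
    legit = AuthResults("example.com", "pass", "bounce.example.com", "pass", "example.com")
    spoof = AuthResults("example.com", "pass", "attacker.test", "none", None)
    print("legitimate:", evaluate(legit))
    print("spoofed:   ", evaluate(spoof))
```

The spoofed case is the one that matters for brand protection: the phisher's sending infrastructure can legitimately pass SPF for attacker.test, but because that identifier is not aligned with the example.com in the From: header, the receiver applies p=reject. Note that this evaluator deliberately ignores the pct= tag; a real receiver samples messages by that percentage and downgrades the policy for unsampled ones.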
IT Security Analytics (ITSA)
Executive Sponsor: Charles Hudson, Executive Director, National Governance, Risk & Compliance, Comcast
Project Team: Kallol Ray, Venkat Paruchuri, Laura Whitt-Winyard and Luis Colon.
Location: Philadelphia, PA
The ITSA solution at Comcast solves a problem that practically all security organizations face: numerous security tools, each with its own dashboards, reports and remediation portals, all working independently of one another and requiring manual analysis to uncover enterprise risk. Comcast's ITSA program extends beyond the boundaries of a typical IT analytics program by creating an end-to-end centralized capability that consolidates reports from numerous security tools, provides real-time contextual security analysis, produces interactive visual security metrics, generates behavioral analytics, initiates orchestrated automated remediation and supports manual remediation workflows.
Comcast Just-in-Time Sensitive Information Training
Executive Sponsor: Charles Hudson, Executive Director, National Governance, Risk & Compliance, Comcast
Project Team: Robert Irwin, Kallol Ray, Paul Fournier, Patrick McGranaghan, Venkat Paruchuri and Laura Whitt-Winyard.
Location: Philadelphia, PA
The Comcast Just-in-Time Sensitive Information Training project is designed to deliver real-time, automated, task-specific, interactive and media-rich security awareness training to individuals who trigger a policy violation within Bay Dynamics' Risk Fabric solution. Examples of such incidents include Data Loss Prevention events, non-compliance with stated policies, and deviations from the user's own baseline or the baseline of their peer group.
By tracking the Just-in-Time training’s effectiveness against a user’s future activities, Comcast can now measure how the program is influencing organization-wide behavior and its impact in meeting a vast array of corporate and regulatory mandates.
Advanced Attack Response and Mitigation (AARM)
Executive Sponsor: Myrna Soto, CISO, Comcast
Project Team: Myrna Soto, John Kelly, Glen Pirrotta, John Roskoph, Dan Phan, Jeff Stoklosa and Andrew Perry.
Location: Philadelphia, PA
Internet access and reliable, publicly routable network transport are critical to domestic U.S. and global economic, commercial and national defense interests. Loss of ISP resources can have serious, even catastrophic, effects on national and international markets, disrupt transportation and other essential infrastructure, and severely damage the brand and reputation of competing service operators. With ever-rising demand for high-speed, high-availability networks, the threat of disruption, or of deliberate targeting, of this infrastructure increases. In response to the evolving threat landscape we embarked on a very aggressive effort to protect our infrastructure, services and consumers more effectively from network-borne attacks. This project succeeded in meeting that objective.
Enterprise-wide Risk Dashboard and Alerting
Executive Sponsor: John Masserini, CSO, MIAX Options Exchange
Project Team: Philip Varughese and Chaz Pulmeri.
Location: Princeton, NJ
The goal of the Enterprise-wide Risk Dashboard and Alerting project was to deploy a best-of-breed solution that every operations team would use to monitor, alert and report on corporate-wide risks. The solution, built on the correlation, aggregation and risk-scoring functions of IBM's QRadar platform, provides custom, individualized dashboards to the entire Operations Center as well as concise, risk-centric dashboards and reports to executive management. Additionally, by integrating our real-time threat intelligence feeds, we are able to alert proactively on known bad actors using new attack vectors that would otherwise go unnoticed.
Data Loss Prevention (DLP)
Executive Sponsor: Vito Sardanopoli, Director of IT Security Technical Services, Quest Diagnostics
Project Team: Mark Douches, Dino Scrivanich, Krishna Meruga, Richard Menta and Al Matahen.
Location: Lyndhurst, NJ
Quest Diagnostics partnered with RSA to reduce the risk to confidential data as it flows within and out of the organization. This is achieved by examining data in motion, in use and at rest against criteria that identify what data is confidential. Employees are involved as active participants in the DLP process, which makes our staff more sensitive to how data is handled in electronic form, particularly staff who regularly handle data in physical form. Ultimately, this aids in achieving the final goal, which is to reduce the risk of data loss.
Comcast Center of Excellence for Computer Security Innovation & Center for Hardware Assurance, Security, and Engineering at the University of Connecticut
Executive Sponsor: Mark Tehranipoor, Professor, University of Connecticut
Project Team: Professors John Chandy, Laurent Michel and Jerry Shi.
Location: Storrs, CT
CSI research covers the following domains: authentication, hardware security, theft prevention, software security, anti-tampering, broadband security, supply chain, and a layered approach to security in the age of the "Internet of Things". The center's research initiatives focus on broadband security from the customer's home, through the infrastructure used to transport data, to the equipment on the service provider's premises. The goal is a holistic approach to supply chain assurance of equipment, from manufacturing to distribution to placement in customer homes. One of CSI's main charters is to train and develop the next generation of security engineers through research opportunities, security contests and challenges, and other relevant activities.