ISE® Northeast Project Award Nominees 2017

Project Gateway
Executive Sponsor: Mike Towers, VP, CISO, Allergan
Project Team: Vadim Parizher – Exec Dir, Enterprise Architecture – Leadership/Design, Bill Thornton – VP, R&D/HR IT – HR, Sandy Dalal – Director, I&AM Services – I&AM, Elma Benevenga – Program Mgt, Dan Coan – Infrastructure, Gigi Lai – Data Management

After 30+ acquisitions and divestitures in a 3-year period, the team at Allergan sought to completely rebuild, from the ground up, their entire identity & access management platform. This also included updating associated business processes for new hire onboarding, contingent worker onboarding, baseline entitlements, provisioning/deprovisioning and access request/approval. Rather than pick an existing, incumbent solution and migrate over, the Allergan team decided to basically throw everything away and start over.

Cyber Value at Risk
Executive Sponsor: Myrna Soto, Corporate SVP Chief Technology Risk Officer & Global CISO, Comcast
Project Team: Chuck Hudson, Executive Director

Comcast’s Cyber Value at Risk program, executed using Bay Dynamics’ Risk Fabric platform, enables the company to continuously protect its most valued assets (data, systems and applications) by quantifying the impact of cyber risk based on actual threat and vulnerability data in the environment, and then prioritizing mitigation actions based on those activities that directly address the established risks. The platform automatically delivers relevant threat and vulnerability information to an array of stakeholders responsible for the involved mitigation and continuously measures how much risk is being reduced due to the actions taken. Importantly, Risk Fabric better enables the security team to direct their fixed resources at the most important, and potentially costly, exposures.

Domain Security Platform
Executive Sponsor: Douglas Falduto, VP, Admin & Chief Security Officer, Horizon Blue Cross Blue Shield of New Jersey
Project Team: Damon Becknel (Chief Information Sec Officer), Alan Leung (Dir, Enterprise Security Arch), Rongzhong Zheng (Dir, IT Security Operations), Ronak Zaveri (Manager, IT Relationship Mgmt), Niraj Patel (Manager, Security Architecture), Dhiraj Chotrani (Cyber Security Analyst), Meghna Thakrar (Business Systems Analyst), Abdullah Oudeh (Infrastructure Analyst), Brian Lentini (Infrastructure Analyst), Ghias Minto (IT Security Analyst)

Horizon Blue Cross Blue Shield of New Jersey (Horizon BCBSNJ) continuously seeks to advance its cyber security posture, and recently implemented the “Domain Security Platform” which automatically identifies, monitors and blocks potentially malicious, newly registered external domains and websites likely to pose an elevated risk to Horizon BCBSNJ. Project objectives were to reduce Horizon BCBSNJ’s visible attack surface to “unclassified” domains, and thus reduce the risk of malware infection, credential exploitation and data exfiltration to and from those sources.

Faster and More Secure with Cloud
Executive Sponsor: Douglas Falduto, VP, Admin & Chief Security Officer, Horizon Blue Cross Blue Shield of New Jersey
Project Team: Damon Becknel (Chief Information Sec Officer), Alan Leung (Dir, Enterprise Security Arch), Niraj Patel (Mgr, Security Architecture), Ghias Minto (IT Security Analyst), Frederick Kampf (Mgr, Sales IT Admin), Ronak Zaveri (Mgr, IT Relationship Mgmt), Christian Fry (Business Systems Analyst), John Fischer (Mgr, Enterprise Architect), Vishal Talak (Technology Architect)

Horizon Blue Cross Blue Shield New Jersey moved to the cloud so its IT team could focus on providing better products faster, instead of managing infrastructure operations. The team has always been focused on providing the most secure solutions possible instead of accepting check-box compliance. They deployed Salesforce as their CRM and AWS as their IaaS provider, but realized they had critical security requirements that called for a dedicated cloud security solution. The security team deployed a CASB as a single control point for Shadow IT, Salesforce, and AWS – turning raw cloud data into risk-based actionable insights.

HarvardKey Two-Step Verification Project
Executive Sponsor: Christian Hamer, CISO, Harvard University
Project Team: Dennis G. Ravenelle, Sr. Project Manager, Bill Knox, Associate CISO, Sandy Silk, Director, IT Sec. Cons. & Ed., Courtney Harwood, Director, Service Desk, Acacia Matheson, Sr. Communications Officer, Juliana DiLuca, Sr. Communications Officer, Tim Vaverchak, Director, IAM Product Ops., Tim Gleason, Directory Architect, Ken Schwartz, Sr. Developer

Information Security is a top priority for Harvard University. Not unlike their peers in higher education, Harvard has experienced a dramatic rise in recent years in the number of highly sophisticated cyberattacks aimed at their community members, systems, online resources, and networks. At the outset of fiscal year 2017, University senior leadership decided to accelerate the rollout of two-step verification for all VPN access and on HarvardKey (Harvard’s primary identity and access management system) for some 65,000 users to be completed by Thanksgiving recess – less than 20 weeks. Originally, the effort was planned to be completed over several years.

The Cybersecurity Service Desk
Executive Sponsor: Rohan Amin, Global CISO, JPMorgan Chase & Co.
Project Team: Vincent Infantino (Cybersecurity Service Delivery), John Wyatt (Service Desk Manager), Chelsea Weng (Generalist), John Rafer (Generalist), Simon Ahsan (Generalist), James Kho (Generalist), Michael Bobby (Performance and Metrics)

JPMorgan Chase continues to make Cybersecurity awareness a priority, and as a worldwide leading financial services firm, an innovative approach has been adopted to ensure that Cybersecurity is at the forefront of every employee’s considerations. Through the Cybersecurity Service Desk project, the firm created an internal tool for employees that serves as a single point of contact providing educational materials about cyber safety, ways for employees to get help for cyber-related questions or incidents and enabling an easy way for employees to escalate issues.

The Vulnerability Scoring Model (VxSx) Project
Executive Sponsor: Rohan Amin, Global CISO, JPMorgan Chase & Co.
Project Team: Dave Robinson – Managing Director, Martin Dawson – Executive Director, Venkat Seshadri – Executive Director, Graham Hill – Vice President, Andy Graham – Vice President

Today organizations are faced with the constant threat of exploit through vulnerabilities in underlying technologies. As hardware and software vulnerabilities are discovered, firms have traditionally prioritized remediation efforts based solely on the criticality rating of the vulnerability. In a complex enterprise environment such as JPMorgan Chase, this approach falls short as it fails to consider business context of the targeted assets. The Vulnerability Scoring Model combines the criticality of the vulnerability (Vx) within the context of business impact at JPMorgan Chase (Sx) to quantify risk and set an informed, targeted remediation path.

Novartis Deception Project
Executive Sponsor: Jeff Moore, Global Head of Security, Novartis Institutes for BioMedical Research
Project Team: Eric Gunter (Senior Security Engineer)

Despite a very mature security posture and high-end cybersecurity technology in their network, NIBR wanted to implement a deception-based solution that would help them address a gap in their ability to detect advanced threats inside their network early and accurately. They are adopting deception, and by deploying it comprehensively across their environment, they will also be able to make a potential attacker’s job much more difficult.

Quest Diagnostics Privileged Account Management (PAM)
Executive Sponsor: David Dulong, Executive Director, Infrastructure and Operations and Security, Quest Diagnostics
Project Team: Dennis Walsh – Director of Identity and Access Management, Krishna Meruga – Sr. Project Manager, Cory Donovan – Lead IT Security Specialist, Phil Rubbo – Sr. IT Security Specialist, Amit Patel – Sr. IT Security Specialist, Omar Radi – Lead IT Security Specialist, Bob Wilkinson – Sr. IT Security Specialist, Jim Gover – Lead IT Security Specialist

End-user accountability: It’s a good thing, particularly now that privileged access to critical systems, apps, and data is not just limited to our own people on our on-premises networks. The cloud is standard operating procedure for most businesses now, plus consultants and third party organizations are a constant presence as they manage elements of our environment. PAM was built to give Quest Diagnostics firmer control of privileged accounts as well as greater visibility into the day-to-day use of these accounts, regardless of user. It also streamlined account maintenance with automated account provisioning and lifecycle management. Most importantly, the cloaks of anonymity that for all intents and purposes obfuscated the activities of staff and hired outsiders were stripped away. Every hand that touches their systems is now observable and accountable.

Winning Business Buy-in Through Tailored Incident Response Tabletops
Executive Sponsor: David Dulong, Executive Director, Infrastructure and Operations and Security, Quest Diagnostics
Project Team: Richard Menta – Lead IT Security Specialist

The team at Quest Diagnostics establish tailored business incident response exercises. These special tabletops are notable because their secondary goal is to train their security team for a specific type of attack. Their primary goal is to engage the decision makers in the business whose buy-in is critical to their ongoing initiatives. In these scenarios they simulate a breach that shuts down a piece of the business and then ask the business to make difficult decisions. It is hard to remain complacent when you are asked to make an immediate and critical decision, even in a simulation. This stimulates buy-in from that sector of the business, motivating needed change and establishing added goodwill with the security team.

Centralize Branch Office Security Management
Executive Sponsor: Justin Fredericks, Director of Information Technology, Sandy Alexander
Project Team: Lee Huy Nguyen, IT Systems Administrator, Sharon Pratt, Vice President of Human Resources

Sandy Alexander sought a more cost-effective and efficient security alternative to their MSSP for branch office security management. They needed to secure multiple branch office locations throughout the United States in a way that provided them with greater visibility and control over this distributed environment. They were especially frustrated with the service quality and response time of the MSSP and required a new, agile security approach. The team specifically wanted to find a solution to connect and secure their branch offices and vendors in a way that was more cost-effective, less complex, more agile and secure.

Cyber-Incident Detection and Response in the United Nations Development Programme (UNDP)
Executive Sponsor: Paul Raines, CISO, United Nations Development Programme
Project Team: Alexey Kuzmenko, Security Analyst

UNDP’s cyber-incident response team significantly upgraded its capabilities to become an international model of best practice. First, it developed an in-house system that pinpoints potential compromises by comparing known malware indications with the security traffic feeds from UNDP’s 177 country offices. Second, it developed a threat intelligence and web site scanning capability to identify potential risks to the organization. Third, the incident response team improved its readiness by developing global in-house exercises and participating in international capture-the-flag competitions. Finally, the cyber-security team sponsors annual international conferences to train IT personnel from developing nations. Thus, in a short time UNDP has become a center of excellence among non-profit international organizations.

Providing Cost-Effective Cybersecurity Governance, Risk and Compliance in the United Nations Development Programme (UNDP)
Executive Sponsor: Paul Raines, CISO, United Nations Development Programme
Project Team: Alexey Kuzmenko, Security Analyst

The UNDP cyber-security team undertook an extensive project to improve its cyber-security GRC. First they executed a risk assessment which included risk mitigation actions and assigned owners. Second, they developed a workflow application to send quarterly reminders to risk owners for timely updates. Third, they developed a compliance survey for IT managers in the 177 country offices. Fourth, they improved cloud security governance by implementing a cloud access control and risk-based, second factor authentication system. Lastly, they executed a project to comply with the SWIFT security controls framework and plan for future upgrades. Thus, over the past year UNDP has evolved its cyber-security GRC to become a best-of-breed model.