CSO50 2015

CSO50 winners announced

Page 2 of 5

11. Role-based Access Management
Blue Cross Blue Shield of Michigan

Blue Cross Blue Shield of Michigan has more than 13,000 individual system accesses available for over 200 different applications. This complexity causes a number of issues -- end users were confused over which system accesses to select, system response times lagged, and managers and role owners spent too much time certifying the accesses.

The company set out to implement role-based access to reduce the access request selections by 50%. The role-based access model was well received; the challenge was to educate users to build business roles solely from the business process or job function within their divisions, rather than from what end users currently happened to have access to.

In the new Identity and Access Management system with RBAC, users can choose from 500 LAN and 500 application business roles. The selections are further reduced if they narrow the search by division.

12. Premium Secure VMS
Boston University

Boston University’s IT servers house a diverse set of information about its students, faculty and staff, including financial information, health records and other sensitive data.

In a multi-tenant environment, information and resources are often accessed by more than one tenant, and protected information may leak through shared memory and other mechanisms. BU's Information Security and Systems Engineering groups worked together to create a secure image in a virtual environment that is certified for use with its highest classification of restricted data.

Today, BU can move sensitive workloads that had been restricted to standalone servers to its virtual environments at a savings of up to 80%. It has also improved security for those workloads.

13. Brown HIV Researchers in South Africa Implement Cloud-secured Dropbox
Brown University

Brown University Assistant Professor Caroline Kuo conducts research in South Africa, working with children orphaned or made vulnerable by AIDS. Kuo and the IT department faced a difficult security challenge: how to enable HIV field researchers to share large audio, video and document files while meeting strict university rules governing the use and storage of sensitive data, as well as collaboration challenges with technologies in developing countries.

The IT department helped researchers implement nCrypted Cloud, a security layer on top of Dropbox, to meet security compliance requirements. Working with the same Dropbox user interface and approach to folders that many of the researchers already used, nCrypted Cloud encrypts data stored in the cloud service and provides a variety of collaboration tools and a centralized console to manage the encryption and the audit trail of the data.

The project allowed researchers, for the first time, to coordinate and collaborate with multiple team members in multi-site locations and time zones using a streamlined, user-friendly platform.

14. Combining Physical and Information Security into One Function
Caterpillar Inc.

Enterprises traditionally operate separate IT and physical security organizations that often function independently of one another. In today's threat environment, however, the lines between those organizations have blurred and security issues require action from many security stakeholders.

Caterpillar set out to converge security functions to more effectively identify, address and reduce enterprise security risks across Caterpillar globally. Executives developed a single organization and standardized governance processes and operating procedures, which include an all-hazards approach to mitigation of risks. This change led to efficiencies and improvements in investigations, consolidated threat intelligence, incident response, communication and program management.

The project also significantly reduced the time it takes to detect and respond to security incidents on a global basis.

15. Deterring Inappropriate Access to Patient Records
Children’s Healthcare of Atlanta

High-profile patients or family members who are admitted to a hospital or outpatient facility run the risk of having nosy staff access their personal files out of curiosity or for financial benefit. The Break-the-Glass (BTG) project at Children’s Healthcare of Atlanta safeguards the personal and protected health information of both patients and employees in its Epic electronic medical record system. BTG functionality deters inappropriate access of patient records while still allowing access to data for care delivery, operations and billing.

When workforce members attempt to access a sensitive record, BTG prompts them to select a valid business reason and to re-authenticate with their Epic password before access is granted.
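The gate described above, as an added illustration that is not Epic's or Children's Healthcare of Atlanta's code: a record flagged sensitive can only be opened after the caller supplies a reason from an approved list and re-authenticates, and every attempt, granted or denied, lands in an audit trail a privacy officer can review. The user names, reason list and record flags are constructed for the demo.

```python
"""Break-the-glass (BTG) access gate: constructed example, not the page's code.

Models the workflow the page describes: when a record is flagged sensitive,
the caller must select a valid business reason and re-authenticate before
access is granted, and every attempt is written to an audit trail.
"""
from dataclasses import dataclass, field
import hashlib
import hmac
import os
import time

# Business reasons a reviewer can later validate; anything else is rejected.
VALID_REASONS = {"treatment", "operations", "billing"}


def _hash(password: str, salt: bytes) -> bytes:
    # Salted PBKDF2 so the gate never stores or compares plaintext passwords.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class User:
    name: str
    salt: bytes
    pw_hash: bytes

    @classmethod
    def create(cls, name: str, password: str) -> "User":
        salt = os.urandom(16)
        return cls(name, salt, _hash(password, salt))


@dataclass
class Record:
    patient_id: str
    sensitive: bool  # BTG flag, e.g. on high-profile patients or employees


@dataclass
class BtgGate:
    audit: list = field(default_factory=list)

    def open(self, user: User, record: Record, reason=None, password=None) -> bool:
        """Return True if access is granted. Non-sensitive records open normally;
        sensitive ones need a valid reason plus a fresh password check."""
        event = {"ts": time.time(), "user": user.name,
                 "patient": record.patient_id, "reason": reason}
        if not record.sensitive:
            event["outcome"] = "granted"
            self.audit.append(event)
            return True
        if reason not in VALID_REASONS:
            event["outcome"] = "denied:invalid_reason"
            self.audit.append(event)
            return False
        # Constant-time comparison of the re-entered password against the stored hash.
        if password is None or not hmac.compare_digest(_hash(password, user.salt), user.pw_hash):
            event["outcome"] = "denied:reauth_failed"
            self.audit.append(event)
            return False
        event["outcome"] = "granted:btg"
        self.audit.append(event)
        return True

    def btg_events(self, patient_id: str) -> list:
        """Every attempt on a sensitive record for one patient: this is the
        view a privacy officer reviews to spot curiosity-driven lookups."""
        return [e for e in self.audit
                if e["patient"] == patient_id and e["outcome"] != "granted"]


if __name__ == "__main__":
    gate = BtgGate()
    nurse = User.create("nurse1", "correct horse battery")  # constructed credentials
    print(gate.open(nurse, Record("p-ordinary", False)))
    print(gate.open(nurse, Record("p-vip", True), reason="treatment",
                    password="correct horse battery"))
    print(gate.btg_events("p-vip"))
```

The outcome strings are deliberately distinct so the audit trail can be filtered for denied re-authentications separately from denied reasons; the page's 98% drop in inappropriate accesses comes from the combination of the prompt (deterrence) and the trail (accountability), and the example keeps both.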

Before BTG, a single privacy incident in 2012 involved some 76 departments seeking access. When a privacy incident occurred in 2013, BTG was applied within 11 minutes of the patient’s admission, and inappropriate accesses decreased by 98%.

16. Secure Colorado
Colorado Governor’s Office of Information Technology

Colorado’s Governor's Office of IT averts about 800,000 malicious events each day. To combat the growing threat, it created Secure Colorado, the state's first cyber security strategic plan. It is focused on achieving quick and sustainable risk reduction at a reasonable cost while promoting an environment of technology innovation, adoption of open source and cloud-based technology, and the open sharing of data where appropriate.

The initiative involved re-aligning the state’s security framework with the SANS Institute’s Top 20 Critical Security Controls for Effective Cyber Defense, starting with the first five controls, which could be implemented quickly and inexpensively and have been proven to decrease an organization's risk of compromise. These five controls were implemented within 120 days.

Today, Colorado has experienced more than a 75% drop in monthly malware infections, and more than 97% of all state systems are being monitored, audited and managed in near real time.

17. Protecting Sensitive Data Wherever it Exists
Comcast Corp

Comcast's DLP program used to focus narrowly on the typical scope of credit card and social security numbers; today it has been transformed into a proactive, holistic enterprise data security program that protects Comcast's most sensitive data wherever it exists.

The media giant implemented a full commercial DLP solution, then added capabilities beyond the industry standard to make it a world-class program. For instance, it integrated one third-party solution that monitors and protects data sent to or stored in the corporate-approved cloud storage provider. Another integrated solution aggregates key security tool data into a central repository where IT analytics are performed to identify trends and anomalies. Multiple data feeds are also consolidated there to give a single view of data security and compliance.

Today, millions of customer and employee records are "exact data matched" for highly accurate monitoring to prevent breaches.

18. On-Demand Private Cloud for Business Application Hosting with Enhanced Security
Deepak Fertilisers and Petrochemicals Corp. Ltd.

The India-based company wanted to expedite new business applications in a secure way. Previously, IT staff had to procure a secure server and storage for installing new applications, taking up data center rack space and adding to power and cooling costs. The process was also labor-intensive because moving or migrating applications from one server to another was difficult.

So the chemical company created an on-demand private cloud in an existing data center for quickly hosting business applications and securing application access over the internet for remote users.

The private cloud puts new applications into the business’s hands faster and enhances security. It has also reduced server power consumption by 35%, increased the server utilization rate from 30% to 80% and saved 18 hours of administration time per month.

19. Addressing both User Satisfaction and Information Security in Healthcare
Fletcher Allen Health Care

To comply with the healthcare industry’s HITECH Act, medical staff are required to take extra steps when accessing data in exam rooms and at hospital workstations. Increased security measures such as strong passwords have proven to be a burden, not only to remember but also to type correctly time after time. Fletcher Allen also has a mix of applications across various operating systems that do not all sync with the same authentication source, requiring employees to remember several different passwords, which encourages easy-to-crack password choices.

The healthcare provider implemented Imprivata’s OneSign solution, which improves access to applications while eliminating the need to remember dozens of passwords and meeting HIPAA requirements for access and authentication. The solution also gives users a self-service password reset tool, allowing them to reset their Active Directory password and multifactor authentication PIN by answering security questions. This ultimately reduces calls to the Help Desk for reset assistance.

20. Site Security Incident Reporting System
Fraser Health

British Columbia healthcare provider Fraser Health was looking to take back direct control and ownership of the security incident reports generated at its healthcare facilities. It implemented Integrated Protection Services’ (IPS) Site Security Incident Reporting System, which was both new and innovative for the program. It allowed IPS to combine disparate security reporting systems across four health organizations, encompassing over 40 acute, primary and residential care facilities, into one standard system.

The system improved privacy and confidentiality because reports are now stored on IPS' secure network. It improved intelligence sharing across all healthcare facilities and provided enhanced data metrics, allowing greater statistical analysis.

The improved data metrics obtained in the first two fiscal quarters of 2014-15 allowed IPS to make changes to security resource models at multiple sites, resulting in savings of $130,000 per year and the addition of 12 hours of security per day at one hospital.
