CSO50 2015

CSO50 winners announced



41. Creating a Global, 24/7 Information Security Incident Response Team
United Nations Development Program

UNDP wanted to upgrade and expand the coverage of its information security incident response. But it lacked the manpower, training, procedures, equipment and geographic dispersal needed for the 24/7 coverage demanded by an international organization spread over 177 countries.

Over the course of 12 months, UNDP created a global team of trained incident responders equipped with the procedures, training and capabilities needed for effective incident detection, notification, reaction, handling, escalation and closure of information security incidents. The newly created ISIRT team was able to meet the stringent requirements of the Forum for Incident Response and Security Teams (FIRST), an international organization of highly qualified incident response teams that securely share threat and incident information between organizations.

42. Establishing a Financial Crimes Analytics Lab
USAA

USAA is increasingly a target for account takeover activity on member servicing channels, such as assuming a member's identity on the phone or online. Fraudsters will go to great lengths to figure out the answers to the multiple security questions that only legitimate members should know, or they socially engineer their way to the answers to gain account access.

USAA established the Financial Crimes Analytics Lab to identify and track emerging threats; perform advanced correlations, including threat trending, threat prediction and threat interdiction; and measure the effectiveness of new and existing security and fraud controls. The company applied agile methodology to the project, deployed a big data platform to analyze complex data, and integrated data feeds from sources that had not previously been correlated, such as authentication logs, web session information and credit/debit card transaction logs.

Year-to-date, the analytics lab has prevented losses of more than $4 million.

43. Enterprise Encryption Service: Data Defense in Depth
United States Postal Service

USPS relies on the privacy trust of its customers to make its electronic commerce and business successful. With that in mind, USPS wanted to secure all sensitive data in-motion and at-rest within the Postal Service IT infrastructure. What’s more, the CISO wanted to present this security solution as an enabling function, which supports and adds value to the business.

So it developed and implemented an Enterprise Encryption Service that delivers a standards-based encryption mechanism to USPS employees and partners. USPS leveraged its already-deployed DLP solution not just to block data, but to give users the ability to communicate securely when handling sensitive enhanced PII and PCI data.

The business is now using this technology instead of trying to bypass security controls that were once put in place to block all sensitive enhanced data.

44. Phishing for Clickers
Viewpost

Many companies bolt on security. Others talk about getting ahead of risks. At Viewpost, a business network for invoicing and payments, they’ve set an ambitious goal to culturally build security and compliance into their everyday operations — at the executive level and throughout the organization. Central to this was establishing an Executive Risk Management Committee (ERMC), reporting to the board, to review, discuss, dimension and understand all cybersecurity risks, controls and the current status of the environment.

The ERMC created nearly 1,500 pages of documents to discuss risks and ways to achieve security on the front end in a collaborative fashion, and the executive team has spent over 2,400 minutes in ERMC meetings discussing the security environment.

Just one of many benefits has been the organization’s creation of a rigorous, ongoing and company-wide awareness program designed to avoid the perils of phishing.

45. Locking Down 10,000 Shared Folders
Voya Financial

Voya Financial faced a major dilemma when an audit found that data in its shared folder structure wasn’t secure. Complicating matters more, the organization had never encountered a remediation project quite like this, so it was faced with cleaning up a mess of unknown scope. It needed to develop a timeline and budget that allowed for analyzing all devices and locking down everything that was open. Ultimately, with the help of a specialized tool and much hard work, the team successfully scanned about 880 terabytes of data across 10,000 folders.

The team scanned 1,722 shared drives and found there were 4,459 folders containing open access. These folders were remediated in waves through the end of 2014.

46. Creating and Deploying a Successful Physical Security Campaign
Voya Financial

Studies show that changing employee behavior and responses to cyber threats delivered through social media, phishing and other popular attack vectors can significantly reduce an organization's security risk.

To better secure the information and assets of Voya Financial, the organization embarked on an awareness and education campaign designed to improve physical security. After conducting site assessment surveys at nine major sites, metrics and insight into the physical security practices were collected for each location. The campaign used employee awareness activities including posters, intranet articles, emails, blog postings, tip cards and dialogue.

With the campaign in place, instances of employees reporting unknown or un-escorted visitors have increased. One-on-one discussions, emails, blog article comments and site surveys provided an outlet to gauge employee involvement.

47. Information Security Training Campaign: “Put Yourself in the Picture!”
Warner Bros Entertainment Inc.

Global media and entertainment company Warner Bros. is proactive about keeping employees aware of information security risks.

The WB Information Security and Compliance team developed and deployed the "Put Yourself in the Picture" Information Security Awareness and Training 2014 Campaign. The campaign included awareness and learning materials focusing on key security principles delivered in short films, on-site awareness events, phishing simulations, and a custom e-learning curriculum.

Measurements conducted during the campaign showed that employees were engaged, their information security awareness increased, their understanding of the topics deepened, and most importantly, they understood how their actions could reduce risk.

48. WINS Academy Nuclear Security Certification Program
World Institute for Nuclear Security

In the nuclear industry, many of the accountants, engineers and safety professionals belong to chartered institutes that certify their members’ competence on an ongoing basis. The same cannot be said, however, for most professionals with senior managerial or regulatory responsibilities relating to nuclear security. Many governments have recognized this gap and have begun to support the need for professional development for nuclear security. At the March 2014 Nuclear Security Summit, 35 governments signed an agreement to “ensure that management and personnel with accountability for nuclear security are demonstrably competent.” To that end, the World Institute for Nuclear Security in Vienna has launched a suite of certification programs called the WINS Academy.

By offering the first online certification program in the world for nuclear security management, WINS aims to improve professional development, exchange knowledge and spark innovation in nuclear security management.

49. Cyber Security Coordination Center
Xerox Corporation Ltd.

Like many globally distributed organizations, Xerox is targeted by a myriad of cyber threats aimed at disrupting business operations and/or stealing corporate or customer data.

Xerox wanted to have more visibility into the threats beyond the edges of its network. So it established the Cyber Security Coordination Center to develop and deploy an enterprise-wide proactive threat analysis, detection, and response capability. The goal was to identify and assess cyber threats, gain detailed insight into ongoing or predicted threat activity, and take the proactive steps to defend against and respond to threats.

One demonstrable example of the project's business value was the rapid closure of the recent OpenSSL "Heartbleed" vulnerability. Previously, there was no enterprise-wide visibility or tracking of a serious vulnerability. In contrast, in early April 2014, the cyber threat intelligence capability identified the vulnerability, issued a patch, identified possible indicators of compromise and updated the incident response “playbook” actions.

50. Data Security Initiative
Zurich Insurance Group

In 2009, Zurich Insurance Group determined that its information security program was behind industry peers and did not adequately protect data in alignment with business expectations and needs.

So Zurich formed Group Information Security (GIS) in 2010 to secure Zurich's data. They identified 29 initiatives needed to remediate 92 IT capability gaps, including data loss prevention solutions for mail, web and network, a secure file-transfer solution and endpoint protection.

Zurich started with fresh solutions instead of building on existing ones, and added mobile device management technologies and a token-less remote access system that enabled more end users to access systems remotely while eliminating the cost of issuing a token to each end user for remote login. Over 15,000 smart mobile devices have been enabled for use. Removing the need for physical tokens to log into the VPN has saved the business $800,000 a year.

Copyright © 2015 IDG Communications, Inc.
