Security Case Studies

Security case studies: Selected in-depth explorations of how leading organizations have approached critical security challenges.

These case studies provide the chance to learn from your peers, whether you are creating an overall strategy or working to solve a specific tactical security problem. (Note: None of these articles were written or sponsored by product and service providers.)

Case study collection updated 10/16/2012.

Leadership and Organizational Issues

Governance, risk and compliance

Fiserv’s GRC process and software implementation (2012)

GRC is a process, not a technology. Fiserv identifies the benefits and challenges of its GRC work.

Alignment with corporate mission and profitability

Dunkin’ Brands security focuses on making dough (2010)

Aligning corporate security with corporate priorities makes everyone’s fortunes rise. A look behind the counter at Dunkin’ Donuts’ parent company. [Full article requires

E-discovery

NBC Universal takes e-discovery inhouse (2010)

NBC Universal saw requests for e-discovery services soar in just a few years. The company’s CISO, Jonathan Chow, knew there had to be a more efficient and cost-effective way to handle it.

Digital and Physical Security Convergence:

Constellation Energy (2005)

What does it take to make security convergence happen? One secret is to sneak up on it, the way Constellation Energy did, by seeming to be doing something else entirely.

Enterprise Risk Management:

All systems go at Georgetown University (2010)

ERM might seem a lofty concept, but Georgetown University provides an example of turning that concept into specific systems and projects that reduce risk.

Information Risk Management:

Harland-Clarke Rechecks Risk Management (2007)

New security program adds more systematic processes for evaluating, prioritizing and mitigating risk.

Departmental Organization:

Reinventing T-Mobile’s Security Function (2006)

T-Mobile needed to reinvent its security function, so it recruited a veteran team to shape a new asset protection division. The goal: Inject risk calculations into every business decision.

Safety and Community Relations:

Boston’s Infectious Disease Research Lab (2006)

When controversy hit, Kevin Tuohey became the public face of a high-profile plan to study deadly diseases in Boston. To succeed, the security director would have to become part diplomat, part great communicator.

Security Metrics, Budgets and ROI

Cost management:

IT security on a shoestring budget (2011)

Michael Dent, CISO of Fairfax County Government in Virginia, created an enterprise-wide IT security program with a fraction of the budget he wanted.

Budgeting, Metrics and Security Value:

American Water (2006)

How American Water’s Bruce Larson uses a simple metric to build bridges with business partners and justify security spending at the same time.

Project ROI:

Digital Video Surveillance at Intel (2005)

Allen Rude, security manager at Intel, invested more than four years in an ROI study to justify the cost of digital video surveillance.

Threats and Defenses

Advanced Persistent Threats:

APT in action: The Heartland breach

Heartland Payment Systems CTO Kris Herrin talks about the attack that changed his views on data security.

GRC:

What’s the business case for GRC? (2012)

Governance, risk and compliance (GRC) can be a dauntingly complex undertaking. But for Fiserv, the alternative was even more complicated.

Situational Awareness:

Inside the new World Trade Center (2011)

Louis Barani leads the construction of an integrated system to help identify security and safety issues by connecting the dots faster.

Cloud security:

More tales from the cloud (2011)

Challenges and solutions at three companies moving into cloud-based IT services:

• Mohawk Fine Papers
• BuildFax
• Inavero

Identity management:

How DTCC took on ID management (2011)

A look at why DTCC deployed identity and access management software from Hitachi ID Systems to automate its password management processes.

Access control:

Policy-based access control at a university (2010)

One school’s approach to maintaining security in an open environment.

Virtualization Security:

Virtual Server Security at Schwan Foods (2010)

When it comes to sampling innovative technology, Schwan Foods, a multibillion-dollar frozen food producer, digs right in.

DDOS and Online Extortion:

How a Bookmaker and a Whiz Kid Took On a DDOS-based Online Extortion Attack (2005)

What it’s like to get hit with a DDoS attack (2010)]

Facing an online extortion threat, bookmaker Mickey Richardson bet his Web-based business on a networking whiz from Sacramento who first beat back the bad guys, then helped the cops nab them.

Fraud:

Anatomy of a Fraud (2004)

Most fraud victims clam up. In this check-tampering case, the victim-a small-business owner-decided to speak out. The resulting cautionary tale offers a rare, detailed look into the mechanics and psychology of fraud. And its aftermath.

Phishing and Incident Response:

Midsize Bank (2005)

What happens after a phishing attack? Here’s one midsize bank’s phishing incident response plan.

Product Counterfeiting:

Drug Busters: Novartis (2005)

Novartis deploys a global team to track down counterfeit drugs and help authorities prosecute counterfeiters.

Video Surveillance:

Surveillance Cameras at Secaucus Junction (2005)

New Jersey Transit’s new station finds additional benefits in its security cameras.

School Security:

Securing the Suburban High School (2007)

Privacy, safety, security and budgeting considerations collide.

Business Continuity

Crisis Communication: 

Gale Global Facilities Services (2006)

With good planning, Web and mobile technologies can help find and inform employees in the event of a disaster. A global company shows how.

Simulations and exercises:

USAA’s Disaster Drill: Practice Makes Perfect (2003)

As one of the nation’s largest insurance companies, USAA is in the business of managing risk. So it makes sense that the company uses exercises, simulations and drills to learn how to respond in the event of a disaster.