by Stacy Collett

CSO50 winners announced

Feb 03, 2015 | 36 mins
Access Control, Big Data, Cloud Security


Each year, the CSO50 awards honor 50 security projects and initiatives that have delivered groundbreaking business value through the innovative application of risk and security concepts and technologies. Here are the 2015 winners:

1. Marketing Cloud Implementation Adobe Systems Inc.

Digital media software and marketing company Adobe needed a highly scalable, highly available host-based intrusion detection and system monitoring platform to shorten the time it takes operations and engineering teams to detect vulnerabilities, anomalies and breaches.

In 2014, Adobe implemented a software-defined security platform for centralized monitoring of system level changes and network events for its marketing cloud platform. The platform gives its teams improved insight into the various marketing clouds’ products and services, helps network operations automate security controls and ensures compliance with internal security rules. The platform also alerts network operations of anomalous activity, non-compliance with security controls and rules, or other suspicious activities. Today the platform monitors more than 35,000 systems on multiple operating systems.

2. International Third-Party Governance, Risk and Compliance Management ADP Inc.

ADP Streamline International Business Unit uses an international network of specialist payroll processing partners that provide services to multinational companies, and the area covered by these partners has grown from 30+ countries in 2008 to 100 countries in 2014. While the business unit has the overall liability as primary contractor for the payroll service by coordinating the partner network, the partners are responsible for the delivery of local services.

The International Third Party Governance, Risk and Compliance Management Program was started to ensure that partners are compliant with the payroll service, IT and international security standards, and to motivate them to improve their level of risk and service quality as part of a continuous improvement process.

From July 2012 to June 2013, 18 on-site audits were performed at ADP Streamline partners around the world. Some 303 findings were rated on a three-level risk scale, and 293 remediation actions to resolve the identified issues were agreed between ADP and the partners. By June 2014, 199 actions were closed, representing a 70% risk reduction.

3. Protecting Against Global Power Company Threats AES Corp.

Global power companies like AES have become a major focus for targeted cyber attacks and are among the top five most targeted sectors worldwide. The AES global cybersecurity program was formed to govern and manage cybersecurity risk for its diverse portfolio of distribution businesses and facilities across 20 countries. As part of its implementation of the NIST Cybersecurity Framework, AES identified an opportunity to improve its global defense architecture by deploying an advanced threat protection solution to complement its existing defenses.

After piloting the program, AES calculates that it could avoid tens of millions of dollars in IT operational costs for security monitoring and incident handling alone by implementing the solution globally. This estimate is only the tip of the iceberg, since the solution is also expected to avoid the costs of lost productivity due to downtime, forensics, potential financial losses, stolen intellectual property, reputational damage and legal liability.

4. Industry-leading Trusted Email Program Aetna Inc.

In 2014, insurance provider Aetna implemented a Trusted Email Program that provides a new level of brand protection in the industry. The program leverages standard email protocols that support authentication and policy enforcement to drive removal of fraudulent emails from the Internet that appear to be coming from Aetna.

Aetna first used email authentication (SPF and DKIM, the protocols DMARC builds on) to associate a verifiable sender identity with outbound email. Next, a Domain-based Message Authentication, Reporting and Conformance (DMARC) policy was published so that receiving mail systems could reject or quarantine messages that fail authentication, reducing the potential for email-based abuse such as spoofing and phishing.
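The receiver-side logic behind the policy described above, as an added example that is not part of Aetna's program or any vendor's product: a DMARC evaluator that parses a published record, checks whether the SPF and DKIM results are aligned with the visible From: domain, and returns the disposition (none, quarantine or reject) the receiver should apply. The record, domains and authentication results are constructed for the demo; real DNS lookup and SPF/DKIM verification are assumed to have happened already, and the organizational-domain step is simplified (a production receiver consults the Public Suffix List).

```python
"""DMARC policy evaluation as a receiving mail system performs it.
Added example: constructed record and authentication results, not a real
deployment. DNS lookup and SPF/DKIM verification are assumed done."""
from dataclasses import dataclass


def parse_dmarc_record(txt: str) -> dict:
    """Parse a DMARC TXT record ('v=DMARC1; p=reject; adkim=s') into its tags.
    Missing alignment tags default to relaxed ('r'), as the spec requires."""
    tags = {}
    for part in txt.split(";"):
        key, sep, value = part.strip().partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        raise ValueError("not a DMARC1 record")
    if tags.get("p") not in ("none", "quarantine", "reject"):
        raise ValueError("DMARC record needs p=none|quarantine|reject")
    tags.setdefault("adkim", "r")
    tags.setdefault("aspf", "r")
    return tags


def organizational_domain(domain: str) -> str:
    """Simplification: the last two labels. A production receiver uses the
    Public Suffix List so that 'foo.co.uk' is not collapsed to 'co.uk'."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    """Identifier alignment: strict ('s') requires an exact match; relaxed
    ('r') accepts any domain sharing the From: header's organizational domain."""
    f, a = from_domain.lower(), auth_domain.lower()
    return f == a if mode == "s" else organizational_domain(f) == organizational_domain(a)


@dataclass
class AuthResults:
    from_domain: str   # domain of the RFC5322.From header (what the user sees)
    spf_result: str    # SPF result on the envelope sender: pass/fail/none/...
    spf_domain: str    # RFC5321.MailFrom domain SPF was checked against
    dkim_result: str   # DKIM verification result: pass/fail/none
    dkim_domain: str   # d= tag of the verified signature ("" if none)


def evaluate_dmarc(record_txt: str, record_domain: str, ar: AuthResults) -> dict:
    """Return the DMARC result and the disposition the receiver should apply.
    record_domain is where the record was found: the From: domain itself, or
    its organizational domain (in which case sp= governs subdomains)."""
    policy = parse_dmarc_record(record_txt)
    spf_ok = ar.spf_result == "pass" and aligned(ar.from_domain, ar.spf_domain, policy["aspf"])
    dkim_ok = ar.dkim_result == "pass" and aligned(ar.from_domain, ar.dkim_domain, policy["adkim"])
    passed = spf_ok or dkim_ok
    is_subdomain = ar.from_domain.lower() != record_domain.lower()
    requested = policy.get("sp", policy["p"]) if is_subdomain else policy["p"]
    return {
        "result": "pass" if passed else "fail",
        "spf_aligned": spf_ok,
        "dkim_aligned": dkim_ok,
        # A passing message is delivered normally; p= only applies to failures.
        "disposition": "none" if passed else requested,
    }


# Constructed scenarios against a hypothetical enforcing record for example.com.
RECORD = "v=DMARC1; p=reject; sp=quarantine; rua=mailto:dmarc-reports@example.com"

LEGIT = AuthResults("example.com", "pass", "example.com", "pass", "example.com")
# Spoof: the attacker's own domain passes SPF but is not aligned with From:.
SPOOF = AuthResults("example.com", "pass", "bulk.attacker-mail.test", "none", "")
# Legitimate mail relayed through a forwarder: SPF breaks, DKIM survives.
FORWARDED = AuthResults("example.com", "fail", "example.com", "pass", "mail.example.com")
# Unsigned, unauthorised mail claiming a subdomain that publishes no record.
SUBDOMAIN = AuthResults("news.example.com", "fail", "news.example.com", "none", "")

if __name__ == "__main__":
    for name, ar in [("legit", LEGIT), ("spoof", SPOOF),
                     ("forwarded", FORWARDED), ("subdomain", SUBDOMAIN)]:
        print(name, evaluate_dmarc(RECORD, "example.com", ar))
```

The forwarded case is why senders deploy DKIM alongside SPF before moving to p=reject: SPF fails whenever mail is relayed, and with only SPF the policy would reject legitimate mail. Switching adkim to strict makes the same forwarded message fail, because the signing domain mail.example.com no longer matches the From: domain exactly.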

In June 2014, the program identified a malicious botnet email campaign targeting a medical management company affiliated with Aetna. The company's domain was spoofed by malicious senders to push fraudulent pharmaceutical advertisements to customers. A review of the email headers clearly identified the mail as fraudulent and potentially harmful to the Aetna brand.

With DMARC policy security controls enabled, about 188,000 emails were blocked from delivery in the first three days of enforcement, and 597,000 in 45 days.

5. Securing Nuclear and Radiological Material in Healthcare Facilities Atlantic Health System

Radioactive materials are often used in healthcare facilities for medical diagnoses and cancer treatment. Homeland Security’s concerns about the possible theft or detonation of nuclear and radiological material prompted Atlantic Health System to partner with the National Nuclear Security Administration’s Global Threat Reduction Initiative and Domestic Threat Reduction Program to implement advanced technology and procedures to secure this material.

With the help of NNSA and various security vendors, AHS installed a radiation detection system, intrusion/tamper detection system, CCTV system, remote monitoring system, duress alarms, access control and emergency power with redundant monitoring locally and off-site 24/7. It also included new procedures, training and response personnel.

Since the end of 2013 when the program was implemented, 12 attempts have been made to infiltrate both the Cancer Center’s HDR Room and laboratory blood irradiator locations by the AHS infiltration testing team, known as “Red Cell.” All attempts so far have failed.

6. The Condor Physical Security Project Baker Hughes Inc.

There is consensus in the oil industry about the need to actively reduce risk exposure, avoid potential incidents and quickly mitigate the impact of realized incidents. The goal is to move beyond managing operations and into building trust in operations through a risk based intelligence-led methodology.

To that end, oil field services company Baker Hughes created the Condor project to develop a centrally managed physical security command and control capability. The team was tasked to design and implement this capability by leveraging the latest in Physical Security Information Management (PSIM) technologies and combining that with existing standard operating security procedures. The first phase of the project already resulted in $1 million of annual savings for operations. Beyond the savings and improvement in procedures, this capability has also allowed Baker Hughes to improve facility utilization and management and create a foundation for further monitoring capabilities beyond security.

7. GRC Access Control System Bharat Aluminum Company Ltd. (BALCO)

Indian aluminum producer BALCO recognized that proper segregation of duties and access control over key information assets are among the most effective safeguards for the corporate oversight required by regulatory mandates around the world, such as the Sarbanes-Oxley Act. So the company implemented SAP GRC 10.0 Access Control to strengthen security at the access control level. The system gives BALCO real-time analysis of segregation-of-duties and sensitive-access violations.

8. Shifting the security paradigm The Blackstone Group LP

Over the last two years, the global investment and advisory firm has fundamentally shifted from a preventative, detective and reactive security program to one that’s built with less focus on prevention and more focus on visibility, intelligence and response.

The information risk-security approach balances prevention with enhanced visibility, intelligence and response. The framework is based on four key principles: Keep current and think ahead, constantly monitor the environment to detect and prevent threats, understand the flow of information to respond effectively, and educate employees on threats and prevention. These principles are combined with tools that detect threats, aid in investigation and containment, facilitate forensics and eventually direct remediation efforts.

Since 2013, the firm has experienced a 93.75% drop in compromised systems, largely due to better visibility into its environment and the understanding of who is attacking the firm and why.

9. Detecting Advanced Cyber Threats with Real-time Big Data Visualization Solutions Blue Cross Blue Shield of Illinois, Texas, New Mexico, Montana, Oklahoma

BCBS through its subsidiaries sought to protect its customers’ data against a rapidly evolving cyber threat landscape, so the health insurer decided to pursue research and funding for a project that would address advanced threat detection by visual means.

The insurer deployed operational intelligence software to help improve its security posture. The software combines search and discovery capabilities with analytics on the machine data generated by IT systems, and provides insight into how well the systems that support the business are performing.

The project has helped BCBS detect previously unknown types of cyber threats and active threats through visualization and real-time mining of historical data. It also aided with HIPAA compliance by improving the insurer’s incident detection and response capabilities.

10. Safely and Securely Unlocking Social Media Blue Cross Blue Shield of North Carolina

To increase brand value, create robust social strategies and improve customer relationships in a rapidly changing marketplace, Blue Cross Blue Shield of North Carolina organized its "Social Media: Employee Access Project." Before the project, the company's key concerns about social media were data loss and network utilization. So the organization embarked on a strategy that not only incorporated the critical technology requirements but also broad education and awareness on appropriate use of social media at work. Through updated data loss prevention technology along with computer-based training, user guides and revised policies, the project has safely and securely given employees access to social media, which is now a critical tool in many areas of the company and is changing how it does business.

11. Role-based Access Management Blue Cross Blue Shield of Michigan

Blue Cross Blue Shield of Michigan has more than 13,000 individual system accesses available across over 200 different applications. This complexity caused a number of issues: end users were confused over which system accesses to select, system response times lagged, and managers and role owners spent too much time certifying the accesses.

The company set out to implement role-based access to reduce the access request selections by 50%. The role-based access model was well received; the challenge was educating users to build business roles solely from the business process or job function within their divisions, rather than from whatever access end users currently happened to have.

In the new Identity and Access Management system with RBAC, users can choose from 500 LAN and 500 application business roles. The selections are further reduced if they narrow the search by division.
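The segregation-of-duties analysis in the BALCO entry (item 7) and the job-function-based business roles described here are two sides of one access model. The following is an added example, not code from either company or from SAP GRC: business roles are defined as sets of entitlements, a rule set names the entitlement pairs one person must never hold together, and the functions check a role request preventively (before provisioning), compute which roles can never be co-assigned, and, for recertification, list the access a user actually holds that no assigned role explains. All role names, entitlements and rules are constructed for the demo.

```python
"""Role-based access with segregation-of-duties (SoD) checks.
Added example: roles, entitlements and rules are constructed, not any
company's real configuration."""
from itertools import combinations

# Business roles defined by job function, each granting a set of entitlements.
BUSINESS_ROLES = {
    "AP_Clerk":            {"AP:enter_invoice", "AP:view_vendor"},
    "AP_Manager":          {"AP:approve_payment", "AP:view_vendor"},
    "Vendor_Master_Admin": {"AP:maintain_vendor", "AP:view_vendor"},
    "Claims_Reviewer":     {"CLM:view_claim", "CLM:annotate_claim"},
}

# SoD rules: two entitlements one person must never hold together, with the
# fraud scenario each rule prevents (shown to reviewers in plain language).
SOD_RULES = [
    ("AP:maintain_vendor", "AP:approve_payment", "create a fictitious vendor and pay it"),
    ("AP:enter_invoice",   "AP:approve_payment", "enter an invoice and approve its own payment"),
]


def effective_entitlements(roles, assigned_roles):
    """Union of everything the user's assigned roles grant."""
    ents = set()
    for r in assigned_roles:
        ents |= roles[r]
    return ents


def sod_violations(entitlements):
    """Rules whose both sides are present in a single entitlement set."""
    return [rule for rule in SOD_RULES if rule[0] in entitlements and rule[1] in entitlements]


def conflicting_role_pairs(roles):
    """Role pairs that can never be co-assigned. Computed once so a request
    can be refused at selection time instead of being found later in review."""
    pairs = set()
    for a, b in combinations(sorted(roles), 2):
        if sod_violations(roles[a] | roles[b]):
            pairs.add((a, b))
    return pairs


def request_allowed(roles, current_roles, requested_role):
    """Preventive check: would adding requested_role introduce a new violation?
    Returns (allowed, reasons) so the requester sees why a request is refused."""
    before = sod_violations(effective_entitlements(roles, current_roles))
    after = sod_violations(effective_entitlements(roles, list(current_roles) + [requested_role]))
    new = [rule for rule in after if rule not in before]
    return (not new, [reason for _, _, reason in new])


def excess_access(roles, assigned_roles, actual_entitlements):
    """Detective check for recertification: entitlements a user actually holds
    on the target systems that no assigned business role explains. These are
    the candidates for revocation when roles are built from job function
    rather than from existing access."""
    return set(actual_entitlements) - effective_entitlements(roles, assigned_roles)


if __name__ == "__main__":
    print("conflicting role pairs:", sorted(conflicting_role_pairs(BUSINESS_ROLES)))
    print("clerk requests manager:", request_allowed(BUSINESS_ROLES, ["AP_Clerk"], "AP_Manager"))
    # A reviewer sees access pulled from the system, not just the roles on file.
    pulled = {"CLM:view_claim", "CLM:annotate_claim", "AP:approve_payment"}
    print("unexplained access:", excess_access(BUSINESS_ROLES, ["Claims_Reviewer"], pulled))
```

The two checks complement each other: the preventive one keeps a conflicting combination from ever being provisioned, while the detective one catches access that arrived outside the role model (direct grants, migrations, job changes) and surfaces it to the reviewer in the role's business language rather than as raw system permissions.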

12. Premium Secure VMS Boston University

Boston University's IT servers house a diverse set of sensitive information about its students, faculty and staff, including financial information and health records.

In a multi-tenant virtual environment, information and resources are often shared by more than one tenant, and protected information may leak through shared memory and other mechanisms. BU's Information Security and Systems Engineering groups worked together to create a secure virtual machine image that is certified for use with the university's highest classification of restricted data.

Today, BU can move sensitive workloads that had been restricted to standalone servers to its virtual environments at a savings of up to 80%. It has also improved security for those workloads.

13. Brown HIV Researchers in South Africa Implement Cloud-secured Dropbox Brown University

Brown University Assistant Professor Caroline Kuo conducts research in South Africa, working with children orphaned or made vulnerable by AIDS. Kuo and the IT department faced a difficult security challenge: how to enable HIV field researchers to share large audio, video and document files while meeting strict university rules governing the use and storage of sensitive data, as well as collaboration challenges with technologies in developing countries.

The IT department helped researchers implement nCrypted Cloud, a security layer on top of Dropbox, to meet the university's security requirements. Working within the same Dropbox user interface and folder model that many of the researchers already used, nCrypted Cloud encrypts data stored in the cloud service and provides collaboration tools and a centralized console to manage the encryption keys and the audit trail of data access.

The project allowed researchers, for the first time, to coordinate and collaborate with multiple team members in multi-site locations and time zones using a streamlined, user-friendly platform.

14. Combining Physical and Information Security into One Function Caterpillar Inc.

Enterprises traditionally operate separate IT and physical security organizations that often function independently of one another. In today’s threat environment, however, the lines between those organizations have blurred and security issues require action from many security stakeholders.

Caterpillar set out to converge security functions to more effectively identify, address and reduce enterprise security risks across Caterpillar globally. Executives developed a single organization and standardized governance processes and operating procedures, which include an all-hazards approach to mitigation of risks. This change led to efficiencies and improvements in investigations, consolidated threat intelligence, incident response, communication and program management.

The project also significantly reduced the time it takes to detect and respond to security incidents on a global basis.

15. Deterring Inappropriate Access to Patient Records Children’s Healthcare of Atlanta

High-profile patients or family members who are admitted to a hospital or outpatient facility run the risk of having nosy staff access their personal files out of curiosity or for financial benefit. The Break-the-Glass (BTG) project at Children’s Healthcare of Atlanta safeguards the personal and protected health information of both patients and employees in its Epic electronic medical record system. BTG functionality deters inappropriate access of patient records while still allowing access to data for care delivery, operations and billing.

When workforce members attempt to access a sensitive record, BTG prompts them to select a valid business reason and to re-authenticate with their Epic password before access is granted.

Before BTG, a single privacy incident in 2012 involved some 76 departments seeking access. When a privacy incident occurred in 2013, BTG was applied within 11 minutes of the patient’s admission, and inappropriate accesses decreased by 98%.
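A simplified model of the break-the-glass gate described above, as an added example; it is not Epic's implementation or Children's Healthcare of Atlanta's configuration. A record flagged as sensitive can only be opened with an allowed business reason and a fresh password re-authentication, the re-authentication is cached for a short window so a clinician is not prompted on every click, and every attempt, granted or denied, is written to an append-only audit trail that privacy staff can query per record. The reason list, the five-minute window, the users and the medical record numbers are assumptions made for the demo; passwords are stored as salted PBKDF2 hashes.

```python
"""Break-the-glass (BTG) gate for sensitive records.
Added example: a simplified model with constructed users and records, not
a real EMR implementation."""
import hashlib
import hmac
import os
import time

BTG_REASONS = {"treatment", "payment", "operations", "emergency"}  # assumed list
REAUTH_WINDOW = 300  # seconds a BTG re-authentication stays valid (assumed)


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class BreakTheGlassGate:
    def __init__(self):
        self._creds = {}      # user -> (salt, pbkdf2 hash)
        self._sensitive = set()
        self._reauth = {}     # (user, record) -> time until which re-auth is fresh
        self.audit = []       # append-only audit trail of every attempt

    def register_user(self, user, password):
        salt = os.urandom(16)
        self._creds[user] = (salt, _hash_password(password, salt))

    def flag_sensitive(self, record_id, now=None):
        """Mark a record (e.g. a high-profile admission) as BTG-protected."""
        self._sensitive.add(record_id)
        self._log("flag", "privacy-office", record_id, None, "applied", now)

    def _verify(self, user, password):
        if user not in self._creds or password is None:
            return False
        salt, stored = self._creds[user]
        return hmac.compare_digest(stored, _hash_password(password, salt))

    def _log(self, event, user, record_id, reason, outcome, now):
        self.audit.append({"ts": time.time() if now is None else now, "event": event,
                           "user": user, "record": record_id,
                           "reason": reason, "outcome": outcome})

    def access(self, user, record_id, reason=None, password=None, now=None):
        """True if the record may be opened. Ordinary records need no
        justification; sensitive ones need an allowed reason plus a fresh
        password re-authentication, and every attempt is logged."""
        if now is None:
            now = time.time()
        if record_id not in self._sensitive:
            self._log("access", user, record_id, None, "granted", now)
            return True
        if reason not in BTG_REASONS:
            self._log("btg", user, record_id, reason, "denied:no_reason", now)
            return False
        key = (user, record_id)
        if self._reauth.get(key, 0) <= now:           # no fresh re-auth on file
            if not self._verify(user, password):
                self._log("btg", user, record_id, reason, "denied:reauth_failed", now)
                return False
            self._reauth[key] = now + REAUTH_WINDOW
        self._log("btg", user, record_id, reason, "granted", now)
        return True

    def btg_accesses(self, record_id):
        """Every break-the-glass attempt on a record, for privacy review."""
        return [e for e in self.audit if e["record"] == record_id and e["event"] == "btg"]


if __name__ == "__main__":
    gate = BreakTheGlassGate()
    gate.register_user("nurse1", "correct horse battery staple")
    gate.flag_sensitive("MRN-0001")
    gate.access("nurse1", "MRN-0001")                                  # denied: no reason
    gate.access("nurse1", "MRN-0001", reason="treatment", password="guess")
    gate.access("nurse1", "MRN-0001", reason="treatment", password="correct horse battery staple")
    for e in gate.btg_accesses("MRN-0001"):
        print(e["user"], e["reason"], e["outcome"])
```

The deterrent effect the entry reports comes less from the prompt itself than from the audit trail: a denied attempt with no reason, or a string of "curiosity" accesses, is exactly what a privacy officer queries for after a high-profile admission.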

16. Secure Colorado Colorado Governor’s Office of Information Technology

Colorado’s Governor’s Office of IT averts about 800,000 malicious events each day. To combat the growing threat, it created Secure Colorado, the state’s first cyber security strategic plan. It is focused on achieving quick and sustainable risk reduction at a reasonable cost while promoting an environment of technology innovation, adoption of open source and cloud-based technology, and the open sharing of data where appropriate.

The initiative involved re-aligning the state's security framework with the SANS Institute's Top 20 Critical Security Controls for Effective Cyber Defense, starting with the five "quick win" sub-controls, which can be implemented quickly and inexpensively and have been shown to decrease an organization's risk of compromise. Those five sub-controls were implemented within 120 days.

Today, Colorado has experienced more than a 75% drop in monthly malware infections, and more than 97% of all state systems are being monitored, audited and managed in near real time.

17. Protecting Sensitive Data Wherever it Exists Comcast Corp.

Comcast's DLP program used to focus narrowly on the typical scope of credit card and Social Security numbers; today it has been transformed into a proactive, holistic enterprise data security program that protects Comcast's most sensitive data wherever it exists.

The media giant implemented a full commercial DLP solution, and then added capabilities beyond the industry standards to make it a world-class program. For instance, it integrated one third-party solution that monitors and protects data sent or stored to the corporate approved cloud storage provider. Another integrated solution aggregates key security tool data to a central repository where IT analytics is performed to identify trends and anomalies. Multiple data feeds are also consolidated here to show a single view of data security and compliance.

Today, millions of customer and employee records are “exact data matched” for highly accurate monitoring to prevent breaches.

18. On-Demand Private Cloud for Business Application Hosting with Enhanced Security Deepak Fertilisers and Petrochemicals Corp. Ltd.

The India-based company wanted to expedite new business applications in a secure way. Previously, IT staff had to procure a secure server and storage for installing new applications, taking up data center rack space and adding to power and cooling costs. The process was also labor-intensive because moving or migrating applications from one server to another was difficult.

So the chemical company created an on-demand private cloud in an existing data center for quickly hosting business applications and securing application access over the internet for remote users.

The private cloud puts new applications into the business's hands faster and enhances security. It has also reduced server power consumption by 35%, increased server utilization from 30% to 80% and saved 18 hours of administration time per month.

19. Addressing both User Satisfaction and Information Security in Healthcare Fletcher Allen Health Care

To comply with the HITECH Act, medical staff are required to take extra steps when accessing data in exam rooms and at hospital workstations. Security measures such as strong passwords have proven to be a burden, not only to remember but also to type correctly time after time. Fletcher Allen also runs a mix of applications across various operating systems that do not all sync with the same authentication source, requiring employees to remember several different passwords, which encourages easy-to-crack password choices.

The healthcare provider implemented Imprivata's OneSign solution, which streamlines access to applications, eliminates the need to remember dozens of passwords and meets HIPAA requirements for access and authentication. The solution also gives users a self-service password reset tool, allowing them to reset their Active Directory password and multifactor authentication PIN by answering security questions. This reduces calls to the Help Desk for reset assistance.

20. Site Security Incident Reporting System Fraser Health

British Columbia healthcare provider Fraser Health was looking to take back direct control and ownership of security incident reports generated from its healthcare facilities. It implemented the Integrated Protection Services’ Site Security Incident Reporting System. The system was both new and innovative for the program. It allowed IPS to combine disparate security reporting systems across four health organizations, encompassing over 40 acute, primary and residential care facilities, into one standard system.  

The system improved privacy and confidentiality because reports are now stored on IPS' secure network. It improved intelligence sharing across all healthcare facilities and provided enhanced data metrics, which allow for greater statistical analysis.

The improved data metrics obtained in the first two fiscal quarters of 2014-15 allowed IPS to make changes to security resource models at multiple sites, resulting in savings of $130,000 per year and the addition of 12 hours of security per day at one hospital.

21. Security Event Management Centre – A single cyber-infrastructure view Government of New Brunswick

In 2012, the Canadian Province of New Brunswick created a Security Event Management Centre in the Office of the CIO to paint a single cyber-infrastructure picture for the province, standardize on processes and equipment, and streamline expenses.

To do this, the deputy CIO and director of information assurance conducted a gap analysis based on self-assessments by public bodies, reports from audit/comptrollers, their own Threat and Risk Assessments and a series of third-party assessments.

From that assessment they built a series of controls, choosing the items most likely to provide a positive impact on its security posture. The SEMC was the cornerstone of that program, meeting a serious need for tactical identification and response, while providing a big data foundation on which to build the rest of the pieces, such as the governance risk and compliance, and information assurance programs.

The Centre has reduced alerts that require desk-side action by 96%, from 80 per month to three, and reduced labor costs by $110,000 annually.

22. Reducing Endpoint Attack Surface GrafTech International Ltd.

Java-based malware infections were vexing IT staff at GrafTech International and represented its biggest source of lost productivity. To fight back, the manufacturer virtualized Java with Microsoft App-V for the applications that need it and removed Java from 90% of its workstations. The remaining workstations that still needed Java locally had the browser plug-in disabled in the main browser. This lowered the company's malware infection rate by 60% and reduced the number of systems that required re-imaging by 80%.

App-V also solved another IT problem of supporting multiple versions of Java running in the environment and the challenge of keeping them patched. GrafTech has a business need for two older versions of Java, so IT created icons just for them and advertised them to only the people who need them.

Today, Java can be updated from just one location. What’s more, removing Java from 90% of its endpoints has eliminated Java-based disruptions to the business.

23. Locally Hosted Security Information and Event Management with Co-Managed Security Services Health Management Systems Inc.

HMS protects over 400 million patient records and faces many compliance requirements from HIPAA, FISMA and GLBA. Internal security staff was able to review log data during business hours, but HMS also had to prove that the information was being monitored 24x7x365. Lacking the internal resources, HMS needed to outsource.

HMS chose a SIEM and a managed service provider that gave HMS complete access to the product in its own environment, along with the option to manage the SIEM on its own later.

HMS was also required to have agents installed on every system in the environment that must be kept up to date to allow systems to continue communicating with the SIEM — a large maintenance investment that HMS was able to pass on to the service provider.

Though difficult to put a price on, the greatest impact of this project, leaders say, is risk reduction, protecting customer data and meeting stringent compliance requirements.

24. Taking Back the Cloud Honeywell International Inc.

Honeywell’s IT team suspected that tech-savvy business units were taking cloud services into their own hands. The team believed that employees were either signing deals or using free cloud services to solve business problems, yet there was no proof. Meanwhile, the CEO wanted to see IT supporting employees wherever they chose to do business, through mobile and cloud technologies.

With these two challenges, Honeywell’s security team deployed software that looked into Honeywell’s cloud exposure and gave them the data they needed to make cloud decisions, reduce risk and enable employees. The data allows IT to weigh risks and trust across at least 50 security attributes so that they can customize their own appetite for risk and security around each cloud service and deliver services in high demand.

Today, stakeholders within Honeywell can negotiate with IT for services in demand, manage licenses and avoid redundant services.

25. Advancing Threat Intelligence and Incident Response IDT Corp.

Telecom provider IDT Corp. always touted exceptional incident response and remediation processes by traditional standards. But with the speed and variety of today’s threats, its 30-minute window of exposure and 12-hour manual response time were far from ideal.

IDT needed a solution that reduced its response times and made more effective use of its existing information security infrastructure and security personnel.

They turned to a solution that helped them expand their network, endpoints and malware analysis capabilities, and moved beyond containment to automated remediation.

The platform, alerted by the SIEM system about a possible incident, immediately and automatically isolates the system so that it’s only able to communicate with the platform – taking about 30 seconds. It then automatically performs full memory and disk acquisition, and enables enterprise scanning to identify all compromised nodes during a security incident and perform comprehensive batch remediation.

Today, the time it takes to isolate, gather forensic data, analyze malware and remediate has dropped from 12 hours to 2.5 hours for IDT.

26. NAGS Access Governance Suite Johnson & Johnson

Johnson & Johnson's process for granting and monitoring access rights to the company's IT resources traditionally involved passing multiple spreadsheets around.

The company had invested in an IDM system to automate and capture access approvals, but it only handled the initial approvals. So J&J added an access governance suite and developed a system internally referred to as the NAGS Access Governance Suite. NAGS automates most of the review process, from gathering the data through the review itself and on to revocation of access rights.

One big challenge with identity-access management is that all of the access rights are expressed in technical jargon extracted from the different platforms. The NAGS team worked with application owners to get descriptions of the access granted in a language that business people understood.

The automation enabled J&J to quadruple the scope of what is reviewed with no increase in staff and a significant reduction in reviewer effort.

27. Secure File Transfer and Portal Project Joseph Decosimo and Co. PLLC

Communicating electronically with customers is vital for Joseph Decosimo and Company, a regional CPA firm with more than 300 employees in 10 offices across the southeast and in Grand Cayman. Collaboration with mobile and tech savvy internal teams and clients in an easy and secure manner is critical, as is remote “anywhere, anytime” access to data files and documents.

So the firm revamped its aging portal with a secure file transfer platform that provided a safe method of transferring and requesting files while exceeding its clients’ desire for an easily navigable portal. The firm replaced its existing platform with data rooms for team and client collaboration, electronic collaboration areas and a short-term client portal.

With the new portal and file transfer system in place, the firm has a self-maintaining secure portal for clients and its workforce. It lets users send and request files securely and quickly, gives clients a secure method to transfer documents and dramatically reduces Help Desk calls.

28. EngageZone Merck

In the pharmaceutical and life science industry, research and development are keys to success, yet the R&D life cycle increasingly relies on collaboration with geographically dispersed external partners across clinical research organizations, academia, investigators, government agencies and healthcare providers. To achieve objectives, these external organizations and users need access to Merck systems, applications, data, and employees, and vice versa.

To succeed in this environment, Merck required a cloud-based solution that would enable them to share information and applications with hundreds of companies without risking their intellectual property or network security. They developed EngageZone — a highly secure portal that not only accelerates progress, but also has saved more than $3 million in IT operations cost.

29. Creating Sustainable Risk-based IT Assessment Processes MetLife

The current volume and frequency of the risk assessment processes were no longer in line with MetLife’s risk-based approach. It came up with a strategy that allows MetLife to perform viable due diligence security reviews for new projects, reduce the effect of assessment fatigue on its vendors and internal teams, and create a sustainable recertification program for existing projects.

To align with the breadth and depth of this assessment strategy, MetLife created a sustainable, risk-based IT assessment process to review projects while introducing a means to forecast its assessment workload.

Today, the IT risk team has been able to plot its course of action over the next four years. Business partners understand what level of effort will be needed over that timeframe, allowing them to allocate budget early in the annual cycle to account for small or large increases in assessments.

30. Project Safe Mobility Netshoes

Brazilian online sporting goods retailer Netshoes is 100% digital, so it is constantly looking to improve the security barriers and confidentiality features of its systems to avoid information leaks and theft.

One area of concern was smartphone use by the executive team. A smartphone left in a taxi, for instance, can represent a significant risk to the company. Project Safe Mobility was developed to provide a security layer in every situation when the executive team wants to access corporate information using a mobile device, even BYOD.

This project involved a mix of policies, processes and security tools intended to protect the executive team, which handles the most sensitive information in the company, against hackers, virus infection and theft or loss of their devices – whether cell phones, tablets or laptops.

The project was implemented in 10 months ending May 1, and so far Netshoes has zero mobile incidents reported to its information security team.

31. Data Sharing Network Helps Reduce Crime New York State Division of Criminal Justice Services

New York’s Division of Criminal Justice Services serves 11 counties and over 84 separate law enforcement agencies. The Crime Analysis Centers’ Data Sharing Network Initiative helps the state reduce crime, especially violent and firearm crime, through intelligence-driven law enforcement.

Nearly 52% of the population lives outside New York City, so DCJS organized the N.Y. Crime Analysis Centers in these communities in order to better deter crime and build safe communities. The centers are centrally located, multijurisdictional units serving multiple state and local law enforcement agencies throughout New York’s major metropolitan areas.

The centers are built around a sophisticated single-query Google-like search tool that can perform in-depth searches, analysis and sharing of all information that may be related to local crime. This analysis provides a comprehensive picture of the criminal environment within a particular county. It allows law enforcement to make informed decisions on strategic planning and tactical deployment, and helps solve crimes.

32. Grid Security Exercise North American Electric Reliability Corp. (NERC)

The North American electrical grid is the largest machine on the planet and requires constant maintenance, monitoring and continuous learning. NERC’s mission is to ensure the reliable operation of the bulk-power system and help the almost 1,900 registered entities that make up the North American bulk-power system develop dynamic cybersecurity programs.

NERC’s biennial Grid Security Exercise, GridEx, is designed to test the industry’s readiness to respond to a physical or cybersecurity incident. It is a North America-wide exercise that brings together more than 230 organizations. Participants check the readiness of their crisis action plans against a simulated security incident, which in turn gives NERC and the industry an opportunity to self-assess response and recovery capabilities and to adjust actions and plans as needed. NERC has hosted the event twice, in 2011 and 2013; the next exercise is planned for November 2015.

33. Windows XP End of Life

Quintiles – see story here.

34. Teaming Endpoint Visibility, Access and Compliance and Behavior-based Perimeter Defenses SIRVA Inc.

At relocation company SIRVA Inc., trust is essential to winning new clients and keeping current ones. Its relocation service applications process critical client personal data, so protecting that data is central to the mobility experience it offers clients.

SIRVA set out on a project to enhance global data security and privacy protection and to safeguard its networks from advanced persistent threats, malware intrusion, rogue devices and unauthorized or insecure system access.

SIRVA implemented a network access control and intrusion prevention system that provided greater endpoint visibility, access and compliance, and behavior-based perimeter defenses to protect its infrastructure and critical data from outside and inside the environment. It also gave SIRVA more flexible control enforcement depending on the region, user and issue. What’s more, it didn’t require re-architecting or upgrading of SIRVA’s infrastructure.

Since the intrusion prevention system was implemented, no zero-day attacks or intrusions have been reported against the relocation business application.

35. Completing a Five-Year MARS-E Implementation in One Year South Carolina Health and Human Services

The South Carolina Department of Health and Human Services faced a massive challenge. To comply with the Centers for Medicare and Medicaid Services Minimum Acceptable Risk Standards for Exchanges (MARS-E), the organization had to move aggressively from relatively simple HIPAA compliance standards to full-blown FISMA-based ones. An entirely new paradigm for a state government agency, MARS-E combines the NIST SP 800-53 Rev. 3-based controls of FISMA with HIPAA, HITECH and IRS Publication 1075, and an implementation of this magnitude traditionally takes more than five years to complete. But the department was mandated to fully implement MARS-E in just one year.

The implementation and documentation phase lasted approximately eight months. Today every control is met, and the organization continues to refine how it approaches each solution in a highly dynamic security process.

36. Portfolio Security – Linking Security Risk with Financial Risk Stroz Friedberg

Security risk is increasingly contributing to financial risk. Global investment firm KKR & Co. L.P. wanted to minimize its financial risk and measure the strength of the security programs at its portfolio companies through a high-level process that would still yield meaningful results.

KKR approached Stroz Friedberg, a global leader in investigations, intelligence and risk management, which had experience performing in-depth security assessments; most of those, however, take six to eight weeks to complete because of the complexity involved. This was a new type of request. Compressing a rigorous assessment into a rapid-fire operation would require fresh thinking and innovation.

Over the course of two months, the team developed a new methodology as the standard across all types of companies. The measures provided KKR with a greater understanding of the risk posture of its investments, and delivered a global average of all of the portfolio companies’ scores and an immediate snapshot of KKR’s overall investment exposure.

37. Healthcare-Centered Threat Management Texas Health Resources

Texas Health Resources needed to better detect threats in its highly complex environment. As the team explored the challenge, it realized that it required threat management functions tailored to the complexity of its systems, the uniqueness of its specialized business processes and the varied interactions of the players involved. All of this required a freshly designed way to manage threats, not only at the enterprise level but also in how threat management would be operationalized.

The organization applied key threat management concepts and translated them to its highly specialized environment.

38. Security and Compliance Goes Agile Texas Government NICUSA

Since 2002, the state portal program run by NICUSA has grown to offer more than 1,000 online services that have securely processed more than 214 million transactions worth over $31 billion. The program’s mission is two-fold: deliver the state’s official website for constituents to access information and complete online services, and provide enterprise technology services to Texas government. The portal provides hosted online applications and payment processing for many consumer-facing government services such as driver license renewals, vital record orders and vehicle registration renewals. The challenge is daunting: provide transaction-based online services that are fast and accessible, but also secure and fully compliant with state and federal requirements. The program’s CISO office enlisted agile development practices to reduce the cycle time and effort for vulnerability management, and to mitigate the risks associated with software releases.

Today, the state has cut in half the cycle time for vulnerability management and remediation. It also reduced the time to deliver security services by 90%.

39. Improving Customer Financial Security with Transparency TruStone Financial

Banks often caution their customers to monitor their own account activity for fraud, but not every institution provides the transparency needed to watch for fraudulent activity effectively. In fact, many institutions show account holders deposit activity only as a composite, simulated check rather than image-based evidence of the checks deposited into and withdrawn from the account. TruStone Financial Federal Credit Union is changing that: it is one of the first institutions to give account holders immediate access to all check images. This improves customer service while enhancing security and reducing fraud risk.

40. A Human Firewall

UL LLC – read the story here.


41. Creating a Global, 24/7 Information Security Incident Response Team United Nations Development Program

UNDP wanted to upgrade and expand the coverage of its information security incident response, but it lacked the staff, training, procedures, equipment and geographic dispersion needed for the 24/7 coverage demanded by an international organization spread across 177 countries.

Over the course of 12 months, UNDP created a global team of trained incident responders equipped with the procedures, training and capabilities needed for effective detection, notification, reaction, handling, escalation and closure of information security incidents. The newly created Information Security Incident Response Team (ISIRT) was able to meet the stringent membership requirements of the Forum of Incident Response and Security Teams (FIRST), an international association of incident response teams that securely share threat and incident information with one another.

42. Establishing a Financial Crimes Analytics Lab USAA

USAA is increasingly a target for account takeover on its member servicing channels, such as assuming an employee’s identity on the phone or attacking the online channel. Fraudsters will go to great lengths to work out the answers to the multiple security questions that only legitimate members should know, or they socially engineer their way to the answers to gain account access.

USAA established the Financial Crimes Analytics Lab to identify and track emerging threats; perform advanced correlations, including threat trending, threat prediction and threat interdiction; and measure the effectiveness of new and existing security and fraud controls. The company ran the project using agile methodology, deployed a big data platform to analyze complex data, and integrated data feeds from sources that had not previously been correlated, such as authentication logs, web session information and credit/debit card transaction logs.

Year-to-date, the analytics lab has prevented losses of more than $4 million.
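The correlation the lab is built on can be shown concretely. The following is an added example, not USAA’s platform or data: it joins three constructed feeds (authentication log, web-session log, card transactions) per member into one timeline and flags the takeover pattern the paragraph above describes, repeated failed security-question attempts followed by a reset or login from a device the member has never used, then a contact-detail change and a card transaction. Field names, event names, the one-hour window and the three-failure threshold are all assumptions for the example.

```python
"""Account-takeover (ATO) detection by correlating three feeds that are
normally kept apart: authentication logs, web-session logs and card
transaction logs. Added example; not USAA's platform or data."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample feeds. Every record is (timestamp, member, event, device, detail).
# For card transactions "device" is the channel and "detail" is the amount.
AUTH_LOG = [
    ("2015-01-12T09:01:05", "m1001", "secq_fail", "dev-A7", "phone"),
    ("2015-01-12T09:02:40", "m1001", "secq_fail", "dev-A7", "phone"),
    ("2015-01-12T09:04:12", "m1001", "secq_fail", "dev-A7", "phone"),
    ("2015-01-12T09:05:30", "m1001", "pw_reset", "dev-A7", "phone"),
    ("2015-01-12T09:06:02", "m1001", "login_ok", "dev-A7", "web"),
    ("2015-01-12T10:15:00", "m2002", "login_ok", "dev-B1", "web"),
]
WEB_SESSIONS = [
    ("2015-01-12T09:06:02", "m1001", "session_start", "dev-A7", "203.0.113.9"),
    ("2015-01-12T09:07:45", "m1001", "profile_change", "dev-A7", "email"),
    ("2015-01-12T10:15:00", "m2002", "session_start", "dev-B1", "198.51.100.4"),
]
CARD_TXNS = [
    ("2015-01-12T09:20:11", "m1001", "card_txn", "online", "1850.00"),
    ("2015-01-12T11:00:00", "m2002", "card_txn", "pos", "42.10"),
]
# Devices each member has previously authenticated from (constructed baseline).
KNOWN_DEVICES = {"m1001": {"dev-X1"}, "m2002": {"dev-B1"}}


def _parse(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S")


def merge_events(*feeds):
    """Build one time-ordered event stream per member from all feeds."""
    by_member = defaultdict(list)
    for feed in feeds:
        for ts, member, event, device, detail in feed:
            by_member[member].append((_parse(ts), event, device, detail))
    for events in by_member.values():
        events.sort()
    return by_member


def score_member(events, known_devices, window=timedelta(hours=1), fail_threshold=3):
    """Return the reasons this member's stream looks like a takeover.

    Trigger: a password reset or successful login from a device never seen
    for this member, preceded within `window` by >= fail_threshold failed
    security-question attempts (the "figure out the answers" pattern).
    Escalation: contact-detail changes and card transactions inside the
    window after that trigger, which is where the loss happens.
    """
    reasons = []
    takeover_at = None
    for i, (ts, event, device, detail) in enumerate(events):
        if takeover_at is None:
            if event not in ("pw_reset", "login_ok"):
                continue
            recent_fails = sum(1 for t, e, _, _ in events[:i]
                               if e == "secq_fail" and ts - t <= window)
            if recent_fails >= fail_threshold and device not in known_devices:
                takeover_at = ts
                reasons.append(f"{event} from unseen device {device} after "
                               f"{recent_fails} failed security-question attempts")
        elif ts - takeover_at <= window:
            minutes = int((ts - takeover_at).total_seconds() // 60)
            if event == "profile_change":
                reasons.append(f"{detail} changed {minutes} min after takeover")
            elif event == "card_txn":
                reasons.append(f"card transaction of {detail} via {device} "
                               f"{minutes} min after takeover")
    return reasons


def detect_ato(auth, web, txns, known_devices, min_reasons=2):
    """Members whose correlated stream has at least `min_reasons` indicators."""
    alerts = {}
    for member, events in merge_events(auth, web, txns).items():
        reasons = score_member(events, known_devices.get(member, set()))
        if len(reasons) >= min_reasons:
            alerts[member] = reasons
    return alerts


if __name__ == "__main__":
    for member, reasons in detect_ato(AUTH_LOG, WEB_SESSIONS, CARD_TXNS, KNOWN_DEVICES).items():
        print(member)
        for r in reasons:
            print("  -", r)
```

Run on its own, the script flags member m1001 with three indicators and leaves m2002 alone; no single feed would have produced that alert, since the failed questions live in the authentication log, the email change in the web-session log and the money movement in the card feed. Requiring at least two indicators before alerting is what keeps a member who merely forgets an answer and then resets a password from being flagged.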

43. Enterprise Encryption Service: Data Defense in Depth United States Postal Service

USPS relies on the privacy trust of its customers to make its electronic commerce and business successful. With that in mind, USPS wanted to secure all sensitive data in motion and at rest within the Postal Service IT infrastructure. What’s more, the CISO wanted to present this security solution as an enabling function that supports and adds value to the business.

So it developed and implemented an Enterprise Encryption Service that delivers a standards-based encryption mechanism to USPS employees and partners. USPS extended the DLP solution it already had deployed so that, instead of only blocking data, it gives users a way to communicate securely when handling sensitive-enhanced PII and PCI data.

The business now uses this technology instead of trying to bypass the security controls that were originally put in place to block all sensitive-enhanced data.

44. Phishing for Clickers Viewpost

Many companies bolt on security. Others talk about getting ahead of risks. Viewpost, a business network for invoicing and payments, set itself the ambitious goal of building security and compliance into the culture of its everyday operations, at the executive level and throughout the organization. Central to this was establishing an Executive Risk Management Committee (ERMC), reporting to the board, to review, discuss, dimension and understand all cybersecurity risks, controls and the current status of the environment.

The ERMC created nearly 1,500 pages of documents to discuss risks and ways to achieve security on the front end in a collaborative fashion, and the executive team has spent over 2,400 minutes in ERMC meetings discussing the security environment.

Just one of many benefits has been the organization’s creation of a rigorous, ongoing and company-wide awareness program designed to avoid the perils of phishing.

45. Locking Down 10,000 Shared Folders Voya Financial

Voya Financial faced a major dilemma when an audit found that data in their shared folder structure wasn’t secure. Complicating matters more, the organization hadn’t ever encountered a remediation project quite like this, so they were faced with cleaning up a mess with unknown scope. Naturally, they needed to develop a timeline and budget that allowed for analyzing all devices and locking down everything that was open. Ultimately, with the help of a specialized tool and much hard work, they’ve successfully scanned about 880 terabytes of data across 10,000 folders.

The team scanned 1,722 shared drives and found there were 4,459 folders containing open access. These folders were remediated in waves through the end of 2014.
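What “open access” means in a scan like this is an ACL entry that grants a broad principal (Everyone, Authenticated Users, Domain Users, the built-in Users group) read or write rights on a share. The following is an added example, not Voya’s tool or data: it parses the text that Windows’ own `icacls <share-root> /t` prints for every folder, reports the folders where a broad principal has access, and separates write from read and explicit from inherited entries so remediation can start at the folder where the permission was actually set. The server names, paths, groups and ACLs in the sample are constructed.

```python
"""Find shared folders that grant access to broad principals, by parsing the
output of Windows' icacls tool. Added example; not Voya's tool or data.
Assumes ACLs were exported with `icacls <share-root> /t > acl.txt`."""
import re
from collections import Counter

# Constructed icacls output (format as printed by icacls: path followed by the
# first ACE, further ACEs on indented lines). Not a real file server.
SAMPLE_ICACLS = r"""\\fs01\Finance NT AUTHORITY\Authenticated Users:(OI)(CI)(M)
               BUILTIN\Administrators:(I)(OI)(CI)(F)
\\fs01\Finance\Payroll CORP\Payroll-RW:(OI)(CI)(M)
                       CORP\Domain Users:(OI)(CI)(RX)
\\fs01\HR Everyone:(OI)(CI)(F)
          CREATOR OWNER:(OI)(CI)(IO)(F)
\\fs01\Legal CORP\Legal-Team:(OI)(CI)(M)
             BUILTIN\Administrators:(OI)(CI)(F)
\\fs01\Public Docs BUILTIN\Users:(I)(OI)(CI)(RX)

Successfully processed 5 files; Failed processing 0 files
"""

# An ACE is "<identity>:(<flag>)(<flag>)...". Identities may contain spaces
# ("NT AUTHORITY\Authenticated Users") and so may paths, so the path is taken
# as the shortest prefix that leaves a well-formed ACE after it.
IDENT = r"(?:(?:NT AUTHORITY|NT SERVICE|BUILTIN|[^\s\\:]+)\\[^:\\]+|Everyone|CREATOR OWNER|[^\s\\:]+)"
MASK = r"(?:\([A-Za-z,]+\))+"
ENTRY_RE = re.compile(rf"^(?P<path>.+?) (?P<ident>{IDENT}):(?P<mask>{MASK})\s*$")
CONT_RE = re.compile(rf"^\s+(?P<ident>{IDENT}):(?P<mask>{MASK})\s*$")

INHERIT_FLAGS = {"OI", "CI", "IO", "NP", "I"}
# Simple rights and specific rights that let a principal change or delete data.
WRITE_RIGHTS = {"F", "M", "W", "D", "WD", "AD", "WA", "WEA", "DC", "DE", "WDAC", "WO", "GA", "GW"}


def classify_mask(mask):
    """('write'|'read'|'none'|'deny', inherited) for one icacls permission mask."""
    tokens = re.findall(r"\(([A-Za-z,]+)\)", mask)
    inherited = "I" in tokens
    if "DENY" in tokens:
        return "deny", inherited
    rights = set()
    for t in tokens:
        if t not in INHERIT_FLAGS:
            rights.update(t.split(","))
    if not rights:
        return "none", inherited
    return ("write" if rights & WRITE_RIGHTS else "read"), inherited


def is_broad(identity):
    """Principals that effectively mean 'every user on the domain'."""
    low = identity.lower()
    return (low in ("everyone", "builtin\\users")
            or low.endswith("\\authenticated users")
            or low.endswith("\\domain users"))


def parse_icacls(text):
    """Yield (path, identity, mask) for every ACE in icacls output."""
    path = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line[0].isspace():
            m = CONT_RE.match(line)
            if m and path:
                yield path, m["ident"], m["mask"]
        else:
            m = ENTRY_RE.match(line)
            if m:  # summary lines such as "Successfully processed" don't match
                path = m["path"]
                yield path, m["ident"], m["mask"]


def find_open_folders(text):
    """Folders where a broad principal has read or write access."""
    findings = []
    for path, ident, mask in parse_icacls(text):
        if not is_broad(ident):
            continue
        access, inherited = classify_mask(mask)
        if access in ("deny", "none"):
            continue
        findings.append({"path": path, "identity": ident,
                         "access": access, "inherited": inherited})
    return findings


def summarize(findings):
    """Count findings by access level, e.g. {'write': 2, 'read': 2}."""
    return dict(Counter(f["access"] for f in findings))


if __name__ == "__main__":
    for f in find_open_folders(SAMPLE_ICACLS):
        src = "inherited" if f["inherited"] else "explicit"
        print(f'{f["access"]:5} {src:9} {f["identity"]:35} {f["path"]}')
```

On the sample the script reports four open folders, two of them writable by every authenticated user, and marks the `\\fs01\Public Docs` entry as inherited, meaning the fix belongs on its parent rather than on that folder. Deny entries are skipped because they do not grant access, and the regex is deliberately conservative: a path whose last component happens to look like a `DOMAIN\name` pair can be mis-split, which is the trade-off for not requiring a fixed column layout.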

46. Creating and Deploying a Successful Physical Security Campaign Voya Financial

Studies show that changing how employees behave and respond to threats delivered through social media, phishing and other popular attack vectors can significantly reduce an organization’s security risk.

To better secure the information and assets of Voya Financial, the organization embarked on an awareness and education campaign designed to improve physical security. Site assessment surveys of nine major sites produced metrics and insight into the physical security practices at each location. The organization then ran employee awareness activities including posters, intranet articles, emails, blog postings, tip cards and face-to-face dialogue.

With the campaign in place, instances of employees reporting unknown or un-escorted visitors have increased. One-on-one discussions, emails, blog article comments and site surveys provided an outlet to gauge employee involvement.

47. Information Security Training Campaign: “Put Yourself in the Picture!” Warner Bros Entertainment Inc.

Global media and entertainment company Warner Bros. is proactive about keeping employees aware of information security risks.

The WB Information Security and Compliance team developed and deployed the “Put Yourself in the Picture” Information Security Awareness and Training 2014 Campaign. The campaign included awareness and learning materials focusing on key security principles delivered in short films, on-site awareness events, phishing simulations, and a custom e-learning curriculum.

Measurements conducted during the campaign showed that employees were engaged, their information security awareness increased, their understanding of the topics deepened, and most importantly, they understood how their actions could reduce risk.

48. WINS Academy Nuclear Security Certification Program World Institute for Nuclear Security

In the nuclear industry, many of the accountants, engineers and safety professionals belong to chartered institutes that certify their members’ competence on an ongoing basis. The same cannot be said, however, for most professionals with senior managerial or regulatory responsibilities relating to nuclear security. Many governments have recognized this gap and have begun to support professional development in nuclear security. At the March 2014 Nuclear Security Summit, 35 governments signed a statement committing to “ensure that management and personnel with accountability for nuclear security are demonstrably competent.” To that end, the World Institute for Nuclear Security in Vienna has launched a suite of certification programs called the WINS Academy.

By offering the first online certification program in the world for nuclear security management, WINS aims to improve professional development, exchange knowledge and spark innovation in nuclear security management.

49. Cyber Security Coordination Center Xerox Corporation Ltd.

Like many globally distributed organizations, Xerox is targeted by a myriad of cyber threats aimed at disrupting business operations and/or stealing corporate or customer data.

Xerox wanted to have more visibility into the threats beyond the edges of its network. So it established the Cyber Security Coordination Center to develop and deploy an enterprise-wide proactive threat analysis, detection, and response capability. The goal was to identify and assess cyber threats, gain detailed insight into ongoing or predicted threat activity, and take the proactive steps to defend against and respond to threats.

One demonstrable example of the project’s business value was the rapid closure of the OpenSSL “Heartbleed” vulnerability (CVE-2014-0160). Previously, Xerox had no enterprise-wide visibility into or tracking of a serious vulnerability. In contrast, in early April 2014 the cyber threat intelligence capability identified the vulnerability, issued a patch, identified possible indicators of compromise and updated the incident response “playbook” actions.

50. Data Security Initiative Zurich Insurance Group

In 2009, Zurich Insurance Group determined that its information security program was behind industry peers and did not adequately protect data in line with business expectations and needs.

So Zurich formed Group Information Security (GIS) in 2010 to secure Zurich’s data. They identified 29 initiatives needed to remediate 92 IT capability gaps, including data loss prevention solutions for mail, web and network, a secure file-transfer solution and endpoint protection.

Zurich started with fresh solutions instead of building on existing ones, and added mobile device management technologies and a token-less remote access system that let more end users access systems remotely while eliminating the cost of issuing a hardware token to each remote user. Over 15,000 smart mobile devices have been enabled for use. Removing the need for physical tokens to log into the VPN has saved the business $800,000 a year.