The Alliance for Enterprise Security Risk Management:  A partnership of the three leading international security organizations, formed to address issues surrounding the convergence of traditional and logical security.

Infrastructure Group Manager

Major Beverage Company

(Due to company restrictions, names of the nominee and company have been removed.)

The nominee joined the beverage company as an IT auditor 10 years ago and has since extensively audited the company’s locations around the world. This broad range of experience proved invaluable, and after 10 years of being a road warrior, he accepted the position with the Information Security Group (ISG) as an infrastructure group manager. 

Shortly after joining ISG, he developed a formal information management life cycle process to address security gaps within the organization. The information management life cycle is a critical step in evaluating the security-worthiness of all projects. This review includes information/requirements gathering, multi-group analysis, remediation and proactive management. These security management concepts are mapped to technical and administrative controls within the company. The mapping process identifies the obvious gap, a lack of internal controls to manage internal threats, which in turn justifies and secures funding to close the gap. The goal is to integrate security throughout the process to develop, identify and surface issues early, as well as to encourage collaboration across teams to build effective solutions.

Five security initiatives have been developed to mitigate the internal threats. The first initiative is to develop a working and repeatable patch management process. The nominee formed a cross-functional team to improve and streamline the patch management process. As a result, a set of procedures to handle monthly, quarterly and emergency patches for the enterprise was developed; roles and responsibilities were identified; service level agreements were derived; and accountability was obtained from various teams. The new process has allowed desktops and servers to keep up to date with current patches, and enabled the company to react quickly to 0-day exploits while reducing the involvement of people and time.

The second key initiative is vulnerability management. The nominee oversaw the evaluation and implementation of the vulnerability management tool.  The vulnerability management tool conducts monthly scans of the network to validate that the patches are properly deployed by the patch management process, creating a closed-loop process.

The third initiative is the widespread use of personal firewalls. The deployment of a personal firewall agent to 30,000 systems across six operating divisions of the company faced many challenges. The nominee’s positive approach and strategic planning have led his team to attain the goal in three operating divisions. As a result, the information gathered from these divisions has proven to be invaluable in identifying risk and providing compensating controls at the host level. Although this security initiative has been one of the greatest challenges the team has faced, the benefits are evident. The nominee’s tireless effort, focus and organizational skill will ensure the success of all the initiatives.

The fourth initiative is the intrusion detection system (IDS).  The integration of IDS with existing networking tools presented a holistic view of the enterprise.  By teaming with network engineers and enterprise architects, the company was able to deploy a handful of strategically placed sensors to monitor the entire network, resulting in a cost savings of $750,000 in hardware and maintenance.

The final initiative is the deployment of Security Information and Event Management (SIEM) to integrate the newly developed capabilities into a single monitoring system. Integrating system logs and events from personal firewalls, antivirus software, vulnerability management tools and the IDS into a single monitoring system has allowed the team to offer the added security services without additional staff. 
 
In less than two years, the nominee and his team have succeeded in the completion of five critical security strategies.  Their successes have allowed the company to gain visibility into the internal network, identify and react to internal and external threats, aid HR and legal investigations, and provide mitigating controls to reduce risks and enable business. 

The nominee’s business-oriented approach to information security has led to many successful security projects at the company. His commitment to improving security awareness and developing security processes and people is well recognized. He is a strong supporter of the diversity inclusion initiatives at the organization. He offers coaching in organizational skills, develops internal talent and encourages participation in local security chapters such as ISACA and ISSA. In conclusion, the nominee is well qualified for the AESRM award. He has demonstrated a dynamic approach to information security, and his pragmatic leadership has enabled cost savings while reducing risk to the enterprise.

 

 

 

 

Copyright © AESRM 2008, All Rights Reserved.