Information Security
In his sixth year as Emory's Chief Information Security Officer, Brad Sanford combines an action-oriented approach toward achieving business objectives with a determined advocacy of information security principles and ideals. His focus includes IT risk management and Information Security policy, awareness, and architecture.
In retrospect, FY2013 seems like a pretty good year from an Information Security perspective. I feel like we made incremental progress on a lot of different fronts and had a few significant and noteworthy accomplishments, a few of which are detailed below.
Compliance
In FY13, we completed the implementation of an IT Governance, Risk, and Compliance (GRC) solution, and successfully incorporated Emory's HIPAA risk assessment and remediation process workflows into the new solution. We completed our first enterprise HIPAA risk assessment utilizing the solution, and constituent feedback has thus far been very positive. Additionally, Emory engaged an external security assessor who assisted Emory in completing security self-assessments for nearly 100 on-campus credit card merchants who are subject to the Payment Card Industry Data Security Standard. Enterprise Security also augmented our staff to include a FISMA security specialist and we have made arrangements to bring a FISMA security training class to Emory in October with expected attendance of approximately 15 individuals from across the enterprise.
Vulnerability Management
We completed the initial production rollout of the Emory Security Portal with plans to "go-live" within distributed IT units in January. Although we have yet to realize the full value of this solution, I am confident that this solution is going to lead to dramatic reductions in risk across the enterprise by making individual business units aware of the vulnerabilities within their environments. Enterprise Security significantly enhanced Emory's web application vulnerability scanning capabilities utilizing our current toolset, and we also conducted a proof-of-concept evaluation of alternative web application scanning and source code scanning technologies, for potential future deployment.
The team also identified new configuration audit capabilities within our existing vulnerability scanning toolsets that will greatly improve Emory's ability to identify and remediate security vulnerabilities within our centrally managed environments.
Network Security
Enterprise Security successfully implemented additional Intrusion Detection capabilities at our network perimeter in order to provide better visibility into emerging threats, and integrated this solution with Emory's Security Information and Event Management System. We also implemented a high speed (10 Gbps) network packet capture solution to aid in detailed network forensics and real time incident response.
Enterprise Security also completed an extremely successful implementation of web malware filtering capabilities across the enterprise. As a result of these efforts Emory blocks millions of attempts to communicate with malicious web sites/domains each month with almost no negative impact to our customers. With drive-by downloads being one of the most prevalent vectors of compromise, this has undoubtedly made a large impact on the overall security posture of the organization.
Thought Leadership
I’m excited that Emory seems to be improving the security posture of our institution at a faster rate than many of our academic peers, and that we have evolved our security program to the point where we are often perceived as leaders within our community of peers. This can be evidenced by the frequency with which we are asked to provide thought leadership through our participation on various advisory boards (e.g. SANS Education Advisory Board, Technology Association of Georgia, TippingPoint), panel discussions (e.g. Information Security Executive of the Year Awards, Atlanta CISO Executive Summit, Georgia Tech/FBI Cyber Security Symposium, Georgia ISSA Annual Conference), by presenting at conferences and symposiums (e.g. Educause, the Research and Education Networking Information Sharing and Analysis Center (REN-ISAC), the State University System of New York (SUNY), Tech Exec Networks, the Georgia Hospital Association), and through direct personal channels (e.g. Johns Hopkins, Georgia Tech, American University).
Brad Sanford
Chief Information Security Officer, OIT Information Security
"During the past year, I've had the opportunity to work with the Security team on a number of projects. Their commitment to Emory and professionalism are exemplary. We are fortunate to have such a dedicated Security team."
Anne Marie Alexander
Manager, Identity Management, OIT Integration