In his seventh year as Emory's Chief Information Security Officer, Brad Sanford combines an action-oriented approach toward achieving business objectives with a determined advocacy of information security principles and ideals. His focus includes IT risk and compliance management, threat, incident, and vulnerability management, and Information Security policy, awareness, and architecture.
In FY14, there were some challenges with regard to incidents and turnover, but the good news is that Enterprise Security responded to the incidents well and hired quality new people. We are continuing to grow our capacity and expertise and have begun developing helpful new external partnerships. We joined the National Healthcare Information Security and Analysis Center (NH-ISAC) and are helping to build that organization. The ISACs have been a great resource for sharing threat intelligence and for understanding the kinds of threats our industry is facing.
FY14 saw the implementation of BitLocker as Emory's new full disk encryption tool (a tool that protects sensitive information by converting it into an unreadable format for those without an encryption key). A replacement for the old PGP encryption tool, BitLocker gives us a free whole disk encryption solution for Windows systems that allows us to employ it more broadly. With over 600 deployments since April, we are trying to complete the conversion from PGP to BitLocker by the end of next year.
We also published a new disk encryption policy. Since we now have a free option for both Windows and Macs, the new policy stipulates that all laptop and mobile devices that run Windows or OS X are required to have disk encryption. Previously, the requirement was only for devices storing sensitive information.
The Security Team focused heavily on HIPAA and PCI DSS compliance during FY14 (PCI DSS is the payment card industry data security standard used by most of the credit card companies). Last year we modified our HIPAA risk assessment and remediation processes and conducted our first HIPAA risk assessment and remediation using the new IT GRC (governance, risk, and compliance) tool that Emory deployed. Additionally, we completed a PCI risk assessment and have initiated numerous local and enterprise remediation efforts.
As the Infrastructure Team began testing the Box file storage tool, our Enterprise Security Team analyzed it as a cloud file sharing and collaboration solution that would allow us to meet the enhanced security requirements for sensitive data in this environment. We evaluated the Box solution itself to make sure it had the right security capabilities, ensured that it was configured securely, and then created the Rules of Behavior (acceptable use rules) for using the tool with sensitive data.
One of the major initiatives for FY15 is the two-factor authentication project. We plan to deploy a solution campus-wide that will require two-factor authentication from anyone outside of Emory’s network who wants to access any of eight key applications that are subject to abuse if someone's account has become compromised. Those applications are PS SA (OPUS), PS HR, PS Financials, Virtual Desktop (Healthcare), email (Outlook Web Access), Easy Proxy (access to library journals), Shibboleth (web single sign-on), and VPN. The goal is to help limit the possibility of abuse.
The Security Team will also focus on improving endpoint security. First, we will assist in the creation of security configuration baselines for key technologies (we want to make sure we incorporate some baselines in our standard builds). We also plan to implement an application whitelisting technology to restrict which applications are allowed to run on our critical server infrastructure. We also intend to enhance our security monitoring of important IT systems throughout our environment.
Brad Sanford
Chief Information Security Officer, OIT Information Security
"The Treasury and Debt Management department collaborated with Enterprise Security to successfully advance the PCI initiative. Without their partnership, Emory would not be in the solid position of PCI DSS compliance that we need in this environment."
Kim Pate
Associate VP, Treasury and Debt Management