In his fifth year as Emory's Chief Information Security Officer, Brad Sanford combines an action-oriented approach toward achieving business objectives with a determined advocacy of information security principles and ideals. His focus includes IT risk management and Information Security policy, awareness, and architecture.
Overall, FY2012 was a year of steady incremental progress on many different fronts, several noteworthy accomplishments, and a few major challenges.
The most significant progress was in the areas of email/messaging security, network protection, data protection, and the OneIT Experience. We still have lots of opportunities for improvement in Emory's security posture, but we continue to make significant progress and I believe we are clearly heading in the right direction.
Emory seems to be improving the security posture of our institution at a faster rate than many of our academic peers, and we have evolved our security program to the point where we are often perceived as leaders within our community of peers. This can be evidenced by the fact that members of our information security program have been asked or selected to present at numerous external forums including those hosted by Educause, Research and Education Networking Information Sharing and Analysis Center (REN-ISAC), the State University System of New York (SUNY), Tech Exec Networks, National Information Security Group (NAISG), the University System of Georgia, and the Georgia Hospital Association.
Thanks to the efforts of my team and colleagues at Emory, I was also named the 2011 Information Security Executive of the Year for North America in the healthcare division and was one of three finalists for the 2011 Information Security Executive of the Year for North America in the academic division.
In FY12, OIT Security dramatically improved Emory's resilience to SPAM attacks, by leveraging auto response capabilities of Emory's SIEM and IPS infrastructure, and completed three full enterprise-wide phishing susceptibility tests utilizing the phishme.com service. Results improved by 40.9% over first run. We also evaluated and conducted proof of concept testing of an encrypted email solution at the request of Office of General Counsel (OGC). Deployment planning for this solution is currently underway.
OIT Security assisted in the evaluation, selection, and implementation of a consolidated Anti-virus solution for both Emory University and Emory Healthcare. Endpoint migrations to the new solution are well underway and targeted for completion by October of this year. We participated in the evaluation and testing of candidate solutions for Network Access Control (NAC). Proof of concept evaluations are currently underway. And the Security Team played a significant role in developing a consensus approach for the Single NetID project and played a key role in the evaluation and selection of Emory's new identity management solution, the successor to ENID.
In response to a Surgery DVD data breach, OIT Security initiated several efforts to help improve data security for electronic and paper media, the most notable effort being the enterprise wide Search and Secure effort which is now in the final remediation phase. We are very pleased with the swiftness and decisiveness of our response to this issue and based on the lessons learned and the remediation efforts completed to date we are confident that the institution is a safer place.
We developed an encryption utility that allows Emory users of Apple computers to utilize the native FileVault2 whole disk encryption capabilities of OS X. This significantly reduced the burden of encrypting and managing these devices as compared to our previous disk encryption solution for Macs. The team successfully deployed Emory’s Smart Device Security Policy to over 11,000 mobile devices across both university and healthcare lines of business, dramatically reducing the risk from lost or stolen mobile devices.
The team implemented outbound default deny server networks for all new servers deployed by UTS. OIT Security also assisted in evaluation, selection, and implementation of Palo Alto next generation firewalls. Implementation of unified threat management functionality (anti-virus, web malware filtering, intrusion detection/intrusion prevention systems (IDS/IPS), URL filtering) is currently underway. Utilization of this functionality for Web malware filtering alone should result in over $250K in annual cost avoidance.
The expanded use of reputation filtering to include REN-ISAC reputation data feeds was another major accomplishment of FY12. Reputation filtering has turned out to be immensely successful at blocking communications with known bad actors and has resulted in almost no false positives to date. The team also participated in the evaluation, selection, design and implementation of new load balancer and Web application firewall solutions. These solutions dramatically advance our web application security capabilities and eliminate long running issues that limited Emory's ability to investigate incidents involving load balanced applications and systems.
Brad Sanford
Chief Information Security Officer, OIT Information Security
"By the end of Q2 2012, the smart device project completed with deployment to roughly 11,000 devices. This project included some of the most extensive end user documentation developed for an OIT project, a testing process that included IT representatives across the enterprise, and an extensive communications campaign that demonstrated the effectiveness of OIT Security collaboration campus-wide."
Derek Spransy,
Senior Information Security Specialist, OIT Security