A Framework for Addressing Security and Managing Business Risk The Information Security Program at Prudential Financial Ken Tyminski Vice President and Chief Information Security Officer, The Prudential.
A Framework for Addressing Security and Managing Business Risk
The Information Security Program at Prudential Financial
Ken Tyminski, Vice President and Chief Information Security Officer, The Prudential Insurance Company of America
Creating the Framework
Prudential Background Information
The Changing Environment
Components of the Program
The Security Community
Addressing the Business Risk
Prudential Background
Founded in 1875
Prudential Financial, Inc.'s common stock began trading on December 13, 2001 on the NYSE under the symbol "PRU"
15 million customers in the US and internationally
Total consolidated 2002 annual revenues of $26.7 billion
Total assets under management of approximately $422 billion as of June 30, 2003
Operating in over 30 foreign countries
Prudential Financial – IT Facts
2 large data centers in the US, 2 in Japan
5,000 servers in the US
Most international locations have small data centers
Large global network: 1,347 network nodes (routers), 2,400 VLANs
The Changing Environment
Our business is going through significant change:
The markets we operate in
Company structure and growth
Technology we use
Business risk is changing:
Mergers/Acquisitions
Divestitures
Operating model
Outsourcers
Third parties and partners
Technology risks are increasing
Regulatory change
Threat Sources
External:
Hackers / Crackers (motivated by fame, financial gain, or hired for industrial espionage)
Hacker "wannabes"
Internal:
Disgruntled employees
Trusted insiders (financial gain, unintentional errors, poor password selection, virus introduction)
Some Recent Headlines...
Credit Card Server Hacked at 'Greenville News' (Editor & Publisher Online, 07/28/2003)
Graduate Student Steals 60 Identities at University of Michigan (Michigan Attorney General, 08/01/2003)
Kentucky State Auditor Says Hackers Infiltrated Agency Network (Network World Fusion, 07/30/2003)
Former Telecast Fiber Worker Pleads Guilty to Hacking (Boston Business Journal, 08/04/2003)
Missing Computer Adds to Airport Screeners' Woes (Newsday, 07/20/2003)
How Organizations are Responding
FTC expands its consumer privacy initiatives
Homeland Security enhances programs designed to protect the U.S. financial system against criminal exploitation
Businesses are developing and enhancing security programs
Terrorist Threat Integration Center (TTIC) created to share information among federal agencies
The Security Program
Security Architecture
Policies, Standards, Procedures and Processes
Security Tools
Security Research
Security Awareness Program
Incident Response Teams
Security Community
It’s not about the best technology!
Security program framework (diagram, reconstructed as lists; each stage is followed by its components):
Planning: Policy Management; Inventory Management; Risk Assessment; Standards Management
Assessment: Security and Privacy Audit
Implementation: Policy Implementation; Security and Privacy Certification
Administration: Identification and Authentication; Confidentiality; Security Administration; Privacy Choice Management; Delegation Management; Privacy Obligation Management
Protect: Access Control; Integrity; Non-Repudiation
React / Detect (Security Operations): Availability; Logging; Monitoring; Response & Recovery; Alert Management
Program components by phase (second diagram, reconstructed as lists):
Security and Privacy Architecture; Security and Privacy Community; Security and Privacy Policies; Security and Privacy Standards
Implementation: Security and Privacy Infrastructure; Security and Privacy Procedures and Processes; Security and Privacy Awareness; Security and Privacy Enabling Applications
Operation: Certification; Security and Privacy Administration; Security and Privacy Monitoring
Incident Response; Review and Audit
Security Architecture
The architecture describes:
The business context driving our approach to protecting our operations and systems
Our core beliefs shaping our operations and systems environment
Our security principles, representing management's preferences for the way operations and systems are designed, developed and operated
The secure processes and capabilities supporting our business objectives, capabilities and strategies
The People, Processes and Technology needed to operate securely
Security Life Cycle
Begins with Risk Assessments
Software Development Life Cycle (SDLC)
Component of all Project Management Plans
3rd-Party/Vendor Security Assessments
Reviews and Monitoring
Internal Risk Management
Internal & External Audits
Update Policies, Standards and Procedures
Policies, Standards, Procedures and Processes (cont.)
Information Security Policy
Information Classification Policy (new)
Data Protection Policy (new)
Internet Policy
Virus Policy
Remote Access Policy
Software Use Policy
Customer Privacy Policy
E-Mail
Policies, Standards, Procedures and Processes, II
Control Standards: foundation for all Security Standards; Engineering Specifications; Exception Process
Engineering Specifications: NT and Windows 2000; UNIX; Internet Infrastructure; Extranet; Remote Access; AS400
Policies, Standards, Procedures and Processes, III
Terminations and Transfers
Emergency Access
Software Development Life Cycle (SDLC)
Business Group Self Assessment
Vendor Reviews
Security Tools
Authentication
SecurePass
SecurID
Windows
Authorization
Access Manager
RACF
GetAccess
Windows Security Services
Enterprise Server Administrator (ESA)
Administration
Tivoli Identity Manager
Vanguard
Security Technology Deployed
Confidentiality: Lotus Notes Encryption; Secure Shell (SSH); PGP encryption tool
Monitoring / Enforcement: IntruVert; Sygate; Solar Winds; Enterprise Server Manager (ESM); Enterprise Server Reporter (ESR); Enterprise Policy Orchestra (EPO)
Security Awareness
12-month program
Outside research and trend analysis
Web site
Presentations targeted to specific audiences: new employees, Security Community, in-service training
Inter-office e-mail communications
National Computer Security Awareness Day
Computer-Based Training (CBT)
Vulnerability Assessment and Scanning
Twice a year we conduct a penetration and vulnerability test.
Ongoing mapping of the network
Access review scans periodically performed
Ongoing policy compliance monitoring
Modem sweeps several times a year
Security Monitoring and Response
Incident Response Process
Intrusion Detection Monitoring
Enterprise Security Monitor
Enterprise Security Reporter
RACF Reports
Anti-Virus Response Team
Internet Response Team
Cyber Crime Investigation Organization
PruAdvisories
Annual Self-Assessments of the Security Program
Security Community (Internal)
Business Information Security Officers
Security Administrators
Program Management
CTS Engineering and Operations
Senior Management Involvement
The community works together to:
Develop and implement standards, procedures, guidelines and processes to support the security program; and
Carry out project work to address risks and emerging threats.
Security Community Overview
Every Associate has an accountability
Management is held accountable
Support organizations implement
Each business and functional area has a security office
It's part of the BAU (business-as-usual) process
Security is becoming part of the culture.
External Security Participation
Information Systems Security Sharing Forum (ITSSF)
InfraGard
Information Systems Security Association (ISSA)
State of NJ Cyber-terrorism Task Force
The Research Board
Security Program Effectiveness
Stopping SPAM
Prudential uses a spam/profanity filter for inbound Internet e-mail.
Currently we are blocking about 90,000 spam e-mails a day (about 35% of all inbound Internet mail).
Stopping VIRUSES
Weekly, we stop between 800 and 1,000 viruses at our e-mail gateway.
Weekly, we detect and clean 900 to 1,200 viruses on the desktops and servers.
Occasionally we detect and clean upwards of 25,000 viruses on desktops and servers.
Security Program Observations
Awareness is a key component
Benchmarking helps make the program stronger
Making security part of everyone's job is key
Technology is important, but the people are more important
Security experts are valuable, but so are other technology experts
It takes everyone to make it work!
Emerging Areas of Focus
Instant Messaging
Wireless Devices (PDA, Cellphones, etc.)
Outsourcing
Mergers & Acquisitions
New / Changes in Laws
Avoiding the Hype
Understand your business risks
Understand the potential business impact
Understand what your peers are doing
Understand the relevance of the threats
Understand your capabilities
Understand your organization's culture
Security is a business issue and risk.
Questions
Alert Resources
CERT - Computer Emergency Response Team, Carnegie Mellon
BugTraq
Security Wire Digest
Web Alert - METASeS DefenseONE Command Center
Microsoft Product Security
InfraGard
FIRST
AVIEN - AntiVirus Information Exchange Network
McAfee & Sophos - AntiVirus vendor alerts