The Information Security Program (presentation transcript)

The Information Security Program at Prudential Financial
Ken Tyminski
Vice President and Chief Information Security Officer, The Prudential Insurance Company of America

A Framework for Addressing Security and Managing Business Risk

Creating the Framework

  • Prudential Background Information

  • The Changing Environment

  • Components of the Program

  • The Security Community

  • Addressing the Business Risk

Prudential Background

  • Founded in 1875

  • Prudential Financial, Inc.'s Common Stock began trading on December 13, 2001 on NYSE under the symbol "PRU."

  • 15 million customers in the US and internationally

  • Total consolidated 2002 annual revenues of $26.7 billion

  • Total assets under management of approximately $422 billion as of June 30, 2003

  • Operating in over 30 foreign countries

Prudential Financial – IT Facts

  • 2 large Data Centers in US, 2 in Japan

  • 5,000 Servers in US

  • Most international locations have small data centers

  • Large Global Network

  • 1,347 Network nodes (routers)

  • 2,400 VLANs

The Changing Environment

  • Our business is going through significant change

    • The markets we operate in

    • Company Structure and Growth

    • Technology we use

  • Business Risk is changing

    • Mergers/Acquisitions

    • Divestitures

    • Operating model

    • Outsourcers

    • Third Parties and Partners

  • Technology Risks are increasing

  • Regulatory change

Threat Sources

  • Hackers / Crackers

    • Fame

    • Financial Gain

      • Hired for Industrial Espionage

  • Hacker “wannabes”

  • Disgruntled Employees

  • Trusted Insiders

    • Financial gain

  • Unintentional errors

  • Poor password selection

  • Virus introduction

Some Recent Headlines...

  • Credit Card Server Hacked at 'Greenville News'

    • Editor & Publisher Online, 07/28/2003

  • Graduate Student Steals 60 Identities at University of Michigan

    • Michigan Attorney General, 8/01/2003

  • Kentucky State Auditor Says Hackers Infiltrated Agency Network

    • Network World Fusion, 07/30/03

  • Former Telecast Fiber Worker Pleads Guilty to Hacking

    • Boston Business Journal, 08/04/2003

  • Missing Computer Adds to Airport Screeners' Woes

    • Newsday, 7/20/2003

How Organizations are Responding

  • FTC expands its consumer privacy initiatives

  • Homeland Security – Enhances programs designed to protect the U.S. financial system against criminal exploitation

  • Businesses developing and enhancing Security Programs

  • Terrorist Threat Integration Center (TTIC) to share information among federal agencies

The Security Program

  • Security Architecture

  • Policies, Standards, Procedures and Processes

  • Security Tools

  • Security Research

  • Security Awareness Program

  • Incident Response Teams

  • Security Community

    It’s not about the best technology!

Security Architecture

  • The architecture describes:

    • The business context driving our approach to protecting our operations and systems

    • Our core beliefs shaping our operations and systems environment

    • Our security principles representing management's preferences for the way operations and systems are designed, developed and operated

    • The secure processes and capabilities supporting our business objectives, capabilities and strategies

      The People, Processes and Technology needed to operate securely

Security Life Cycle

  • Begins with Risk Assessments

  • Software Development Life Cycle (SDLC)

  • Component of all Project Management Plans

  • 3rd-Party / Vendor Security Assessments

  • Reviews and Monitoring

    • Internal Risk Management

    • Internal & External Audits

  • Update Policies, Standards and Procedures

Policies, Standards, Procedures and Processes (cont.)

  • Information Security Policy

  • Information Classification Policy (new)

  • Data Protection Policy (new)

  • Internet Policy

  • Virus Policy

  • Remote Access Policy

  • Software Use Policy

  • Customer Privacy Policy

  • E-Mail

Policies, Standards, Procedures and Processes, II

  • Control Standards

    • Foundation for all Security Standards

    • Engineering Specifications

    • Exception Process

  • Engineering Specifications

    • NT and Windows 2000

    • UNIX

    • Internet Infrastructure

    • Extranet

    • Remote Access

    • AS/400

Policies, Standards, Procedures and Processes, III

  • Terminations and Transfers

  • Emergency Access

  • Software Development Life Cycle (SDLC)

  • Business Group Self Assessment

  • Vendor Reviews

Security Tools

  • Access Manager

  • Tivoli Identity Manager

  • Windows Security Services

  • Enterprise Server Administrator (ESA)

Security Technology Deployed

  • Confidentiality

    • Lotus Notes Encryption

    • Secure Shell (SSH)

    • PGP encryption tool

  • Monitoring / Enforcement

    • IntruVert

    • Sygate

    • SolarWinds

    • Enterprise Server Manager (ESM)

    • Enterprise Server Reporter (ESR)

    • Enterprise Policy Orchestra (EPO)

Security Awareness

  • 12-month program

  • Outside research and trend analysis

  • Web site

  • Presentations targeted to specific audiences

    • New Employees

    • Security Community

    • In-service Training

  • Inter-Office E-Mail Communications

  • National Computer Security Awareness Day

  • Computer-Based Training (CBT)

Vulnerability Assessment and Scanning

  • Twice a year we conduct a penetration and vulnerability test.

  • Ongoing mapping of the network

  • Access review scans periodically performed

  • Ongoing policy compliance monitoring

  • Modem sweeps several times a year

Security Monitoring and Response

  • Incident Response Process

  • Intrusion Detection Monitoring

  • Enterprise Security Monitor

  • Enterprise Security Reporter

  • RACF Reports

  • Anti-Virus Response Team

  • Internet Response Team

  • Cyber Crime Investigation Organization

  • PruAdvisories

  • Annual Self-Assessments of the Security Program

Security Community (Internal)

  • Business Information Security Officers

    • Security Administrators

  • Program Management

  • CTS Engineering and Operations

  • Senior Management Involvement

  • The community works together to:

    • Develop and implement standards, procedures, guidelines and processes to support the security program; and

    • Carry out project work to address risks and emerging threats.

Security Community Overview

  • Every Associate has accountability

  • Management is held accountable

  • Support organizations implement

  • Each business and functional area has a security office

  • It’s part of the BAU (business-as-usual) process

    Security is becoming part of the culture.

External Security Participation

  • Information Systems Security Sharing Forum (ITSSF)

  • InfraGard

  • Information Systems Security Association (ISSA)

  • State of NJ Cyber-terrorism Task Force

  • The Research Board

Security Program Effectiveness

  • Stopping SPAM

    • Prudential uses a spam/profanity filter for inbound Internet e-mail.

    • Currently we are blocking about 90,000 spam emails a day (about 35% of all inbound Internet mail).

  • Stopping VIRUSES

    • Weekly, we stop between 800 and 1,000 viruses at our e-mail gateway.

    • Weekly, we detect and clean 900 to 1,200 viruses on the desktops and servers.

    • Occasionally we detect and clean upwards of 25,000 viruses on desktops and servers.

Security Program Observations

  • Awareness is a key component

  • Benchmarking helps make the program stronger

  • Making security part of everyone’s job is key

  • Technology is important, but the people are more important

  • Security experts are valuable, but so are other technology experts

    It takes everyone to make it work!

Emerging Areas of Focus

  • Instant Messaging

  • Wireless Devices (PDA, Cellphones, etc.)

  • Outsourcing

  • Mergers & Acquisitions

  • New / Changes in Laws

Avoiding the Hype

  • Understand your business risks

  • Understand the potential business impact

  • Understand what your peers are doing

  • Understand the relevance of the threats

  • Understand your capabilities

  • Understand your organization's culture

    Security is a business issue and risk.

Alert Resources

  • CERT - Computer Emergency Response Team, Carnegie Mellon

  • BugTraq

  • Security Wire Digest

  • Web Alert - METASeS DefenseONE Command Center

  • Microsoft Product Security

  • InfraGard

  • AVIEN - AntiVirus Information Exchange Network

  • McAfee & Sophos - AntiVirus vendor alerts

Thank you. Questions, comments?