The Information Security Program at Prudential Financial
Ken Tyminski, Vice President and Chief Information Security Officer, The Prudential Insurance Company of America

A Framework for Addressing Security and Managing Business Risk


Creating the Framework

  • Prudential Background Information
  • The Changing Environment
  • Components of the Program
  • The Security Community
  • Addressing the Business Risk
Prudential Background
  • Founded in 1875
  • Prudential Financial, Inc.'s Common Stock began trading on December 13, 2001 on the NYSE under the symbol "PRU."
  • 15 million customers in the US and internationally
  • Total consolidated 2002 annual revenues of $26.7 billion
  • Total assets under management of approximately $422 billion as of June 30, 2003
  • Operating in over 30 foreign countries
Prudential Financial – IT Facts
  • 2 large Data Centers in US, 2 in Japan
  • 5,000 Servers in US
  • Most international locations have small data centers
  • Large Global Network
  • 1,347 Network nodes (routers)
  • 2,400 VLANs
The Changing Environment
  • Our business is going through significant change
    • The markets we operate in
    • Company Structure and Growth
    • Technology we use
  • Business Risk is changing
    • Mergers/Acquisitions
    • Divestitures
    • Operating model
    • Outsourcers
    • Third Parties and Partners
  • Technology Risks are increasing
  • Regulatory change
Threat Sources
  • Hackers / Crackers
    • Fame
    • Financial Gain
      • Hired for Industrial Espionage
  • Hacker “wannabes”
  • Disgruntled Employees
  • Trusted Insiders
    • Financial gain
  • Unintentional errors
  • Poor password selection
  • Virus introduction
Some Recent Headlines
  • Credit Card Server Hacked at 'Greenville News'
    • Editor & Publisher Online, 07/28/2003
  • Graduate Student Steals 60 Identities at University of Michigan
    • Michigan Attorney General, 08/01/2003
  • Kentucky State Auditor Says Hackers Infiltrated Agency Network
    • Network World Fusion, 07/30/2003
  • Former Telecast Fiber Worker Pleads Guilty to Hacking
    • Boston Business Journal, 08/04/2003
  • Missing Computer Adds to Airport Screeners' Woes
    • Newsday, 07/20/2003
How Organizations are Responding
  • FTC expands its consumer privacy initiatives
  • Homeland Security – Enhances programs designed to protect the U.S. financial system against criminal exploitation
  • Businesses developing and enhancing Security Programs
  • Terrorist Threat Integration Center (TTIC) to share information among federal agencies
The Security Program
  • Security Architecture
  • Policies, Standards, Procedures and Processes
  • Security Tools
  • Security Research
  • Security Awareness Program
  • Incident Response Teams
  • Security Community

It’s not about the best technology!

Security Architecture
  • The architecture describes:
    • The business context driving our approach to protecting our operations and systems
    • Our core beliefs shaping our operations and systems environment
    • Our security principles representing management's preferences for the way operations and systems are designed, developed and operated
    • The secure processes and capabilities supporting our business objectives, capabilities and strategies

The People, Processes and Technology needed to operate securely

Security Life Cycle
  • Begins with Risk Assessments
  • Software Development Life Cycle (SDLC)
  • Component of all Project Management Plans
  • 3rd-Party/ Vendor Security Assessments
  • Reviews and Monitoring
    • Internal Risk Management
    • Internal & External Audits
  • Update Policies, Standards and Procedures
Policies, Standards, Procedures and Processes (cont.)
  • Information Security Policy
  • Information Classification Policy(new)
  • Data Protection Policy(new)
  • Internet Policy
  • Virus Policy
  • Remote Access Policy
  • Software Use Policy
  • Customer Privacy Policy
  • E-Mail Policy
Policies, Standards, Procedures and Processes, II
  • Control Standards
    • Foundation for all Security Standards
    • Engineering Specifications
    • Exception Process
  • Engineering Specifications
    • NT and Windows 2000
    • UNIX
    • Internet Infrastructure
    • Extranet
    • Remote Access
    • AS400
Policies, Standards, Procedures and Processes, III
  • Terminations and Transfers
  • Emergency Access
  • Software Development Life Cycle (SDLC)
  • Business Group Self Assessment
  • Vendor Reviews
Security Tools
  • Access Manager
  • Tivoli Identity Manager
  • Windows Security Services
  • Enterprise Server Administrator (ESA)
Security Technology Deployed
  • Confidentiality
    • Lotus Notes Encryption
    • Secure Shell (SSH)
    • PGP encryption tool
  • Monitoring / Enforcement
    • IntruVert
    • Sygate
    • SolarWinds
    • Enterprise Security Manager (ESM)
    • Enterprise Security Reporter (ESR)
    • ePolicy Orchestrator (ePO)
Security Awareness
  • 12-month program
  • Outside research and trend analysis
  • Web site
  • Presentations targeted to specific audiences
    • New Employees
    • Security Community
    • In-service Training
  • Inter-Office E-Mail Communications
  • National Computer Security Awareness Day
  • Computer-Based Training (CBT)
Vulnerability Assessment and Scanning
  • Twice a year we conduct a penetration and vulnerability test
  • Ongoing mapping of the network
  • Access review scans performed periodically
  • Ongoing policy compliance monitoring
  • Modem sweeps several times a year
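The "Access review scans" above, together with the "Terminations and Transfers" process listed under Policies, Standards, Procedures and Processes, III, come down to one reconciliation: compare what HR says about a person with what the directory still grants them. The script below is an added example of that check and is not Prudential's tooling; the HR records, accounts, department-to-group mapping and service-account allowlist are all constructed for the example, and the grace and dormancy thresholds are assumptions.

```python
"""Periodic access review: reconcile an HR feed against a directory export.

Added example for illustration; not Prudential's own tooling. All records
below are constructed sample data, and the department/group mapping and
service-account allowlist are assumptions made for the example.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import List, Optional, Set, Tuple

# Groups that should only be held by members of the named department (assumed).
DEPT_GROUPS = {
    "claims": {"claims-ro", "claims-rw"},
    "finance": {"gl-post", "ap-approve"},
    "it-ops": {"srv-admins"},
}
# Non-person accounts with a documented owner; these are not orphans (assumed).
SERVICE_ACCOUNTS = {"svc-backup"}


@dataclass
class HrRecord:
    emp_id: str
    status: str                       # "active", "terminated" or "transferred"
    department: str                   # current department
    prior_department: Optional[str] = None
    effective: Optional[date] = None  # date the termination/transfer took effect


@dataclass
class Account:
    username: str
    emp_id: Optional[str]             # None when the directory has no HR link
    enabled: bool
    groups: Set[str] = field(default_factory=set)
    last_logon: Optional[date] = None


Finding = Tuple[str, str, str]        # (username, category, detail)


def review(hr: List[HrRecord], accounts: List[Account], today: date,
           term_grace_days: int = 1, dormant_days: int = 90) -> List[Finding]:
    """Return one finding per control gap; an empty list means the review is clean."""
    hr_by_id = {r.emp_id: r for r in hr}
    findings: List[Finding] = []
    for acct in accounts:
        if acct.username in SERVICE_ACCOUNTS:
            continue                                   # owned, reviewed separately
        rec = hr_by_id.get(acct.emp_id) if acct.emp_id else None
        if rec is None:
            findings.append((acct.username, "orphan",
                             "no HR record; confirm owner or disable"))
            continue
        if rec.status == "terminated" and acct.enabled:
            age = (today - rec.effective).days if rec.effective else None
            if age is None or age > term_grace_days:
                findings.append((acct.username, "terminated-still-enabled",
                                 f"terminated {age} day(s) ago, account still enabled"))
            else:
                findings.append((acct.username, "terminated-in-grace",
                                 "termination within grace period; verify disable is scheduled"))
        if rec.status == "transferred" and rec.prior_department:
            # Transfers accumulate rights: flag groups that belong to the old department.
            leftover = acct.groups & DEPT_GROUPS.get(rec.prior_department, set())
            if leftover:
                findings.append((acct.username, "transfer-residual-access",
                                 f"moved {rec.prior_department}->{rec.department}, "
                                 f"still in {sorted(leftover)}"))
        if (rec.status == "active" and acct.enabled and acct.last_logon is not None
                and (today - acct.last_logon).days > dormant_days):
            findings.append((acct.username, "dormant",
                             f"no logon for {(today - acct.last_logon).days} days"))
    return findings


def run_sample() -> List[Finding]:
    """Run the review over constructed sample data (not real records)."""
    today = date(2003, 8, 15)
    hr = [
        HrRecord("E100", "active", "claims"),
        HrRecord("E200", "terminated", "claims", effective=date(2003, 7, 15)),
        HrRecord("E300", "transferred", "finance", prior_department="claims",
                 effective=date(2003, 8, 1)),
        HrRecord("E400", "terminated", "it-ops", effective=date(2003, 8, 15)),
        HrRecord("E500", "active", "finance"),
    ]
    accounts = [
        Account("alice", "E100", True, {"claims-rw"}, today - timedelta(days=5)),
        Account("bob", "E200", True, {"claims-ro"}, today - timedelta(days=40)),
        Account("carol", "E300", True, {"gl-post", "claims-rw"}, today - timedelta(days=1)),
        Account("dave", None, True, {"claims-ro"}, today - timedelta(days=2)),
        Account("erin", "E400", True, {"srv-admins"}, today),
        Account("hank", "E500", True, {"gl-post"}, today - timedelta(days=120)),
        Account("svc-backup", None, True, {"srv-admins"}, today),
    ]
    return review(hr, accounts, today)


if __name__ == "__main__":
    for user, category, detail in run_sample():
        print(f"{category:26} {user:10} {detail}")
```

In practice the two inputs are an HR system extract and a directory export (RACF, NT domain, UNIX password files), and the output feeds the Business Information Security Officers for the affected area; the categories map directly onto the processes on the slide: terminations, transfers and the periodic access review.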
Security Monitoring and Response
  • Incident Response Process
  • Intrusion Detection Monitoring
  • Enterprise Security Manager (ESM)
  • Enterprise Security Reporter
  • RACF Reports
  • Anti-Virus Response Team
  • Internet Response Team
  • Cyber Crime Investigation Organization
  • PruAdvisories
  • Annual Self-Assessments of the Security Program
Security Community (Internal)
  • Business Information Security Officers
    • Security Administrators
  • Program Management
  • CTS Engineering and Operations
  • Senior Management Involvement
  • The community works together to:
    • Develop and implement the standards, procedures, guidelines and processes that support the security program; and
    • Carry out project work to address risks and emerging threats.
Security Community Overview
  • Every associate is accountable
  • Management is held accountable
  • Support organizations implement
  • Each business and functional area has a security office
  • It’s part of the business-as-usual (BAU) process

Security is becoming part of the culture.

External Security Participation
  • Information Systems Security Sharing Forum (ITSSF)
  • InfraGard
  • Information Systems Security Association (ISSA)
  • State of NJ Cyber-terrorism Task Force
  • The Research Board
Security Program Effectiveness
  • Stopping SPAM
    • Prudential uses a spam/profanity filter for inbound Internet e-mail.
    • Currently we are blocking about 90,000 spam e-mails a day (about 35% of all inbound Internet mail).
  • Stopping VIRUSES
    • Weekly, we stop between 800 and 1,000 viruses at our e-mail gateway.
    • Weekly, we detect and clean 900 to 1,200 viruses on desktops and servers.
    • Occasionally we detect and clean upwards of 25,000 viruses on desktops and servers.
Security Program Observations
  • Awareness is a key component
  • Benchmarking helps make the program stronger
  • Making security part of everyone’s job is key
  • Technology is important, but the people are more important
  • Security experts are valuable, but so are other technology experts

It takes everyone to make it work!

Emerging Areas of Focus
  • Instant Messaging
  • Wireless Devices (PDA, Cellphones, etc.)
  • Outsourcing
  • Mergers & Acquisitions
  • New / Changes in Laws
Avoiding the Hype
  • Understand your business risks
  • Understand the potential business impact
  • Understand what your peers are doing
  • Understand the relevance of the threats
  • Understand your capabilities
  • Understand your organization’s culture

Security is a business issue and risk.

Alert Resources
  • CERT - Computer Emergency Response Team, Carnegie Mellon
  • BugTraq
  • Security Wire Digest
  • Web Alert - METASeS DefenseONE Command Center
  • Microsoft Product Security
  • InfraGard
  • AVIEN - AntiVirus Information Exchange Network
  • McAfee & Sophos - AntiVirus vendor alerts