A framework for addressing security and managing business risk
The Information Security Program at Prudential Financial
Ken Tyminski, Vice President and Chief Information Security Officer, The Prudential Insurance Company of America

A Framework for Addressing Security and Managing Business Risk



Creating the Framework

  • Prudential Background Information

  • The Changing Environment

  • Components of the Program

  • The Security Community

  • Addressing the Business Risk


Prudential Background

  • Founded in 1875

  • Prudential Financial, Inc.'s Common Stock began trading on December 13, 2001 on NYSE under the symbol "PRU."

  • 15 million customers in the US and internationally

  • Total consolidated 2002 annual revenues of $26.7 billion

  • Total assets under management of approximately $422 billion as of June 30, 2003

  • Operating in over 30 foreign countries


Prudential Financial – IT Facts

  • 2 large Data Centers in US, 2 in Japan

  • 5,000 Servers in US

  • Most international locations have small data centers

  • Large Global Network

  • 1,347 Network nodes (routers)

  • 2,400 VLANs


The Changing Environment

  • Our business is going through significant change

    • The markets in which we operate

    • Company Structure and Growth

    • Technology we use

  • Business Risk is changing

    • Mergers/Acquisitions

    • Divestitures

    • Operating model

    • Outsourcers

    • Third Parties and Partners

  • Technology Risks are increasing

  • Regulatory change


Threat Sources

External

  • Hackers / Crackers

    • Fame

    • Financial Gain

      • Hired for Industrial Espionage

  • Hacker “wannabes”

Internal

  • Disgruntled Employees

  • Trusted Insiders

    • Financial gain

  • Unintentional errors

  • Poor password selection

  • Virus introduction


Some Recent Headlines

Credit Card Server Hacked at 'Greenville News'

  • Editor & Publisher Online, 07/28/2003

Graduate Student Steals 60 Identities at University of Michigan

  • Michigan Attorney General, 8/01/2003

Kentucky State Auditor Says Hackers Infiltrated Agency Network

  • Network World Fusion, 07/30/03

Former Telecast Fiber Worker Pleads Guilty to Hacking

  • Boston Business Journal, 08/04/2003

Missing Computer Adds to Airport Screeners' Woes

  • Newsday, 7/20/2003


How Organizations are Responding

  • FTC expands its consumer privacy initiatives

  • Homeland Security – Enhances programs designed to protect the U.S. financial system against criminal exploitation

  • Businesses developing and enhancing Security Programs

  • Terrorist Threat Integration Center (TTIC) to share information among federal agencies


The Security Program

  • Security Architecture

  • Policies, Standards, Procedures and Processes

  • Security Tools

  • Security Research

  • Security Awareness Program

  • Incident Response Teams

  • Security Community

    It’s not about the best technology!


Security Architecture

  • The architecture describes:

    • The business context driving our approach to protecting our operations and systems

    • Our core beliefs shaping our operations and systems environment

    • Our security principles representing management's preferences for the way operations and systems are designed, developed and operated

    • The secure processes and capabilities supporting our business objectives, capabilities and strategies

      The People, Processes and Technology needed to operate securely


Security Life Cycle

  • Begins with Risk Assessments

  • Software Development Life Cycle (SDLC)

  • Component of all Project Management Plans

  • 3rd-Party / Vendor Security Assessments

  • Reviews and Monitoring

    • Internal Risk Management

    • Internal & External Audits

  • Update Policies, Standards and Procedures


Policies, Standards, Procedures and Processes (cont.)

  • Information Security Policy

  • Information Classification Policy (new)

  • Data Protection Policy (new)

  • Internet Policy

  • Virus Policy

  • Remote Access Policy

  • Software Use Policy

  • Customer Privacy Policy

  • E-Mail


Policies, Standards, Procedures and Processes, II

  • Control Standards

    • Foundation for all Security Standards

    • Engineering Specifications

    • Exception Process

  • Engineering Specifications

    • NT and Windows 2000

    • UNIX

    • Internet Infrastructure

    • Extranet

    • Remote Access

    • AS400


Policies, Standards, Procedures and Processes, III

  • Terminations and Transfers

  • Emergency Access

  • Software Development Life Cycle (SDLC)

  • Business Group Self Assessment

  • Vendor Reviews


Security Tools

  • Authentication

    • SecurePass

    • SecurID

    • Windows

  • Authorization

    • Access Manager

    • RACF

  • Administration

    • Tivoli Identity Manager

    • Vanguard

    • RACF

    • GetAccess

    • Windows Security Services

    • Enterprise Server Administrator (ESA)


Security Technology Deployed

  • Confidentiality

    • Lotus Notes Encryption

    • Secure Shell (SSH)

    • PGP encryption tool

  • Monitoring / Enforcement

    • IntruVert

    • Sygate

    • Solar Winds

    • Enterprise Server Manager (ESM)

    • Enterprise Server Reporter (ESR)

    • Enterprise Policy Orchestra (EPO)


Security Awareness

  • 12-month program

  • Outside research and trend analysis

  • Web site

  • Presentations targeted to specific audiences

    • New Employees

    • Security Community

    • In-service Training

  • Inter-Office E-Mail Communications

  • National Computer Security Awareness Day

  • Computer-Based Training (CBT)


Vulnerability Assessment and Scanning

  • Twice a year we conduct a penetration and vulnerability test.

  • Ongoing mapping of the network

  • Access review scans periodically performed

  • Ongoing policy compliance monitoring

  • Modem sweeps several times a year


Security Monitoring and Response

  • Incident Response Process

  • Intrusion Detection Monitoring

  • Enterprise Security Monitor

  • Enterprise Security Reporter

  • RACF Reports

  • Anti-Virus Response Team

  • Internet Response Team

  • Cyber Crime Investigation Organization

  • PruAdvisories

  • Annual Self-Assessments of the Security Program


Security Community (Internal)

  • Business Information Security Officers

    • Security Administrators

  • Program Management

  • CTS Engineering and Operations

  • Senior Management Involvement

  • The community works together to:

    • Develop and implement standards, procedures, guidelines and processes to support the security program; and

    • Carry out project work to address risks and emerging threats.


Security Community Overview

  • Every Associate is accountable

  • Management is held accountable

  • Support organizations implement

  • Each business and functional area has a security office

  • It’s part of the BAU (business as usual) process

    Security is becoming part of the culture.


External Security Participation

  • Information Systems Security Sharing Forum (ITSSF)

  • InfraGard

  • Information Systems Security Association (ISSA)

  • State of NJ Cyber-terrorism Task Force

  • The Research Board


Security Program Effectiveness

  • Stopping SPAM

    • Prudential uses a spam/profanity filter for inbound Internet e-mail.

    • Currently we are blocking about 90,000 spam emails a day (about 35% of all inbound Internet mail).

  • Stopping VIRUSES

    • Weekly, we stop between 800 and 1,000 viruses at our e-mail gateway.

    • Weekly, we detect and clean 900 – 1,200 viruses on the desktops and servers.

    • Occasionally we detect and clean upwards of 25,000 viruses on desktops and servers.


Security Program Observations

  • Awareness is a key component

  • Benchmarking helps make the program stronger

  • Making security part of everyone’s job is key

  • Technology is important, but the people are more important

  • Security experts are valuable, but so are other technology experts

    It takes everyone to make it work!


Emerging Areas of Focus

  • Instant Messaging

  • Wireless Devices (PDA, Cellphones, etc.)

  • Outsourcing

  • Mergers & Acquisitions

  • New / Changes in Laws


Avoiding the Hype

  • Understand your business risks

  • Understand the potential business impact

  • Understand what your peers are doing

  • Understand the relevance of the threats

  • Understand your capabilities

  • Understand your organization’s culture

    Security is a business issue and risk.



Alert Resources

  • CERT - Computer Emergency Response Team, Carnegie Mellon

  • BugTraq

  • Security Wire Digest

  • Web Alert - METASeS DefenseONE Command Center

  • Microsoft Product Security

  • InfraGard

  • FIRST

  • AVIEN - AntiVirus Information Exchange Network

  • McAfee & Sophos - AntiVirus vendor alerts


Thank you. Questions, comments?