The Information Security Program at Prudential Financial
Ken Tyminski, Vice President and Chief Information Security Officer, The Prudential Insurance Company of America
A Framework for Addressing Security and Managing Business Risk
Creating the Framework
Prudential Background Information
The Changing Environment
Components of the Program
The Security Community
Addressing the Business Risk
Prudential Background
Founded in 1875
Prudential Financial, Inc.'s Common Stock began trading on December 13, 2001 on NYSE under the symbol "PRU."
15 million customers in the US and internationally
Total consolidated 2002 annual revenues of $26.7 billion
Total assets under management of approximately $422 billion as of June 30, 2003
Operating in over 30 foreign countries
Prudential Financial – IT Facts
2 large Data Centers in US, 2 in Japan
5,000 Servers in US
Most international locations have small data centers
Large Global Network
1,347 Network nodes (routers)
2,400 VLANs
The Changing Environment
Our business is going through significant change
The markets we operate in
Company Structure and Growth
Technology we use
Business Risk is changing
Mergers/Acquisitions
Divestitures
Operation model
Outsourcers
Third Parties and Partners
Technology Risks are increasing
Regulatory change
Threat Sources
External
Hackers / Crackers
Fame
Financial Gain
Hired for Industrial Espionage
Hacker “wannabes”
Internal
Disgruntled Employees
Trusted Insiders
Financial gain
Unintentional errors
Poor password selection
Virus introduction
Some Recent Headlines
Credit Card Server Hacked at 'Greenville News'
Editor & Publisher Online 07/28/2003
Graduate Student Steals 60 Identities at University of Michigan
Michigan Attorney General 8/01/2003
Kentucky State Auditor Says Hackers Infiltrated Agency Network
Network World Fusion 07/30/03
Former Telecast Fiber Worker Pleads Guilty to Hacking
Boston Business Journal 08/04/2003
Missing Computer Adds to Airport Screeners' Woes
Newsday 7/20/2003
How Organizations are Responding
FTC expands its consumer privacy initiatives
Homeland Security – Enhances programs designed to protect the U.S. financial system against criminal exploitation
Businesses developing and enhancing Security Programs
Terrorist Threat Integration Center (TTIC) to share information among federal agencies
Security Architecture
Policies, Standards, Procedures and Processes
Security Tools
Security Research
Security Awareness Program
Incident Response Teams
Security Community
It’s not about the best technology!
The Security Program
[Diagram: the security program model; only the box labels survive extraction. They are listed here in the order they appear.]
Implementation, Planning, Assessment
Risk Assessment, Standards Management, Policy Implementation
Security Operations: Protect, Detect, React
Access Control, Identification and Authentication, Confidentiality, Integrity, Non-Repudiation, Availability
Alert Management, Response & Recovery
Security and Privacy Audit, Policy Management, Inventory Management, Security and Privacy Certification
Administration: Security Administration, Privacy Choice Management, Delegation Management, Privacy Obligation Management, Logging, Monitoring
Security and Privacy Architecture, Security and Privacy Policies
Implementation: Security and Privacy Infrastructure, Security and Privacy Procedures and Processes, Security and Privacy Standards, Security and Privacy Awareness, Security and Privacy Community
Operation: Security and Privacy Enabling Applications, Security and Privacy Monitoring, Incident Response, Review and Audit, Security and Privacy Administration, Certification
Security Architecture
The architecture describes:
The business context driving our approach to protecting our operations and systems
Our core beliefs shaping our operations and systems environment
Our security principles representing management's preferences for the way operations and systems are designed, developed and operated
The secure processes and capabilities supporting our business objectives, capabilities and strategies
The People, Processes and Technology needed to operate securely
Security Life Cycle
Begins with Risk Assessments
Software Development Life Cycle (SDLC)
Component of all Project Management Plans
3rd-Party/ Vendor Security Assessments
Reviews and Monitoring
Internal Risk Management
Internal & External Audits
Update Policies, Standards and Procedures
Policies, Standards, Procedures and Processes (cont.)
Information Security Policy
Information Classification Policy (new)
Data Protection Policy (new)
Internet Policy
Virus Policy
Remote Access Policy
Software Use Policy
Customer Privacy Policy
E-Mail
Policies, Standards, Procedures and Processes, II
Control Standards
Foundation for all Security Standards
Engineering Specifications
Exception Process
Engineering Specifications
NT and Windows 2000
UNIX
Internet Infrastructure
Extranet
Remote Access
AS400
Policies, Standards, Procedures and Processes, III
Terminations and Transfers
Emergency Access
Software Development Life Cycle (SDLC)
Business Group Self Assessment
Vendor Reviews
Security Tools
Authentication
SecurePass
SecurID
Windows
Authorization
Access Manager
RACF
Administration
Tivoli Identity Manager
Vanguard
RACF
GetAccess
Windows Security Services
Enterprise Server Administrator (ESA)
Security Technology Deployed
Confidentiality
Lotus Notes Encryption
Secure Shell (SSH)
PGP encryption tool
Monitoring / Enforcement
IntruVert
Sygate
Solar Winds
Enterprise Server Manager (ESM)
Enterprise Server Reporter (ESR)
Enterprise Policy Orchestra (EPO)
Security Awareness
12-month program
Outside research and trend analysis
Web site
Presentations targeted to specific audiences
New Employees
Security Community
In-service Training
Inter-Office E-Mail Communications
National Computer Security Awareness Day
Computer-Based Training (CBT)
Vulnerability Assessment and Scanning
Twice a year we conduct a penetration and vulnerability test.
Ongoing mapping of the network
Access review scans periodically performed
Ongoing policy compliance monitoring
Modem sweeps several times a year
Security Monitoring and Response
Incident Response Process
Intrusion Detection Monitoring
Enterprise Security Monitor
Enterprise Security Reporter
RACF Reports
Anti-Virus Response Team
Internet Response Team
Cyber Crime Investigation Organization
PruAdvisories
Annual Self-Assessments of the Security Program
Security Community (Internal)
Business Information Security Officers
Security Administrators
Program Management
CTS Engineering and Operations
Senior Management Involvement
The community works together to:
Develop and implement standards, procedures, guidelines and processes to support the security program; and
Project work to address risks and emerging threats.
Security Community Overview
Every Associate has an accountability
Management is held accountable
Support organizations implement
Each business and functional area has a security office
It’s part of the BAU process
Security is becoming part of the culture.
External Security Participation
Information Systems Security Sharing Forum (ITSSF)
InfraGard
Information Systems Security Association (ISSA)
State of NJ Cyber-terrorism Task Force
The Research Board
Security Program Effectiveness
Stopping SPAM
Prudential uses a spam/profanity filter for inbound Internet e-mail. Currently we are blocking about 90,000 spam emails a day (about 35% of all inbound internet mail).
Stopping VIRUSES
Weekly, we stop between 800 and 1,000 viruses at our e-mail gateway.
Weekly, we detect and clean 900 to 1,200 viruses on the desktops and servers.
Occasionally we detect and clean upwards of 25,000 viruses on desktops and servers.
Security Program Observations
Awareness is a key component
Benchmarking helps make the program stronger
Making security part of everyone’s job is key
Technology is important, but the people are more important
Security experts are valuable, but so are other technology experts
It takes everyone to make it work!
Emerging Areas of Focus
Instant Messaging
Wireless Devices (PDA, Cellphones, etc.)
Outsourcing
Mergers & Acquisitions
New / Changes in Laws
Avoiding the Hype
Understand your business risks
Understand the potential business impact
Understand what your peers are doing
Understand the relevance of the threats
Understand your capabilities
Understand your organization’s culture
Security is a business issue and risk.
Alert Resources
CERT - Computer Emergency Response Team, Carnegie Mellon
BugTraq
Security Wire Digest
Web Alert - METASeS
DefenseONE Command Center
Microsoft Product Security
InfraGard
FIRST
AVIEN - AntiVirus Information Exchange Network
McAfee & Sophos - AntiVirus vendor alerts