The Information Security Program at Prudential Financial Ken Tyminski Vice President and Chief Information Security Officer, The Prudential Insurance Company of America A Framework for Addressing Security and Managing Business Risk

The Information Security Program at Prudential Financial

Ken Tyminski, Vice President and Chief Information Security Officer, The Prudential Insurance Company of America

A Framework for Addressing Security and Managing Business Risk

Creating the Framework

Prudential Background Information
The Changing Environment
Components of the Program
The Security Community
Addressing the Business Risk

Prudential Background

Founded in 1875
Prudential Financial, Inc.'s Common Stock began trading on December 13, 2001 on NYSE under the symbol "PRU."
15 million customers in the US and internationally
Total consolidated 2002 annual revenues of $26.7 billion
Total assets under management of approximately $422 billion as of June 30, 2003
Operating in over 30 foreign countries

Prudential Financial – IT Facts

2 large Data Centers in US, 2 in Japan
5,000 Servers in US
Most international locations have small data centers
Large Global Network
1,347 Network nodes (routers)
2,400 VLANs

The Changing Environment

Our business is going through significant change
  The markets we operate in
  Company Structure and Growth
  Technology we use
Business Risk is changing
  Mergers/Acquisitions
  Divestitures
  Operation model
  Outsourcers
  Third Parties and Partners
Technology Risks are increasing
Regulatory change

Threat Sources

External
  Hackers / Crackers
    Fame
    Financial Gain
    Hired for Industrial Espionage
  Hacker "wannabes"
Internal
  Disgruntled Employees
  Trusted Insiders
    Financial gain
    Unintentional errors
    Poor password selection
    Virus introduction

Some Recent Headlines...

Credit Card Server Hacked at 'Greenville News'
  Editor & Publisher Online, 07/28/2003
Graduate Student Steals 60 Identities at University of Michigan
  Michigan Attorney General, 8/01/2003
Kentucky State Auditor Says Hackers Infiltrated Agency Network
  Network World Fusion, 07/30/03
Former Telecast Fiber Worker Pleads Guilty to Hacking
  Boston Business Journal, 08/04/2003
Missing Computer Adds to Airport Screeners' Woes
  Newsday, 7/20/2003

How Organizations are Responding

FTC expands its consumer privacy initiatives
Homeland Security – Enhances programs designed to protect the U.S. financial system against criminal exploitation
Businesses developing and enhancing Security Programs
Terrorist Threat Integration Center (TTIC) to share information among federal agencies

Security Architecture

Policies, Standards, Procedures and Processes

Security Tools

Security Research

Security Awareness Program

Incident Response Teams

Security Community

It’s not about the best technology!

The Security Program

[Diagram: the security program framework, drawn as a cycle of Planning, Implementation, Operation and Assessment around Security Operations (Protect, Detect, React). Labels recovered from the figure, in the order they appear:]

Implementation; Planning; Assessment
Risk Assessment; Standards Management; Policy Implementation
Security Operations: Protect, Detect, React
Access Control; Identification and Authentication; Confidentiality; Integrity; Non-Repudiation; Availability
Alert Management; Response & Recovery; Security and Privacy Audit
Policy Management; Inventory Management; Security and Privacy Certification
Administration: Security Administration, Privacy Choice Management, Delegation Management, Privacy Obligation Management
Logging; Monitoring
Security and Privacy Architecture; Security and Privacy Policies
Implementation: Security and Privacy Infrastructure, Security and Privacy Procedures and Processes, Security and Privacy Standards, Security and Privacy Awareness, Security and Privacy Community
Operation: Security and Privacy Enabling Applications, Security and Privacy Monitoring, Incident Response
Review and Audit: Security and Privacy Administration, Certification

Security Architecture

The architecture describes:

The business context driving our approach to protecting our operations and systems

Our core beliefs shaping our operations and systems environment

Our security principles representing management's preferences for the way operations and systems are designed, developed and operated

The secure processes and capabilities supporting our business objectives, capabilities and strategies

The People, Processes and Technology needed to operate securely

Security Life Cycle

Begins with Risk Assessments

Software Development Life Cycle (SDLC)

Component of all Project Management Plans

3rd-Party/ Vendor Security Assessments

Reviews and Monitoring

Internal Risk Management

Internal & External Audits

Update Policies, Standards and Procedures

Policies, Standards, Procedures and Processes (cont.)

Information Security Policy
Information Classification Policy (new)
Data Protection Policy (new)
Internet Policy
Virus Policy
Remote Access Policy
Software Use Policy
Customer Privacy Policy
E-Mail

Policies, Standards, Procedures and Processes, II

Control Standards
  Foundation for all Security Standards
  Engineering Specifications
  Exception Process
Engineering Specifications
  NT and Windows 2000
  UNIX
  Internet Infrastructure
  Extranet
  Remote Access
  AS400

Policies, Standards, Procedures and Processes, III

Terminations and Transfers

Emergency Access

Software Development Life Cycle (SDLC)

Business Group Self Assessment

Vendor Reviews

Security Tools

Authentication
  SecurePass
  SecurID
  Windows
Authorization
  Access Manager
  RACF
Administration
  Tivoli Identity Manager
  Vanguard
  RACF
  GetAccess
  Windows Security Services
  Enterprise Server Administrator (ESA)

Security Technology Deployed

Confidentiality
  Lotus Notes Encryption
  Secure Shell (SSH)
  PGP encryption tool
Monitoring / Enforcement
  IntruVert
  Sygate
  Solar Winds
  Enterprise Server Manager (ESM)
  Enterprise Server Reporter (ESR)
  Enterprise Policy Orchestra (EPO)

Security Awareness

12-month program
Outside research and trend analysis
Web site
Presentations targeted to specific audiences
  New Employees
  Security Community
  In-service Training
Inter-Office E-Mail Communications
National Computer Security Awareness Day
Computer-Based Training (CBT)

Vulnerability Assessment and Scanning

Twice a year we conduct a penetration and vulnerability test.
Ongoing mapping of the network
Access review scans periodically performed
Ongoing policy compliance monitoring
Modem sweeps several times a year

Security Monitoring and Response

Incident Response Process

Intrusion Detection Monitoring

Enterprise Security Monitor

Enterprise Security Reporter

RACF Reports

Anti-Virus Response Team

Internet Response Team

Cyber Crime Investigation Organization

PruAdvisories

Annual Self-Assessments of the Security Program

Security Community (Internal)

Business Information Security Officers
Security Administrators
Program Management
CTS Engineering and Operations
Senior Management Involvement

The community works together to:
  Develop and implement standards, procedures, guidelines and processes to support the security program; and
  Project work to address risks and emerging threats.

Security Community Overview

Every Associate has an accountability

Management is held accountable

Support organizations implement

Each business and functional area has a security office

It’s part of the BAU process

Security is becoming part of the culture.

External Security Participation

Information Systems Security Sharing Forum (ITSSF)
InfraGard
Information Systems Security Association (ISSA)
State of NJ Cyber-terrorism Task Force
The Research Board

Security Program Effectiveness

Stopping SPAM
  Prudential uses a spam/profanity filter for inbound Internet e-mail. Currently we are blocking about 90,000 spam emails a day (about 35% of all inbound internet mail).
Stopping VIRUSES
  Weekly – we stop between 800 and 1,000 viruses at our e-mail gateway.
  Weekly – we detect and clean 900 – 1,200 viruses on the desktops and servers.
  Occasionally we detect and clean upwards of 25,000 viruses on desktops and servers.

Security Program Observations

Awareness is a key component

Benchmarking helps make the program stronger

Making security part of everyone’s job is key

Technology is important, but the people are more important

Security experts are valuable, but so are other technology experts

It takes everyone to make it work!

Emerging Areas of Focus

Instant Messaging

Wireless Devices (PDA, Cellphones, etc.)

Outsourcing

Mergers & Acquisitions

New / Changes in Laws

Avoiding the Hype

Understand your business risks

Understand the potential business impact

Understand what your peers are doing

Understand the relevance of the threats

Understand your capabilities

Understand your organization's culture

Security is a business issue and risk.

Questions

Alert Resources

CERT - Computer Emergency Response Team, Carnegie Mellon
BugTraq
Security Wire Digest
Web Alert - METASeS
DefenseONE Command Center
Microsoft Product Security
InfraGard
FIRST
AVIEN - AntiVirus Information Exchange Network
McAfee & Sophos - AntiVirus vendor alerts

Thank you.

Questions, comments?