310 likes | 467 Views
The Information Security Program at Prudential Financial Ken Tyminski Vice President and Chief Information Security Officer, The Prudential Insurance Company of America. A Framework for Addressing Security and Managing Business Risk. Creating the Framework. Prudential Background Information
E N D
The Information Security Programat Prudential FinancialKen TyminskiVice President and Chief Information Security Officer, The Prudential Insurance Company of America A Framework for Addressing Security and Managing Business Risk
Creating the Framework • Prudential Background Information • The Changing Environment • Components of the Program • The Security Community • Addressing the Business Risk
Prudential Background • Founded in 1875 • Prudential Financial, Inc.'s Common Stock began trading on December 13, 2001 on NYSE under the symbol "PRU." • 15 million customers in the US and internationally • Total consolidated 2002 annual revenues of $26.7 billion • Total assets under management of approximately $422 billion as of June 30, 2003 • Operating in over 30 foreign countries
Prudential Financial – IT Facts • 2 large Data Centers in US, 2 in Japan • 5,000 Servers in US • Most international locations have small data centers • Large Global Network • 1,347 Network nodes (routers) • 2,400 VLANs
The Changing Environment • Our business is going through significant change • The markets we operate • Company Structure and Growth • Technology we use • Business Risk is changing • Mergers/Acquisitions • Divestitures • Operation model • Outsourcers • Third Parties and Partners • Technology Risks are increasing • Regulatory change
Threat Sources External • Hackers / Crackers • Fame • Financial Gain • Hired for Industrial Espionage • Hacker “wannabes” Internal • Disgruntled Employees • Trusted Insiders • Financial gain • Unintentional errors • Poor password selection • Virus introduction
Some Recent Headlines…… Credit Card Server Hacked at 'Greenville News' • Editor & Publisher Online 07/28/2003 Graduate Student Steals 60 Identities at University of Michigan • Michigan Attorney General 8/01/2003 Kentucky State Auditor Says Hackers Infiltrated Agency Network • Network World Fusion 07/30/03 Former Telecast Fiber Worker Pleads Guilty to Hacking • Boston Business Journal 08/04/2003 Missing Computer Adds to Airport Screeners' Woes • Newsday 7/20/2003
How Organizations are Responding • FTC expands its consumer privacy initiatives • Homeland Security – Enhances programs designed to protect the U.S. financial system against criminal exploitation • Businesses developing and enhancing Security Programs • Terrorist Threat Integration Center (TTIC) to share information among federal agencies
The Security Program • Security Architecture • Policies, Standards, Procedures and Processes • Security Tools • Security Research • Security Awareness Program • Incident Response Teams • Security Community It’s not about the best technology!
Security Architecture • The architecture describes: • The business context driving our approach to protecting our operations and systems • Our core beliefs shaping our operations and systems environment • Our security principles representing management's preferences for the way operations and systems are designed, developed and operated • The secure processes and capabilities supporting our business objectives, capabilities and strategies The People, Processes and Technology needed to operate securely
Security Life Cycle • Begins with Risk Assessments • Software Development Life Cycle (SDLC) • Component of all Project Management Plans • 3rd-Party/ Vendor Security Assessments • Reviews and Monitoring • Internal Risk Management • Internal & External Audits • Update Policies, Standards and Procedures
Policies, Standards, Procedures and Processes cont.. • Information Security Policy • Information Classification Policy(new) • Data Protection Policy(new) • Internet Policy • Virus Policy • Remote Access Policy • Software Use Policy • Customer Privacy Policy • E-Mail
Policies, Standards, Procedures and Processes, II • Control Standards • Foundation for all Security Standards • Engineering Specifications • Exception Process • Engineering Specifications • NT and Windows 2000 • UNIX • Internet Infrastructure • Extranet • Remote Access • AS400
Policies, Standards, Procedures and Processes, III • Terminations and Transfers • Emergency Access • Software Development Life Cycle (SDLC) • Business Group Self Assessment • Vendor Reviews
Authentication SecurePass SecurID Windows Authorization Access Manager RACF Administration Tivoli Identity Manager Vanguard RACF GetAccess Windows Security Services Enterprise Server Administrator (ESA) Security Tools
Security Technology Deployed • Confidentiality • Lotus Notes Encryption • Secure Shell (SSH) • PGP encryption tool • Monitoring / Enforcement • IntruVert • Sygate • Solar Winds • Enterprise Server Manager (ESM) • Enterprise Server Reporter (ESR) • Enterprise Policy Orchestra (EPO)
Security Awareness • 12-month program • Outside research and trend analysis • Web site • Presentations targeted to specific audiences • New Employees • Security Community • In-service Training • Inter-Office E-Mail Communications • National Computer Security Awareness Day • Computer-Based Training (CBT)
Vulnerability Assessment and Scanning • Twice a year we conduct a penetration and vulnerability test. • Ongoing mapping of the network • Access review scans periodically performed • Ongoing policy compliance monitoring • Modem sweeps several times a year
Security Monitoring and Response • Incident Response Process • Intrusion Detection Monitoring • Enterprise Security Monitor • Enterprise Security Reporter • RACF Reports • Anti-Virus Response Team • Internet Response Team • Cyber Crime Investigation Organization • PruAdvisories • Annual Self-Assessments of the Security Program
Security Community (Internal) • Business Information Security Officers • Security Administrators • Program Management • CTS Engineering and Operations • Senior Management Involvement • The community works together to: • Develop and implement standards, procedures, guidelines and processes to support the security program; and • Project work to address risks and emerging threats.
Security Community Overview • Every Associate has an accountability • Management is held accountable • Support organizations implement • Each business and functional area has a security office • It’s part of the BAU process Security is becoming part of the culture.
External Security Participation • Information Systems Security Sharing Forum (ITSSF) • InfraGard • Information Systems Security Association (ISSA) • State of NJ Cyber-terrorism Task Force • The Research Board
Security Program Effectiveness • Stopping SPAM • Prudential uses a spam/profanity filter for inbound Internet e-mail. • Currently we are blocking about 90,000 spam emails a day (about 35% of all inbound internet mail). • Stopping VIRUSES • Weekly – we stop between 800 to 1,000 viruses at our • e-mail gateway. • Weekly – we detect and clean 900 – 1,200 viruses on the desktops and servers. • Occasionally we detect and clean upwards of 25,000 viruses on desktops and servers.
Security Program Observations • Awareness is a key component • Benchmarking helps make the program stronger • Making security part of everyone’s job is key • Technology is important, but the people are more important • Security experts are valuable, but so are other technology experts It takes everyone to make it work!
Emerging Areas of Focus • Instant Messaging • Wireless Devices (PDA, Cellphones, etc.) • Outsourcing • Mergers & Acquisitions • New / Changes in Laws
Avoiding the Hype • Understand your business risks • Understand the potential business impact • Understand what your peers are doing • Understand the relevance of the threats • Understand your capabilities • Understand your organizations culture Security is a business issue and risk.
Alert Resources • CERT - Computer Emergency Response Team, Carnegie Mellon • BugTraq • Security Wire Digest • Web Alert - METASeS DefenseONE Command Center • Microsoft Product Security • InfraGard • FIRST • AVIEN - AntiVirus Information Exchange Network • McAfee & Sophos - AntiVirus vendor alerts