Security Governance Technology Executive Club - PowerPoint PPT Presentation

Description: Explain how Wrigley's Information Security foundation is standards based ... Wrigley's Security Program: ... value into Wrigley's Initiatives. Physical/Logical ... (PowerPoint PPT presentation)

Slides: 22
Provided by: wmwrigl
Transcript and Presenter's Notes

Slide 1: Security Governance, Technology Executive Club
Patti Suarez, CISSP, Global Information Security Manager, Wm. Wrigley Jr. Company
Slide 2: About the presenter, Patti Suarez
  • Global Information Security Manager for Wm. Wrigley Jr. Company
  • 15 years of experience in information security, with the financial services, health care and telecommunications industries
  • Certified Information System Security Specialist
  • Graduate of Roosevelt University, B.S. Telcom
Slide 3: Objectives for today's presentation
Informative:
  • What are the drivers for Information Security at Wrigley?
  • Explain how Wrigley's Information Security foundation is standards based
  • Recent threat statistics
  • Wrigley's Global Information Security Model
Slide 4: The Time for Information Security is Now
  • External Drivers
    • Changing customer structures
    • E-commerce opportunities
    • Changing market expectations
    • Technology development
  • Internal Drivers
    • Desire to meet changing customer needs and increase speed-to-market
    • Need for global information sharing

Slide 5: Information Security is not just technology
Wrigley's Security Program: an integrated approach to selecting and deploying tools, operational processes and organizational roles.
  • Regulations have placed the final accountability for securing corporate and customer information on the shoulders of the Board of Directors:
    • Gramm-Leach-Bliley
    • HIPAA
    • EU Privacy
    • Duty to Disclose Security Breach (CA)
    • COPPA (Children's Online Privacy Protection Act)
    • Sarbanes-Oxley Act
    • Federal Information Security Management Act

Slide 6: Information Security is not just technology
  • Everyone in Wrigley needs to have a basic understanding of information security requirements.
  • Specific responsibilities across the organization need to be clear.
Slide 7: The Threats Are Real
  • Three percent of online sales will be lost because of credit card fraud. (Dec 05, 2002)
  • More than 7,000 viruses detected this year. (Dec 12, 2002)
  • Internet attacks against public and private organizations jumped 28 percent from January to June 2002. (Oct 24, 2002)
  • Roughly 180,000 Internet-based attacks hit U.S. businesses in the first half of 2002. (Jul 09, 2002)
  • Security breaches occur at 85% of U.S. businesses and government organizations. (Mar 13, 2001)
  • Reports on inside security breaches up 7 percentage points over 2000. (Oct 16, 2001)
Source: CSO Magazine
Slide 8: Wrigley's Information Security Mission
The Global IT Security mission is to provide information security leadership, direction and guidance through mutual understanding of business enablers and tolerance of risk. We will accomplish this by implementing industry standards in the areas of perimeter defense, risk mitigation, policy creation, education, awareness, monitoring and response to security events. Through security best practices we will ensure the confidentiality, availability, and integrity of our systems and data in the areas of people, technology and process.
Slide 9: Information Security drives value into Wrigley's Initiatives
  • Increases shareholder value
  • Protects brand
  • Brings value to business relationships
Trusted Computing: Security Program, Physical/Logical Access Controls
Slide 10: Wrigley's Information Security Program, Based On International Standards
ISO 17799, an internationally recognized information security standard:
  • A comprehensive set of controls comprising best practices in information security.
  • Intended to serve as a single reference point for identifying a range of controls needed for most situations where information systems are used in industry and commerce.
  • Facilitates trading in a trusted environment.
Slide 11: Wrigley's Information Security Model
Elements: Governance, Operations, Architecture
Layers: Prevention, Detection, Verification, Response
Slide 12: Information Security Program Elements
Governance: Defining and overseeing the program
  • Security policy, standards and guidelines
  • Organizational roles and responsibilities
  • Assessment of risk and security plans to control it
  • Metrics and processes to determine how well the organization is adhering to information security policies, processes, procedures and guidelines
  • Access controls: who has access to sensitive systems and data
  • Security awareness programs
Slide 13: ISO 17799 BENCHMARKING IN THE AREA OF ORGANIZATIONAL SECURITY
  • Is there a liaison with external information security personnel and organizations, including industry and/or government security specialists, law enforcement authorities, IT service providers and telecommunications authorities?
  • Has a process been established to coordinate implementation of information security measures?
  • Has a management approval process been established to authorize new IT facilities from both a business and technical standpoint?
  • Has a capability been established that provides specialized information security advice?
  • Are responsibilities for accomplishment of information security requirements clearly defined?
  • Has a forum been established to oversee and represent information security?
Slide 14: ISO 17799 BENCHMARKING IN THE AREA OF ORGANIZATIONAL SECURITY (Continued)
  • Have the security requirements of the information owners been addressed in a contract between the owners and the outsource organization?
  • Has an independent review of information security practices been conducted to ensure feasibility, effectiveness, and compliance with written policies?
  • Are security requirements included in formal third party contracts?
  • Have third party connection risks been analyzed?
  • Have specific security measures been identified to combat third party connection risks?
Slide 15: Information Security Program Elements
Operations: Administering and enforcing
  • Information Security policies and access controls
  • Controls for physical/logical access to information assets
  • Processes and procedures to minimize the likelihood of disruptions, recover from disasters, and respond to security incidents
Slide 16: Information Security Program Elements
Architecture: Designing and implementing
  • Development methodology for secure information systems
  • Systems and controls that limit the risk of unauthorized access to business assets
Slide 17: Information Security Layers
Across the enterprise there should be layers of protection to ensure that the risks are managed effectively. Each security layer supports the next to minimize the probability of security problems and minimize the exposure Wrigley faces when incidents do occur.
  • Prevention: Protecting information through effective use of technology, processes and organizational responsibilities to limit the potential of a threat being realized.
  • Detection: Manual and automated mechanisms to identify and isolate security problems. This includes active and passive monitors and analytical procedures.
Slide 18: Information Security Layers (Continued)
  • Verification: Manual and automated mechanisms to ensure that required security measures are in place. This can take forms including vulnerability assessments, audit and monitoring tools.
  • Response: When prevention measures fail, Wrigley needs a rapid, pragmatic response capability. This requires planning for containment, triage and direct response.
Slide 19: Information Security Fronts
Information Security is not just a technology problem. There is no silver bullet to make a dramatic improvement in the security posture of Wrigley. The posture depends on developing, enforcing and maintaining safe computing practices on the unified fronts of Tools, Processes and Roles.
  • Processes: Establishing repeatable solutions or compensating controls for business risks, ensuring that they are measured regularly, and periodically aligning business and information security goals.
  • Roles: Creating the roles that ensure clear responsibilities and accountability in business units, the Information Security organization, suppliers and business partners. Eliminating gaps and reducing overlaps to ensure that requirements are met.
  • Tools: Protecting information through effective use of technology (e.g. firewalls, authentication and authorization mechanisms) that results in reusable solutions to business risk scenarios.
Slide 20: Wrigley's Security Program In Perspective
Information Security Vision and Strategy, shaped by:
  • Business Initiatives
  • Threats
  • Enterprise Architecture Strategy
  • Legislation
Program components:
  • Vulnerability Risk Assessment
  • Security Policy
  • Senior Management Commitment
  • Training and Awareness
  • Security Architecture and Technical Standards
  • Administrative and End-User Guidelines and Procedures
  • Enforcement Process
  • Monitoring Process
  • Recovery Process
  • Information Security Management
Slide 21: Information Security drives value into Wrigley's Initiatives
  • Increases shareholder value
  • Protects brand
  • Brings value to business relationships
Trusted Computing: Security Program, Physical/Logical Access Controls