The Information Security Program at Prudential Financial Ken Tyminski Vice President and Chief Information Security Officer, The Prudential Insurance Company of America

1
The Information Security Program at Prudential Financial
Ken Tyminski, Vice President and Chief Information Security Officer, The Prudential Insurance Company of America
  • A Framework for Addressing Security and Managing Business Risk

2
Creating the Framework
  • Prudential Background Information
  • The Changing Environment
  • Components of the Program
  • The Security Community
  • Addressing the Business Risk

3
Prudential Background
  • Founded in 1875
  • Prudential Financial, Inc.'s Common Stock began
    trading on December 13, 2001 on NYSE under the
    symbol "PRU."
  • 15 million customers in the US and
    internationally
  • Total consolidated 2002 annual revenues of $26.7
    billion
  • Total assets under management of approximately
    $422 billion as of June 30, 2003
  • Operating in over 30 foreign countries

4
Prudential Financial IT Facts
  • 2 large Data Centers in US, 2 in Japan
  • 5,000 Servers in US
  • Most international locations have small data
    centers
  • Large Global Network
  • 1,347 Network nodes (routers)
  • 2,400 VLANs

5
The Changing Environment
  • Our business is going through significant change
      • The markets we operate in
      • Company Structure and Growth
      • Technology we use
  • Business Risk is changing
      • Mergers/Acquisitions
      • Divestitures
      • Operating model
      • Outsourcers
      • Third Parties and Partners
  • Technology Risks are increasing
  • Regulatory change

6
Threat Sources
  • External
      • Hackers / Crackers
          • Fame
          • Financial Gain
          • Hired for Industrial Espionage
      • Hacker wannabes
  • Internal
      • Disgruntled Employees
      • Trusted Insiders
          • Financial gain
      • Unintentional errors
          • Poor password selection
          • Virus introduction

7
Some Recent Headlines
  • Credit Card Server Hacked at 'Greenville News'
      • Editor & Publisher Online, 07/28/2003
  • Graduate Student Steals 60 Identities at
    University of Michigan
      • Michigan Attorney General, 08/01/2003
  • Kentucky State Auditor Says Hackers Infiltrated
    Agency Network
      • Network World Fusion, 07/30/2003
  • Former Telecast Fiber Worker Pleads Guilty to
    Hacking
      • Boston Business Journal, 08/04/2003
  • Missing Computer Adds to Airport Screeners' Woes
      • Newsday, 07/20/2003

8
How Organizations are Responding
  • FTC expands its consumer privacy initiatives
  • Homeland Security enhances programs designed to
    protect the U.S. financial system against
    criminal exploitation
  • Businesses developing and enhancing Security
    Programs
  • Terrorist Threat Integration Center (TTIC) to
    share information among federal agencies

9
The Security Program
  • Security Architecture
  • Policies, Standards, Procedures and Processes
  • Security Tools
  • Security Research
  • Security Awareness Program
  • Incident Response Teams
  • Security Community
  • It's not about the best technology!

12
Security Architecture
  • The architecture describes:
      • The business context driving our approach to
        protecting our operations and systems
      • Our core beliefs shaping our operations and
        systems environment
      • Our security principles representing management's
        preferences for the way operations and systems
        are designed, developed and operated
      • The secure processes and capabilities supporting
        our business objectives, capabilities and
        strategies
      • The People, Processes and Technology needed to
        operate securely

13
Security Life Cycle
  • Begins with Risk Assessments
  • Software Development Life Cycle (SDLC)
  • Component of all Project Management Plans
  • 3rd-Party/ Vendor Security Assessments
  • Reviews and Monitoring
  • Internal Risk Management
  • Internal & External Audits
  • Update Policies, Standards and Procedures

14
Policies, Standards, Procedures and Processes (cont.)
  • Information Security Policy
  • Information Classification Policy (new)
  • Data Protection Policy (new)
  • Internet Policy
  • Virus Policy
  • Remote Access Policy
  • Software Use Policy
  • Customer Privacy Policy
  • E-Mail

15
Policies, Standards, Procedures and Processes, II
  • Control Standards
      • Foundation for all Security Standards
      • Engineering Specifications
      • Exception Process
  • Engineering Specifications
      • NT and Windows 2000
      • UNIX
      • Internet Infrastructure
      • Extranet
      • Remote Access
      • AS400

16
Policies, Standards, Procedures and Processes, III
  • Terminations and Transfers
  • Emergency Access
  • Software Development Life Cycle (SDLC)
  • Business Group Self Assessment
  • Vendor Reviews

17
Security Tools
  • Authentication
      • SecurePass
      • SecurID
      • Windows
  • Authorization
      • Access Manager
      • RACF
  • Administration
      • Tivoli Identity Manager
      • Vanguard
      • RACF
      • GetAccess
      • Windows Security Services
      • Enterprise Server Administrator (ESA)

18
Security Technology Deployed
  • Confidentiality
      • Lotus Notes Encryption
      • Secure Shell (SSH)
      • PGP encryption tool
  • Monitoring / Enforcement
      • IntruVert
      • Sygate
      • Solar Winds
      • Enterprise Server Manager (ESM)
      • Enterprise Server Reporter (ESR)
      • Enterprise Policy Orchestra (EPO)

19
Security Awareness
  • 12-month program
  • Outside research and trend analysis
  • Web site
  • Presentations targeted to specific audiences
  • New Employees
  • Security Community
  • In-service Training
  • Inter-Office E-Mail Communications
  • National Computer Security Awareness Day
  • Computer-Based Training (CBT)

20
Vulnerability Assessment and Scanning
  • Twice a year we conduct a penetration and
    vulnerability test.
  • Ongoing mapping of the network
  • Access review scans periodically performed
  • Ongoing policy compliance monitoring
  • Modem sweeps several times a year

21
Security Monitoring and Response
  • Incident Response Process
  • Intrusion Detection Monitoring
  • Enterprise Security Monitor
  • Enterprise Security Reporter
  • RACF Reports
  • Anti-Virus Response Team
  • Internet Response Team
  • Cyber Crime Investigation Organization
  • PruAdvisories
  • Annual Self-Assessments of the Security Program

22
Security Community (Internal)
  • Business Information Security Officers
  • Security Administrators
  • Program Management
  • CTS Engineering and Operations
  • Senior Management Involvement
  • The community works together to:
      • Develop and implement standards, procedures,
        guidelines and processes to support the security
        program, and
      • Project work to address risks and emerging
        threats.

23
Security Community Overview
  • Every Associate has an accountability
  • Management is held accountable
  • Support organizations implement
  • Each business and functional area has a security
    office
  • It's part of the business-as-usual (BAU) process
  • Security is becoming part of the culture.

24
External Security Participation
  • Information Systems Security Sharing Forum
    (ITSSF)
  • InfraGard
  • Information Systems Security Association (ISSA)
  • State of NJ Cyber-terrorism Task Force
  • The Research Board

25
Security Program Effectiveness
  • Stopping SPAM
      • Prudential uses a spam/profanity filter for
        inbound Internet e-mail.
      • Currently we are blocking about 90,000 spam
        e-mails a day (about 35% of all inbound Internet
        mail).
  • Stopping VIRUSES
      • Weekly we stop between 800 and 1,000 viruses at
        our e-mail gateway.
      • Weekly we detect and clean 900 to 1,200 viruses
        on the desktops and servers.
      • Occasionally we detect and clean upwards of
        25,000 viruses on desktops and servers.

26
Security Program Observations
  • Awareness is a key component
  • Benchmarking helps make the program stronger
  • Making security part of everyone's job is key
  • Technology is important, but the people are more
    important
  • Security experts are valuable, but so are other
    technology experts
  • It takes everyone to make it work!

27
Emerging Areas of Focus
  • Instant Messaging
  • Wireless Devices (PDA, Cellphones, etc.)
  • Outsourcing
  • Mergers & Acquisitions
  • New / Changes in Laws

28
Avoiding the Hype
  • Understand your business risks
  • Understand the potential business impact
  • Understand what your peers are doing
  • Understand the relevance of the threats
  • Understand your capabilities
  • Understand your organization's culture
  • Security is a business issue and risk.

29
Questions
30
Alert Resources
  • CERT - Computer Emergency Response Team, Carnegie
    Mellon
  • BugTraq
  • Security Wire Digest
  • Web Alert - METASeS DefenseONE Command Center
  • Microsoft Product Security
  • InfraGard
  • FIRST
  • AVIEN - AntiVirus Information Exchange Network
  • McAfee & Sophos - AntiVirus vendor alerts

31
Thank you. Questions, comments?