The Information Security Program at Prudential Financial Ken Tyminski Vice President and Chief Information Security Officer, The Prudential Insurance Company of America - PowerPoint PPT Presentation

Loading...

PPT – The Information Security Program at Prudential Financial Ken Tyminski Vice President and Chief Information Security Officer, The Prudential Insurance Company of America PowerPoint presentation | free to download - id: 4a2151-NjY5M



Loading


The Adobe Flash plugin is needed to view this content

Get the plugin now

View by Category
About This Presentation
Title:

The Information Security Program at Prudential Financial Ken Tyminski Vice President and Chief Information Security Officer, The Prudential Insurance Company of America

Description:

A Framework for Addressing Security and Managing Business Risk The Information Security Program at Prudential Financial Ken Tyminski Vice President and Chief ... – PowerPoint PPT presentation

Number of Views:222
Avg rating:3.0/5.0
Slides: 32
Provided by: mediaTech
Learn more at: http://media.techtarget.com
Category:

less

Write a Comment
User Comments (0)
Transcript and Presenter's Notes

Title: The Information Security Program at Prudential Financial Ken Tyminski Vice President and Chief Information Security Officer, The Prudential Insurance Company of America


1
The Information Security Programat Prudential
FinancialKen TyminskiVice President and Chief
Information Security Officer, The Prudential
Insurance Company of America
  • A Framework for
  • Addressing Security and
  • Managing Business Risk

2
Creating the Framework
  • Prudential Background Information
  • The Changing Environment
  • Components of the Program
  • The Security Community
  • Addressing the Business Risk

3
Prudential Background
  • Founded in 1875
  • Prudential Financial, Inc.'s Common Stock began
    trading on December 13, 2001 on NYSE under the
    symbol "PRU."
  • 15 million customers in the US and
    internationally
  • Total consolidated 2002 annual revenues of 26.7
    billion
  • Total assets under management of approximately
    422 billion as of June 30, 2003
  • Operating in over 30 foreign countries

4
Prudential Financial IT Facts
  • 2 large Data Centers in US, 2 in Japan
  • 5,000 Servers in US
  • Most international locations have small data
    centers
  • Large Global Network
  • 1,347 Network nodes (routers)
  • 2,400 VLANs

5
The Changing Environment
  • Our business is going through significant change
  • The markets we operate
  • Company Structure and Growth
  • Technology we use
  • Business Risk is changing
  • Mergers/Acquisitions
  • Divestitures
  • Operation model
  • Outsourcers
  • Third Parties and Partners
  • Technology Risks are increasing
  • Regulatory change

6
Threat Sources
  • External
  • Hackers / Crackers
  • Fame
  • Financial Gain
  • Hired for Industrial Espionage
  • Hacker wannabes
  • Internal
  • Disgruntled Employees
  • Trusted Insiders
  • Financial gain
  • Unintentional errors
  • Poor password selection
  • Virus introduction

7
Some Recent Headlines
  • Credit Card Server Hacked at 'Greenville News'
  • Editor Publisher Online 07/28/2003
  • Graduate Student Steals 60 Identities at
    University of Michigan
  • Michigan Attorney General 8/01/2003
  • Kentucky State Auditor Says Hackers Infiltrated
    Agency Network
  • Network World Fusion  07/30/03
  • Former Telecast Fiber Worker Pleads Guilty to
    Hacking
  • Boston Business Journal 08/04/2003
  • Missing Computer Adds to Airport Screeners' Woes
  • Newsday 7/20/2003

8
How Organizations are Responding
  • FTC expands its consumer privacy initiatives
  • Homeland Security Enhances programs designed to
    protect the U.S. financial system against
    criminal exploitation
  • Businesses developing and enhancing Security
    Programs
  • Terrorist Threat Integration Center (TTIC) to
    share information among federal agencies

9
The Security Program
  • Security Architecture
  • Policies, Standards, Procedures and Processes
  • Security Tools
  • Security Research
  • Security Awareness Program
  • Incident Response Teams
  • Security Community
  • Its not about the best technology!

10
(No Transcript)
11
(No Transcript)
12
Security Architecture
  • The architecture describes
  • The business context driving our approach to
    protecting our operations and systems
  • Our core beliefs shaping our operations and
    systems environment
  • Our security principles representing management's
    preferences for the way operations and systems
    are designed, developed and operated
  • The secure processes and capabilities supporting
    our business objectives, capabilities and
    strategies
  • The People, Processes and Technology needed to
    operate securely

13
Security Life Cycle
  • Begins with Risk Assessments
  • Software Development Life Cycle (SDLC)
  • Component of all Project Management Plans
  • 3rd-Party/ Vendor Security Assessments
  • Reviews and Monitoring
  • Internal Risk Management
  • Internal External Audits
  • Update Policies, Standards and Procedures

14
Policies, Standards, Procedures and Processes
cont..
  • Information Security Policy
  • Information Classification Policy(new)
  • Data Protection Policy(new)
  • Internet Policy
  • Virus Policy
  • Remote Access Policy
  • Software Use Policy
  • Customer Privacy Policy
  • E-Mail

15
Policies, Standards, Procedures and Processes, II
  • Control Standards
  • Foundation for all Security Standards
  • Engineering Specifications
  • Exception Process
  • Engineering Specifications
  • NT and Windows 2000
  • UNIX
  • Internet Infrastructure
  • Extranet
  • Remote Access
  • AS400

16
Policies, Standards, Procedures and Processes,
III
  • Terminations and Transfers
  • Emergency Access
  • Software Development Life Cycle (SDLC)
  • Business Group Self Assessment
  • Vendor Reviews

17
Security Tools
  • Authentication
  • SecurePass
  • SecurID
  • Windows
  • Authorization
  • Access Manager
  • RACF
  • Administration
  • Tivoli Identity Manager
  • Vanguard
  • RACF
  • GetAccess
  • Windows Security Services
  • Enterprise Server Administrator (ESA)

18
Security Technology Deployed
  • Confidentiality
  • Lotus Notes Encryption
  • Secure Shell (SSH)
  • PGP encryption tool
  • Monitoring / Enforcement
  • IntruVert
  • Sygate
  • Solar Winds
  • Enterprise Server Manager (ESM)
  • Enterprise Server Reporter (ESR)
  • Enterprise Policy Orchestra (EPO)

19
Security Awareness
  • 12-month program
  • Outside research and trend analysis
  • Web site
  • Presentations targeted to specific audiences
  • New Employees
  • Security Community
  • In-service Training
  • Inter-Office E-Mail Communications
  • National Computer Security Awareness Day
  • Computer-Based Training (CBT)

20
Vulnerability Assessment and Scanning
  • Twice a year we conduct a penetration and
    vulnerability test.
  • Ongoing mapping of the network
  • Access review scans periodically performed
  • Ongoing policy compliance monitoring
  • Modem sweeps several times a year

21
Security Monitoring and Response
  • Incident Response Process
  • Intrusion Detection Monitoring
  • Enterprise Security Monitor
  • Enterprise Security Reporter
  • RACF Reports
  • Anti-Virus Response Team
  • Internet Response Team
  • Cyber Crime Investigation Organization
  • PruAdvisories
  • Annual Self-Assessments of the Security Program

22
Security Community (Internal)
  • Business Information Security Officers
  • Security Administrators
  • Program Management
  • CTS Engineering and Operations
  • Senior Management Involvement
  • The community works together to
  • Develop and implement standards, procedures,
    guidelines and processes to support the security
    program and
  • Project work to address risks and emerging
    threats.

23
Security Community Overview
  • Every Associate has an accountability
  • Management is held accountable
  • Support organizations implement
  • Each business and functional area has a security
    office
  • Its part of the BAU process
  • Security is becoming part of the culture.

24
External Security Participation
  • Information Systems Security Sharing Forum
    (ITSSF)
  • InfraGard
  • Information Systems Security Association (ISSA)
  • State of NJ Cyber-terrorism Task Force
  • The Research Board

25
Security Program Effectiveness
  • Stopping SPAM
  • Prudential uses a spam/profanity filter for
    inbound Internet e-mail.
  • Currently we are blocking about 90,000 spam
    emails a day (about 35 of all inbound internet
    mail).
  • Stopping VIRUSES
  • Weekly we stop between 800 to 1,000 viruses at
    our
  • e-mail gateway.
  • Weekly we detect and clean 900 1,200 viruses
    on the desktops and servers.
  • Occasionally we detect and clean upwards of
    25,000 viruses on desktops and servers.

26
Security Program Observations
  • Awareness is a key component
  • Benchmarking helps make the program stronger
  • Making security part of everyones job is key
  • Technology is important, but the people are more
    important
  • Security experts are valuable, but so are other
    technology experts
  • It takes everyone to make it work!

27
Emerging Areas of Focus
  • Instant Messaging
  • Wireless Devices (PDA, Cellphones, etc.)
  • Outsourcing
  • Mergers Acquisitions
  • New / Changes in Laws

28
Avoiding the Hype
  • Understand your business risks
  • Understand the potential business impact
  • Understand what your peers are doing
  • Understand the relevance of the threats
  • Understand your capabilities
  • Understand your organizations culture
  • Security is a business issue and risk.

29
Questions
30
Alert Resources
  • CERT - Computer Emergency Response Team, Carnegie
    Mellon
  • BugTraq
  • Security Wire Digest
  • Web Alert - METASeS DefenseONE Command Center
  • Microsoft Product Security
  • InfraGard
  • FIRST
  • AVIEN - AntiVirus Information Exchange Network
  • McAfee Sophos - AntiVirus vendor alerts

31
Thank you.Questions, comments?
About PowerShow.com