The Information Security Program at Prudential Financial Ken Tyminski Vice President and Chief Information Security Officer, The Prudential Insurance Company of America - PowerPoint PPT Presentation

About This Presentation

Title:

The Information Security Program at Prudential Financial Ken Tyminski Vice President and Chief Information Security Officer, The Prudential Insurance Company of America

Description:

A Framework for Addressing Security and Managing Business Risk The Information Security Program at Prudential Financial Ken Tyminski Vice President and Chief ... – PowerPoint PPT presentation

Number of Views:467

Avg rating:3.0/5.0

Slides: 32

Provided by: mediaTech

Category:

more less

Transcript and Presenter's Notes

Title: The Information Security Program at Prudential Financial Ken Tyminski Vice President and Chief Information Security Officer, The Prudential Insurance Company of America

1
The Information Security Programat Prudential
FinancialKen TyminskiVice President and Chief
Information Security Officer, The Prudential
Insurance Company of America

A Framework for
Addressing Security and
Managing Business Risk

2
Creating the Framework

Prudential Background Information
The Changing Environment
Components of the Program
The Security Community
Addressing the Business Risk

3
Prudential Background

Founded in 1875
Prudential Financial, Inc.'s Common Stock began
trading on December 13, 2001 on NYSE under the
symbol "PRU."
15 million customers in the US and
internationally
Total consolidated 2002 annual revenues of 26.7
billion
Total assets under management of approximately
422 billion as of June 30, 2003
Operating in over 30 foreign countries

4
Prudential Financial IT Facts

2 large Data Centers in US, 2 in Japan
5,000 Servers in US
Most international locations have small data
centers
Large Global Network
1,347 Network nodes (routers)
2,400 VLANs

5
The Changing Environment

Our business is going through significant change
The markets we operate
Company Structure and Growth
Technology we use
Business Risk is changing
Mergers/Acquisitions
Divestitures
Operation model
Outsourcers
Third Parties and Partners
Technology Risks are increasing
Regulatory change

6
Threat Sources

External
Hackers / Crackers
Fame
Financial Gain
Hired for Industrial Espionage
Hacker wannabes

Internal
Disgruntled Employees
Trusted Insiders
Financial gain
Unintentional errors
Poor password selection
Virus introduction

7
Some Recent Headlines

Credit Card Server Hacked at 'Greenville News'
Editor Publisher Online 07/28/2003
Graduate Student Steals 60 Identities at
University of Michigan
Michigan Attorney General 8/01/2003
Kentucky State Auditor Says Hackers Infiltrated
Agency Network
Network World Fusion 07/30/03
Former Telecast Fiber Worker Pleads Guilty to
Hacking
Boston Business Journal 08/04/2003
Missing Computer Adds to Airport Screeners' Woes
Newsday 7/20/2003

8
How Organizations are Responding

FTC expands its consumer privacy initiatives
Homeland Security Enhances programs designed to
protect the U.S. financial system against
criminal exploitation
Businesses developing and enhancing Security
Programs
Terrorist Threat Integration Center (TTIC) to
share information among federal agencies

9
The Security Program

Security Architecture
Policies, Standards, Procedures and Processes
Security Tools
Security Research
Security Awareness Program
Incident Response Teams
Security Community
Its not about the best technology!

10
(No Transcript)
11
(No Transcript)
12
Security Architecture

The architecture describes
The business context driving our approach to
protecting our operations and systems
Our core beliefs shaping our operations and
systems environment
Our security principles representing management's
preferences for the way operations and systems
are designed, developed and operated
The secure processes and capabilities supporting
our business objectives, capabilities and
strategies
The People, Processes and Technology needed to
operate securely

13
Security Life Cycle

Begins with Risk Assessments
Software Development Life Cycle (SDLC)
Component of all Project Management Plans
3rd-Party/ Vendor Security Assessments
Reviews and Monitoring
Internal Risk Management
Internal External Audits
Update Policies, Standards and Procedures

14
Policies, Standards, Procedures and Processes
cont..

Information Security Policy
Information Classification Policy(new)
Data Protection Policy(new)
Internet Policy
Virus Policy
Remote Access Policy
Software Use Policy
Customer Privacy Policy
E-Mail

15
Policies, Standards, Procedures and Processes, II

Control Standards
Foundation for all Security Standards
Engineering Specifications
Exception Process
Engineering Specifications
NT and Windows 2000
UNIX
Internet Infrastructure
Extranet
Remote Access
AS400

16
Policies, Standards, Procedures and Processes,
III

Terminations and Transfers
Emergency Access
Software Development Life Cycle (SDLC)
Business Group Self Assessment
Vendor Reviews

17
Security Tools

Authentication
SecurePass
SecurID
Windows
Authorization
Access Manager
RACF
Administration
Tivoli Identity Manager
Vanguard

RACF
GetAccess
Windows Security Services
Enterprise Server Administrator (ESA)

18
Security Technology Deployed

Confidentiality
Lotus Notes Encryption
Secure Shell (SSH)
PGP encryption tool
Monitoring / Enforcement
IntruVert
Sygate
Solar Winds
Enterprise Server Manager (ESM)
Enterprise Server Reporter (ESR)
Enterprise Policy Orchestra (EPO)

19
Security Awareness

12-month program
Outside research and trend analysis
Web site
Presentations targeted to specific audiences
New Employees
Security Community
In-service Training
Inter-Office E-Mail Communications
National Computer Security Awareness Day
Computer-Based Training (CBT)

20
Vulnerability Assessment and Scanning

Twice a year we conduct a penetration and
vulnerability test.
Ongoing mapping of the network
Access review scans periodically performed
Ongoing policy compliance monitoring
Modem sweeps several times a year

21
Security Monitoring and Response

Incident Response Process
Intrusion Detection Monitoring
Enterprise Security Monitor
Enterprise Security Reporter
RACF Reports
Anti-Virus Response Team
Internet Response Team
Cyber Crime Investigation Organization
PruAdvisories
Annual Self-Assessments of the Security Program

22
Security Community (Internal)

Business Information Security Officers
Security Administrators
Program Management
CTS Engineering and Operations
Senior Management Involvement
The community works together to
Develop and implement standards, procedures,
guidelines and processes to support the security
program and
Project work to address risks and emerging
threats.

23
Security Community Overview

Every Associate has an accountability
Management is held accountable
Support organizations implement
Each business and functional area has a security
office
Its part of the BAU process
Security is becoming part of the culture.

24
External Security Participation

Information Systems Security Sharing Forum
(ITSSF)
InfraGard
Information Systems Security Association (ISSA)
State of NJ Cyber-terrorism Task Force
The Research Board

25
Security Program Effectiveness

Stopping SPAM
Prudential uses a spam/profanity filter for
inbound Internet e-mail.
Currently we are blocking about 90,000 spam
emails a day (about 35 of all inbound internet
mail).
Stopping VIRUSES
Weekly we stop between 800 to 1,000 viruses at
our
e-mail gateway.
Weekly we detect and clean 900 1,200 viruses
on the desktops and servers.
Occasionally we detect and clean upwards of
25,000 viruses on desktops and servers.

26
Security Program Observations