IT Security and Privacy
Group Six: Nick Fieseler, Joe Fitzgerald, Cari Wegge, Josh Woodworth
IS 6800, Winter 2006
Dr. Mary Lacity, Professor

Page 2: 9/11

- Since the 9/11 terrorist attacks, the United States’ business assets and infrastructure are key targets and maybe even avenues for future attacks.
- Attacks through the Internet increased by 28% in the six months after 9/11.
- Other information security (IS) risks include natural disasters, which can destroy facilities and critical documents.
- Disaster recovery has become a $6 billion industry since 2001.

Lally, L. “Information Technology as a Target and Shield in the Post 9/11 Environment”, Information Resources Management Journal, Vol. 18, 1, Jan-March 2005, pp. 14-28.
http://www.TechNews.com, viewed on March 27, 2006.

Page 3: Post-9/11 IT Security

- Theft of trade secrets and information loss due to computer malfunctions can cause businesses to lose their competitive advantages.
- The 2004 CSI/FBI Computer Crime and Security Survey reported that computer security breaches caused $141,496,560 in total U.S. losses.

Lally, L. “Information Technology as a Target and Shield in the Post 9/11 Environment”, Information Resources Management Journal, Vol. 18, 1, Jan-March 2005, pp. 14-28.

Page 4: Post-9/11 IT Security

- Preparation, prevention, and recovery are now crucial practices for businesses using IT.
- Security and privacy is the third-ranked top management concern.
- Security technologies are one of the top six application and technology developments.

Luftman, J., and McLean, E., "Key Issues for IS Executives," MIS Quarterly Executive, Vol. 4, 2, 2005, pp. 269-286.

Page 5: Objectives

- Overview of IT Security and Privacy
- Case Study: Home Decorators
- Case Study: Express Scripts
- Comparisons and Similarities
- Best Practices
- Conclusion

Page 6: IT Security Importance

- According to a report released by the Government Accountability Office in late December 2005, the SEC has corrected or mitigated only eight of 51 weaknesses cited last year.
- The report said that efforts to improve FBI IT capabilities have failed so far.
- In 9/11 report recommendations from October 2005, President Bush was asked to lead a government-wide effort to improve IT in major national security institutions.
- As systems get more complex, they also become less secure.
- Security technologies are not improving quickly enough for business.

Lally, L. “Information Technology as a Target and Shield in the Post 9/11 Environment”, Information Resources Management Journal, Vol. 18, 1, Jan-March 2005, pp. 14-28.
Schneier, Bruce. Secrets & Lies: Digital Security in a Networked World, Wiley Publishing, Indianapolis, 2004.

Page 7: Planning for Security

Policies
- Never contradict law (Enron/Andersen Consulting)
- Quality security programs begin and end with policy
- Least expensive, but most difficult to implement properly
- IT security is 75% people and 25% technology

Whitman, Michael E. and Mattord, Herbert J., Principles of Information Security, Thomson Course Technology, Boston, 2005.

Page 8: IT Security Approaches

Bottom-Up Approach
- Advantage: technical expertise of grassroots users
- Disadvantage: seldom works; very little organizational staying power

Top-Down Approach
- Advantage: starts at the top and can flow down to all below
- Champion: CIO or VP-IT must gain executive buy-in
- Adopted and promoted by upper management

Whitman, Michael E. and Mattord, Herbert J., Principles of Information Security, Thomson Course Technology, Boston, 2005.

Page 9: Flow of IT Processes

From executives and the CIO down to users (organization chart shown on the slide).

http://www.icann.org/general/staff-organization-chart-22may03.gif

Page 10: Systems Risk

“The likelihood that the firm's information systems are insufficiently protected against certain kinds of damage or loss.”

Straub, D.W., Welke, R.J. “Coping with systems risk: Security planning models for management decision making”, MIS Quarterly, Vol. 22, 4; December 1998, pg. 441.

Page 11: Risk Management

Risk Management
  Risk Identification
    Inventorying Assets
    Classifying Assets
    Identifying Threats and Vulnerabilities
    Risk Assessment
  Risk Control
    Selecting Strategy
    Justifying Controls

Whitman, Michael E. and Mattord, Herbert J., Principles of Information Security, Thomson Course Technology, Boston, 2005.
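To make the flow on this slide concrete, here is an added Python example (not code from the presentation or from the Whitman and Mattord text) that walks the branches in order: inventory and classify two assets, pair each with a threat and a vulnerability, rank them in the assessment step, and then justify a control with a cost-benefit comparison. The asset names and dollar figures are constructed, and the annualised loss expectancy formula (asset value × exposure factor × annual rate of occurrence) is a standard textbook approach assumed here rather than anything the slide states.

```python
"""Worked illustration of risk identification -> assessment -> control.
Added example with constructed numbers; the ALE cost-benefit formula is a
common textbook approach, assumed here, not taken from the presentation."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    name: str
    classification: str   # e.g. "confidential", "internal", "public"
    value: float          # asset value in dollars (constructed)


@dataclass(frozen=True)
class Risk:
    asset: Asset
    threat: str
    vulnerability: str
    exposure_factor: float    # fraction of asset value lost per incident, 0..1
    annual_rate: float        # expected incidents per year (ARO)

    def ale(self):
        """Annualised loss expectancy = asset value * exposure factor * ARO."""
        return self.asset.value * self.exposure_factor * self.annual_rate


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float          # yearly cost of operating the control
    new_exposure_factor: float  # exposure factor once the control is in place
    new_annual_rate: float      # incident rate once the control is in place


def assess(risks):
    """Risk assessment step: rank identified risks by ALE, highest first."""
    return sorted(risks, key=lambda r: r.ale(), reverse=True)


def cost_benefit(risk, control):
    """Justify a control: ALE(before) - ALE(after) - annual control cost.
    A positive result means the control pays for itself, so the selected
    strategy is 'mitigate'; otherwise 'accept' (or look for a cheaper control)."""
    after = risk.asset.value * control.new_exposure_factor * control.new_annual_rate
    cba = risk.ale() - after - control.annual_cost
    strategy = "mitigate" if cba > 0 else "accept"
    return round(cba, 2), strategy


# Constructed inventory for a hypothetical catalog retailer (assumption).
CUSTOMER_DB = Asset("customer database", "confidential", 2_000_000)
WEB_STORE = Asset("web storefront", "internal", 500_000)

# Identified threat/vulnerability pairs (constructed).
RISKS = [
    Risk(CUSTOMER_DB, "external attacker", "unencrypted sensitive fields", 0.5, 0.1),
    Risk(WEB_STORE, "day-zero malware", "unpatched web server", 0.3, 1.0),
]

# Candidate control for the database risk (constructed figures).
FIELD_ENCRYPTION = Control("encrypt sensitive database fields", 30_000, 0.05, 0.1)

if __name__ == "__main__":
    for r in assess(RISKS):
        print(f"{r.asset.name:20s} [{r.asset.classification}] ALE = ${r.ale():,.0f}")
    print(cost_benefit(RISKS[0], FIELD_ENCRYPTION))
```

The ranking drives where the team spends attention first, and the cost-benefit figure is the number that has to be positive before a control is justified; an overpriced control for the same risk comes back as "accept", which is the signal to look for a cheaper one.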

Page 12: Three Levels of IT Security Policies

- EISP (Enterprise Information Security Policy)
- ISSP (Issue-Specific Security Policy)
- SysSP (Systems-Specific Policy)

Whitman, Michael E. and Mattord, Herbert J., Principles of Information Security, Thomson Course Technology, Boston, 2005.

Page 13: Enterprise Information Security Policy (EISP)

EISP directly supports:
- Organizational mission
- Executive/management vision
- Organizational strategic direction

Whitman, Michael E. and Mattord, Herbert J., Principles of Information Security, Thomson Course Technology, Boston, 2005.

Page 14: Issue-Specific Security Policy (ISSP)

- Addresses specific areas of technology: e-mail, Internet usage, minimum anti-virus protection
- Requires frequent updates (this can be related directly to companies)
- Contains a statement of the organization’s position on a specific issue

Whitman, Michael E. and Mattord, Herbert J., Principles of Information Security, Thomson Course Technology, Boston, 2005.

Page 15: Systems-Specific Policy (SysSP)

- Codified as standards and procedures to be used when configuring and maintaining systems
- Two main groups: Access Control Lists (ACLs) and configuration rules

Whitman, Michael E. and Mattord, Herbert J., Principles of Information Security, Thomson Course Technology, Boston, 2005.

Page 16: ACL Policies

Restricts access by:
- Who: username/password
- What: rights users have in the system
- When: users can have access
- Where: users can gain access
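As an added example (not code from the presentation or from either company it describes), the following Python sketch enforces the four dimensions listed on this slide: who, what, when and where. The user table, the permitted hours and the network ranges are constructed for illustration; authentication (checking the password) is assumed to have already happened, since an ACL decides authorization for an identity that has been established.

```python
"""Default-deny authorization check over the four ACL dimensions on the slide:
who (identity), what (rights), when (permitted hours), where (source networks).
Added example with constructed policy data; not from the original presentation."""
from dataclasses import dataclass
from datetime import datetime, time
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class AclEntry:
    user: str                                        # who
    rights: frozenset                                # what, e.g. {"read", "write"}
    hours: tuple = (time(0, 0), time(23, 59, 59))    # when: inclusive local-time window
    networks: tuple = ("0.0.0.0/0",)                 # where: permitted source CIDRs


# Constructed policy for a hypothetical order-entry system (assumption):
# alice may read and write, but only during office hours from the office LAN;
# bob is read-only, from the office LAN or a branch-office range.
ACL = {
    "alice": AclEntry("alice", frozenset({"read", "write"}),
                      hours=(time(8, 0), time(18, 0)),
                      networks=("10.20.0.0/16",)),
    "bob": AclEntry("bob", frozenset({"read"}),
                    networks=("10.20.0.0/16", "192.168.50.0/24")),
}


def authorize(user, right, when, source_ip, acl=ACL):
    """Return (allowed, reason). Every dimension must pass; anything else is denied.
    The reason names the first dimension that failed, which is what an audit log
    should record."""
    entry = acl.get(user)
    if entry is None:                                   # who: identity not in the ACL
        return False, "who: unknown user"
    if right not in entry.rights:                       # what: right not granted
        return False, f"what: {user} lacks '{right}'"
    start, end = entry.hours
    if not (start <= when.time() <= end):               # when: outside permitted hours
        return False, f"when: {when.time()} outside {start}-{end}"
    src = ip_address(source_ip)
    if not any(src in ip_network(n) for n in entry.networks):   # where: wrong network
        return False, f"where: {source_ip} not in permitted networks"
    return True, "allowed"


if __name__ == "__main__":
    office_hours = datetime(2006, 3, 2, 9, 30)
    print(authorize("alice", "write", office_hours, "10.20.5.7"))
    print(authorize("alice", "write", datetime(2006, 3, 2, 22, 0), "10.20.5.7"))
    print(authorize("bob", "write", office_hours, "10.20.5.7"))
    print(authorize("bob", "read", office_hours, "172.16.0.1"))
```

The check is deliberately ordered who, what, when, where and stops at the first failure; keeping the decision in one function with a reason string makes the deny path easy to log and audit, which matters more for ACL policy than the allow path.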

Page 17: Case Study: Knights Direct Catalog Group

What is Knights Direct?

Page 18: Company Overview

- About $300 million in combined sales
- Home Decorators started in 1991, Soft Surroundings in 1999
- Headquarters in Hazelwood, MO
- 1,200 employees

Page 19: Company Organizational Chart

President
  Director of IT
    Manager of Development
    Manager of Tech Services
      Security Administrator
      4 other system & network administrators
  Other Directors

Page 20: IT Background

- 30 employees
- IT budget is 1.5% of annual sales (in 2005, $4.5 million)
- 5 manager types, 15 developers, 3 technicians, 7 administrators

Page 21: IT Security Technologies

- Cisco firewalls and routers
- Cymtec Sentry intrusion protection system (IPS), Scout intrusion detection systems (IDS)
- Co-location for disaster recovery
- VPN (Virtual Private Network)

Jeff Nolle, Manager of Technical Services, interviewed in person by Josh Woodworth, March 2, 2006.

Page 22: Perceived Limitations

“We believe our various protection layers from different vendors protect us as best as practical. Even though we have dedicated quite a few resources, both financial and human, towards security, it allows us to run smoothly and confidently.”

- Manager of Technical Services

Jeff Nolle, Manager of Technical Services, interviewed in person by Josh Woodworth, March 2, 2006.

Page 23: Examples of Risk

- TrendMicro’s OfficeScan on every PC
- Virus-wall for all incoming & outgoing e-mail messages
- “Day-zero” attacks

Jeff Nolle, Manager of Technical Services, interviewed in person by Josh Woodworth, March 2, 2006.

Page 24: Future Security Plans

- Annual 3rd-party penetration tests
- Segmenting the local network
- Eliminate protocols that transmit data and passwords in clear text
- Encrypt database fields with sensitive data

Jeff Nolle, Manager of Technical Services, interviewed in person by Josh Woodworth, March 2, 2006.

Page 25: Lessons Learned

“Security isn’t a destination, but rather a journey. In order to continue smooth operations and gain the confidence of our customer base we need to make a complete commitment to security, and not take the issues lightly.”

- Security Administrator

Jeff Nolle, Manager of Technical Services, interviewed in person by Josh Woodworth, March 2, 2006.

Page 26: Case Study: Express Scripts, Inc.

What is Express Scripts (ESI)?

Page 27: Company Overview

- Founded in 1986
- Headquartered in St. Louis, Missouri
- Pharmacy Benefit Manager
- 13,000 employees
- $15.1 billion in revenue in 2004
- Ranked 137 on the Fortune 500 list
- NASDAQ 100
- Stock split in Summer 2005
- Subsidiaries include CuraScript and ESI Canada
- Customers include employers and insurers, generally very financially savvy

Page 28: IT Background

- One of Information Week’s 500 Most Technologically Progressive Companies
- 1,100 employees
- Three divisions: Application Development; Infrastructure and Architecture; and People, Process and Planning
- IS Security Officer: Mark Kinnunen
- Privacy Officer: Jennifer Goedeke
- Annual IT budget: $250 million (around 6% of the entire budget)
- Cost of running the Security Office: $1.5 million
- Cost of the current security functionality project: $1 million
- Ongoing security administration is embedded within each area’s support cost
- ESI relies heavily on IT to do business, from pharmacy claims processing to member website access
- Service Center is outsourced to EDS

Page 29: IT Organization

President and CEO
  COO
    Chief Information Officer
      Application Development
        Adjudication Services & Quality Assurance
        Client & Patient Services
        Specialty
        Canada
      Infrastructure & Architecture
        Chief Architect
        Infrastructure
        Performance & Reliability
      People, Process & Planning
        Human Resources
        Finance
        Strategy & Planning
      Director, Security Compliance
        14 Security Analysts

http://esinet/business/ip/ Viewed on March 8, 2006

Page 30: Information Protection at ESI

Information Protection (IP) is chartered to protect the information assets at Express Scripts. It is part of the Information Systems (IS) organization and reports to the Chief Information Officer.

Mission: To ensure the confidentiality, integrity and availability of Express Scripts' critical computer resources and assets while minimizing the impact of security policies and procedures on business productivity.

All employees are responsible for information security.

http://esinet/business/ip/ Viewed on March 8, 2006

Page 31: Examples of Risk

- External hackers: up to 700 attacks against firewalls daily
- Phishing
- Identity theft
- Employee oversights: lax about security updates and computer locking
- Disgruntled employees
- Spam: 80% of incoming e-mails are spam

Mark Kinnunen, IS Security Officer of Express Scripts, interviewed in person by Cari Wegge, February 27, 2006.

Page 32: Regulations and Certifications

- HIPAA
- Sarbanes-Oxley
- DITSCAP: establishes standard processes, activities, tasks, and management structure to certify and accredit Information Systems that will maintain the integrity and security of the Defense Information Infrastructure

Jennifer Goedeke, Privacy Officer of Express Scripts, interviewed over the telephone by Cari Wegge, March 20, 2006.
Kimbell, J., Walrath, M. “Life Cycle Security and DITSCAP”, IA Newsletter, Vol. 4, 2, Spring 01, pp. 16-22. http://iac.dtic.mil/iatac

Page 33: IT Security Technologies

- Symantec AntiVirus: installed on every PC
- Tumbleweed system: used to encrypt outgoing e-mails containing PHI and other confidential data
- Remote access for personal computers: provided via a Virtual Private Network (VPN)
- Platforms: RACF, AIX, Mainframe, Sun Solaris, HPUX, Stratus, VAX/VMS, Windows

Mark Kinnunen, IS Security Officer of Express Scripts, interviewed in person by Cari Wegge, February 27, 2006.

Page 34: Perceived Limitations

“The most important thing in security isn’t the technology, it’s the people using it.”

- IT Security Officer

Mark Kinnunen, IS Security Officer of Express Scripts, interviewed in person by Cari Wegge, February 27, 2006.

Page 35: IT Security Strategies

- Maintain a consistent approach to Information Protection that supports the delivery of services
- Maintain controls for the protection of information assets that comply with HIPAA and other regulatory requirements
- Apply the principle of least privilege to protect all sensitive data, including PHI
- Identify and mitigate security vulnerabilities in a timely manner
- Educate users of information assets about their responsibilities associated with system use

Mark Kinnunen, IS Security Officer of Express Scripts, interviewed in person by Cari Wegge, February 27, 2006.

Page 36: ESI Security Policies

New for 2006:
- Ethical hacking to evaluate system security
- Payment card masking and retention
- Users must review and remove confidential comments from documents prior to external distribution

Updated for 2006:
- System and network administrators must inform Security Compliance of vulnerability assessment tools and usage
- Network and host-based intrusion detection systems required for Internet-accessible systems
- Wireless firewalls required if devices connect to the internal network
- PDA screen saver passwords are required after 15 minutes of inactivity

http://esinet/business/ip/ Viewed on March 8, 2006

Page 37: Future ESI Security Plans

- Establish, implement, and monitor Security Compliance
- Identify and mitigate security vulnerabilities
- Ramp up auditing to ensure legal and regulatory compliance
- HIPAA training
- Continued awareness education
- SOX, SAS, DITSCAP audits
- Identity management pilot

Mark Kinnunen, IS Security Officer of Express Scripts, interviewed in person by Cari Wegge, February 27, 2006.

Page 38: Lessons Learned

“Employee education is the most important tool that we have.”

- ESI Privacy Officer

Jennifer Goedeke, Privacy Officer of Express Scripts, interviewed over the telephone by Cari Wegge, March 20, 2006.

Page 39: Comparison of Case Studies

Commonalities
- VPN
- Virus protection
- Dedicated department and team
- Restricted user access
- Documented policies and plans

Differences
- IT Security Awareness Week
- Size of company and department
- Outsourcing
- Organizational hierarchy
- Protected Health Information

Page 40: 2005 Global Security Survey

- International survey by Deloitte Touche Tohmatsu
- Designed to identify the state of information security in the financial services industry
- Included the following:
  - 26 of the 120 financial institutions listed within the Global 500 Companies
  - 28 of the top 100 global banks
  - 9 of the top 50 global insurers
- Responses from organizations in 26 countries

2005 Global Security Survey, Deloitte Touche Tohmatsu Global Financial Services

Page 41: Key Findings

- Compliance requires input from multiple stakeholders
- Preparation for the evolving nature of security threats
- Growing popularity of the Chief Information Security Officer
- Board of Directors’ interest in security must be a requirement
- Assessment of the value and impact delivered to the business
- The importance of training and awareness

2005 Global Security Survey, Deloitte Touche Tohmatsu Global Financial Services

Page 42: 2005 CSI/FBI Computer Crime and Security Survey

- Computer Security Institute (CSI): world’s leading membership organization dedicated to training and education on the protection of information assets
- Participation from the FBI’s Computer Intrusion Squad
- Surveyed 700 IT security professionals in U.S. corporations
- Survey now in its 10th year
- Longest running continuous survey in the information security field

L. Gordon, M. Loeb, W. Lucyshyn, R. Richardson. 2005 CSI/FBI Computer Crime and Security Survey

Page 43: 1 IT Security and Privacy Group Six Nick Fieseler Joe Fitzgerald Cari Wegge Josh Woodworth IS 6800, Winter 2006 Dr. Mary Lacity, Professor.

43L. Gordon, M. Loeb, W. Lucyshyn, R. Richardson. 2005 CSI/FBI Computer Crime and Security Survey


44

L. Gordon, M. Loeb, W. Lucyshyn, R. Richardson. 2005 CSI/FBI Computer Crime and Security Survey


45

L. Gordon, M. Loeb, W. Lucyshyn, R. Richardson. 2005 CSI/FBI Computer Crime and Security Survey


46

Federal Regulations

HIPAA (1996): Health Insurance Portability & Accountability Act. Who can see your medical info and how can it be used?

Gramm-Leach-Bliley Act (1999): Protection of consumers' personal financial info

Patriot Act (2001): Government and the individual's right to privacy

Sarbanes-Oxley (2002): Corporate accountability


47

Chief Information Security Officers

Responsible for all elements of the information security program

Oversee compliance with federal regulations (Sarbanes-Oxley, HIPAA)

Establish threat level for IT security

Can be broken down into several positions

Work closely with CIO & CEO

Cost can be prohibitive for smaller companies

Key Elements of an Information Security Program, Bryant Tow, Director North America Managed Security Solutions at Unisys, copyright Unisys 2004.


48

2005 Global Security Survey, Deloitte Global Financial Services


49

Best Practices

Physical Security Measures

Secure workstations

Control of facility and data access

Encryption

Administrative Security Measures

Properly documented security policies

Training and awareness

Security audits

Contingency plans


50

Contingency Plans

Managed Security Services (security outsourcing)

IT Insurance

Disaster Recovery


51

L. Gordon, M. Loeb, W. Lucyshyn, R. Richardson. 2005 CSI/FBI Computer Crime and Security Survey



53

L. Gordon, M. Loeb, W. Lucyshyn, R. Richardson. 2005 CSI/FBI Computer Crime and Security Survey



55

Conclusion

Status must be communicated clearly throughout the organization

Proper testing and training, including feedback

Alignment with business strategy

Assessment of the latest threats

IT security must be proactive, not reactive


56

Questions?