Outline  Company Profile  Services Provided  Assets  System Schema  Risk Categories  Technical Risks and Mitigation  Summary

 Operates in Estonia, Latvia, Lithuania, Finland, Jordan  Largest employer in Estonia with over 7500 employees  ~ private customers  ~ business customers  Total revenue of 796 million Euros in FY 2010  Most preferred employer in Estonia  Second-best customer service in Estonia  Bonds listed on the London Stock Exchange

Eesti Energia offers comprehensive energy solutions including:  Electricity  heat and fuel  customer service and consulting ENERGY SERVICES PRODUCTION&TECHNOLOGY RESIDENTIAL BUSINESSELECTRIC, HEAT OIL, TECHNOLOGY

 The vision of Eesti Energia is to sell energy to two million customers in the Baltic Sea Region by  The mission of Eesti Energia is to devote all of their energy for the good of the people.

 Internal service hardware  Internal service software  Backup and restore system  Firewalls and VPN tunnels systems  Monitoring systems  Datacenter physical  Datacenter power  Web access to self service systems  Accounting systems  Internal technical knowledge  Interdepartment processes

 Physical accidents  Employee configuration errors  Customer configuration errors  Internal malicious actions  External malicious actions  Customer malicious actions  Missing or untested procedures  Interdepartment cross training  Software limitation  Political environment

 Data Center Incidents ◦ Data safety and accessibility  Software exploit ◦ Risks connected with software  Network problems ◦ Computer network incidents  Human factor ◦ We are not machines

Description: A system cannot work without databases. All information, finance reports, billing reports, and settings are stored in database. Risks:  Unauthorized access  Data loss  Server overwhelmed, insufficient server performance. Measures taken to prevent incidents:  Increase overall database security.  Backups are stored separately in several places geographically.  Database servers are configured for appropriate workload.

Description: Company tries to protect its IT property especially system, software and technology secrets. Information system is also company’s private property. Risk:  Software bugs can be discovered and exploited rapidly.  Software architecture cannot keep up to speed with the changing world.  New features would bring new problems, change is risky. Measures:  Design good software architecture from the beginning.  Overall workflow monitoring  Fast response to software security incidents.

Description: External and internal network security, integrity, data confidentiality are vital to company operations. Network safety and availability are the most important. Risks:  Unauthorized network penetration and anti service attacks.  Disrupted connections.  Possible leak of sensitive information due weak network defence. Measures:  Hardware: firewall, intrusion detection system, intrusion prevention system, monitoring system with notifications.  Software firewall on client machines and network flow monitoring.  Strict domain policy.

Description: Our organization is concerned that at any time any of its employee could make a mistake. They cannot control the actions of all employees at all times. Risks:  Loss of unsaved information.  A spilled cup of coffee.  Security accounts exchanging between employees. Measures:  Ensure that corporate rules and procedures are followed.  Enhance and optimize work processes.  Personnel must cooperate with policy.  Build up politics of loyalty in company culture.

Summary  Risk assurance is a fundamental concern to All organizations!  Eesti Energia is not an exception.