Pro-active Security Measures
David Mannering
September 20, 2004
APPA Business and Financial Conference, Jacksonville, Florida

Lincoln Electric System
- Municipal utility in Lincoln, Nebraska
- 119,500 electric customers
- 450 employees at four sites
- 35 IT staff

IT Security

Technology
- Hardware & software dedicated to security
  - Firewalls
  - Anti-virus
  - etc.
(Layer diagram: Technology)

Operational Procedures
- Activities related to security
  - Log monitoring
  - Incident response
  - etc.
(Layer diagram: Procedures, Technology)

User Practices
- Security awareness & actions
  - Company employees
  - Vendors & contractors
  - Business partners
(Layer diagram: Users, Procedures, Technology)

Policy
- Corporate policy
- Security policy
  - Authority
  - Responsibility
  - Standards
  - etc.
(Layer diagram: Policy, Users, Procedures, Technology)

Security Structure
(Organization chart with the following elements: Board & CEO; Security Policy; ISO-17799; Steering Committee; CIO; Security Orgs; CSO; IT Staff Training; Regulations; Security Program; IT Staff SLA's; Local Standards; Operational Procedures; Physical Security; Security Education; IT Infrastructure; IT Architecture)

Corporate Security Policy
- Goal: "We will secure our information systems"
- Authority: Enforced by corporate management
- Responsibility:
  - Governance (Steering committee)
  - Chief Security Officer (or equivalent)
- Standards: ISO-17799
- Method: Security program

Corporate Security Program
- Local standards
  - ISO-17799 + regulations & special conditions
  - Influences security architecture
  - Ties security to SLA's
- Operational procedures
  - Carried out by IT staff & users
  - Connected to IT infrastructure
- Education
  - Employee security awareness program
  - Issues & current events
  - Standards & procedures
  - Vendor/contractor/partner security awareness

Proactive Methods
- Vulnerability assessments
- Internal compliance auditing
- Security awareness training
- Incident response drills
- Employee background checks
- Alertness to current issues & events

Vulnerability Assessments
- Annually if possible
- Use external consultant
- Wholesale or specialized scope
- Inform only those with need to know
- Act on the results
  - Budget
  - Staff performance goals
  - Security program

Internal Compliance Auditing
- Announced or stealth
- Have clear connection to policy
- Prioritized by a risk assessment
- Coordinate with internal auditors
- Escalating consequences for non-compliance
  - Warnings, loss of access, etc.
- Act on patterns discovered
  - Employee training
  - Operational procedures

Security Awareness Program
- Goals
  - Make security part of the culture
  - Well-informed employees
- Employee education
  - Annual classes
  - Topical briefings
  - Timely announcements
- Partner & contractor awareness
  - Compliance and confidentiality agreement
- Administration
  - Management reporting

Incident Response Drills
- Practice different kinds of incidents
  - Hacking, theft, virus infection, etc.
- Write the incident report
- Have report reviewed by non-involved party
- Debrief the response team
  - Discuss the "what if's"
- Update procedures if necessary

Employee Background Checks
- On hiring
  - Employment history
  - Educational history
  - Criminal records
- For critical positions
  - Credit report
  - Psychological testing
- Re-check periodically

Alertness
- Monitor external security organizations
  - CERT, InfraGard, ES-ISAC, etc.
- Check the daily news
  - CSO, SANS, Yahoo, Wired, etc.
- Discuss security issues with your peers

Conclusion
King Arthur: "Where hides evil, then, in my kingdom?"
Merlin: "Always where you never expect it. Always."
(Excalibur)

Business Card
David Mannering
Chief Information Officer
Lincoln Electric System
(402) 473-3468
dmannering@les.com