IT Security and Privacy


1 IT Security and Privacy
Group Six: Nick Fieseler, Joe Fitzgerald, Cari Wegge, Josh Woodworth
IS 6800, Winter 2006, Dr. Mary Lacity, Professor

2 9/11
Since the 9/11 terrorist attacks, the United States’ business assets and infrastructure are key targets and maybe even avenues for future attacks.
Attacks through the Internet increased by 28% in the six months after 9/11.
Other information security (IS) risks include natural disasters, which can destroy facilities and critical documents.
Disaster recovery has become a $6 billion industry since 2001.
Lally, L. “Information Technology as a Target and Shield in the Post 9/11 Environment”, Information Resources Management Journal, Vol. 18, 1, Jan-March 2005, pp. Viewed on March 27, 2006.

3 Post-9/11 IT Security
Theft of trade secrets and information loss due to computer malfunctions can cause businesses to lose their competitive advantages.
The 2004 CSI/FBI Computer Crime and Security Survey reported that computer security breaches caused $141,496,560 in total U.S. losses.
Lally, L. “Information Technology as a Target and Shield in the Post 9/11 Environment”, Information Resources Management Journal, Vol. 18, 1, Jan-March 2005, pp.

4 Post-9/11 IT Security
Preparation, prevention, and recovery are now crucial practices for businesses using IT.
Security and privacy is the third top management concern.
Security technologies are one of the top six application and technology developments.
Luftman, J., and McLean, E., "Key Issues for IS Executives," MIS Quarterly Executive, Vol. 4, 2, 2005, pp.

5 Objectives
Overview of IT Security and Privacy
Case Study: Home Decorators
Case Study: Express Scripts
Comparisons and Similarities
Best Practices
Conclusion

6 IT Security Importance
According to a report released by the Government Accountability Office in late December 2005, the SEC has corrected or mitigated only eight of 51 weaknesses cited last year.
The report said that efforts to improve FBI IT capabilities have failed so far.
In 9/11 report recommendations from October 2005, President Bush was asked to lead a government-wide effort to improve IT in major national security institutions.
As systems get more complex, they also become less secure.
Security technologies are not improving quickly enough for business.
Lally, L. “Information Technology as a Target and Shield in the Post 9/11 Environment”, Information Resources Management Journal, Vol. 18, 1, Jan-March 2005, pp.
Schneier, Bruce. Secrets & Lies: Digital Security in a Networked World, Wiley Publishing, Indianapolis, 2004.

7 Planning for Security Policies
Never contradict law (Enron/Andersen Consulting)
Quality security programs begin and end with policy
Least expensive, but most difficult to implement properly
IT security is 75% people and 25% technology
Whitman, Michael E. and Mattord, Herbert J., Principles of Information Security, Thomson Course Technology, Boston, 2005.

8 IT Security Approaches
Bottom-Up Approach
  Advantage: Technical expertise of grassroots users
  Disadvantage: Seldom works; very little organizational staying power
Top-Down Approach
  Advantage: Starts at the top and can flow down to all below
  Champion: CIO or VP-IT must gain executive buy-in
  Adopted and promoted by upper management
Whitman, Michael E. and Mattord, Herbert J., Principles of Information Security, Thomson Course Technology, Boston, 2005.

9 Flow of IT Processes
From executives and the CIO down to users

10 Systems Risk
“The likelihood that the firm's information systems are insufficiently protected against certain kinds of damage or loss.”
Straub, D.W., Welke, R.J. “Coping with systems risk: Security planning models for management decision making”, MIS Quarterly, Vol. 22, 4; December 1998, pg. 441.

11 Risk Management Whitman, Michael E. and Mattord, Herbert J., Principles of Information Security, Thomson Course Technology, Boston, 2005.

12 Three Levels of IT Security Policies
Whitman, Michael E. and Mattord, Herbert J., Principles of Information Security, Thomson Course Technology, Boston, 2005.

13 Enterprise Information Security Policy (EISP)
EISP directly supports:
  Organizational mission
  Executive/management vision
  Organizational strategic direction
Whitman, Michael E. and Mattord, Herbert J., Principles of Information Security, Thomson Course Technology, Boston, 2005.

14 Issue-Specific Security Policy (ISSP)
Addresses specific areas of technology
  Internet usage
  Minimum anti-virus protection
Requires frequent updates (this can be related directly to companies)
Contains a statement of the organization’s position on a specific issue
Whitman, Michael E. and Mattord, Herbert J., Principles of Information Security, Thomson Course Technology, Boston, 2005.

15 Systems-Specific Policy (SysSP)
Codified as standards and procedures to be used when configuring and maintaining systems
Two main groups:
  Access Control Lists (ACLs)
  Configuration rules
Whitman, Michael E. and Mattord, Herbert J., Principles of Information Security, Thomson Course Technology, Boston, 2005.

16 ACL Policies
Restricts access:
  Who: Username/password
  What: Rights users have in the system
  When: Users can have access
  Where: Users can gain access
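The four ACL dimensions listed on this slide, turned into a small deny-by-default access check. This is an added example, not code from the presentation or from either company it describes; the rule fields, user names, rights, hours and networks are constructed for illustration.

```python
"""Evaluate an access request against an ACL on the who / what / when / where
dimensions. Hypothetical example: rule layout and sample data are constructed."""
from dataclasses import dataclass
from datetime import datetime, time
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class AclRule:
    who: str              # username the entry applies to
    what: frozenset       # rights granted on the system, e.g. {"read", "write"}
    when_start: time      # daily access window start (inclusive)
    when_end: time        # daily access window end (exclusive)
    where: tuple          # source networks the user may connect from


@dataclass(frozen=True)
class AccessRequest:
    user: str
    authenticated: bool   # who: a valid username/password was presented
    right: str            # what: the right being exercised
    at: datetime          # when: time of the request
    source_ip: str        # where: address the request arrived from


# Constructed sample ACL (hypothetical users, rights, hours and networks).
SAMPLE_ACL = (
    AclRule("alice", frozenset({"read", "write"}), time(8, 0), time(18, 0),
            (ip_network("10.0.0.0/8"),)),
    AclRule("bob", frozenset({"read"}), time(0, 0), time.max,
            (ip_network("10.0.0.0/8"), ip_network("192.168.1.0/24"))),
)


def make_request(user, right, when, source_ip, authenticated=True):
    """Build an AccessRequest from an ISO timestamp such as '2006-03-02T10:30'."""
    return AccessRequest(user, authenticated, right, datetime.fromisoformat(when), source_ip)


def check_access(acl, req):
    """Return (allowed, reason).

    Deny by default: the request is allowed only if some entry for the user
    satisfies all four checks. Otherwise the reasons each entry failed are
    returned so the refusal can be logged and reviewed."""
    if not req.authenticated:
        return False, "who: credentials not verified"
    src = ip_address(req.source_ip)
    now = req.at.time()
    failures = []
    for rule in acl:
        if rule.who != req.user:
            continue
        if req.right not in rule.what:
            failures.append(f"what: {req.user} lacks right '{req.right}'")
        elif not (rule.when_start <= now < rule.when_end):
            failures.append(f"when: {now} is outside {rule.when_start}-{rule.when_end}")
        elif not any(src in net for net in rule.where):
            failures.append(f"where: {src} is not in an allowed network")
        else:
            return True, "who/what/when/where all satisfied"
    return False, "; ".join(failures) or f"who: no ACL entry for user '{req.user}'"


if __name__ == "__main__":
    samples = [
        make_request("alice", "write", "2006-03-02T10:30", "10.1.2.3"),
        make_request("alice", "write", "2006-03-02T20:00", "10.1.2.3"),
        make_request("bob", "write", "2006-03-02T10:30", "192.168.1.7"),
        make_request("carol", "read", "2006-03-02T10:30", "10.1.2.3"),
    ]
    for r in samples:
        allowed, reason = check_access(SAMPLE_ACL, r)
        print(f"{r.user:6} {r.right:6} {'ALLOW' if allowed else 'DENY '} {reason}")
```

Every refusal carries the dimension that failed, which is what an administrator reviewing the ACL (or an auditor checking a restricted-access policy) needs to see; a bare "denied" hides whether a rule is missing, too narrow, or being exercised outside its window.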

17 Case Study: Knights Direct Catalog Group
What is Knights Direct?

18 Company Overview
About 300 million in combined sales
Home Decorators started in 1991, Soft Surroundings in 1999
Headquarters in Hazelwood, MO
1,200 employees

19 Company Organizational Chart
President
Director of IT
Other Directors
Manager of Development
Manager of Tech Services
Security Administrator
4 other system & network administrators

20 IT Background
30 employees
IT budget is 1.5% of annual sales (in 2005, 4.5 million)
5 manager types, 15 developers, 3 technicians, 7 administrators

21 IT Security Technologies
Cisco firewalls and routers
Cymtec Sentry intrusion protection system (IPS), Scout intrusion detection systems (IDS)
Co-location for disaster recovery
VPN (Virtual Private Network)
Jeff Nolle, Manager of Technical Services, interviewed in person by Josh Woodworth, March 2, 2006.

22 Perceived Limitations
“We believe our various protection layers from different vendors protect us as best as practical. Even though we have dedicated quite a few resources, both financial and human, towards security, it allows us to run smoothly and confidently.” - Manager of Technical Services
Jeff Nolle, Manager of Technical Services, interviewed in person by Josh Woodworth, March 2, 2006.

23 Examples of Risk
TrendMicro’s OfficeScan on every PC
Virus-wall for all incoming & outgoing messages
“Day-zero” attacks
Jeff Nolle, Manager of Technical Services, interviewed in person by Josh Woodworth, March 2, 2006.

24 Future Security Plans
Annual 3rd-party penetration tests
Segmenting local network
Eliminate protocols that transmit data and passwords in clear text
Encrypt database fields with sensitive data
Jeff Nolle, Manager of Technical Services, interviewed in person by Josh Woodworth, March 2, 2006.

25 Lessons Learned
“Security isn’t a destination, but rather a journey. In order to continue smooth operations and gain the confidence of our customer base we need to make a complete commitment to security, and not take the issues lightly.” - Security Administrator
Jeff Nolle, Manager of Technical Services, interviewed in person by Josh Woodworth, March 2, 2006.

26 Case Study: Express Scripts, Inc.
What is Express Scripts (ESI)?

27 Company Overview
Founded in 1986
Headquartered in St. Louis, Missouri
Pharmacy Benefit Manager
13,000 employees
$15.1 billion in revenue in 2004
Ranked 137 on Fortune 500 List
NASDAQ 100
Stock split in Summer 2005
Subsidiaries include CuraScript and ESI Canada
Customers include employers and insurers, generally very financially savvy

28 IT Background
One of Information Week’s 500 Most Technologically Progressive Companies
1,100 employees
Three divisions: Application Development; Infrastructure and Architecture; and People, Process and Planning
IS Security Officer: Mark Kinnunen
Privacy Officer: Jennifer Goedeke
Annual IT budget: $250 million (around 6% of entire budget)
Cost of running Security Office: $1.5 million
Cost of current security functionality project: $1 million
Ongoing security administration is embedded within each area’s support cost
ESI relies heavily on IT to do business, from pharmacy claims processing to member website access
Service Center is outsourced to EDS

29 IT Organization (organizational chart)
President and CEO
Chief Information Officer
COO
Application Development
Infrastructure & Architecture
People, Process & Planning
Adjudication Services & Quality Assurance
Infrastructure Strategy & Planning
Client & Patient Services
Chief Architect
Performance & Reliability
Specialty
Director, Security Compliance
Human Resources
14 Security Analysts
Canada
Finance
Viewed on March 8, 2006

30 Information Protection at ESI
Information Protection (IP) is chartered to protect the information assets at Express Scripts. It is part of the Information Systems (IS) organization and reports to the Chief Information Officer.
Mission: To ensure the confidentiality, integrity and availability of Express Scripts' critical computer resources and assets while minimizing the impact of security policies and procedures on business productivity.
All employees are responsible for information security.
Viewed on March 8, 2006

31 Examples of Risk
External hackers: up to 700 attacks against firewalls daily
Phishing
Identity theft
Employee oversights: lax about security updates and computer locking
Disgruntled employees
Spam: 80% of incoming e-mails are spam
Mark Kinnunen, IS Security Officer of Express Scripts, interviewed in person by Cari Wegge, February 27, 2006.

32 Regulations and Certifications
HIPAA
Sarbanes-Oxley
DITSCAP: Establishes standard processes, activities, tasks, and management structure to certify and accredit Information Systems that will maintain the integrity and security of the Defense Information Infrastructure
Jennifer Goedeke, Privacy Officer of Express Scripts, interviewed over the telephone by Cari Wegge, March 20, 2006.
Kimbell, J., Walrath, M. “Life Cycle Security and DITSCAP”, IA Newsletter, Vol. 4, 2, Spring 01, pp.

33 IT Security Technologies
Symantec AntiVirus: installed on every PC
Tumbleweed system: used to encrypt outgoing e-mails containing PHI and other confidential data
Remote access for personal computers: provided via a Virtual Private Network (VPN)
Platforms: RACF, AIX, Mainframe, Sun Solaris, HPUX, Stratus, VAX/VMS, Windows
Mark Kinnunen, IS Security Officer of Express Scripts, interviewed in person by Cari Wegge, February 27, 2006.

34 Perceived Limitations
“The most important thing in security isn’t the technology, it’s the people using it.” - IT Security Officer
Mark Kinnunen, IS Security Officer of Express Scripts, interviewed in person by Cari Wegge, February 27, 2006.

35 IT Security Strategies
Maintain a consistent approach to Information Protection that supports the delivery of services
Maintain controls for the protection of information assets that comply with HIPAA and other regulatory requirements
Apply the principle of least privilege to protect all sensitive data, including PHI
Identify and mitigate security vulnerabilities in a timely manner
Educate users of information assets about their responsibilities associated with system use
Mark Kinnunen, IS Security Officer of Express Scripts, interviewed in person by Cari Wegge, February 27, 2006.

36 ESI Security Policies
New for 2006:
  Ethical hacking to evaluate system security
  Payment card masking and retention
  Users must review and remove confidential comments from documents prior to external distribution
Updated for 2006:
  System and network administrators must inform Security Compliance of vulnerability assessment tools and usage
  Network and host-based intrusion detection systems required for Internet-accessible systems
  Wireless firewalls required if devices connect to the internal network
  PDA screen saver passwords are required after 15 minutes of inactivity
Viewed on March 8, 2006

37 Future ESI Security Plans
Establish, implement, and monitor Security Compliance
Identify and mitigate security vulnerabilities
Ramp up auditing to ensure legal and regulatory compliance
HIPAA training
Continued awareness education
SOX, SAS, DITSCAP audits
Identity management pilot
Mark Kinnunen, IS Security Officer of Express Scripts, interviewed in person by Cari Wegge, February 27, 2006.

38 Lessons Learned
“Employee education is the most important tool that we have.” - ESI Privacy Officer
Jennifer Goedeke, Privacy Officer of Express Scripts, interviewed over the telephone by Cari Wegge, March 20, 2006.

39 Comparison of Case Studies
Commonalities
  VPN
  Virus protection
  Dedicated department and team
  Restricted user access
  Documented policies and plans
Differences
  IT Security Awareness Week
  Size of company and department
  Outsourcing
  Organizational hierarchy
  Protected Health Information

40 2005 Global Security Survey
International survey by Deloitte Touche Tohmatsu
Designed to identify the state of information security in the financial services industry
Included the following:
  26 of the 120 financial institutions listed within the Global 500 Companies
  28 of the top 100 global banks
  9 of the top 50 global insurers
  Responses from organizations in 26 countries
2005 Global Security Survey, Deloitte Touche Tohmatsu Global Financial Services

41 Key Findings
Compliance requires input from multiple stakeholders
Preparation for the evolving nature of security threats
Growing popularity of the Chief Information Security Officer
Board of Directors’ interest in security must be a requirement
Assessment of the value and impact delivered to the business
The importance of training and awareness
2005 Global Security Survey, Deloitte Touche Tohmatsu Global Financial Services

42 2005 CSI/FBI Computer Crime and Security Survey
Computer Security Institute (CSI): world’s leading membership organization dedicated to training and education on the protection of information assets
Participation from FBI’s Computer Intrusion Squad
Surveyed 700 IT security professionals in U.S. corporations
Survey now in 10th year
Longest running continuous survey in the information security field
L. Gordon, M. Loeb, W. Lucyshyn, R. Richardson, CSI/FBI Computer Crime and Security Survey

43 L. Gordon, M. Loeb, W. Lucyshyn, R. Richardson, CSI/FBI Computer Crime and Security Survey

44 L. Gordon, M. Loeb, W. Lucyshyn, R. Richardson, CSI/FBI Computer Crime and Security Survey

45 L. Gordon, M. Loeb, W. Lucyshyn, R. Richardson, CSI/FBI Computer Crime and Security Survey

46 Federal Regulations
HIPAA (1996): Health Insurance Portability & Accountability Act; who can see your medical info and how it can be used
Gramm-Leach-Bliley Act (1999): Protection of consumers’ personal financial info
Patriot Act (2001): Government and the individual’s right to privacy
Sarbanes-Oxley (2002): Corporate accountability

47 Chief Information Security Officers
Responsible for all elements of the information security program
Oversee compliance with federal regulations (Sarbanes-Oxley, HIPAA)
Establish threat level for IT security
Role can be broken down into several positions
Work closely with CIO & CEO
Cost can be prohibitive for smaller companies
Key Elements of an Information Security Program, Bryant Tow, Director North America Managed Security Solutions at Unisys, copyright Unisys 2004.

48 2005 Global Security Survey, Deloitte Global Financial Services

49 Best Practices
Physical Security Measures
  Secure workstations
  Control of facility and data access
  Encryption
Administrative Security Measures
  Properly documented security policies
  Training and awareness
  Security audits
  Contingency plans

50 Contingency Plans
Managed Security Services (security outsourcing)
IT Insurance
Disaster Recovery

51 L. Gordon, M. Loeb, W. Lucyshyn, 2005 CSI/FBI Computer Crime and Security Survey

53 L. Gordon, M. Loeb, W. Lucyshyn, 2005 CSI/FBI Computer Crime and Security Survey

55 Conclusion
Status must be communicated clearly throughout the organization
Proper testing and training, including feedback
Alignment with business strategy
Assessment of the latest threats
IT security must be proactive, not reactive

56 Questions?

