Presentation transcript: "Security Governance", Technology Executive Club
1 Security Governance
Technology Executive Club
Patti Suarez, CISSP
Global Information Security Manager
Wm. Wrigley Jr. Company
2 About the presenter
Patti Suarez
- Global Information Security Manager for Wm. Wrigley Jr. Company
- 15 years of experience in information security, with the financial services, health care and telecommunications industries
- Certified Information Systems Security Professional (CISSP)
- Graduate of Roosevelt University, B.S. Telecom
3 Objectives for today's presentation
Informative:
- What are the drivers for Information Security at Wrigley?
- Explain how Wrigley's Information Security foundation is standards based
- Recent threat statistics
- Wrigley's Global Information Security Model
4 The Time for Information Security is Now
External drivers:
- Changing customer structures
- E-commerce opportunities
- Changing market expectations
- Technology development
Internal drivers:
- Desire to meet changing customer needs and increase speed-to-market
- Need for global information sharing
5 Information Security is not just technology
Wrigley's Security Program: an integrated approach to selecting and deploying tools, operational processes and organizational roles.
Regulation has placed final accountability for securing corporate and customer information with the Board of Directors:
- Gramm-Leach-Bliley
- HIPAA
- EU Privacy
- Duty to Disclose Security Breach (CA)
- COPPA (Children's Online Privacy Protection Act)
- Sarbanes-Oxley Act
- Federal Information Security Management Act
6 Information Security is not just technology
- Everyone in Wrigley needs to have a basic understanding of information security requirements.
- Specific responsibilities across the organization need to be clear.
7 The Threats Are Real
- Three percent of online sales will be lost because of credit card fraud. (Dec 05, 2002)
- More than 7,000 viruses detected this year. (Dec 12, 2002)
- Internet attacks against public and private organizations jumped 28 percent from January to June 2002. (Oct 24, 2002)
- Roughly 180,000 Internet-based attacks hit U.S. businesses in the first half of (Jul 09, 2002)
- Security breaches occur at 85% of U.S. businesses and government organizations. (Mar 13, 2001)
- Reports on inside security breaches up 7 percentage points over (Oct 16, 2001)
Source: CSO Magazine
8 Wrigley's Information Security Mission
The Global IT Security mission is to provide information security leadership, direction and guidance through a mutual understanding of business enablers and tolerance of risk. We will accomplish this by implementing industry standards in the areas of perimeter defense, risk mitigation, policy creation, education, awareness, monitoring and response to security events. Through security best practices we will ensure the confidentiality, integrity and availability of our systems and data across people, technology and process.
9 Information Security drives value into Wrigley's Initiatives
[Diagram labels: Security Program; Trusted Computing; Physical/Logical Access Controls; Increases Shareholder Value; Protects Brand; Brings value to business relationships]
10 Wrigley's Information Security Program Based On International Standards
ISO 17799: the internationally recognized information security standard.
- A comprehensive set of controls comprising best practices in information security.
- Intended to serve as a single reference point for identifying the range of controls needed in most situations where information systems are used in industry and commerce.
- Facilitates trading in a trusted environment.
11 Wrigley's Information Security Model
[Diagram: a grid of three dimensions. Elements: Governance, Operations, Architecture. Layers: Prevention, Detection, Verification, Response. Fronts: Tools, Process, Roles.]
12 Information Security Program Elements
Governance: defining and overseeing the program
- Security policy, standards and guidelines
- Organizational roles and responsibilities
- Assessment of risk and security plans to control it
- Metrics and processes to determine how well the organization is adhering to information security policies, processes, procedures and guidelines
- Access controls: who has access to sensitive systems and data
- Security awareness programs
13 ISO 17799 BENCHMARKING IN THE AREA OF ORGANIZATIONAL SECURITY
- Is there a liaison with external information security personnel and organizations, including industry and/or government security specialists, law enforcement authorities, IT service providers and telecommunications authorities?
- Has a capability been established that provides specialized information security advice?
- Has a management approval process been established to authorize new IT facilities from both a business and a technical standpoint?
- Has a process been established to coordinate implementation of information security measures?
- Are responsibilities for accomplishment of information security requirements clearly defined?
- Has a forum been established to oversee and represent information security?
14 ISO 17799 BENCHMARKING IN THE AREA OF ORGANIZATIONAL SECURITY (continued)
- Have the security requirements of the information owners been addressed in a contract between the owners and the outsource organization?
- Has an independent review of information security practices been conducted to ensure feasibility, effectiveness and compliance with written policies?
- Are security requirements included in formal third-party contracts?
- Have third-party connection risks been analyzed?
- Have specific security measures been identified to combat third-party connection risks?
15 Information Security Program Elements
Operations: administering and enforcing
- Information Security policies and access controls
- Controls for physical/logical access to information assets
- Processes and procedures to minimize the likelihood of disruptions, recover from disasters and respond to security incidents
16 Information Security Program Elements
Architecture: designing and implementing
- Development methodology for secure information systems
- Systems and controls that limit the risk of unauthorized access to business assets
17 Information Security Layers
Across the enterprise there should be layers of protection to ensure that risks are managed effectively. Each security layer supports the next, to minimize the probability of security problems and to minimize the exposure Wrigley faces when incidents do occur.
- Prevention: protecting information through effective use of technology, processes and organizational responsibilities to limit the potential of a threat being realized.
- Detection: manual and automated mechanisms to identify and isolate security problems. This includes active and passive monitors and analytical procedures.
18 Information Security Layers (continued)
- Verification: manual and automated mechanisms to ensure that required security measures are in place. This can take forms including vulnerability assessments, audits and monitoring tools.
- Response: when prevention measures fail, Wrigley needs a rapid, pragmatic response capability. This requires planning for containment, triage and direct response.
19 Information Security Fronts
Information Security is not just a technology problem. There is no "silver bullet" that will dramatically improve Wrigley's security posture. The posture depends on developing, enforcing and maintaining safe computing practices on the unified fronts of Tools, Processes and Roles.
- Roles: creating the roles that ensure clear responsibilities and accountability in business units, the Information Security organization, suppliers and business partners; eliminating gaps and reducing overlaps to ensure that requirements are met.
- Processes: establishing repeatable solutions or compensating controls for business risks, ensuring that they are measured regularly, and periodically aligning business and information security goals.
- Tools: protecting information through effective use of technology (e.g. firewalls, authentication and authorization mechanisms) that results in reusable solutions to business risk scenarios.
20 Wrigley's Security Program In Perspective
[Diagram labels: Information Security Vision and Strategy; Business Initiatives; Threats; Enterprise Architecture Strategy; Legislation; Vulnerability & Risk Assessment; Security Policy; Senior Management Commitment; Training and Awareness; Security Architecture and Technical Standards; Administrative and End-User Guidelines and Procedures; Enforcement Process; Monitoring Process; Recovery Process; Information Security Management]