Introduction
• Aetna was founded in 1853 in Hartford, Connecticut.
• Offered life, liability, property, casualty and fidelity insurance, among others.
• Insured projects such as the Hoover Dam and the National Archives building.
• 1960: went international.
• By 1981 it had operations in 8 countries.
• 1990: stopped issuing individual life insurance.
• Focused on healthcare and group benefits insurance.
• Became the largest healthcare company in North America.
Information Security at Aetna
Prior to 1987
• Computer Security: security policy
• Information Systems: backup and disaster recovery planning
• Facilities Risk Management: security, safety and insurance
1987: all three functions consolidated.
1990: hired Janus Associates; centralized security administration and policy making; InfoSec Exam.

ISPP Group
• ISPP group of 5 members
• Reports to the CIO
• ISPP and Security Services co-chair the ISC (Information Security Committee)
• Responsible for the information security awareness program: SecurNet portal, accessories, newsletters, lunches, posters, InfoSec Exam
InfoSec Exam
• Mandatory exam taken through SecurNet
• Modules
• Role-based exams
• Development outsourced to a local eLearning vendor
• Usability testing, quality assurance, stress testing
• Implementation
• Help desk / desktop support
• Emails sent in phases
• Certificates
Why were others not as successful as Aetna?
• Implementing a successful security awareness program is an essential step in enhancing security within any organization.
• An organization must understand that risk and security awareness are closely related. To reduce, or possibly eliminate, risk, an organization's employees must operate at an acceptable level of awareness.
• Most organizations failed (in that period) to implement a successful security awareness program because they thought it was simply a matter of pushing general information at users (employees) and hoping for the best.
Reasons for the success of Aetna's security awareness program
• Understanding the importance of security awareness was the reason for Aetna's success.
Aetna was clear about two facts:
• Security systems cannot help the organization if people don't act on them.
• A user's mistake greatly increases the chance of people-oriented vulnerabilities arising from within the organization.
One should engage the audience to create awareness. Aetna engaged its audience through a systematic approach. Through this approach employees received not only the complete company information security training, but also a tailored module related to their everyday working environment, which strengthened their relationship with information security.
The Systematic Approach
Formal:
• Security awareness tutorials
• Testing
• Formal presentations
Informal:
• Newsletters
• Lunch meetings
• Discussion groups
• Posters
• Physical reminders such as pens
Take an extreme situation!!
• Your IT systems are hacked.
• Your company's financial results are leaked to the media.
• Your confidential business plans are compromised.
• Your employees' personal files are posted on the internet.
• The market loses confidence in your organization.
• Leave the extreme cases aside: even a small-scale security breach could leave your business without access to its critical IT systems for hours or days.
How is ISPP, a small group, able to handle the InfoSec exam for more than 27,000 Aetna employees?
• ISPP is placed high in the organizational structure
• Reports directly to the CIO
• ISPP and Security Services serve as co-chairs of the Information Security Committee (ISC)
• Systematic approach to designing the exam
• Continuous improvement in conducting the exam
• Outsourced exam development
• Tested for quality and stress
• Implemented the exam in phases
Why are amateur computer users used for testing?
• Amateur computer users struggle most with online training.
• Testing with them helps the usability labs design an exam for everyone in the company, regardless of computer skills, and with less frustration.
This makes Aetna confident that anyone in the company can take the exam.
Four Security Awareness Solution Providers
Fishnet Security:
• PCI compliance
• Identity and access management
• Data security and privacy
• Application security
• Security and network integration
Global Learning Systems:
• Definition of key cyber security awareness terms
• Practical examples of security threats and vulnerabilities
• Importance of individual responsibility
• Mobile security, phishing, identity theft
• Threats and virus protection, physical security
Vigitrust:
• Data security: trade secrets, customer data, employee data
• Physical security: access to buildings, IT hardware
• People security: partners, visitors, permanent and contract staff
• Infrastructure security: networks, remote sites, website, applications, intranet
• Crisis management: emergency response plans, disaster recovery plans, business continuity plans
Dell Security Networks:
• Security testing and assessments
• Compliance and certification services
• Residency services
• Security and governance program development
• Security awareness training programs
Why is it important for the company's officers to be able to demonstrate due care?
• It's a continuous process for the employee: every year they need to undergo an exam on a particular topic.
• They should be taught how negligence affects the company's growth and how critical the data is to the company.
• They should be well trained to be proactive.
Integration of Aetna's Business Conduct and Integrity Training Program
• Addresses various facets of information security
• Role-based exams were introduced
• Monitoring tools were introduced
• Emphasis was given to regulatory compliance, privacy policy, passwords, integrity, etc.
• Previously the focus was on HIPAA, but post-integration that was neglected
• Focus was narrowed down
Why is it considered a good practice for an organization to have its users officially sign off on their security policy?
• Users acknowledge that they will adapt themselves to the organization's policies.
• It provides assurance that users will not violate the policies and procedures in the future.
• If a violation does occur, the signed security policy document acts as proof during scrutiny.
• It reduces leakage of confidential information between departments and outside the organization.
Quantitative and qualitative factors to consider while justifying the program's expense
• Quantitative data are not readily available, as systems are evolving and new risks are emerging.
• It is important not to let the process jeopardize the security and safety of the program by taking too long to make a funding decision.
• Qualitative research involves interviews with the people responsible for security awareness programs. The data from these interviews are analyzed to find commonly reported answers and experiences.
• From an analytic perspective, this data helps mitigate concerns about small sample sizes. It is analyzed to determine which security awareness measures are considered effective.
• Successful measures were also extrapolated from the factors that led to failures. For example, a critical failing of most security awareness programs is that they did not collect metrics before beginning the awareness program.
• Security policy, objectives and activities that properly reflect business objectives
• Clear management commitment and support
• Proper distribution of, and guidance on, the security policy to all employees and contractors
• Effective 'marketing' of security to employees (including managers)
• Provision of adequate education and training
• Understanding of security risk analysis, risk management and security requirements
• An approach to security implementation that is consistent with the organization's own culture
• A balanced and comprehensive measurement system to evaluate the performance of information security management and feed back suggestions for improvement
We're saying: Wake Up!!!
Aetna information security assurance program

  • 6. Reasons for the success of Aetna’s security awareness program
    • Understanding the importance of security system awareness was the reason for the success of Aetna. Aetna was clear on two facts:
      • The security systems cannot help the organization if people don’t act on them.
      • There is a high chance of an increase in people-oriented vulnerability from within the organization if a user makes a mistake.
    • One should engage the audience to create awareness. Aetna engaged its audience through a systematic approach. Through this approach the employees would not only receive the complete company information security training, but also a tailored module related to their everyday working environment, which enhances their relationship with information security.
  • 7. The Systematic Approach
    • Formal: Security Awareness Tutorials, Testing, Formal Presentation
    • Informal: Newsletters, Lunch meetings, Discussion groups, Posters, Physical reminders like pens
  • 8. Take an extreme situation!!
    • Your IT systems are hacked.
    • Your company’s financial results are leaked to the media.
    • Your confidential business plans are compromised.
    • Your employees’ personal files are posted on the internet.
    • The market loses confidence in your organization.
    • Leave that!! Even a small-scale security breach could leave your business without access to its critical IT systems for hours or days.
  • 9. How is ISPP, a small group, able to handle the InfoSec exam for more than 27000 Aetna employees?
    • ISPP is placed high in the organizational structure
    • Reports directly to the CIO
    • ISPP and security services served as co-chairs of the Information Security Committee (ISC)
    • Systematic approach towards designing the exam
    • Continuous improvement in conducting the exam
    • Outsourced exam development
    • Tested for quality and stress
    • Implemented the exam in phases
  • 10. Why are amateur computer users used for testing?
    • Amateur computer users struggle most in online training
    • Helps usability labs design an exam for everyone in the company regardless of computer skills and with less frustration
    • This makes Aetna confident that anyone in the company can answer the exam.
  • 12. Fishnet Security, Global Learning Systems, Vigitrust, Dell Security Networks, PCI Compliance
    • Definition of key cyber security awareness terms
    • Data security: trade secrets, customer data, employee data
    • Security testing and assessments
    • Identity and access management
    • Practical examples of security threats and vulnerabilities
    • Physical security: access to building, IT hardware
    • Compliance and certification services
    • Data security and privacy
    • Importance of individual responsibility
    • People security: partners, visitors, permanent and contract staff
    • Residency services
    • Application security
    • Mobile security
    • Phishing
    • Identity theft
    • Infra security: networks, remote sites, website, applications, intranet
    • Security and governance program development
    • Security and network integration
    • Threats and virus protection
    • Physical security
    • Crisis management: emergency response plans, disaster recovery plans, business continuity plans
    • Security awareness training programs
  • 13. Why is it important for the company’s officers to be able to demonstrate due care?
    • It’s a continuous process for the employee; every year they need to undergo an exam on a particular topic
    • They should be taught how negligence affects the company’s growth and how critical the data is to the company
    • They should be well trained to be proactive
  • 14. Integration of Aetna’s Business Conduct and Integrity Training Program
    • Addresses various facets of information security
    • Role-based exams were introduced
    • Monitoring tools were introduced
    • Emphasis was given to regulatory compliance, privacy policy, passwords, integrity, etc.
    • Previously they focused on HIPAA, but post-integration they neglected it
    • Focus was narrowed down
  • 15. Why is it considered good practice for an organization to have its users officially sign off on its security policy?
    • The users ensure that they will adapt themselves to the policies of the organization.
    • Assurance that the users will not violate the policy and procedures in the future.
    • In the event of a violation, the signed security policy document will act as proof for scrutiny.
    • Confidentiality of information: no leakage between different departments or outside the organization.
  • 16. Quantitative and qualitative factors to consider while justifying the program’s expense
    • Quantitative data are not readily available, as systems are evolving and new risks are emerging.
    • It is important not to allow the process to jeopardize the security and safety of the program by taking too long to make a funding decision.
    • Qualitative research involves interviews with the people responsible for the security awareness programs. The data from these interviews are analyzed to find commonly reported answers and experiences.
    • From an analytic perspective, this data assists in mitigating concerns about small sample sizes. This data is analyzed to determine what security awareness measures are considered effective.
    • Successful measures were also extrapolated based upon the factors that led to failures. For example, a critical failing of most security awareness programs is that they did not collect metrics prior to beginning awareness programs.
  • 17.
    • Security policy, objectives and activities that properly reflect business objectives
    • Clear management commitment and support
    • Proper distribution of and guidance on the security policy to all employees and contractors
    • Effective ‘marketing’ of security to employees (including managers)
    • Provision of adequate education and training
    • Understanding of security risk analysis, risk management and security requirements
    • An approach to security implementation which is consistent with the organization’s own culture
    • Balanced and comprehensive measurement system to evaluate the performance of information security management and feed back suggestions for improvement.