
Aetna information security assurance program




  1. Introduction
     • Aetna was founded in 1853 in Hartford, Connecticut.
     • Offered life, liability, property, casualty, fidelity and other lines of insurance.
     • Insured projects such as the Hoover Dam and the National Archives building.
     • 1960: went international.
     • By 1981 had operations in 8 countries.
     • 1990: stopped issuing individual life insurance.
     • Focused on healthcare and group benefits insurance.
     • Became the largest healthcare company in North America.
  2. Information Security at Aetna
     Prior to 1987, security responsibilities were split across three groups:
     • Computer Security: security policy
     • Information Systems: backup and disaster recovery planning
     • Facilities Risk Management: security, safety and insurance
     In 1987 all three were consolidated. In 1990 Aetna hired Janus Associates, giving it centralized security administration and policy making.
  3. ISPP Group and the InfoSec Exam
     ISPP Group
     • ISPP group of 5 members
     • Reports to the CIO
     • ISPP and Security Services co-chair the ISC
     • Responsible for the information security awareness program: SecurNet portal, accessories, newsletters, lunches, posters, InfoSec exam, emails sent
     • Help Desk / Desktop support
     InfoSec Exam
     • Mandatory exam through SecurNet
     • Modules
     • Role-based exams
     • Development outsourced to a local eLearning vendor
     • Usability testing, quality assurance, stress testing
     • Implementation in phases
     • Certificates
  4. Why were others not as successful as Aetna?
     • Implementing a successful security awareness program is an essential step in enhancing security within any organization.
     • An organization must understand that risk and security awareness are closely related. To reduce, or perhaps eliminate, risk, an organization's employees must operate at an acceptable level of awareness.
     • Most organizations failed (in that period) to implement a successful security awareness program because they thought it was simply a matter of pushing general information at the user (employee) and hoping for the best.
  5. Reasons for the success of Aetna's security awareness program
     • Understanding the importance of security awareness was the reason for Aetna's success. Aetna was clear about two facts:
       • Security systems cannot help the organization if people do not act on them.
       • The chance of people-oriented vulnerabilities from within the organization rises sharply if a user makes a mistake.
     • One must engage the audience to create awareness. Aetna engaged its audience through a systematic approach: employees received not only the complete company information security training, but also a tailored module related to their everyday working environment, which strengthened their relationship with information security.
  6. The Systematic Approach
     Formal
     • Security awareness tutorials
     • Testing
     • Formal presentations
     Informal
     • Newsletters
     • Lunch meetings
     • Discussion groups
     • Posters
     • Physical reminders such as pens
  7. Take an extreme situation!!
     • Your IT systems are hacked.
     • Your company's financial results are leaked to the media.
     • Your confidential business plans are compromised.
     • Your employees' personal files are posted on the internet.
     • The market loses confidence in your organization.
     • Leave that!! Even a small-scale security breach could leave your business without access to its critical IT systems for hours or days.
  8. How is ISPP, a small group, able to handle the InfoSec exam for more than 27,000 Aetna employees?
     • ISPP is placed high in the organizational structure
     • Reports directly to the CIO
     • ISPP and Security Services serve as co-chairs of the Information Security Committee (ISC)
     • Systematic approach to designing the exam
     • Continuous improvement in conducting the exam
     • Outsourced exam development
     • Tested for quality and stress
     • Implemented the exam in phases
  9. Why are amateur computer users used for testing?
     • Amateur computer users struggle most in online training.
     • Testing with them helps the usability labs design an exam for everyone in the company, regardless of computer skills, with less frustration.
     • This makes Aetna confident that anyone in the company can take the exam.
  10. Four Security Awareness Solution Providers
  11. What the four providers offer
     Fishnet Security
     • PCI compliance
     • Identity and access management
     • Data security and privacy
     • Application security
     • Security and governance program development
     Global Learning Systems
     • Definition of key cyber security awareness terms
     • Practical examples of security threats and vulnerabilities
     • Importance of individual responsibility
     • Mobile security, phishing, identity theft
     • Threats and virus protection, physical security
     Vigitrust
     • Data security: trade secrets, customer data, employee data
     • Physical security: access to buildings, IT hardware
     • People security: partners, visitors, permanent and contract staff
     • Infrastructure security: networks, remote sites, website, applications, intranet
     • Crisis management: emergency response plans, disaster recovery plans, business continuity plans
     Dell Security Networks
     • Security testing and assessments
     • Compliance and certification services
     • Residency services
     • Security and network integration
     • Security awareness training programs
  12. Why is it important for the company's officers to be able to demonstrate due care?
     • It is a continuous process for the employee: every year they need to undergo an exam on a particular topic.
     • They should be taught how negligence affects the company's growth and how critical the data is to the company.
     • They should be well trained to be proactive.
  13. Integration with Aetna's Business Conduct and Integrity Training Program
     • Addresses various facets of information security
     • Role-based exams were introduced
     • Monitoring tools were introduced
     • Emphasis was placed on regulatory compliance, privacy policy, passwords, integrity, etc.
     • Previously the focus was on HIPAA, but after integration this was neglected
     • Focus was narrowed down
  14. Why is it considered good practice for an organization to have its users officially sign off on its security policy?
     • The users confirm that they will adapt themselves to the policies of the organization.
     • Assurance that the users will not violate the policy and procedures in the future.
     • If a violation does occur, the signed security policy document serves as evidence during scrutiny.
     • Confidentiality: limits information leakage between departments and outside the organization.
  15. Quantitative and qualitative factors to consider when justifying the program's expense
     • Quantitative data are not readily available, as systems are evolving and new risks are emerging.
     • It is important not to let the process jeopardize the security and safety of the program by taking too long to make a funding decision.
     • Qualitative research involves interviews with the people responsible for security awareness programs. The data from these interviews are analyzed to find commonly reported answers and experiences.
     • From an analytic perspective, this data helps mitigate concerns about small sample sizes. It is analyzed to determine which security awareness measures are considered effective.
     • Successful measures were also extrapolated from the factors that led to failures. For example, a critical failing of most security awareness programs is that they did not collect metrics before beginning the program.
  16. Success factors for information security management
     • Security policy, objectives and activities that properly reflect business objectives
     • Clear management commitment and support
     • Proper distribution of, and guidance on, the security policy to all employees and contractors
     • Effective 'marketing' of security to employees (including managers)
     • Provision of adequate education and training
     • Understanding of security risk analysis, risk management and security requirements
     • An approach to security implementation that is consistent with the organization's own culture
     • A balanced and comprehensive measurement system to evaluate the performance of information security management and feed back suggestions for improvement
  17. Wake Up!!! We're saying