Creating a Corporate Security Culture - PowerPoint PPT Presentation

Slides: 23
Provided by: searchsecu
Transcript and Presenter's Notes

1
Creating a Corporate Security Culture
  • Sara Santarelli
    Vice President, Network and Information
    Security
  • Chief Security Officer

2
Who We Are
  • MCI Headquarters Ashburn, Virginia
  • Voice and IP Data Communications
  • Leading global communications provider, with one
    of the most expansive global IP backbones and
    wholly-owned data networks
  • 2004 Revenue 21 B
  • 40,000 Employees
  • 33,000 Network Systems
  • 45,000 Computers
  • 21,000 Remote Users
  • 15,000 Servers
  • 8,400 Routers
  • 175 Firewall Filters
  • 80,000 AAA Transactions Per Day
  • 52,857 Machines Managed for Anti-virus
  • 212,000 Automated Password Resets per month

3
How We Secure It
  • Security Policies and Standards
  • Enterprise Security Task Force
  • Tiered Defense Strategy
  • Security Compliance Programs
  • Network Security Operations Center
  • Network Security Incident Response Team
  • Infrastructure Monitoring Data Collection
  • Industry and Governmental Collaboration
  • Denial of Service (DOS) Attack Mitigation

4
Changing the Corporate Culture
  • Build-In Security Governance
  • Develop Business Unit Partnerships
  • Consolidate multiple security organizations and
    technologies
  • Develop and implement proactive and predictive,
    enterprise-wide risk management processes
  • Centralize monitoring of network and systems
  • Make security a function of the business process

5
Build In Security Governance
  • Security Governance -- A Structured Process For:
      • Defining a company's security vision and strategy
      • Providing a roadmap for the implementation, evaluation, and
        improvement of information security practices
  • Some of the Drivers Behind MCI's Security Governance:
      • Executive Security Council
      • Enterprise Security Task Force (ESTF)
      • Minimum Security Baseline (MSB) Policies, Standards, and
        Practices
      • Security Awareness Programs

6
Security Governance
  • Executive Security Council
      • Provides oversight and direction to the ESTF
      • Executive representatives from:
          • Network and Information Security
          • Physical Security and Network Fraud
          • IT and Network Engineering
          • Legal, HR, and Internal Audit
  • Enterprise Security Task Force (ESTF)
      • 300 cross-organizational members
      • Matrix-managed security policy and standards development
      • Security awareness and education
      • Functional teams for security issue resolution

7
Develop Business Unit Partnerships
  • Security is part of the IT DNA
      • IT Video: The CIO and CSO
      • IT membership integration into the ESTF
      • Security is part of the application development life-cycle
  • Similar partnerships with Network Engineering, Network Operations,
    Legal, Human Resources, Sales and Marketing, etc.
  • The Executive Security Council and ESTF play pivotal roles in
    developing and supporting these partnerships

8
Security Consolidation
The CSO has global program control and functional direction for MCI's
Network and Information Security
  • Chairs the MCI Executive Security Council
  • VP of Network and Information Security
      • Network Security Operations Center
      • Annoyance Call Bureau
      • Internet Abuse
      • Security Engineering Services
      • Network System Security and Access Controls
      • Mainframe and Application Security
      • Law Enforcement Liaison

9
Risk Management Processes
  • The Threat Is Getting Worse (CSI/FBI, CERT, and Symantec)
  • Vulnerabilities: 2005 projected to have the highest number of
    threats since tracking began
      • 97% were either moderate or highly severe threats
      • 73% classified as easily exploitable threats
      • 59% associated with Web application technologies
  • Patching: Industry lags behind vulnerability disclosure
      • 6.0 days average time between disclosure of a vulnerability
        and release of the associated exploit
      • 54 days average time for vulnerability patch release
        (48 days lag time)

10
Proactive Predictive Security
  • Risk Prevention and Risk Management
      • Both are integral to proactive and predictive security
  • Operational Strategy
      • Patching
      • More frequent monitoring
      • Scanning Internet-facing devices more frequently than others
      • Higher security controls
  • Tiered Security Strategy
      • Firewalls and gateways
      • Remote access dial-up security
      • Midrange security configuration compliance tools
      • Virus defense (mail gateways, network and desktop)

11
Risk Management Processes
  • Security program risk assessment
      • Annual security program gap analysis
      • Use results to develop your strategic security plan
          • Drives projects
          • Drives budget
  • Security process audits
  • Internal and external penetration tests
      • Use a credible third party
      • Build on results to drive process changes

12
The Trust Me Model Doesn't Work
  • Compliance
      • Sarbanes-Oxley
      • Data Privacy Legislation
      • Gramm-Leach-Bliley
      • HIPAA
      • Visa CISP
      • Patriot Act
  • Increasing Risk
      • Business Disruption
      • Lost Revenue
      • Corporate Liability
      • Customer Trust
      • Shareholder Lawsuits
  • Complexity
      • Increased demand for access
      • Inconsistent environment
      • Lack of control
      • Keeping up with vulnerabilities
      • Threats from new technology

13
Centralize Network System Monitoring
  • Ensure the most critical assets have the highest level of
    security and are the most protected
  • Network Segmentation
      • Protects Against Internal and External Threats
      • Allows for Controlled Communication Between Segments
  • Centralized monitoring is critical to the executive reporting
    process

14
Centralize Network System Monitoring
  • Executive Dashboard
  • Risk Score Calculated
  • Key Benefits
      • Executive Dashboard to gauge risk levels at a glance
      • Ability to review security performance in relation to peers,
        company, and subordinates
      • View of the five worst systems at a glance
      • Detailed remediation instructions

15
Security as a Function of the Business Process
  • Security Compliance Management
      • Security Program Risk Assessment
      • Third Party Penetration Testing
      • Installation of Security Tools
      • Formal Exception Process
      • Dedicated Security Enforcement Team
      • Network Vulnerability Scanning and Testing

16
Security as a Function of the Business Process
  • Security Enforcement Management
  • Work prioritized using the following criteria:
      • Financial systems or systems containing privacy information
      • Publicly facing (DMZ) systems
      • Systems with services for which there are current threats
        and published exploits
  • Actions that may be taken:
      • Work with the SysAdmin to bring the system into compliance
      • Direct to an MSB exception when a remediation solution is not
        readily available
      • Escalate for non-cooperative owners/administrators
      • Quarantine if there is imminent risk to the network or
        computing infrastructure
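The prioritization criteria and the four enforcement actions on this slide together form a small triage procedure. The following is an added example written for this page; it is not code from the presentation or from MCI's own tooling. The criterion weights, the host names and states in the sample findings, and the order in which the action rules are checked are all assumptions made for the illustration.

```python
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Finding:
    """One non-compliant system as a security enforcement team would record it.

    The first three booleans are the slide's prioritization criteria; the
    last three describe the remediation state and decide the action.
    """
    host: str
    financial_or_privacy: bool   # financial system or holds privacy information
    public_facing: bool          # publicly facing / DMZ system
    exploit_published: bool      # runs a service with a current threat and a published exploit
    remediation_available: bool  # a patch or configuration fix is readily available
    owner_cooperative: bool      # owner/administrator is working the issue
    imminent_risk: bool          # immediate danger to the network or computing infrastructure


# Hypothetical weights (an assumption, not from the presentation): a published
# exploit outranks the asset-type criteria because it shortens the window
# between disclosure and attack.
WEIGHT_FINANCIAL_OR_PRIVACY = 3
WEIGHT_PUBLIC_FACING = 3
WEIGHT_EXPLOIT_PUBLISHED = 4


def priority_score(f: Finding) -> int:
    """Sum the weights of the slide's three prioritization criteria."""
    score = 0
    if f.financial_or_privacy:
        score += WEIGHT_FINANCIAL_OR_PRIVACY
    if f.public_facing:
        score += WEIGHT_PUBLIC_FACING
    if f.exploit_published:
        score += WEIGHT_EXPLOIT_PUBLISHED
    return score


def recommended_action(f: Finding) -> str:
    """Map the remediation state to one of the slide's four actions.

    The check order is an assumption: imminent risk is tested first so that
    a quarantine is never deferred by an exception or an escalation.
    """
    if f.imminent_risk:
        return "quarantine"
    if not f.owner_cooperative:
        return "escalate"
    if not f.remediation_available:
        return "msb-exception"
    return "remediate-with-sysadmin"


def triage(findings: List[Finding]) -> List[Tuple[str, int, str]]:
    """Return (host, score, action) in the order the team should work it.

    Imminent-risk systems come first regardless of score, then descending
    score; ties are broken by host name so the output is deterministic.
    """
    ordered = sorted(
        findings,
        key=lambda f: (0 if f.imminent_risk else 1, -priority_score(f), f.host),
    )
    return [(f.host, priority_score(f), recommended_action(f)) for f in ordered]


# Constructed sample findings: host names and states are made up for this example.
SAMPLE_FINDINGS = [
    Finding("web-dmz-01", False, True, True, True, True, False),
    Finding("pay-db-02", True, False, True, False, True, False),
    Finding("legacy-app-03", True, False, False, True, False, False),
    Finding("ftp-dmz-04", False, True, True, True, True, True),
]

if __name__ == "__main__":
    for host, score, action in triage(SAMPLE_FINDINGS):
        print(f"{host:<14} score={score:<2} action={action}")
```

Keeping the score and the action separate matters in practice: the score decides the order in which the enforcement team spends its time, while the action depends only on the remediation state, so a low-scoring system with a non-cooperative owner is still escalated and a high-scoring one with no available fix still goes through the formal MSB exception process rather than sitting open.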

17
The Most Overlooked Piece
  • People can make or break the best security
    program, so an on-going security awareness
    program remains a critical piece of any
    successful security program.
  • Treat security awareness like a marketing campaign
      • ESTF Team
      • Emails
      • Paycheck inserts
      • Video clips
      • New hire orientation
      • Portal login messages
      • Security posters

18
Security Awareness
Internal Network Login Portal
  • Rotating Security Awareness Messages
      • A password is like a toothbrush:
          • Use it every day
          • Change it periodically
          • Don't lend it to anyone

19
Security Awareness
Internal PayStub System
  • Rotating Security Awareness Messages
      • Don't think of a password as a way to get into your computer;
        think of it as a way to keep others out.

20
Security Awareness
Security One Source
  • Internal Security Portal
      • Linked from the Internal Company Portal
  • One-stop Shopping
      • All Security Services in One Place

21
Creating a Corporate Security Culture
In Conclusion
  • Build in security governance
  • Develop business unit partnerships
  • Consolidate multiple security organizations and technologies
  • Develop and implement proactive and predictive, enterprise-wide
    risk management processes
  • Centralize monitoring of network and systems
  • Make security a function of the business

22
Questions?