Introduction
• Aetna was founded in 1853 in Hartford, Connecticut.
• Offered life, liability, property, casualty, fidelity and other insurance.
• Insured projects such as the Hoover Dam and the National Archives building.
• 1960: went international.
• By 1981 had operations in 8 countries.
• 1990: stopped issuing individual life insurance.
• Focused on healthcare and group benefits insurance.
• Became the largest healthcare company in North America.
Prior to 1987
• Computer Security: security policy
• Information Systems: backup and disaster recovery planning
• Facilities Risk Management: security, safety and insurance
1987: all three functions consolidated
1990: hired Janus Associates
Centralized security administration and policy making
Information Security at Aetna
ISPP Group
• ISPP group of 5 members
• Reports to the CIO
• ISPP and Security Services co-chair the ISC
• Responsible for the information security awareness program
• SecurNet portal, accessories, newsletters, lunches, posters, InfoSec Exam
InfoSec Exam
• Mandatory exam delivered through SecurNet
• Modules
• Role-based exams
• Development outsourced to a local eLearning vendor
• Usability testing, quality assurance, stress testing
• Implementation
• Help Desk / Desktop support
• Emails sent in phases
• Certificates
Why were others not as successful as Aetna?
• Implementing a successful security awareness program is an essential step in enhancing security within any organization.
• An organization must understand that risk and security awareness are closely related. To reduce, or perhaps eliminate, risk, an organization's employees must operate at an acceptable level of awareness.
• Most organizations failed (in that period) to implement a successful security awareness program because they thought it was simply a matter of pushing general information to the user (employee) and hoping for the best.
Reasons for the success of Aetna's security awareness program
• Understanding the importance of security awareness was the reason for Aetna's success.
Aetna was clear about two facts:
• Security systems cannot help the organization if people don't act on them.
• There is a high chance of increased people-oriented vulnerability from within the organization if a user makes a mistake.
One should engage the audience to create awareness. Aetna engaged its audience through a systematic approach. Through this approach the employees not only received the complete company information security training, but also a tailored module related to their everyday working environment, which strengthened their relationship with information security.
The Systematic Approach: formal and informal channels
• Security awareness tutorials
• Testing
• Formal presentations
• Newsletters
• Lunch meetings
• Discussion groups
• Posters
• Physical reminders such as pens
Take an extreme situation!!
• Your IT systems are hacked.
• Your company's financial results are leaked to the media.
• Your confidential business plans are compromised.
• Your employees' personal files are posted on the internet.
• The market loses confidence in your organization.
• Forget the extreme case!! Even a small-scale security breach could leave your business without access to its critical IT systems for hours or days.
How is ISPP, a small group, able to handle the InfoSec exam for more than 27000 Aetna employees?
• ISPP is placed high in the organizational structure
• Reports directly to the CIO
• ISPP and Security Services served as co-chairs of the Information Security Committee (ISC)
• Systematic approach to designing the exam
• Continuous improvement in conducting the exam
• Outsourced exam development
• Tested for quality and stress
• Implemented the exam in phases
Why are amateur computer users used for testing?
• Amateur computer users struggle most with online training
• Helps the usability labs design an exam for everyone in the company regardless of computer skills, and with less frustration
This makes Aetna confident that anyone in the company can answer the exam.
Four Security Awareness Solution Providers
Fishnet Security, Global Learning Systems, Vigitrust, Dell Security Networks
Services and topics covered:
• PCI compliance
• Definition of key cyber security awareness terms
• Data security: trade secrets, customer data, employee data
• Security testing and assessments
• Identity and access management
• Practical examples of security threats and vulnerabilities
• Physical security: access to buildings, IT hardware
• Compliance and certification services
• Data security and privacy
• Importance of individual responsibility
• People security: partners, visitors, permanent and contract staff
• Residency services
• Application security, mobile security, phishing, identity theft
• Infrastructure security: networks, remote sites, website, applications, intranet
• Security and governance program development
• Security and network integration
• Threats and virus protection, physical security
• Crisis management: emergency response plans, disaster recovery plans, business continuity plans
Security awareness training programs
• It is a continuous process for the employee; every year they need to undergo an exam on a particular topic
• They should be taught how negligence affects the company's growth and how critical the data is to the company
• They should be well trained to be proactive
Why is it important for a company's officers to be able to demonstrate due care?
Integration of Aetna's Business Conduct and Integrity Training Program
• Addresses various facets of information security
• Role-based exams were introduced
• Monitoring tools were introduced
• Emphasis was placed on regulatory compliance, privacy policy, passwords, integrity, etc.
• Previously they focused on HIPAA, but post-integration they neglected it
• Focus was narrowed down.
Why is it considered good practice for an organization to have its users officially sign off on its security policy?
• The users confirm that they will adapt themselves to the policies of the organization.
• Assurance that the users will not violate the policy and procedures in the future.
• In the event of a violation, the signed security policy document acts as evidence for scrutiny.
• Confidentiality against information leakage between departments and outside the organization.
Quantitative and qualitative factors to consider while justifying the program's expense
• Quantitative data are not readily available, as systems are evolving and new risks are emerging.
• It is important not to allow the process to jeopardize the security and safety of the program by taking too long to make a funding decision.
• Qualitative research involves interviews with the people responsible for the security awareness programs. The data from these interviews are analyzed to find commonly reported answers and experiences.
• From an analytic perspective, this data helps mitigate concerns about small sample sizes. It is analyzed to determine which security awareness measures are considered effective.
• Successful measures were also extrapolated from the factors that led to failures. For example, a critical failing of most security awareness programs is that they did not collect metrics before beginning the awareness program.
• Security policy, objectives and activities that properly reflect business objectives
• Clear management commitment and support
• Proper distribution of, and guidance on, the security policy to all employees and contractors
• Effective 'marketing' of security to employees (including managers)
• Provision of adequate education and training
• Understanding of security risk analysis, risk management and security requirements
• An approach to security implementation that is consistent with the organization's own culture
• A balanced and comprehensive measurement system to evaluate the performance of information security management and feed back suggestions for improvement.
Wake Up!!!
We’re saying