Scuttling Scalawags (cont.)
CIGNA's Craig Shumard on battling 21st-century pirates
To ensure the awareness program continues to evolve, IP conducts focus groups across the organization to help assess whether or not messages are getting through effectively to the entire employee base.
Shumard also oversees a team that focuses on vulnerability assessments and risk mitigation. "They do our penetration testing, review requests for exceptions to policies, and are responsible for our incident response. They monitor antivirus and email content filtering, and manage the relationship we have with Symantec for intrusion detection and intrusion prevention through Symantec's Managed Security Services offering, or with IBM, which we've contracted to manage ID access and password controls. IBM is also involved in our role-based access control (RBAC) process.
"Our RBAC program is very comprehensive. Most companies might perform RBAC for the top 200 or 300 applications; we do it for every application: over 1,700 roles and 1,800 sub-roles," Shumard says. "This further penetration is important based on the value of our information assets and potential risk."
Shumard's organization also manages the company's business continuity program, customer security inquiries and audits, security policies, and risk assessments. "Customer inquiries and audits continue to grow tremendously," Shumard says. "Customers care about how their information is protected and are expecting assurances that it is.
"In addition, since our entire program is risk based, we regularly talk to 200 to 250 employees, including the most senior people enterprisewide, to understand their security concerns. We then do more focused assessments, breaking down individual items looking at gaps, vulnerabilities, mitigation plans, or new projects we may have to implement. It is a comprehensive, revolving process that constantly factors in changes in the environment to our risk profiles. A compliance group ensures that policies and configuration are followed and issues are remediated."

What's it worth to you? To us?
Perhaps the most difficult measure to establish for many enterprises is to determine, on a case-by-case basis, acceptable levels of risk. For CIGNA, that meant long ago creating a risk assumption document. "We came up with a pretty extensive document that looks at various activities and the risks they pose to the enterprise," Shumard says. "As a company, the assumption of information protection risks is not widely distributed, with me and my area playing a key role and ultimate risk assumption authority residing with the CEO.
"When potential risks arise, we do our best to provide the business with alternatives, since these things are seldom clear yes or no issues. Sometimes those tactical alternatives are not ideal or they require more money be spent by the business unit, but the mitigation of risk is the driver and it's worked well over the past six-plus years."
Like many others, Shumard and CIGNA believe it is difficult to assign a financial risk to an exposure. "I take issue with folks who try to perform a cost-benefit analysis on information security issues because for the most part you're dealing with reputation risk: What's the cost of the company's reputation in the marketplace if they've had a serious breach? What's the cost of recovering from that?