Aetna information security assurance program

Date post: 18-Nov-2014
Upload: siddharth-janakiram
Page 1: Aetna information security assurance program

Introduction

• Aetna was founded in 1853 in Hartford, Connecticut.
• It offered life, liability, property, casualty and fidelity insurance, among other lines.
• It insured projects such as the Hoover Dam and the National Archives building.
• 1960: went international.
• By 1981 it had operations in 8 countries.
• 1990: stopped issuing individual life insurance and focused on healthcare and group benefits insurance.
• It became the largest healthcare company in North America.

Information Security at Aetna

Prior to 1987, three separate functions covered what is now information security:

• Computer Security: security policy
• Information Systems: backup and disaster recovery planning
• Facilities Risk Management: security, safety and insurance

In 1987 these were consolidated. In 1990 Aetna hired Janus Associates, and security administration and policy making were centralized.

ISPP Group

• The ISPP group has 5 members.
• It reports to the CIO.
• ISPP and Security Services co-chair the Information Security Committee (ISC).
• It is responsible for the information security awareness program: the SecurNet portal, accessories, newsletters, lunches, posters and the InfoSec exam.

InfoSec Exam

• Mandatory exam, delivered through SecurNet
• Organized into modules
• Role-based exams
• Development outsourced to a local eLearning vendor
• Usability testing, quality assurance and stress testing
• Implementation: help desk / desktop support; emails sent in phases; certificates

Why were others not as successful as Aetna?

• Implementing a successful security awareness program is an essential step in enhancing security within any organization.
• An organization must understand that risk and security awareness are closely related. To reduce, or perhaps eliminate, risk, an organization's employees must operate at an acceptable level of awareness.
• Most organizations in that period failed to implement a successful security awareness program because they assumed it was simply a matter of pushing general information at the user (employee) and hoping for the best.

Reasons for the success of Aetna's security awareness program

• Understanding the importance of security awareness was the reason for Aetna's success.

Aetna was clear about two facts:

• Security systems cannot help the organization if people do not act on them.
• The likelihood of people-oriented vulnerabilities arising from within the organization rises sharply when a user makes a mistake.

One should engage the audience to create awareness. Aetna engaged its audience through a systematic approach: employees received not only the complete company information security training, but also a tailored module related to their everyday working environment, which strengthened their relationship with information security.

The Systematic Approach

Formal:
• Security awareness tutorials
• Testing
• Formal presentations

Informal:
• Newsletters
• Lunch meetings
• Discussion groups
• Posters
• Physical reminders such as pens

Take an extreme situation:

• Your IT systems are hacked.
• Your company's financial results are leaked to the media.
• Your confidential business plans are compromised.
• Your employees' personal files are posted on the internet.
• The market loses confidence in your organization.

Leave that aside: even a small-scale security breach could leave your business without access to its critical IT systems for hours or days.

How is ISPP, a small group, able to handle the InfoSec exam for more than 27,000 Aetna employees?

• ISPP is placed high in the organizational structure, reporting directly to the CIO.
• ISPP and Security Services serve as co-chairs of the Information Security Committee (ISC).
• A systematic approach to designing the exam.
• Continuous improvement in conducting the exam.
• Outsourced exam development.
• Tested for quality and under stress.
• Implemented the exam in phases.

Why are amateur computer users used for testing?

• Amateur computer users struggle most with online training.
• Testing with them helps the usability lab design an exam that everyone in the company can take, regardless of computer skills, with less frustration.

This gives Aetna confidence that anyone in the company can complete the exam.

Four Security Awareness Solution Providers

Fishnet Security, Global Learning Systems, Vigitrust, Dell security networks

Services and topics covered by these providers include:

• PCI compliance
• Definition of key cyber security awareness terms
• Data security: trade secrets, customer data, employee data
• Security testing and assessments
• Identity and access management
• Practical examples of security threats and vulnerabilities
• Physical security: access to buildings, IT hardware
• Compliance and certification services
• Data security and privacy
• Importance of individual responsibility
• People security: partners, visitors, permanent and contract staff
• Residency services
• Application security
• Mobile security, phishing, identity theft
• Infrastructure security: networks, remote sites, website, applications, intranet
• Security and governance program development
• Security and network integration
• Threats and virus protection
• Physical security
• Crisis management: emergency response plans, disaster recovery plans, business continuity plans
• Security awareness training programs

Why is it important for a company's officers to be able to demonstrate due care?

• It is a continuous process for the employee: every year they must take an exam on a particular topic.
• Employees should be taught how negligence affects the company's growth and how critical the data is to the company.
• They should be well trained to be proactive.

Integration of Aetna's Business Conduct and Integrity Training Program

• Addresses various facets of information security.
• Role-based exams were introduced.
• Monitoring tools were introduced.
• Emphasis was placed on regulatory compliance, privacy policy, passwords, integrity, etc.
• Previously the training focused on HIPAA; after the integration that focus was neglected.
• The focus was narrowed.

Why is it considered good practice for an organization to have its users officially sign off on its security policy?

• Users acknowledge that they will adapt themselves to the organization's policies.
• It provides assurance that users will not violate the policy and procedures in the future.
• If a violation does occur, the signed security policy document serves as evidence for scrutiny.
• It supports confidentiality by deterring leakage of information between departments and outside the organization.

Quantitative and qualitative factors to consider when justifying the program's expense

• Quantitative data are not readily available, because systems are evolving and new risks are emerging.
• It is important not to let the process jeopardize the security and safety of the program by taking too long to make a funding decision.
• Qualitative research involves interviews with the people responsible for security awareness programs. The data from these interviews are analyzed to find commonly reported answers and experiences.
• From an analytic perspective, this data helps mitigate concerns about small sample sizes. It is analyzed to determine which security awareness measures are considered effective.
• Successful measures were also extrapolated from the factors that led to failures. For example, a critical failing of most security awareness programs is that they did not collect metrics before beginning the awareness program.

Page 17: Aetna information security assurance program

• Security policy, objectives and activities that properly reflect business objectives
• Clear management commitment and support
• Proper distribution of, and guidance on, the security policy to all employees and contractors
• Effective 'marketing' of security to employees (including managers)
• Provision of adequate education and training
• Understanding of security risk analysis, risk management and security requirements
• An approach to security implementation that is consistent with the organization's own culture
• A balanced and comprehensive measurement system to evaluate the performance of information security management and feed back suggestions for improvement

Page 18: Aetna information security assurance program

Wake Up!!!

We’re saying

