Surviving a Security Audit
Janet L. Bonds, AVP Technology and Controls, www.inginvestment.com
Post on 19-Aug-2020


TRANSCRIPT

Page 1: Surviving a Security Audit - Aventri… · U.S. GDP growth for the first quarter was revised modestly downward, as spending on IT equipment and software was slower than originally

Surviving a Security Audit

Janet L. Bonds, AVP Technology and Controls

www.inginvestment.com

Page 2

What’s in the Survival Kit: Agenda

• ING Investment Management
• Compliance: The rules, they are a changin’
• Strategies: So Many Rules, So Little Time
• Implementing Solutions:
  – Change Management
  – Security
• Creating a Culture of Compliance

Page 3

ING Investment Management

ING Investment Management is a leading global asset manager.
• Manages approximately €343 billion of assets for institutions and individual investors worldwide.
• Principal asset manager of ING Group, the global financial services company.
• Over 3,300 employees
• An investment presence in 33 countries across the Americas, Asia-Pacific, Europe and the Middle East
• Provides clients with access to domestic, regional and global investments.

www.inginvestmentmanagement.com

Page 4

Investment Capabilities

Our investment mission: Find unrecognized value ahead of consensus.

Page 5

Awesome Research & Analysis…

News: May 28, 2010
After a choppy start to the week, global markets got some relief on reassurances from China that it didn’t intend to sell its European debt holdings. China’s vote of confidence also inspired some strength in the euro, allowing the currency to rebound from a near four-year low versus the dollar. However, both U.S. markets and the euro lost momentum on Friday on a downgrade of Spanish debt. U.S. GDP growth for the first quarter was revised modestly downward, as spending on IT equipment and software was slower than originally thought. The revised data do not alter our belief that the U.S. business cycle is shifting from initial recovery to a more sustainable expansion.

Source: ING IM, FactSet, Bloomberg

Page 6

Information Security Threats

Every time [some software engineer] says, “Nobody will go to the trouble of doing that,” there’s some kid in Finland who will go to the trouble.
- Alex Mayfield

Page 7

Compliance: The rules, they are a changin’

Rules are put in place to keep bad things from happening…
Then, another bad thing happens.
More rules…

Page 8

Compliance: The rules, they are a changin’
Laws and Regulations

• Sarbanes-Oxley
  – Requires a risk-based approach to both business and IT processes
  – Annual testing and certification
• JSOX in Japan
• Loi de Sécurité Financière in France
• Bill 198 / CSA 52-313 in Canada

Page 9

Compliance: The rules, they are a changin’
Laws and Regulations

• Basel II
  – Basel II is an international standard used by banking regulators to determine how much capital banks need to put aside to guard against the types of financial and operational risks they face.
• Solvency II
  – Solvency II creates EU-wide requirements for all companies to have a risk-based approach towards determining capital adequacy to reduce the likelihood of failure.

Page 10

Compliance: The rules, they are a changin’
Laws and Regulations

• SEC
  – Requires maintaining records of trades and communication about registrants.
• Anti-Money Laundering (AML)
  – Financial companies around the globe are required to monitor, investigate and report transactions of a suspicious nature.
  – Requires reporting to the central bank in the country where the money laundering is suspected.
• States: California, Massachusetts… more to follow

Page 11

Compliance: The rules, they are a changin’
Laws and Regulations

• PCI DSS, the Payment Card Industry Data Security Standard
  – Designed to prevent credit card fraud, hacking and various other security vulnerabilities and threats.
  – Aimed at financial institutions, Internet vendors and retail merchants
  – Developed by the credit card companies

Page 12

Compliance: The rules, they are a changin’

“The young man knows the rules but the old man knows the exceptions.”
- Oliver Wendell Holmes

Page 13

Strategy… is all about balancing risk and controls

Too Many Controls?

Page 14

Strategy: So Many Rules, So Little Time

• Develop a strategy for individual rule compliance
  – Not sustainable
  – Costly
  – Maintain individual rules
• Develop a strategy for overall compliance
  – Potential for leaving holes, depending on the auditor
  – Less costly, more efficient

Page 15

Strategy: So Many Rules, So Little Time

• Documented the ideal state
• Documented ING IM’s processes
• Identified gaps
• Acknowledge and accept risk

Page 16

Strategy: So Many Rules, So Little Time

“If everything is in control, you don’t go fast enough.”
- Mario Andretti

Page 17

Implementing Solutions: Change Management

About ING IM’s environment
• Developers have access through an emergency secondary ID
• Primarily vendor/purchased applications
• Three environments, not four

Controls
• CyberArk Vault stores IDs and passwords
  – Infra
• Proprietary system that forces the creation of a ticket when an ID is checked out
• Systematic process to determine when and what code is changed, to ensure it is tied to a ticket
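The last two controls describe a reconciliation: every checkout of an emergency secondary ID produces a ticket, and every production change should map back to one. The Python below is an added illustration of that check, not ING IM’s proprietary system; the record layouts, the `grace` window, the account names, ticket numbers, paths and timestamps are all constructed.

```python
"""Reconcile production changes against vault checkouts of emergency IDs
(constructed illustration of this slide's control: each checkout forces a
ticket, so every change made with that ID should fall inside a window)."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional

@dataclass(frozen=True)
class Checkout:
    account: str        # emergency secondary ID taken from the vault
    ticket: str         # ticket the vault forced the requester to create
    start: datetime     # checkout time
    end: datetime       # check-in time

@dataclass(frozen=True)
class Change:
    account: str        # ID that made the change (from the change log)
    target: str         # what was changed: file, table, config item
    at: datetime

def ticket_for(change: Change, checkouts: List[Checkout], grace: timedelta = timedelta(0)) -> Optional[str]:
    """Ticket whose window covers the change, or None. 'grace' (assumed) tolerates writes just after check-in."""
    for c in checkouts:
        if c.account == change.account and c.start <= change.at <= c.end + grace:
            return c.ticket
    return None

def reconcile(changes: List[Change], checkouts: List[Checkout]):
    """Split changes into (tied, untied); tied entries are (change, ticket) pairs."""
    tied, untied = [], []
    for ch in changes:
        t = ticket_for(ch, checkouts)
        if t:
            tied.append((ch, t))
        else:
            untied.append(ch)
    return tied, untied

# Constructed sample data: two checkouts, four production changes
CHECKOUTS = [
    Checkout("dev_jsmith_sec", "CHG-1042", datetime(2010, 5, 3, 9, 0), datetime(2010, 5, 3, 11, 30)),
    Checkout("dev_alee_sec", "CHG-1050", datetime(2010, 5, 4, 14, 0), datetime(2010, 5, 4, 15, 0)),
]
CHANGES = [
    Change("dev_jsmith_sec", "/prod/app/config.xml", datetime(2010, 5, 3, 10, 15)),    # inside CHG-1042
    Change("dev_jsmith_sec", "/prod/app/lib/core.dll", datetime(2010, 5, 3, 18, 45)),  # hours after check-in
    Change("dev_alee_sec", "PROD.TRADES (table)", datetime(2010, 5, 4, 14, 20)),        # inside CHG-1050
    Change("svc_batch", "/prod/app/jobs/nightly.bat", datetime(2010, 5, 4, 2, 0)),      # no checkout on record
]
if __name__ == "__main__":
    tied, untied = reconcile(CHANGES, CHECKOUTS)
    for ch, t in tied:
        print(f"OK      {ch.at:%Y-%m-%d %H:%M}  {ch.account:<15} {ch.target:<26} {t}")
    for ch in untied:
        print(f"UNTIED  {ch.at:%Y-%m-%d %H:%M}  {ch.account:<15} {ch.target}")
```

The untied list is what goes to the auditor: a change made with a checked-in ID, and a change by an ID that never went through the vault at all.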

Page 18

Implementing Solutions: Security

Access to Programs and Data
• AUTHENTICATION and ACCESS
  – Ensure user identification and passwords are maintained
  – Define responsibilities for maintaining identification and passwords
  – Create password standards
• PERIODIC REVIEWS and ROLE-BASED ACCESS
  – Create and maintain role-based access
  – Define roles within applications and across applications
  – Control identification, authentication, and access
  – Review roles
  – Review access

Page 19

Implementing Solutions: Security

Access to Programs and Data
• GRANTING and REVOKING ACCESS
  – Requesting and granting access
  – Types of accounts that can be granted
  – Control over generic and service IDs
  – Revoking access
  – HR exiting process
  – Account inactivity process
• Tools:
  – ARS
  – Proprietary review application (RBAC)
  – Proprietary application to remove users with inactivity over 60 to 90 days

Page 20

Implementing Solutions: Security

Secure configuration of the infrastructure (operating systems, database systems, and network components)
• REVIEW OF THE OPERATING SECURITY GUIDELINES’ IMPLEMENTATION
  – Reviews of the Guidelines
  – Performing the Review
  – Confirmation of Implementation
• Tools:
  – SMS
  – nCircle Compliance Monitor

Page 21

Implementing Solutions: Security

Security Monitoring
• Monitoring Electronic Communication
  – Symantec IM Manager (SIM) logs instant messaging traffic. SIM is interoperable with AOL, MSN and Yahoo Instant Messaging systems, as well as with the internal Microsoft LCS IM system, and logs all instant messenger conversations in ING IM’s KVS Vault for archiving and Compliance review. Usage requires approval from Compliance.
  – KVS Vault logs e-mail traffic that traverses ING IM’s e-mail infrastructure.
  – Websense blocks usage of Webmail. Exceptions to these blocks require approval from Compliance.
  – MetaMessage logs the usage of Blackberry PIN and SMS.

Page 22

Implementing Solutions: Security

Security Monitoring
• Monitoring and assessing database activities
  – IIM uses Guardium monitoring and reporting capabilities to capture:
    – failed logon attempts,
    – direct access modifications,
    – failed executions,
    – developer activity by primary and secondary ID, and
    – suspicious production activity such as the execution of DDL and DML statements.
• Monitoring and assessing network file-level activities
  – IIM utilizes nCircle Configuration Compliance Manager (formerly Cambia CM).
  – Identifies any asset within the IIM network
  – Monitors file changes, updates and removals in the production environment
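As an added illustration of the database monitoring categories just listed (not Guardium’s own format or rules), the Python below scans constructed audit rows and flags repeated failed logons, failed executions, DDL/DML run in production under developer primary or secondary IDs, and modifications made outside the sanctioned application path. The CSV layout, the `dev_`/`_sec` naming convention, the client names, the `PROD`/`UAT` labels and the threshold are all assumptions.

```python
"""Flag the database events an audit will ask about, from constructed audit rows.
Added illustration of this slide's monitoring categories; row layout, naming
convention, client names and threshold are assumptions, not Guardium's own."""
import csv
import io
from collections import Counter

DDL = {"CREATE", "ALTER", "DROP", "TRUNCATE", "GRANT", "REVOKE"}
DML = {"INSERT", "UPDATE", "DELETE", "MERGE"}
DEV_PREFIX = "dev_"             # assumed: primary IDs dev_x, secondary IDs dev_x_sec
FAILED_LOGON_THRESHOLD = 3      # assumed: alert on the third failure per user
APP_CLIENTS = {"app-server"}    # assumed: the only sanctioned path for writes

# Constructed sample rows: ts,db,user,client,status,sql (no commas inside sql)
AUDIT_CSV = """ts,db,user,client,status,sql
2010-05-03T09:01:00,PROD,app_trading,app-server,OK,UPDATE positions SET qty=10 WHERE id=7
2010-05-03T09:02:10,PROD,dev_jsmith,sqlplus,FAIL,LOGON
2010-05-03T09:02:15,PROD,dev_jsmith,sqlplus,FAIL,LOGON
2010-05-03T09:02:20,PROD,dev_jsmith,sqlplus,FAIL,LOGON
2010-05-03T09:03:00,PROD,dev_jsmith_sec,sqlplus,OK,ALTER TABLE trades ADD note VARCHAR(200)
2010-05-03T09:04:00,PROD,dev_jsmith_sec,sqlplus,OK,DELETE FROM trades WHERE id=42
2010-05-03T09:05:00,UAT,dev_alee,sqlplus,OK,DROP TABLE scratch
2010-05-03T09:06:00,PROD,app_trading,app-server,FAIL,INSERT INTO trades VALUES (...)
2010-05-03T09:07:00,PROD,dba_ops,toad,OK,UPDATE limits SET max_notional=5e8 WHERE desk='FX'
"""

def statement_kind(sql):
    """Classify by leading keyword: 'LOGON', 'DDL', 'DML' or 'OTHER'."""
    verb = sql.strip().split(" ", 1)[0].upper()
    return "LOGON" if verb == "LOGON" else "DDL" if verb in DDL else "DML" if verb in DML else "OTHER"

def review_events(csv_text):
    """Return (category, user, detail) findings in input order."""
    findings, failed = [], Counter()
    for row in csv.DictReader(io.StringIO(csv_text)):
        kind, prod = statement_kind(row["sql"]), row["db"] == "PROD"
        if kind == "LOGON":
            if row["status"] == "FAIL":
                failed[row["user"]] += 1
                if failed[row["user"]] == FAILED_LOGON_THRESHOLD:   # fire once per user
                    findings.append(("failed-logons", row["user"], f"{FAILED_LOGON_THRESHOLD} failures on {row['db']}"))
            continue
        if row["status"] == "FAIL":
            findings.append(("failed-execution", row["user"], row["sql"]))
        if prod and kind in ("DDL", "DML") and row["user"].startswith(DEV_PREFIX):
            findings.append((f"developer-{kind.lower()}-in-prod", row["user"], row["sql"]))
        elif prod and kind == "DML" and row["client"] not in APP_CLIENTS:
            findings.append(("direct-access-modification", row["user"], f"{row['client']}: {row['sql']}"))
    return findings

if __name__ == "__main__":
    for cat, user, detail in review_events(AUDIT_CSV):
        print(f"{cat:<28} {user:<15} {detail}")
```

The UAT row produces nothing, which is the point of scoping the DDL/DML rule to production: developers are expected to change lower environments, and the emergency secondary ID is what makes a production change reviewable.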

Page 23

Implementing Solutions: Security

Security Monitoring
• eSentire provides comprehensive security consulting and security monitoring services designed to keep IIM’s infrastructure secure and running.
• eSentire provides:
  – Vulnerability assessments,
  – Managed security monitoring, and
  – Incident notification/response.
• IIM utilizes three of eSentire’s services:
  – Element
  – Cyclops
  – Sniper

Page 24

Implementing Solutions: DB to Track System Information

• Capture risk ratings for all applications
  – Confidentiality, integrity, and availability
• Record all gaps in security
• Record acknowledgement of individual system risks and overall process risks
• Operations security guidelines
  – System configurations
  – What and how to monitor
• Vendor evaluations

Page 25

Creating a Culture of Compliance

The 5 Stages of Compliance Maturity:
• Stage 1: Compliance by Harassment
• Stage 2: Compliance by Fear
• Stage 3: Compliance by Confusion
• Stage 4: Compliance by Awareness
• Stage 5: Compliance by Culture

Page 26

Stage 1: Compliance by Harassment

Individual: “Ok, fine. I’ll do it, just leave me alone…”
Management: “What do you mean? We have to do ‘what’? Have you done that yet?”
Perception of Regulations: “This is the dumbest thing. When will those regulators get a clue!”
Indication of: Denial
How to help the organization move to the next stage:
– Meet with individuals assisting with the audit, not just management
– Discuss the purpose of compliance and role of security
– Discuss what could go wrong

Page 27

Stage 2: Compliance by Fear

Individual: “I’ll do whatever you ask, just don’t hurt me…”
Management: “Who do I need to fire?”
Perception of Regulations: “Who authorized that, and that, and that, and that, and that…” “I wonder who did something wrong…”
Indication of: Panic if it isn’t done right
How to help the organization move to the next stage:
– Discuss past issues
– Discuss current issues
– Make yourself available for questions

Page 28

Stage 3: Compliance by Confusion

Individual: “I’m going to file a change control for EVERYTHING! If at first you don’t pass the audit, document, document, document…”
Management: “Are you sure ‘red’ is the right color for your database? Is it the right color of red; it might be too pink? Did you run this by audit?”
Perception of Regulations: “Really, I’ve got to document that too… Don’t they know how to work the system… We will never need that documented. Yeah, you might need to document it under certain circumstances that could lead to the possibility of increased risk. EXCEPTION!”
Indication of: Paranoia
How to help the customer move to the next stage:
– Explain the risks to the business, customers
– Explain the risks, explain the risks, explain the risks…

Page 29

Stage 4: Compliance by Awareness

Individual: “This might be important, I should ask.”
Management: “What’s the risk to the business?”
Perception of Regulations: “These rules just might be important. Maybe they do know what they are talking about.”
Indication of: Willingness to learn
How to help the organization move to the next stage:
– Work with the customer to find out if they really understand risk assessment methodologies.
  – How to categorize risks
  – How to prioritize risks
  – How to monitor risks

Page 30

Stage 5: Compliance by Culture

Individual: “Our process says we should document, so I will.”
Management: “These are risks to our business, make sure you audit these areas. There is value in compliance.”
Perception of Regulations: “Doing great so far, but you can improve some processes in this way… Become best in class.”
Indication of: Desire to improve
How to help the organization move to the next stage:
– Encourage the business to convert risk-driven controls towards more automated preventative control implementations.

Page 31

Conclusion

By acknowledging and accepting risk, the company is stating that they are aware of the risk… and are willing to take the risk.

“If you know the enemy and know yourself you need not fear the results of a hundred battles.”
- Sun Tzu

Page 32

Thank You

Janet L. Bonds, AVP, Security and Controls
[email protected]