
Network pros 'make security happen,' CISO says

By Eric B. Parizo, SearchNetworking.com News Editor
06 Nov 2003 | SearchNetworking.com


ATLANTA -- Kenneth Tyminski is in an unenviable position. As chief information security officer for Prudential Insurance Company of America, he's the first one likely to receive blame when a network security snafu affects his company's bottom line.

But Tyminski told attendees at TechTarget's Networking Decisions conference that he rarely loses sleep over security, because, in reality, the burden for keeping the network safe isn't his alone.

The 30-year Prudential veteran said that a successful enterprise network security strategy must not only be based on a rigid, company-wide policy that keeps sensitive data in and viruses out, but must also allow the security burden to be shared equally among senior executives, junior network managers and everyone in between.

Most companies, Tyminski said, don't even know who is in charge of security, never mind have an established policy. By having a security officer in every major business unit, and then ensuring that those officers hold lower-level admins responsible when security problems occur, he said, his company encourages everyone to keep network defense in mind when performing day-to-day tasks.

Prudential augments that technique with a set of rigid security rules that includes automatically revoking unnecessary access privileges when an employee changes jobs, disabling print capabilities within some applications that use sensitive customer data, and denying developers access to production data.

"Whenever we can, we systematically enforce policy," Tyminski said. "Whether you like it or not, we make you change your password every 30 days, and we don't let you reuse it for a year. If you do, we make your life miserable."

That mindset applies to business partners as well. Tyminski said he recently delayed an IT project that would have saved Prudential $12 million annually because the vendor involved, whom he declined to name, decided not to share its security policy with him. Upon further review, Tyminski learned that was because the company didn't have a security policy.

Mapping the network on a monthly basis is another important element of the company's strategy. With a network the size of Prudential's -- four data centers, 5,000 servers in the United States and more than 60,000 network nodes overall -- unauthorized equipment is constantly finding its way onto the network.

During a recent scan, Tyminski said, admins discovered three unauthorized Wi-Fi hot spots and later, during a physical search, two more. The company also learned that one of its consultants was not only running more than a dozen unauthorized Linux machines on the network, but was also scanning network ports, all without explanation. Tyminski said that consulting relationship was soon terminated.

Though Prudential's strategy includes using IBM's Lotus Notes e-mail and instant messaging applications, along with SSH Communications Security Inc.'s Secure Shell, IntruShield from Network Associates Inc. and more, Tyminski said that hardware and software don't make the security policy a success.

"People are really what make or break security," Tyminski said. "Security people are especially valuable, but it's network people that really make security happen."

Olaf Gradin, a conference attendee and information services specialist for ConAgra Foods Inc., in Duluth, Ga., said that, as long as people are in charge of security, "There's no perfect system out there."

Gradin said that some of Tyminski's policies might help him get a better handle on remediation, especially for Microsoft's Windows operating system. He said it's a big issue for his company, which had to patch 20,000 systems overnight following word of a recent vulnerability.

Attendee David Amster, a vice president for Equifax Information Services LLC, in Alpharetta, Ga., said that for financial companies like his and Tyminski's, rigid policies are essential.


TechTarget is the organizer of Networking Decisions and owner of the family of Web sites that includes SearchNetworking.com.

FOR MORE INFORMATION:

See more of our special coverage of Networking Decisions.

Read Information Security magazine's profile: Defending the rock.


