
Introduction

Aetna was founded in 1853 in Hartford, Connecticut.
Offered life, liability, property, casualty, fidelity insurance, etc.
Insured projects like the Hoover Dam and the National Archives building.
1960: went international.
By 1981 had operations in 8 countries.
1990: stopped issuing individual life insurance.
Focused on healthcare and group benefits insurance.
Became the largest healthcare company in North America.

Information Security at Aetna

Prior to 1987:
Computer Security: security policy
Information Systems: backup and disaster recovery planning
Facilities Risk Management: security, safety and insurance
In 1987 all were consolidated.
In 1990 hired Janus Associates.
Centralized security administration and policy making.

InfoSec Exam

ISPP Group
ISPP group of 5 members
Reports to the CIO
ISPP & Security Services co-chair the ISC
Responsible for the information security awareness program

Modules
Mandatory exam through SecurNet
Role-based exams
Development outsourced to a local eLearning vendor
Usability testing, quality assurance, stress testing

Implementation
SecurNet portal
Accessories: newsletters, lunches, posters
Help desk / desktop support
Emails sent in phases
Certificates

Why were others not as successful as Aetna?

Implementing a successful security awareness program is an essential step in enhancing security within any organization.
An organization must understand that risk and security awareness are closely related. To reduce, or perhaps eliminate, risk, an organization's employees must operate at an acceptable level of awareness.
Most organizations failed (in that period) to implement a successful security awareness program because they thought it was simply a matter of pushing general information to the user (employee) and hoping for the best.

Reasons for the success of Aetna's security awareness program

Understanding the importance of security awareness was the reason for Aetna's success.
Aetna was clear about two facts:
Security systems cannot help the organization if people don't act on them.
There is a high chance of increased people-oriented vulnerability from within the organization if a user makes a mistake.
One should engage the audience to create awareness. Aetna engaged its audience through a systematic approach. Through this approach the employees received not only the complete company information security training, but also a module tailored to their everyday working environment, which enhanced their relationship with information security.

The Systematic Approach

Security Awareness

Formal:
Tutorials
Testing
Formal presentations

Informal:
Newsletters
Lunch meetings
Discussion groups
Posters
Physical reminders like pens

Take an extreme situation!!

Your IT systems are hacked.
Your company's financial results are leaked to the media.
Your confidential business plans are compromised.
Your employees' personal files are posted on the internet.
The market loses confidence in your organization.

Leave that aside!! Even a small-scale security breach could leave your business without access to its critical IT systems for hours or days.

How is ISPP, a small group, able to handle the InfoSec exam for more than 27000 Aetna employees?

ISPP is placed high in the organizational structure, reporting directly to the CIO.
ISPP and Security Services serve as co-chairs of the Information Security Committee (ISC).
Systematic approach towards designing the exam.
Continuous improvement in conducting the exam.
Outsourced exam development.
Tested for quality and stress.
Implemented the exam in phases.

Why are amateur computer users used for testing?

Amateur computer users struggle most in online training.
This helps the usability labs design an exam for everyone in the company, regardless of computer skills and with less frustration.
This makes Aetna confident that anyone in the company can complete the exam.

Four Security Awareness Solution Providers

FishNet Security
Global Learning Systems
VigiTrust
Dell Security Networks
PCI compliance

Definition of key cyber security awareness terms

Data security: trade secrets, customer data, employee data
Physical security: access to building, IT hardware
People security: partners, visitors, permanent and contract staff
Infra security: networks, remote sites, website, applications, intranet
Crisis management: emergency response plans, disaster recovery plans, business continuity plans

Practical examples of security threats and vulnerabilities
Data security and privacy
Importance of individual responsibility
Application security
Mobile security
Phishing
Identity theft
Threats and virus protection
Physical security

Security testing and assessments
Identity and access management
Compliance and certification services
Residency services
Security and governance program development
Security and network integration
Security awareness training programs

Why is it important for the company's officers to be able to demonstrate due care?

It's a continuous process for the employee: every year they need to undergo an exam on a particular topic.
They should be taught how negligence affects the company's growth and how critical the data is to the company.
They should be well trained to be proactive.

Integration of Aetna's Business Conduct and Integrity Training Program

Addresses various facets of information security.
Role-based exams were introduced.
Monitoring tools were introduced.
Emphasis was given to regulatory compliance, privacy policy, passwords, integrity, etc.
Previously they focused on HIPAA, but post-integration they neglected it; the focus was narrowed down.

Why is it considered a good practice for an organization to have its users officially sign off on their security policy?

The users confirm that they will adapt themselves to the policies of the organization.
Assurance that the users will not violate the policy and procedures in the future.
In the event of a violation, the signed security policy document acts as proof for scrutiny.
Confidentiality: protection against information leakage between departments and outside the organization.

Quantitative and qualitative factors to consider while justifying the program's expense

Quantitative data are not readily available, as systems are evolving and new risks are emerging.
It is important not to allow the process to jeopardize the security and safety of the program by taking too long to make a funding decision.
Qualitative research involves interviews with the people responsible for the security awareness programs. The data from these interviews are analyzed to find commonly reported answers and experiences.
From an analytic perspective, this data assists in mitigating concerns about small sample sizes.
This data is analyzed to determine what security awareness measures are considered effective.
Successful measures were also extrapolated from the factors that led to failures. For example, a critical failing of most security awareness programs is that they did not collect metrics prior to beginning the awareness program.

Security policy, objectives and activities that properly reflect business objectives
Clear management commitment and support
Proper distribution of and guidance on the security policy to all employees and contractors
Effective 'marketing' of security to employees (including managers)
Provision of adequate education and training
Understanding of security risk analysis, risk management and security requirements
An approach to security implementation which is consistent with the organization's own culture
A balanced and comprehensive measurement system to evaluate the performance of information security management and feed back suggestions for improvement.

Wake Up!!!
We're saying
