ISE Central Executive Forum and Awards 2012

Transcription

1 ISE Central Executive Forum and Awards 2012 Company Name: Project Name: Presenter: Presenter Title: Sallie Mae Enterprise-Wide Continuous Monitoring & Vulnerability Management Brian Brush Director Corporate Security 1

2 Company Overview The nation s No. 1 financial services company specializing in education & helping families save, plan and pay for college Over 25 million student and parent customers Individual products / services, including college savings, scholarship search, education loans, tuition insurance and online banking Financial services to hundreds of college campuses as well as federal and state government agencies 2

3 Overview of Business Challenge Regulatory & Contractual Requirements FISMA, SOX, GLBA, PCI and SAS-70 s (Sallie Mae) FFIEC and State of Utah (Sallie Mae Bank ) SEC, FINRA & FTC (Upromise Rewards and Investments ) Budgetary & Operational Demands Need to increase monitoring capacity by ~200% within budget No disruptions to business environment (24x7) Security Requirements Enhance security by standardizing and expanding coverage for all environments and acquisitions Design processes first, then use ncircle to implement No gaps in coverage Risk Management & Compliance Provide compliance information as a by-product of security Ability to respond when requirements change 3

4 Project Goals Improve Quality of security & compliance Increase efficiency through Automation Improve effectiveness through process Optimization 4

5 Project Goals Improve Quality of security & compliance Increase efficiency through Manage Automation all entities with the Improve same effectiveness process through process Optimization Consistent enterprise risk management 5

6 Project Goals Improve Quality Automate of discovery & security scanning, & compliance no activitiesmanual lists Increase efficiency through Automation Improve effectiveness through Scan process Optimization continuously, not just for compliance 6

7 Project Goals Improve Scan Quality once, of security report & many compliance activities Design Increase adaptable efficiency processes through Automation Improve effectiveness through process Optimization 7

8 Initial State Assess by Business Affiliate 1 Sallie Mae Affiliate 2 Partners / / / / / / / / / / / / / / / / / / / / / / / / / /24 8

9 Initial State Compliance (Re)scan FISMA Contractual PCI Manual Effort 9

10 Project Results Security Sallie Mae Affiliate 1 Enterprise Security Partners Affiliate 2 CONTINUOUS SCANNING / / / / / / / / / / / / / / / / / / / / / / / / / /24 10

11 Project Results Compliance Contractual FISMA ncircle Suite Intelligence Hub PCI CONTINUOUS SCANNING

12 Project Results Coverage Assets Evaluated % Increase Initial Phase 1 (June) Phase 2 (August) Current (May) Future (2013) Legacy Scanner Both Systems New Assets 12

13 Project Results Annual Savings Savings by Year Year 1 Year 2 Year 3 Year 4 Year 5 Dollars Saved 13

14 Summary Implementation has already: Expanded coverage by 120% Reduced overall costs by 10% Eased compliance burden for Security team through more effective reporting Improved overall real security Coverage Cost 14

15 Lessons Learned Review All Assumptions Don t assume legacy decisions are valid Verify your network architecture Plan for user error Benefits of Continuous Monitoring Current threat & compliance information Provide intelligence to IT and Business Achieve Quick Wins Showing results is critical to keep momentum of multi-year program Value beyond Security Operations Security Can be leveraged across IA / Compliance Application Development 15