Putting security and privacy issues front and centre

If Sun Life Financial Services of Canada Inc. had any doubts as to the importance of managing security, they were surely laid to rest the day after Carol Osler came to her new job as the company’s first vice-president, information security. She joined Sun Life on Sept. 10, 2001. The company had created the vice-presidency post in the context of global business requirements and “an increasing awareness on the part of our senior executives that there needed to be a more strategic emphasis on IT security worldwide,” Osler explains.

Sun Life Financial is an international financial services organization providing a diverse range of wealth accumulation and protection products and services to individuals and corporate customers. It is the holding company for Sun Life Assurance Company of Canada and the identity of a group of companies providing individuals and corporations with products and services that range from wealth accumulation and management to protection.

From headquarters in Toronto, Sun Life and its partners have operations in Canada, the United States, the United Kingdom, Hong Kong, the Philippines, Japan, Indonesia, India and Bermuda.

Osler describes her focus as one of “organizational governance, from an IT security perspective worldwide.” She accomplishes that, she says, by constructing policy standards and security programs with the company’s senior business leaders around the world.

“On the technical side, we have technical security and support that helps us run risk assessment, vulnerability scanning, mitigation strategies and incident response,” she says. “We’re running a series of worldwide programming that supports the efforts in our national offices where we also have security people who, in effect, enact and support the day-to-day operations.”

Having captured in 1996 the largest single piece of health insurance business in Canada — the Canadian federal government’s health insurance account — the company has been dealing with keeping medical records private and secure. That combined with addressing global privacy issues meant that Sun Life management already had in place strong privacy and security principles, says Osler. As a result, she expects Canada’s recent additional privacy legislation to have minimal impact.

“We’ve used the integration of the new legislation as a way of increasing organizational awareness, a way of joining and achieving synergies between security programming and privacy programming,” she explains. “Sun Life has been a worldwide company for some time. We’ve had privacy legislation in many countries prior to Canada’s enactment. And, as a result, the company has been well positioned to manage the new requirements here in Canada. To us, it’s a way of doing business.”

Keeping current

Osler keeps her executive colleagues current with security and privacy concerns and technology in several ways.

She participates in the EWA-Canada-hosted bi-weekly information exchange with security professionals from other financial organizations. (See sidebar.)

“The group was originally formed through folks from the Bank of Montreal,” she explains. “It’s a forum where 10 or 15 major financial institutions come in to a conference call on a bi-weekly basis. We generally talk about security trends, new technology, new issues on the marketplace. It’s an opportunity for us to cross-check with one another things like technology, organizations and critical security issues that are coming up on a week-to-week basis.”

In addition, Sun Life creates a monthly review of changes in legislation and new security alerts globally. Osler says she also assembles a monthly report to executives worldwide to bring to their attention security issues and changes in legislation and technology. She says it is “a way of keeping issues current with our senior executives, but also keeping trends of new legislation on the horizon for our executive group. We sort through those in terms of the issues that are more likely to have impact on our business.”

That monthly executive report also highlights findings related to the financial sector, i.e. complaints and responses, posted on the Web site of Canada’s privacy commissioner. She says these findings are viewed in the context of ‘What has been in front of the privacy commissioner that could impact our business, and how can we learn from those findings?’

Vendors trail business leaders

In general, Osler sees a positive trend toward heightened awareness and heightened concern with “business leaders really grabbing on to the notion that security and privacy are critical business enablers.” But she sees vendors as having a way to go so that security isn’t just an afterthought.

“I think the industry is still lacking in the area of building security up front,” she argues. “Microsoft has a pretty good marketing spin, but we have not seen their technology produce the kinds of root security technology that should be there. Their recent release of XP is an example of that. They released it, and a week after the release, there was a huge security vulnerability in it. The industry, I think, is strategically trying to position security in a more holistic way. But the evidence of that in real tangible results on the technology front? I don’t think we’ve seen that as of yet. I think there’s work to be done in the industry to integrate security in the front end of technology development.”

In addressing the challenge of defining ROI, she says Sun Life applies their risk assessment models to construct costs associated with both security and privacy risks against the cost of mitigation. “It helps us to begin to quantify the associated costs and risks associated with the vulnerabilities and that helps us get closer to defining our ROI. It isn’t a well-articulated business to date, so it is difficult, at times, to get the ROI that one is looking for. It’s about where you start in the spectrum. As a whole, in order to get to well-defined ROI, one must be able to define the cost of risk and the cost of mitigation. It’s a challenge, but I think it’s doable.”

Osler says Sun Life has a formal security and privacy program that helps effectively manage the protection of information across the company worldwide.

“We see the relationship between security and privacy as being symbiotic — you can’t do one without the other,” she says.

Overcoming privacy conflicts

Osler claims to have overcome the conflict between security and privacy by working with the company’s chief privacy officer in its Canadian operations and “getting really really clear about the legal implications.” She says they develop joint programs to increase awareness of both security and privacy issues. A “Respect and Protect” program is intended to increase organizational awareness on processes which relate to the way information is handled and managed.

“We’ve done things like crafted new computer log-on banners that advise users on our system about our requirements to monitor and its relationship to privacy,” she reports. “We’ve worked really hard to provide the right level of information to our user base and our employees about the need to monitor information from a security perspective, but doing it in a way that complies with the privacy legislation.

“It is true that these two things do bump up against one another,” she adds, “and security people would have a natural disposition to think that privacy gets in the way. In my personal view, it does not get in the way. It’s a way of cross-checking your application of security against some reasonable principles about privacy.

“My view is (that) we should tell people what we are doing. It acts as a deterrent from a security perspective to say ‘this system is being monitored under these conditions.’”

Keeping apprised of security and privacy concerns

Security specialists EWA-Canada, whose acronym stands for the militant-sounding name Electronic Warfare Associates, hosts and facilitates a security information exchange conference call in which Sun Life Financial’s CIO Carol Osler participates.

EWA prepares a report and agenda from information contributed by the participating financial organizations, with the organizations’ names removed so that the source of the information stays confidential. “They are a way of us sharing information without crossing any lines around the sharing of proprietary or classified information amongst the private sectors,” says Osler.

Beyond organizing the call on a bi-weekly basis, EWA-Canada provides access to trained IT security experts who are able to look at what is happening and present an analysis relevant to the client group. If a company has been attacked, for example, a report might reveal what happened to an anonymous firm and the discussion could revolve around what might be avoided another time with suggestions provided by EWA-Canada’s IT security expert. This twice-monthly information exchange forum is geared to the financial sector, but EWA-Canada reports it provides this and other services to other sectors and client groups.

The service is facilitated by Janet Chandler, manager of CanCERT, which EWA-Canada established in 1998 as “Canada’s first national Computer Emergency Response Team.”

The 24/7 operation monitors, collects and disseminates information related to networked computer threats, vulnerabilities, incidents and incident response for Canadian government, business and academic organizations – in collaboration with other “CERTs” and EWA companies around the world.

“This provides a pretty unique perspective of what is being seen out in the Internet,” says Chandler. “They compare themselves and get more of a sense of ‘am I being attacked more than others as a group’ or more than a company like EWA-Canada.

“One of the big problems with all these IDS (intrusion detection) systems and firewalls is they spew out so much information which must be analysed… We put out informational reports on a daily and weekly basis as well as alerts and advisories. All these are discussed during conference calls.”

EWA-Canada offices are located in Ottawa, St. John’s, Winnipeg and Edmonton. www.ewa-canada.com