Auditors are armed with a menacing regulatory stick. When they shake it and demand that a security manager demonstrate a comprehensive risk and vulnerability management program, there's little tolerance for excuses.
This was the nagging concern of Andreas Wuchner, Novartis AG's head of global IT security.
"You have to prove that you have done risk management on an ongoing basis--to show that you do your patch management, that you actively manage the security situation," Wuchner says. "[Two years ago,] we could not necessarily show that."
Uncertainty over Novartis' security posture was a function of isolation; security had limited visibility into remote locations operating in more than 140 countries. Some were keen on security, while others with fewer resources focused their priorities elsewhere. Baseline security policies were nearly impossible to enforce. Meanwhile, mandates outlined in Basel II, HIPAA and SOX were clearly not going away.
If they were going to survive an audit, the fiefdoms in the giant pharmaceutical's kingdom had to be dissolved.
That was more than 18 months ago. Since then, Novartis AG has hopped on the fast track toward aggressive security management, beginning with a high-level risk assessment and ending with an overhaul of the company's security policies and frameworks, and the development of centralized management systems.
Novartis manufactures prescription drugs used to treat cancer, cardiovascular disorders and nervous system malfunctions. The company also owns a consumer health division that manufactures Ex-Lax, Maalox, Theraflu and Gerber baby products. In 2004, Novartis' global sales reached $28.2 billion. Not only does it share data with business partners and service providers, the company has reams of intellectual property that needs to remain confidential yet selectively accessible.
Before Wuchner and Manfred Schreck, the head of group information security at Novartis, could pursue a centralized management system, they had to identify and prioritize the systems and information most at risk. Less formal risk assessments had been conducted every two years since the company was formed in 1996, but in 2004 a top-level assessment helped the pharmaceutical company turn the corner.
"There had been a lot of changes [since 1996], yet we were still living with our old information security policy and framework," Schreck said. "We had never looked at the overall change to the company's risk exposure."
Consultants interviewed three dozen top Novartis managers--including C-level executives, attorneys and IT managers in the U.S. and Europe--to assess current and future risks to information, which systems should be prioritized and what business processes were potentially at risk. According to Schreck, mobile devices were deemed the top emerging threat.
This shift from tactical to strategic thinking is something many enterprises strive for.
"Novartis' company-wide risk management reflects a far-reaching change in the role of the security manager, from firefighter to prevention professional," says Michael Rasmussen, VP of enterprise risk and compliance management research at Forrester Research.
Resource constraints and regulatory pressures are forcing companies to make business distinctions in their security decisions. Undergoing a risk assessment analysis, rather than just looking at a laundry list of system capabilities, is a wise decision, Rasmussen says.
"In the emerging model, the security manager must do just what Novartis has tried to do here: set the risk in a business context," Rasmussen says.
The fix begins at the policy level with rules that spell out, for example, the obligation of outside entities in an outsourcing arrangement to conform to internal security guidelines. Novartis makes this a contract requirement.
Schreck relies on checklists, too. He comes to a business partnership negotiation armed with a defined set of security questions and requirements, including internal audit-process requirements and a clear understanding of how information will be treated at the termination of a contract.
These diverse initiatives take their cue from a single baseline security policy that spells out the fundamental requirements for any IT implementation.
Checking Vital Signs
With baseline policies developed, there was still the matter of having visibility into Novartis' regional operations.
Novartis is a subscriber to Qualys' QualysGuard Enterprise managed service. Forty automated vulnerability scanners are deployed at Novartis locations worldwide and the information generated from the continuous scans, along with a database of vulnerability data provided by Qualys, are tailored to Novartis' needs. Wuchner and his teams used this customized data to develop their own version of the SANS/FBI Top 20 list of vulnerabilities, which guides the company in prioritizing its system and application resources. The list is the baseline used in the development of external and internal vulnerability management platforms. Front-end graphical interfaces, known as heat maps, were also built.
SeTraSys, short for Security Tracking System, is the external platform; it monitors 150 devices including Web servers, firewalls, routers and switches.
Kaizen--Japanese for "continuous improvement"--is the internal platform monitoring the 100,000 devices used by 81,500 employees.
Each front-end interface enables managers to determine at a glance whether resources are performing according to established baselines and policies. Managers access a global map, click on a country, then click on one or all of Novartis' sites in that country. From there, problems are ranked: Red is a trouble spot, yellow is a potential issue, and green is for all clear.
An internally developed algorithm looks at the confidentiality and criticality of data, while also assessing the size of the local IT shop and its ability to respond to potential threats. The formula factors in performance indicators such as current availability and the number of problems weighed against the size of the local operation.
"Maybe the site in Guatemala does not have any critical data locally because it's only a sales office," Wuchner says. "That is something we will try to reflect in the reporting. You need to focus your attention on the things that are most important, like the main ERP system or the places where you have patient records."
While local IT leaders can always access the map, Wuchner's team also monitors the overall system; a large group watches the internal security situation, and a smaller cadre monitors firewalls and other external points.
The heat maps took nine months to plan, design, test and deploy. Wuchner says getting people to use the system was a challenge because local leaders required training from Qualys and in-house instruction to familiarize themselves with the system and how to interpret the data.
Business managers were then asked via questionnaires to provide input as to which systems were relevant to their business processes and how confidential data was being handled.
"The trouble is that this company doesn't stand still," Wuchner says. "You buy or sell something, you migrate systems from PeopleSoft to SAP, you introduce a new product. These changes are going on all the time, and each time your whole risk assessment data is gone."
Healthy From the Inside Out
Since internal threats are considered most dangerous, the Kaizen platform makes the important determination of which vulnerabilities apply to Novartis' systems.
"You want an internal view that has been prioritized based on your situational awareness of what software has been installed and how it is configured. So, in some sense, the internal view becomes a valuable filter," says Cliff Neuman, director of the University of Southern California Center for Computer Systems Security.
This initiative has also given Novartis the framework necessary to comply with future regulations and laws.
"Operational continuity is such an important consideration. When you can look at what assets you have, what is running and what is not, that is a really important starting point for troubleshooting and for avoiding downtime," says Eugene Schultz, CTO at High Tower Software and a former Novartis consultant. "If downtime means that someone doesn't get access to needed research, or that research data is compromised, these can be catastrophic business issues."
Once SeTraSys or Kaizen identifies a vulnerability or security incident, an alert is dispatched via a secure link and ticketing system to the help desk. The alert details the incident with a high-level overview and remediation recommendations. The management platform tracks the entire lifecycle of security- and compliance-related issues from discovery to their remediation.
"The platforms remove the 'magic' (security metric numbers that may or may not reflect reality) and the guesswork regarding the true health status of our global IT infrastructure," Wuchner says.
With a few clicks, Novartis can find specific application vulnerabilities and determine how many unpatched systems exist. Reports then detail when they were fixed and how long it took to remedy them. These platforms also deliver helpful asset and configuration management information.
"Before this, a local IT manager had to rely entirely on his people to say whether everything was under control," Wuchner says. "As a business IT manager, you didn't know all these details, so you had to trust what other people said. Now those same managers can very easily go in and see the problem for themselves and ask, 'What does this mean?' Managers have abilities they never had before--to see what is going on, to measure it and to manage it."