Coventry Health Care - PowerPoint PPT Presentation

Slides: 18
Provided by: Lui47
Transcript and Presenter's Notes

Title: Coventry Health Care


1
Megan Yarabinetz, September 10, 2010
The Pennsylvania State University, IST 495
  • Coventry Health Care

2
Cranberry 1 Includes Data Center
3
Cranberry 2
4
Company Background
  • Incorporated November 21, 1986 as Coventry
    Corporation
  • Headquarters are located in Bethesda, Maryland.
  • Provides health care solutions for group and
    individual health insurance, Medicare and
    Medicaid programs, Workers Compensation and
    Behavioral Health Care services.
  • Serves more than 5 million members in all 50
    states.
  • Employs approximately 14,000 employees with over
    1,000 Information Technology employees
  • Reference: www.cvty.com

5
Information Risk Management Department
6
Information Risk Management - Mission

Information Risk Management Mission Statement
  • To support the central mission of the company by
    ensuring business operational continuity and
    assuring the Confidentiality, Integrity and
    Availability (CIA) of its information and
    information systems.

7
Information Risk Management - Organization and
Functions
8
Responsibilities
  • Participated in Risk Assessment Planning Meetings
  • Analyzed Coventry's Information Risk Management
    Program (ISO 27001)
  • Participated in Information Security Policy
    Mapping Meetings
  • Interviewed Key Executives to document the
    Information Security Program impact on their
    departments

9
  • Objectives

10
Objective 1: Risk Assessments in a Corporate
Environment
  • Risk Assessment Methodology: OCTAVE Allegro

  • Establish Drivers
      • Step 1: Establish Risk Measurement Criteria
  • Profile Assets
      • Step 2: Information Asset Profile
      • Step 3: Identify Information Asset Containers
  • Identify Threats
      • Step 4: Identify Areas of Concern
      • Step 5: Identify Threat Scenarios
  • Identify and Mitigate Risks
      • Step 6: Identify Risks
      • Step 7: Analyze Risk
      • Step 8: Select Mitigation Approach

11
Objective 2: ISO 27001 Framework
12
Objective 3: Information Security Policies and
Procedures in a Corporate Environment
  • Coventry has a policy mapping group that meets on
    a regular basis
  • There is a standard policy template used
  • ISG team is responsible for policy development
  • Policies are drafted by the ISG team
  • Policies are published on a SharePoint site
  • Violation of policies can result in sanctions

13
  • Key Executive Interviews

14
Key Executive Interviews
  • Executives interviewed:
      • Enterprise Architect
      • Director, Application Development
      • Director, IT Finance
      • Director, Information IT Management (IT Audit)
      • Vice President, IT Infrastructure
      • Chief Compliance Officer
      • Senior Business Technology Leader
      • Vice President, E-Commerce
      • Vice President, Customer Service Operations

15
Key Executive Interviews (cont.)
  • Summary of Positive Impact of Information
    Security Program
      • Established policies and standards
      • Keeps them out of legal trouble
      • ISG Team is helpful, as well as their security
        Spot Lights
  • Summary of Negative Impact of Information
    Security Program
      • Many executives stated "None"
      • Some found implementing policies and standards to
        be time consuming

16
Computer Forensics Lab
  • Director has 25 lb Alienware Laptop
  • 72-inch Plasma TV used to monitor traffic and
    attacks
  • Ability to pinpoint where attacks come from
  • Use FTK and EnCase Computer Forensics Software
  • Hard drives kept in a safe with chain of custody
    forms
  • Ability to monitor employees as well as potential
    attackers

17
Wrap-Up