Andreas Wuchner

Drugs are a serious business – something Andreas Wuchner knows only too well. He's global head of IT security at Novartis, the Swiss-based healthcare giant. Like other international companies, it has to meet strict corporate governance requirements laid down by legislation such as the US Sarbanes-Oxley Act. And on top of that, it has to comply with rules set down by bodies such as the Food and Drug Administration (FDA).

Since 2000, Wuchner has made it his business to ensure systems are robust, of course, but he also has to be able to prove systems are compliant. And if non-compliance does occur, he has to demonstrate that remedial action is taken as swiftly as possible to satisfy his auditors and, ultimately, the regulators.

Starting as a one-man band six years ago, when the importance of network security was just beginning to be recognised, he now runs a five-strong team in Basel, with another 12 people scattered around the globe.

It is a fairly slim team for such a large and widespread operation. But, thanks to an ambitious automation project set up over the past 18 months, Wuchner has achieved a level of control that allows him to detect any non-compliance in hours.

"We need to know everything that is connected to our network. If there is a new threat or vulnerability, we must be able to immediately assess what it means for us," he explains.

"For example, if there is vulnerability on Windows Server 2000, we can see at the touch of a button how many Windows 2000-based servers we have, and how many of them are business critical. We can then prioritise how we deal with it. We have moved from being reactive to proactive in our approach to security."

The system is based on external and internal risk-management platforms, both of them using vulnerability scanning technology from Qualys.

Wuchner uses the services of Swiss compliance management company Setrasys to monitor around 150 external devices for vulnerabilities, such as web servers, firewalls and routers/switches directly connected to the internet.

The internal risk management platform (dubbed Kaizen – the Japanese term for continuous improvement) uses around 40 QualysGuard scanners deployed around the world. They feed into an SQL database that tracks both vulnerabilities and details about the company's networked devices and infrastructure.

Novartis also designed a graphical front-end that displays security and compliance status information in near real time. This provides security managers with a graphic 'heat map' that denotes the status of their systems. They can also drill down for more detail by clicking on devices on the map.

Once a security vulnerability or incident is identified, both systems (Kaizen and Setrasys) dispatch an alert to a helpdesk or ticketing system such as Remedy, so a security manager can take immediate action. The alert is sent via a secured link that details the incident with a high-level overview, as well as specific details, including ways to rectify the situation.

The management platform tracks the whole lifecycle of security and compliance-related issues, from discovery through to remedy. For each affected system, a graphic view details when the issue was identified, how long it stayed unsolved and when it was resolved. Regular reports and average remediation times are automatically generated based on the severity of the risk and Novartis's internal security key performance indicators (KPIs).

The KPIs are a crucial element in linking the business of security with the business itself. With every new system, business owners are asked to classify each data asset according to its importance. Mission-critical systems are identified and, most importantly, any systems that could affect compliance with Sarbanes-Oxley, the FDA or other legislation, are also flagged up.

KPIs are agreed at senior management level, and the system allows everyone involved to see whether they are meeting their targets or not.

"We can manage it because we can measure it. Before, security was hard to define, just a gut feeling, or a bit of magic. Now we have transparency and we can prioritise what we do," notes Wuchner.

With every new business process that involves IT, a project-management lifecycle process ensures that Novartis's security polices are established and maintained. "For example, when a new application needs to be developed to support a new business process, our software-development lifecycle process consists of milestones and checks to ensure that either Kaizen or Setrasys or both, as well as the security team, are involved, so that development proceeds in accordance with policy," he says.

With security built in from the start, and with each system and data asset categorised, any incident or new vulnerability can be quickly assessed for its impact on the business.

The daily scans highlight any areas of risk, enabling the team to target the most critical systems first, and to monitor and maintain the company's global security and compliance posture.

"Before the implementation of both management platforms, Novartis had no easy way to globally manage its security and compliance risks; it was simply too big of an effort," says Wuchner. "Each region was responsible for maintaining the security and compliance of its own systems. Each region had its own strengths and weaknesses, with some geographical regions doing a better job of maintaining compliance, while others focused on securing their systems from vulnerabilities. Now, we are able to ascertain risks to our systems an a global basis, manage their remediation, and report on the progress."

This approach makes it possible for Novartis to prioritise each event – whether it's a printer or a PC that can be rebuilt within 30 minutes, or a severe problem that would require several hours or more to repair.

"As a result of this initiative, a newly published vulnerability can now be immediately evaluated for both its technical impact and for organisational risk," he says. "With this information, the IT department can easily see the number of existing affected systems and determine the resources needed to complete remediation. Because security, classification and compliance flags exist for each system, remediation efforts can be effectively targeted and prioritised toward the most important system components."

The reports provided by the Setrasys services have also streamlined the company's regulatory efforts – by packaging up information for auditors. "Auditors can scrutinise any geographical region they desire for compliance data, and they can see the entire lifecycle of relevant events, such as when a system was identified to have fallen out of compliance to the exact time it was then remedied," he says.

The risk-management approach also enables the company to respond both intelligently and logically to incidents. It is crucial, he says, to have a solid understanding of the different priorities attached to various parts of the system.

"In this way, the IT infrastructure that supports crucial business processes can be focused on first," he says. Then, by having approved processes in place, a company can ensure that security events are properly handled through the detection, assessment, escalation, solution and, most importantly, he argues, communication throughout the organisation.

"There is nothing worse to a company than untrained employees fire-fighting events that could have been avoided by proper communication," he adds. "Human failure is the biggest concern when it comes to incident response."

But as Wuchner is the first to admit, security cannot be enforced from above, even with the best automation. Security awareness is, therefore, a key ingredient that constantly needs to be topped up with new campaigns.

He has provided everyone at Novartis with free anti-virus software for their home PCs, sent out copyright posters, and even had security messages printed on napkins for the company cafeteria. In addition, he has a marketing team that does nothing but spread the word about good and bad security practice.

"We educate staff with small give-aways, or with poster campaigns to remind people that security is important. Our security performance gets a mention in the annual report, so people can see how good are we," he says. "We also move the responsibility to end users and the IT folks – they all get security KPIs or objectives. If someone is working in Unix or Microsoft, they need to get the relevant security education. This spreads out the responsibility. With a shared responsibility, you have a better chance of success, rather than just being a policeman and going around telling people what's wrong."

As well as pleasing the auditors, the system has also gone down well with the local CIOs working around the globe, who might have struggled before to manage security.

"Initially, there was some fear at a local level that their performance could be monitored," he admits. "But instead of making a technology project out of it, we said: 'Come on, we'll give you a tool – completely paid for – to do all you need to do to get transparency of what is going on at your site'."

It means they can monitor their own performance in the knowledge that everyone is working to the same security template.

"The local CIOs used to complain that they didn't have the resources to measure security – and that was valid. But now they have a tool to do the work locally, or to get help at a regional level if they need it. And if they know that the auditors are coming, they can be well prepared."

He explains that, since the project was completed last October, there have been no complaints: "It doesn't cost them anything, and it helps them to do their jobs better."

Looking forward, he says the initiative has also provided Novartis with the necessary framework to comply with future regulations and laws.

"These two security management platforms remove the magic and the guesswork regarding the true health status of our global IT environment," says Wuchner. "With a few clicks, we can find specific application vulnerabilities and determine how many unpatched systems exist around the globe. Reports then detail when they were fixed, and how long it took to remedy them. These platforms also deliver helpful asset and configuration management information."

It is an impressive achievement. Most organisations are still struggling to apply risk-management disciplines to IT security. Maybe they are missing a trick.

One thing that has worked in Novartis's favour is a rigid adherence to a standard desktop. The company has no less than 70,000 identical desktop machines, and very few users have administration rights.

A standardised desktop makes life so much easier – a prescription that others might think of following.