TOP 10 TECHNOLOGY INITIATIVES © 2013 - Robert G. Parker S-1 9. Preventing and Responding to Computer Fraud IT Security Ranked #2 Preventing and Responding.


1 TOP 10 TECHNOLOGY INITIATIVES © 2013 - Robert G. Parker S-1
9. Preventing and Responding to Computer Fraud
IT Security Ranked #2
Preventing and Responding to Computer Fraud Ranked #9
Preventing Involves:
- Effective Risk Management
- Proper Design and Operation of Controls
- Effective Monitoring
- Event Identification
- Event Escalation
- Effective Response Program

2 S-2
9. Preventing and Responding to Computer Fraud
Crisis Response:
- Planning and Preparation
- Incident Identification
- Incident Stabilization and Containment
- Incident Remediation
- Incident Communications
- Incident Recovery
- Incident Monitoring Reporting
Communication Is Key to Ensuring Stakeholders are Informed and “On-side”

3 S-3
9. Preventing and Responding to Computer Fraud
- Has appropriate policies in place to detect management override abuse
- Knows what to do should a fraud-related incident occur
- Has adequately designed our systems to meet regulatory and legislative requirements to prevent fraud from occurring
- Appropriately designed policies and internal controls to reduce IT-related fraud risks to an appropriate level
- Has considered the fraud risks associated with Information Technology (IT)
42% 47% 51% 56% 60%

5 S-5
10. Managing Vendors and Service Providers
- Outsourcing and Offshoring are Not New
- Outsourced Service Offerings are Not New
- What is New is the Technology, Specifically Cloud Computing
- SaaS (Software as a Service) provides users with application software. SaaS facilitates deployment of applications without the cost and complexity of buying and maintaining the software.
- PaaS (Platform as a Service) provides users with a computing platform or solution stack.
- IaaS (Infrastructure as a Service) is a virtualized platform combined with storage and a network.
- Billing of services is based on the amount of resources consumed. The cost will typically reflect the level of activity.

6 S-6
10. Managing Vendors and Service Providers
Issues & Risks - Security, Privacy, Availability and Continuity
- Security – Cloud providers’ security practices, co-mingling of data from other users, cloud service providers' business practices, SSAE 16/3416
- Privacy – Cloud providers’ privacy practices, location of data, possible breach of Canadian/Provincial laws (e.g. PHI)
- Availability – Cloud providers’ financial stability, robustness of infrastructure, redundancy of critical components, up-time record
- Continuity – Business continuity and disaster recovery plans, incident response plans/history
- Compliance – Ability to comply with legislative, regulatory and industry requirements, e.g. privacy (PIPEDA), security (ISO 27002), financial (GLB, PCI), health care (HIPAA, HITECH, PHIPA)

7 S-7
10. Managing Vendors and Service Providers
All the old outsourcing risks exist; plus some new ones

8 S-8
10. Managing Vendors and Service Providers
KPMG survey reveals state of IT outsourcing
Karl Flinder - 18 September 2012
Source: http://www.computerweekly.com/news/2240163409/KPMG-survey-reveals-state-of-IT-outsourcing
Survey Population
- £14bn worth of UK IT services contracts ($21 Cdn)
- Total IT budget of £30bn ($45 Cdn)
Survey Results
- 76% of organisations will continue to outsource IT at the same level
- Only 19% said they will outsource more
- Savings is still cited as a key factor for 76% of respondents
- 90% of public sector organisations outsourcing IT
- Only 29% have it provided from offshore
- This compares with 66% of organisations across all sectors

9 S-9
10. Managing Vendors and Service Providers
- Able to negotiate a sufficiently flexible contract that will allow the entity to reasonably adjust/exit the contract as needed
- Knows when a Vendor/Service Provider is complying or not-complying with its service level agreement (SLA)
30% 38%
- Follows a specific process that enables the organization to easily identify a reliable Vendor/Service Provider
40%
- Is performing the appropriate due diligence before engaging a Vendor/Service Provider

10 S-10
10. Managing Vendors and Service Providers
41% 48%
- Able to validate the sufficiency and completeness of terms & conditions within a service level agreement (SLA)
- Able to analyze the cost implications of starting to use/switching to a Vendor/Service Provider
51%
- Understands and has adequately assessed the risk of using a Vendor/Service Provider
With Responses to 6 out of the 7 Questions at Less Than 50% Confidence Level, There is Need for Extensive Changes to Management and Governance Knowledge, Skills and Resources

11 S-11
What Messages Did You Obtain From The Survey?
1. Managing and Retaining Data
2. Securing the IT Environment
3. Enabling Decision Support and Analytics
4. Managing IT Risk and Compliance
5. Governing and Managing IT Investment and Spending
6. Ensuring Privacy
7. Managing Systems Implementation
8. Leveraging Emerging Technologies
9. Preventing and Responding to Computer Fraud
10. Managing Vendors and Service Providers

12 S-12
Thank You for Your Interest and Participation
Robert G Parker MBA, FCA, CPACA, CISA, CRISC, CMC

