British Computer Society in Upper Canada
IT Risk in the context of Data Privacy & Information Security
Presented by Jason Hall, Head of IT Risk, RBC Capital Markets
IT Risk – The Root of Information Security & Privacy
A rebranding of Information Security?
IT Risk
- Historically, Information Security was synonymous with Information Technology risk.
- Under IT Risk, Information Security is one facet of a multitude of risks and controls that are relevant to your business. Others include Disaster Recovery/Resiliency, Change Management, etc.
- Controls are constraints on a system or process.
- Integrated approaches are required to manage technology-related risks in your organization.
- Business involvement is critical.
- IT Risk defined: the potential that a threat exploits a weakness of an asset, resulting in loss or harm to the organization.
Business Drivers define which Risks are important to your organization
Four quadrants: External Malicious, Internal Malicious, Internal Non-Malicious, External Non-Malicious.

External Malicious
- Categories: Industrial Espionage; State Sponsored Terrorism; Organized Crime
- Motivation: For Profit; Competitive Advantage; "...because we can..."

Internal Malicious
- Categories: Extortion (Organized Crime); State Sponsored Terrorism
- Motivation: For Profit; Pressure/Compromised Individuals; "...because I'm smarter than you think..."

Internal Non-Malicious
- Categories: Error in judgement; Speed to market; Simple Mistake
- Motivation: Speed to Market; Unaware of consequences

External Non-Malicious
- Categories: Mother Nature; Regulatory Requirements
- Motivation: Mother Nature; Regulation
(Photo caption: 8th & Ave C)
Right Size the Control Environment
Control domains around IT Risk: Vendor Management; IT Continuity; Facilities; Change Management; Information Security; Operational Support; Training, Awareness, Response; Development Lifecycle; Logical Access.

Example:
- Business Driver: Intellectual Property provides a competitive advantage.
- Business Problem: transfer files from a corporate laptop to client PCs.
- Technology Solution: encrypted USB keys at $150 each ensure that if a key is lost or stolen, the data is protected.
- Is the business willing to accept the risk, or to pay to ensure that if a USB key is stolen the IP stays secure?

- Business Drivers focus the organization.
- Broad coverage, covering the "constraints that are important".
- The concept of Risk Acceptance is a foundational "tool" for IT Risk.
External Non-Malicious – Sandy asks challenging questions of organizations
Challenges faced by NY-based FIs:
- Manhattan-based Data Centre
- Regional DR/WAR Centres
- Global applications required for market open in SYD, HKG, LDN
- Work Area Recovery locations impacted

Questions asked by organizations:
- "All the plans of war go out the window after the first shot is fired" – Napoleon
- Perfect Storm and/or Sequential Failures
- Tertiary Facilities/Bunkers/WAR Locations
- Vendors/Third Parties: contractual obligations
- Staffing: get the right people to the right location
Internal Non-Malicious
Challenges faced by Knight Capital:
- Direct Financial Loss: ~$440MM; Reputational Loss: unknown; Market Cap: see chart (not reproduced in this transcript)
- A software error resulted in the release of unintended trades in August.
- No restriction on volumes.
- The software error occurred in the first minutes.
- 35 minutes: lack of a "Kill Switch", a control that stops processing when limits are reached.

Challenges asked of organizations:
- Integrated Testing Strategies
- Technology understanding of the business' risk profile
- Independent Testing/Approvals
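To make the missing control concrete, the following is an added example (not Knight Capital's code, nor anything described in the presentation) of a pre-trade risk gate with a latching kill switch: per-symbol quantity, gross notional and order-rate limits are checked before each order is released, and the first breach halts all further processing until a human explicitly resets the gate. The limit values, the `Order` fields and the `replay_runaway` scenario are assumptions constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class Order:
    symbol: str
    side: str      # "BUY" or "SELL" (assumed field; not used by the checks below)
    qty: int
    price: float   # limit price, used only to compute notional exposure


@dataclass
class RiskGate:
    """Pre-trade limits with a latching kill switch.

    Once any limit is breached, `tripped` is set and every later order is
    rejected until a human calls `reset()`. The gate never re-arms itself.
    """
    max_qty_per_symbol: int
    max_gross_notional: float
    max_orders_per_window: int
    window_seconds: float = 60.0
    qty_by_symbol: Dict[str, int] = field(default_factory=dict)
    gross_notional: float = 0.0
    order_times: List[float] = field(default_factory=list)
    tripped: bool = False
    trip_reason: str = ""

    def _trip(self, reason: str) -> Tuple[bool, str]:
        self.tripped = True
        self.trip_reason = reason
        return False, "KILL: " + reason

    def submit(self, order: Order, now: float) -> Tuple[bool, str]:
        """Return (accepted, message). Counters are only updated on acceptance."""
        if self.tripped:
            return False, "REJECT: kill switch engaged (" + self.trip_reason + ")"
        if order.qty <= 0 or order.price <= 0:
            return False, "REJECT: invalid order"
        # Rate limit: orders released in the trailing window.
        self.order_times = [t for t in self.order_times if now - t < self.window_seconds]
        if len(self.order_times) + 1 > self.max_orders_per_window:
            return self._trip(f"more than {self.max_orders_per_window} orders in {self.window_seconds}s")
        new_sym_qty = self.qty_by_symbol.get(order.symbol, 0) + order.qty
        if new_sym_qty > self.max_qty_per_symbol:
            return self._trip(f"per-symbol quantity limit exceeded on {order.symbol}")
        new_notional = self.gross_notional + order.qty * order.price
        if new_notional > self.max_gross_notional:
            return self._trip("gross notional limit exceeded")
        self.order_times.append(now)
        self.qty_by_symbol[order.symbol] = new_sym_qty
        self.gross_notional = new_notional
        return True, "ACCEPT"

    def reset(self, operator: str) -> None:
        """Deliberately a separate, human-invoked action; `operator` is recorded
        by the caller's audit trail (assumed) and the system must not call this itself."""
        self.tripped = False
        self.trip_reason = ""
        self.qty_by_symbol.clear()
        self.gross_notional = 0.0
        self.order_times.clear()


def replay_runaway(gate: RiskGate, symbol: str, qty: int, price: float, n: int) -> Tuple[int, int]:
    """Constructed scenario: a stuck loop fires `n` identical orders, one every 100 ms.
    Returns (accepted, rejected) so the effect of the gate can be measured."""
    accepted = rejected = 0
    for i in range(n):
        ok, _ = gate.submit(Order(symbol, "BUY", qty, price), now=i * 0.1)
        if ok:
            accepted += 1
        else:
            rejected += 1
    return accepted, rejected


if __name__ == "__main__":
    gate = RiskGate(max_qty_per_symbol=1000, max_gross_notional=1_000_000.0, max_orders_per_window=50)
    print(replay_runaway(gate, "ABC", 100, 10.0, 200), gate.trip_reason)
```

The point of the latch is that a runaway process is stopped by the tenth-or-so order rather than after 35 minutes; which limit fires first depends on how the three thresholds are sized against normal business volumes, which is exactly the "business' risk profile" conversation the slide asks technology teams to have.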
External Malicious
Huawei:
- Largest telecommunications equipment maker in the world
- Purported ties to China's People's Liberation Army and Communist Party
- A US Congressional committee has urged firms to stop doing business with Huawei based on security concerns
- Australia blocked the company from tendering for contracts in its A$38bn high-speed broadband network
- Canada: the Prime Minister's Office signalled that the company would be "excluded" from government contracts

Is Canada falling behind?
- Canada: $155 million in cyber security funding, announced on a Wednesday
- U.K.: an extra £650 million ($1.05 billion) into cyber security over five years
- U.S.: in 2008 began to plough more than $10 billion into cyber defence, and has since announced other cyber programs with multibillion-dollar budgets
Internal Malicious
- A developer at Goldman Sachs was responsible for the firm's high-frequency trading systems, which generate millions of dollars per year in profits.
- On his last day working at Goldman Sachs, the employee, from his desk, transferred proprietary computer code to an outside computer server in Germany.
- After transferring the files, he attempted to delete the evidence.
- The developer then flew to Chicago, Illinois, to attend meetings at Teza's offices, bringing with him his laptop computer and another storage device, each of which contained Goldman Sachs' proprietary source code.
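The pattern above (bulk upload to an external host, by an employee on their last day, followed by an attempt to delete evidence) is detectable when three feeds are correlated: outbound proxy/DLP logs, an HR "leavers" list and endpoint command audit. The following is an added example of that correlation (not Goldman Sachs' detection logic, and not from the presentation). The log formats, field names, thresholds, severity scale and the sample records are all constructed for this example.

```python
import re
from datetime import date, datetime, timedelta
from typing import Dict, List

# Constructed sample feeds (not real data). Field names and formats are assumptions for
# this example; map your own proxy/DLP and endpoint telemetry into the same shape.
PROXY_LOG = """\
2024-03-08T16:02:11Z user=jdoe dst=repo.example-external.net bytes_out=31457280 method=PUT
2024-03-08T16:03:45Z user=jdoe dst=repo.example-external.net bytes_out=52428800 method=PUT
2024-03-08T16:05:02Z user=asmith dst=mail.example.com bytes_out=20480 method=POST
"""
ENDPOINT_LOG = """\
2024-03-08T16:07:30Z user=jdoe host=ws-1187 action=exec cmd="rm -f /home/jdoe/.bash_history"
2024-03-08T16:08:02Z user=jdoe host=ws-1187 action=exec cmd="history -c"
2024-03-08T16:09:00Z user=asmith host=ws-2044 action=exec cmd="ls -la"
"""
# HR leavers feed: last working day per user (constructed).
LEAVERS = {"jdoe": "2024-03-08"}
INTERNAL_DOMAINS = ("example.com",)

# Commands commonly used to remove traces of activity (a small, illustrative list).
ANTI_FORENSIC = re.compile(r"(rm\s+-\S*\s+\S*bash_history|history\s+-c|wevtutil\s+cl\b|\bshred\b)")
KV = re.compile(r'(\w+)=("[^"]*"|\S+)')
SEVERITY = {1: "medium", 2: "high", 3: "critical"}


def parse(line: str) -> Dict[str, object]:
    """Parse 'ISO-timestamp key=value key="quoted value" ...' into a dict."""
    ts, rest = line.split(" ", 1)
    rec: Dict[str, object] = {k: v.strip('"') for k, v in KV.findall(rest)}
    rec["ts"] = datetime.fromisoformat(ts.replace("Z", "+00:00"))
    return rec


def is_external(host: str) -> bool:
    return not any(host == d or host.endswith("." + d) for d in INTERNAL_DOMAINS)


def correlate(proxy_log: str, endpoint_log: str, leavers: Dict[str, str],
              min_bytes: int = 10 * 1024 * 1024, window: timedelta = timedelta(hours=1)) -> Dict[str, dict]:
    """Return one alert per user whose external egress exceeds `min_bytes`.
    Severity rises if the user is leaving within 7 days of the transfer and again if an
    anti-forensic command follows the transfer within `window`."""
    egress: Dict[str, dict] = {}
    for line in proxy_log.splitlines():
        r = parse(line)
        if not is_external(str(r["dst"])):
            continue
        e = egress.setdefault(str(r["user"]), {"bytes": 0, "dests": set(), "first": r["ts"], "last": r["ts"]})
        e["bytes"] += int(str(r["bytes_out"]))
        e["dests"].add(r["dst"])
        e["first"] = min(e["first"], r["ts"])
        e["last"] = max(e["last"], r["ts"])

    cmds: List[Dict[str, object]] = [parse(l) for l in endpoint_log.splitlines()]
    alerts: Dict[str, dict] = {}
    for user, e in egress.items():
        if e["bytes"] < min_bytes:
            continue
        score = 1
        reasons = [f"{e['bytes']} bytes sent to external host(s) {sorted(e['dests'])}"]
        last_day = leavers.get(user)
        if last_day and abs((date.fromisoformat(last_day) - e["first"].date()).days) <= 7:
            score += 1
            reasons.append(f"user's last working day is {last_day}")
        for c in cmds:
            if (c.get("user") == user and ANTI_FORENSIC.search(str(c.get("cmd", "")))
                    and e["first"] <= c["ts"] <= e["last"] + window):
                score += 1
                reasons.append(f"anti-forensic command after transfer: {c['cmd']}")
                break
        alerts[user] = {"bytes": e["bytes"], "severity": SEVERITY[score], "reasons": reasons}
    return alerts


if __name__ == "__main__":
    for user, alert in correlate(PROXY_LOG, ENDPOINT_LOG, LEAVERS).items():
        print(user, alert["severity"], *alert["reasons"], sep="\n  ")
```

Each feed on its own is noisy (developers push to external repositories legitimately; people do clear shell history); the value is in the conjunction, and in feeding the HR leavers list into the SOC rather than leaving it with HR. The byte threshold and the 7-day and 1-hour windows are tuning knobs, not recommendations.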
Summary
- IT Risk builds upon the foundations established by Information Security.
- Engagement with the business is paramount to focusing on the right risks.
- Continue to educate the business.
- Develop Risk Acceptance: place accountability on the asset owner.