British Computer Society in Upper Canada
IT Risk in the context of Data Privacy & Information Security
Presented by Jason Hall, Head of IT Risk, RBC Capital Markets

IT Risk – The Root of Information Security & Privacy
A REBRANDING OF INFORMATION SECURITY?
Historically – Information Security was synonymous with Information Technology Risks
IT Risk – Information Security is one facet of a multitude of risks/controls that are relevant to your business
• Includes Disaster Recovery/Resiliency, Change Management, etc.
• Constraints on a system/process
Integrated approaches are required to manage Technology-related risks in your organization
• Business involvement is critical
IT Risk defined: the potential that a threat exploits weaknesses of an asset, resulting in loss/harm to the organization
Business Drivers define which Risks are important to your organization

External Malicious
• Categories:
  • Industrial Espionage
  • State Sponsored Terrorism
  • Organized Crime
• Motivation:
  • For Profit
  • Competitive Advantage
  • ….because we can…

Internal Malicious
• Categories:
  • Extortion (Organized Crime)
  • State Sponsored Terrorism
• Motivation:
  • For Profit
  • Pressure/Compromised Individuals
  • ….because I’m smarter than you think…

External Non-Malicious
• Categories:
  • Mother Nature
  • Regulatory Requirements
• Motivation:
  • Mother Nature
  • Regulation

Internal Non-Malicious
• Categories:
  • Error in judgement
  • Speed to market
  • Simple Mistake
• Motivation:
  • Speed to Market
  • Unaware of consequences
IT Risk domains (diagram labels): Change Management; IT Continuity; Facilities; Vendor Management; Operational Support; Information Security; Logical Access; Development Lifecycle; Training Awareness; Response

Right Size the Control Environment
• Business Drivers focus the organization
• Broad coverage covering ‘constraints that are important’
• Concept of Risk Acceptance is a foundational ‘Tool’ for IT Risk
• Example…
  • Business Driver – Intellectual Property provides a competitive advantage
  • Business Problem: Transfer files from corporate laptop to client PCs
  • Technology Solution: $150 for each encrypted USB Key ensures that if a USB Key is lost/stolen, the data is protected
  • Is the business willing to accept the risk, or to pay to ensure that if a USB Key is stolen, the IP is secure?
External Non-Malicious – Sandy asks challenging questions of organizations

Challenges faced by NY based FIs (diagram labels): Manhattan based Data Centre; Regional DR/WAR Centres; Global Applications required for Market Open in SYD, HKG, LDN; Work Area Recovery Locations Impacted

Questions asked by Organizations
• All the plans of war go out the window after the first shot is fired – Napoleon
• Perfect Storm and/or Sequential Failures
• Tertiary Facilities/Bunkers/WAR Locations
• Vendors/Third Parties contractual obligations
• Staffing – get the right people to the right location
Internal Non-Malicious – Challenges Faced By Knight Capital
Direct Financial Loss: ~$440MM; Reputational Loss: Unknown; Market Cap: see below (chart)
• Software Error resulted in the release of unintended trades in August
• No restriction on volumes
• Software Error occurred in the first minutes
• 35 Minutes – lack of a ‘Kill Switch’ that stops processing when limits are reached

Challenges asked of Organizations
• Integrated Testing Strategies
• Technology understanding the Business’ Risk Profile
• Independent Testing/Approvals
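The slide's point is that a volume limit with a kill switch turns a minutes-long runaway into a seconds-long one. The following is an added illustration of such a pre-trade gate, not code from the presentation and not a description of Knight Capital's or any firm's actual systems: every name (Order, Limits, KillSwitch, run_session, runaway_orders), every numeric ceiling and the constructed order stream are assumptions chosen for the example. It goes slightly beyond the slide by checking three ceilings at once (shares per symbol, gross notional, and order rate in a sliding window) and tripping permanently on the first breach.

```python
"""Pre-trade kill switch: halt order flow when cumulative limits are breached.

Added illustration for the Knight Capital slide; hypothetical design, not any
firm's actual control. All names and numeric limits are assumptions.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Order:
    ts: float       # seconds since session open
    symbol: str
    side: str       # "BUY" or "SELL"
    qty: int        # shares
    price: float    # currency units per share


@dataclass(frozen=True)
class Limits:
    """Hard ceilings the business signs off on before the session opens (assumed values)."""
    max_shares_per_symbol: int = 50_000        # cumulative shares sent per symbol
    max_gross_notional: float = 5_000_000.0    # cumulative notional across all symbols
    max_orders_per_window: int = 100           # orders allowed in any sliding window
    window_seconds: float = 60.0


@dataclass
class KillSwitch:
    """Stateful gate every outbound order must pass; trips permanently on breach."""
    limits: Limits
    halted: bool = False
    halt_reason: Optional[str] = None
    halt_ts: Optional[float] = None
    shares_by_symbol: Dict[str, int] = field(default_factory=dict)
    gross_notional: float = 0.0
    window: List[float] = field(default_factory=list)   # timestamps of accepted orders

    def submit(self, o: Order) -> bool:
        """Return True if the order may be released, False if it is blocked."""
        if self.halted:
            return False            # fail closed until a human resets the switch

        # Evaluate the prospective totals *before* the order is released.
        sym_total = self.shares_by_symbol.get(o.symbol, 0) + o.qty
        notional = self.gross_notional + o.qty * o.price
        self.window = [t for t in self.window if t > o.ts - self.limits.window_seconds]
        rate = len(self.window) + 1

        lim = self.limits
        breach = None
        if sym_total > lim.max_shares_per_symbol:
            breach = f"share limit on {o.symbol}: {sym_total} > {lim.max_shares_per_symbol}"
        elif notional > lim.max_gross_notional:
            breach = f"gross notional: {notional:.0f} > {lim.max_gross_notional:.0f}"
        elif rate > lim.max_orders_per_window:
            breach = (f"order rate: {rate} orders in {lim.window_seconds:.0f}s "
                      f"> {lim.max_orders_per_window}")
        if breach is not None:
            self.halted, self.halt_reason, self.halt_ts = True, breach, o.ts
            return False

        # Accepted: commit the new totals.
        self.shares_by_symbol[o.symbol] = sym_total
        self.gross_notional = notional
        self.window.append(o.ts)
        return True


def run_session(orders: List[Order], limits: Limits) -> dict:
    """Feed orders through the switch in time order and summarise what happened."""
    ks = KillSwitch(limits)
    accepted = sum(1 for o in orders if ks.submit(o))
    return {
        "accepted": accepted,
        "rejected": len(orders) - accepted,
        "halted": ks.halted,
        "halt_ts": ks.halt_ts,
        "reason": ks.halt_reason,
    }


def runaway_orders(minutes: float = 35.0, interval: float = 0.5) -> List[Order]:
    """Constructed sample: a defective loop re-sending the same child order every
    `interval` seconds for `minutes` minutes, never noticing it has been filled."""
    n = int(minutes * 60 / interval)
    return [Order(ts=i * interval, symbol="ABC", side="BUY", qty=100, price=10.0)
            for i in range(n)]


if __name__ == "__main__":
    print(run_session(runaway_orders(), Limits()))
    # With the default ceilings the order-rate limit trips first: the 101st order at
    # t=50s is blocked, so 100 orders (10,000 shares) leave instead of 4,200 (420,000).
```

The design choice worth noting is that the switch evaluates the prospective total before release and fails closed once tripped; a limit checked only after the fact, or one that resets itself, would not have shortened the 35-minute window the slide describes. Loosening the rate ceiling in `Limits` lets the per-symbol share ceiling catch the same loop instead, at the 501st order.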
External Malicious – Huawei
• Largest Telecommunications equipment maker in the world
• Purported ties to China’s People’s Liberation Army and Communist Party
• US Congressional committee has urged firms to stop doing business with Huawei based on security concerns
• Australia blocked the company from tendering for contracts in its A$38bn high-speed broadband network
• Canada – Prime Minister’s Office signalled that the company would be ‘excluded’ from government contracts

Is Canada Falling Behind…..
• Canada: $155 million in cyber security funding Wednesday
• U.K.: it will put an extra £650 million ($1.05 billion) into cyber security over five years
• In 2008, the U.S. began to plough more than $10 billion into cyber defence, and has since announced other cyber programs with multibillion-dollar budgets.
Internal Malicious – Developer at Goldman Sachs
• Developer at Goldman Sachs responsible for the firm's high-frequency trading systems, which generate millions of dollars per year in profits
• On his last day working at Goldman Sachs, the employee, from his desk at Goldman Sachs, transferred proprietary computer code to an outside computer server in Germany. After transferring the files, he attempted to delete the evidence.
• The developer flew to Chicago, Illinois, to attend meetings at Teza’s offices, bringing with him his laptop computer and another storage device, each of which contained Goldman Sachs’ proprietary source code.
Summary
• IT Risk builds upon the foundations established by Information Security
• Engagement with the business is paramount to focusing on the right risks
• Continue to educate the business
• Develop Risk Acceptance – place accountability on the asset owner