Information Security: A Discussion
Wednesday, December 6, 2006
Bob Steadman, Director, National IT Security, Sobeys
December 6, 2006 Iroquois Ridge High School

Agenda
1. Why protect information and computer systems?
2. Briefly describe methods of protection.
3. What are the major privacy and security issues related to information and technology?
4. Identify the specific security measures e-businesses provide for consumers.
5. Highlight a current security issue.

Security Made Easy

1. Why protect information and computer systems?
When we leave for work in the morning, we automatically lock our doors. We need to have the same automatic locks for our computers.

It only happens to others... doesn’t it?

1. Why protect information and computer systems?
Evolution of Hacking
– Historical (websites – playful disruption)
– Present (cyber terrorism)
– Hollywood Hype: War Games; Hackers; Firewall
Business Impact
– Direct / Indirect Financial Loss
– Corporate Image and Market Impact

2. Briefly describe methods of protection.
Security Strategy
Security Architecture: Policies, People & Process
Preventive Controls: Technology, Tools & Techniques
Detective Controls: Management Monitoring & Review
Convergence of Control

3. Major privacy/security issues related to information & technology?
Compliance
SOX
Bill 198
PCI
Privacy
PIPEDA
Identity Theft
Confidentiality
Litigation

Canadian Rules
Bill 198 (Ontario)
– Amends Canadian Securities Act
– Broadens OSC powers
– Penalties for non-compliance
– Directs regulators to enhance investor confidence
CANADIAN INVESTOR CONFIDENCE MEASURES:
– National Instrument Auditor Oversight
– Multilateral Instrument
– Multilateral Instrument
(Similar to various rules from SEC/PCAOB)
Audit Committees Multilateral Instrument

4. Identify specific security measures e-businesses provide consumers.
Privacy Policy
Encryption (SSL)
Insurance mitigation
Apologies
– Banks
– Visa
– Amex

5. Highlight a current security issue.
Risk Gap
Enemy Within (still highest %)
ATM / Gas Station
Protecting Customer Data/Information
Viruses / Spam / Spyware / Adware
McAfee
– Bots; MPEG; Mobile Phone; Malware
Identity Theft
Wireless

The “Risk Gap” in Technology Environments
[Figure; axis labels: TIME, Quality of Controls. Chart labels: RISK GAP: unmitigated exposures (threats) and missed opportunities. CONTROL REQUIREMENTS: increasing rate of change; increased change brings increased risk; increases control requirements.]
Time-to-market pressures leave companies uncertain over the quality of controls that they have in place.
>> need to identify the nature of the “Risk Gap” …and provide recommendations for closing the gap!

Facilitating Strategic IT Investment Decisions
In organizations' scramble for competitive advantage and the haste to quickly utilize information technology, issues of control are sometimes subverted by operational priorities.

The Security Balance
Security is a balancing act between ease of access to information and protecting that information from increasing threats.

Awareness Message
SEC- -Y
The key to security awareness is embedded in the word security.