Scenario: The Big Bad Bank is a tier one chartered bank headquartered in the Greater Toronto Area. The CIO of the consumer lending division has asked your team to help them with the issue of “technology debt”, as one of their key credit scoring applications is a 30 year old DOS application. The application works (which is why it has never been replaced); however, it is limiting the process of loan applications, as it runs overnight in batch and means a 24 hour cycle time between the submission of the customer’s information and an approved/not-approved response. The bank would like to move to instant loan approvals for its retail customers to compete with the fin-tech startups providing a similar service. It is imperative that as this approval service moves to real-time, there is no interruption or outage to loan approvals, as this is a key service at the bank.

Requirements: Please read the framework attached in the PowerPoint slides (Slides 9-21 and Pg 38-42) and apply those two frameworks mentioned to this hypothetical bank’s current IT system and the new recommended IT proposal. The answer can be in bullet points or paragraphs. Feel free to use any diagrams. Max 500 words.

Assumptions: Feel free to use any assumptions on the security risks for the current system in the bank and the new system. I am also attaching the Xerox Loan processing system file, which can be used as the new recommended software.

Deliverable: Applied F
Attachments: it_slides.pdf, loan_application_processing.pdf

MBUS 853: Maximizing Return from the IT
Investment
Security and Operations
Queen’s Accelerated MBA for Business Graduates
Session Six
Prof. David Markwell
Agenda – Sunday, April 17, 2016
2:00pm – 2:10pm
‐ Welcome + Housekeeping
2:10pm – 3:00pm
‐ Lecture 6 – Part 1 – Security and Privacy
3:00pm – 3:15pm
‐ Break 1
3:15pm – 3:35pm
‐ Case 1 Discussion – Security Breach at TJX (Team Calgary B ‐ prevention)
3:35pm – 3:55pm
‐ Case 1 Discussion – Security Breach at TJX (Team Toronto D – response)
3:55pm – 4:35pm
‐ Lecture 6 – Part 2 – “Keeping the Lights On” – Infrastructure and
Operations
4:35pm – 4:50pm
‐ Break 2
4:50pm – 5:15pm
‐ Case 2 Discussion – SAP2014 Reaching for the Cloud (Team Markham)
5:15pm – 5:30pm
‐ Wrap‐Up
2
Lecture 6 Preparation
Topic of the lecture is: Security, Privacy & Keeping the Lights On – Infrastructure and Operations
• Read Lecture 6 slides
1) Security and Privacy
– Gain an understanding of IT Security concepts
– Understand how implementing a robust IT Security Roadmap can protect your organization
– Understand how and why your organization will be cyber‐attacked
2) Operations
– Gain an understanding of Operations “Keeping the Lights On” – key concepts
– Understand how effective Operations can enable business strategy

Read the (2) Cases for lecture 6:
1) Security Breach at TJX
• Team (Calgary B) will look at the case from a security perspective up to the breach
(what could have been done differently from a prevention perspective)
• Team (Toronto D) will look at the case from a security perspective post breach (what could
have been different from a response perspective)
2) SAP 2014 – Reaching for the Cloud – Team (Markham) will look at the case in terms of operations
©2017
3
Review of Lecture # 5 – Key Concepts
IT Architecture
• The choices you make through the layers of the IT Architecture will
determine the final: Cost, Complexity and Success, of your IT system and
project and how well you satisfy your desired business outcomes.
• There are 4 primary layers to be considered in IT architecture:
• Technology “where the software runs” (centralized, decentralized, SaaS
or Cloud)
• Application “how the software works and is constructed” (build or buy,
tight or loose integration, ERP or best of breed)
• Data “what data the software uses” (where the data resides, how the
data is accessed, security and retention levels)
• Business Process “enablement and adoption of the software” (standard
versus custom processes, user adoption and change management,
supporting organizational design)
4
Review of Lecture #5 (2) –
Application Portfolio Management
• Understanding your company’s application portfolio current
state is important to manage: risk, capability and spending.
• The purpose of application portfolio management is to:
– Enable Business Capabilities and Business Value
– Reduce overall complexity
– Provide Reliable and Cost Effective IT Solutions
• There are a number of tools that can be used to both assess
and visualize your portfolio:
– Business Capability Model
– Heat Map
– Application Risk Assessment
– 2×2 Planning Matrix
5
Final Assignment – Overview –
Team Case Assignment

• Team captain please send me an email with your team name in the subject line
– Example “MBUS853 – Final Assignment – XXXXX”
– I will forward you your team’s case by tomorrow
• Each team will prepare a strategy to achieve the IT department’s stated strategic
objective in the case using the frameworks from the course. Not all will apply but a
lot will be applicable. Think about:
– The business strategy + the IT Strategy
– How they will get there; which projects, resources, funding, enabling structures
they will require
– Risks, timelines, technologies
– Recommendations
– *** (state all assumptions)
• Each team will:
1. Submit - a PowerPoint Presentation detailing the strategy (with any analyses
in the appendix) - worth 40% of your final mark
2. Present – the highlights of the analysis and recommendations for 8 mins
during class 8 – worth 20% of your final mark (running order of presentations
will be provided in class 7)
6
Discussion – Security
• Let’s set the stage with a video: https://youtu.be/l_XOrcBxy-E
(about 5 mins)
• What thoughts on security do you have after watching the
video?
7
Lecture 6 – Part 1 – Security and Privacy
IT Security (FRAMEWORK)
There are three main capability areas in an IT Security Framework:
• Awareness: do your employees know what they should and
shouldn’t do
• Prevention: do you have technologies in place to prevent
attacks, is your technology hygiene up to current standards
(patching, technology currency, visibility to traffic on your
network)
• Detection and Response: do your technologies and operating
processes enable your organization to properly assess and
respond to a threat in an appropriate time period
9
Awareness
Breaking News (2014 – A Bad Year for IT Security!)
“Attackers obtained employee log-in credentials”
• They are asking all 112 million users to change their passwords.
• This was the result of a phishing attack.
“Target CEO resigns after security breach”
• 40 million compromised debit and credit cards.
• 70 million customers with compromised personal information.
• $100 million spent to settle claims + damage to reputation and lost sales.
11
As Individuals
“You are the
target!”
• One person’s login information
compromised Target.
• Any login information can open the door.
• Security Awareness can help companies
teach their employees what they should
or shouldn’t do.
12
Information Security – Phishing – The Fastest
Way to Your Info
A third‐party consultant conducted a
phishing exercise at a large company:
• 30% of sample employees clicked on
the link in the email
• 24% of sample employees provided
their username and password
A test of password strength was also
conducted:
• 70% of passwords (75,960 of 109,291)
were cracked in an 8‐hour window.
• That means almost 3 passwords
cracked per second!
“Phish” noun,ˈfish: an attempt to acquire secure information by masquerading as a
trustworthy person or organization
13
IT Security – Awareness – DOs and DON’Ts
• Beware what you share.
• Avoid putting sensitive information on USB keys.
• Secure/lock away documents in your office.
• Choose a difficult password (e.g. Cr@veM0re!). Length and unpredictability matter more than symbol substitutions: swapping “a” for “@” or “o” for “0” is a standard rule in password-cracking tools.
• Report any suspicious activity or messages; you are an attractive target.
14
Prevention
Security Prevention Starts ‐ with a Strong
Operating Model
Categories: Security Governance and Design; Security Operations
Services:
• Security Governance and Awareness – oversight and development of security policies and standards.
• Risk and Compliance Management – risk assessments and monitoring of compliance to regulatory requirements.
• Security Consulting – definition of security requirements and design reviews.
• IT Audit Oversight and Remediation – tracking and facilitating all technology related audit activities and remediation tasks.
• Access Control and Employee Onboarding Coordination – provisioning of user access and facilitating technology onboarding for new hires.
• Security Operations – oversight of security technologies and processes (e.g. firewall approvals, anti-virus).
• Incident Investigation and Forensics – review and coordination of investigations related to any perceived security breaches.
• Security Incident and Event Monitoring – ongoing monitoring and escalation of infrastructure and application security events.
16
Security Prevention is Enhanced – with Technology Support
Security measures:
• Intrusion prevention (IPS) – matches traffic crossing the network against signatures of known malicious activity and blocks it (protects the company from the outside).
• Data Loss Protection (DLP) – stops sensitive data from leaving the network (protects the company from the inside – employees).
• Firewalls – block malicious inbound and outbound traffic (ensure only authorized traffic travels in and out of the company).
• Security Operations Centre (SOC) – often run outside the firewall by a third party; gathers all the logs and log-on attempts, runs investigations and provides security intelligence.
17
Prevention is Further Enhanced with External
Cyber Intelligence
Security, corporate and government agencies collaborate to assess and respond to
external threats. Below is a summary of the threat condition levels:
• LOW – The ThreatCon level is LOW when there is no known threat of cyber attack or only a general concern about hacker activity that warrants only routine security procedures. Any cyber security measures applied should be maintainable indefinitely and without adverse impact to businesses or expenses, which may be equivalent to normal daily conditions.
• GUARDED – The ThreatCon level is GUARDED when there is a general threat of increased cyber (hacker intrusions, viruses, etc.) activity with no specific threat directed toward the financial services sector. Additional cyber security measures may be necessary, and if initiated they should be maintainable for an indefinite period of time with minimum impact on normal business or expenses.
• ELEVATED – The ThreatCon level is ELEVATED when a general threat exists of cyber activity that could disrupt the financial services sector. Implementation of additional cyber security measures is expected. Such measures are anticipated to last for an indefinite period of time.
• HIGH – The ThreatCon level is HIGH when a credible threat exists of cyber activity that will disrupt the financial services sector. Additional cyber security measures have been implemented. Business entities need to be aware that corporate resources will be required above and beyond those required for normal business or expenses.
• SEVERE – The ThreatCon level is SEVERE when an incident occurs or credible intelligence information is received by the FS-ISAC indicating a cyber attack that will adversely affect the financial services sector is imminent or has occurred. Maximum cyber security measures are necessary. Implementation of such measures could cause hardships on personnel and seriously impact facility business and security activities.
18
Detection and Response
What are the “Bad Guys” after? Who are they?
• What are they after?
– Theft of Intellectual Property
– Financial Fraud
– Reputation Damage
– Business Disruption
– Destruction of Critical Infrastructure
– Threats to Health and Safety
• Who are they?
– Cyber Criminals
– Hacktivists (agenda driven)
– Nation States
– Insiders
– Competitors
– Skilled individual hackers (just because they can)
20
To Detect and Protect – You Must First
Understand
• Common External Security Threats:
– DDoS: Distributed Denial of Service – floods a service with traffic from many machines at once; meant to disrupt operations
– Botnets: networks of compromised machines under an attacker’s remote control; used for DDoS and spam, and to probe and exploit weaknesses in order to gain access to a network
– Mobile or Web Platform Malware: meant to install malicious software on your computer or mobile phone
– Worms/Trojans: malicious software that replicates itself (worms) or masquerades as legitimate software (trojans) in order to disrupt and destroy
21
Additional Access Vectors and Incident Patterns
• Access Vectors:
– Phishing and malware: Email, VPN, Browser Add‐ons
– Physical: IT Supply Chain, Theft and Replacement, keystroke
capture
– Intrusion: drive-by downloads, wifi networks, insecure websites or
mobile services, man-in-the-middle intercept attacks
– 3rd Parties: access through a vendor or 3rd party providing services
to your company
• Incident Patterns:
– POS Intrusion (mostly in the US – lack of chip and pin and
encryption)
– Web App Attacks
– Insider Misuse
– Cyber Espionage
– Card Skimmers
22
Kill Chain – Common Structure of an Intrusion
(Remember the Video)
1. Recon
2. Weaponization
3. Delivery
4. Exploitation
5. Installation
6. Command and Control
7. Action and Persist
In response, and in security, you don’t have to be the best, just not
the weakest, and they will hopefully move on.
23
Cyber Risk Program Response (FRAMEWORK)
• Secure: are controls in place to guard against known or
emerging threats
• Vigilant: can we detect malicious or unauthorized activity,
including the unknown?
• Resilient: can we act and recover quickly to minimize impact?
Think about this framework as you read through the TJX case and
prepare for next week’s discussion.
24
Example - Cyber Risk and Response - Case Studies
April 2014: a vulnerability known as Heartbleed was announced globally
Heartbleed Bug
• Weakness in common encryption software (the OpenSSL library’s TLS heartbeat handling)
• Introduced in the encryption software in December 2011 but not discovered until 2014
Response
• Conducted internal/external vulnerability scanning and technology reviews – no major
issues identified
• Within 24 hours all systems had been checked, and within 72 hours all critical systems
had been patched or mitigated
25
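The weakness behind Heartbleed, as an added example that is not part of the original slides and is not OpenSSL’s code: a Python model of the TLS heartbeat handler before and after the fix. A bytes object stands in for process memory so the over-read can be observed safely; the record layout follows RFC 6520 (type, two-byte payload length, payload, at least 16 bytes of padding); the secret placed next to the record is constructed. The pre-fix handler copies whatever length the peer claims; the post-fix handler checks that claim against the length of the record that actually arrived.

```python
"""Model of the Heartbleed bug (CVE-2014-0160) in TLS heartbeat handling.

Added example for this page, not OpenSSL's code. A bytes object stands in
for process memory, so the over-read is observable without undefined
behaviour. Record layout per RFC 6520: type (1 byte) | payload_length
(2 bytes) | payload | at least 16 bytes of padding. The 'secret' placed
after the record is constructed for illustration.
"""
import struct
from typing import Optional

HB_REQUEST, HB_RESPONSE = 1, 2
PADDING = 16          # minimum padding required by RFC 6520
HEADER = 1 + 2        # type byte + two-byte payload_length


def build_heartbeat(payload: bytes, claimed_len: Optional[int] = None) -> bytes:
    """Build a heartbeat request. A malicious peer sets claimed_len far
    larger than the payload it actually sends."""
    length = len(payload) if claimed_len is None else claimed_len
    return struct.pack("!BH", HB_REQUEST, length) + payload + b"\x00" * PADDING


def vulnerable_handler(memory: bytes, offset: int, record_len: int) -> bytes:
    """Pre-fix behaviour: trusts the peer's payload_length and copies that
    many bytes from the payload position. record_len is never consulted."""
    _hbtype, payload_len = struct.unpack_from("!BH", memory, offset)
    start = offset + HEADER
    echoed = memory[start:start + payload_len]      # runs past the record
    return struct.pack("!BH", HB_RESPONSE, payload_len) + echoed


def hardened_handler(memory: bytes, offset: int, record_len: int) -> Optional[bytes]:
    """Post-fix behaviour: discard the record unless header, claimed payload
    and padding all fit inside the bytes that actually arrived."""
    if record_len < HEADER + PADDING:
        return None                                 # too short to be valid
    _hbtype, payload_len = struct.unpack_from("!BH", memory, offset)
    if HEADER + payload_len + PADDING > record_len:
        return None                                 # silently dropped
    start = offset + HEADER
    return struct.pack("!BH", HB_RESPONSE, payload_len) + memory[start:start + payload_len]


# Constructed 'heap': a 21-byte malicious record followed by data the peer
# must never see. The record carries 2 real payload bytes but claims 65,535,
# the largest value the two-byte length field allows.
SECRET = b"session=7f3a9c; -----BEGIN PRIVATE KEY----- (constructed)"
MALICIOUS_RECORD = build_heartbeat(b"hi", claimed_len=0xFFFF)
HEAP = MALICIOUS_RECORD + SECRET


def demo() -> dict:
    """Run both handlers against the same memory and report what happened."""
    leaked = vulnerable_handler(HEAP, 0, len(MALICIOUS_RECORD))
    return {
        "vulnerable_leaks_secret": SECRET in leaked,
        "hardened_drops_record": hardened_handler(HEAP, 0, len(MALICIOUS_RECORD)) is None,
    }


if __name__ == "__main__":
    print(demo())
```

Run it and the vulnerable handler echoes the constructed secret back in its response while the hardened handler returns None. The length check is the whole patch; the rest of the response on the slide (scanning for the vulnerable version, then patching or mitigating within the stated windows) is how an organisation finds out where that check is missing, and because the over-read can expose keys and session cookies, rotating those after patching is part of the mitigation.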
Threat Condition Summary: June 2015 - Example
From 27 billion events collected in the month of June, 25 cases were prioritized as “important”, investigated and closed.
Security Detection and Response is about assessing risk quickly and at scale.
• 3: Critical Data Loss Prevention [Severity 2] RESOLVED
• 11: Moderate Data Loss Prevention [Severity 3] RESOLVED
• 6: Malicious outbound data to a malicious command and control site [Severity 3] RESOLVED
• 1: Creation of user accounts on a local machine [Severity 3] CLOSED
• 1: User accessing improper content on the internet [Severity 4] CLOSED
• 1: Report of users accessing Hola external insecure servers [Severity 4] ON-GOING
• 1: Sabre account failed logon attempts [Severity 4] CLOSED
• 1: Blue Coat Proxy (TCP_DENIED) related events generating high-severity alerts [Severity 4] CLOSED
26
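An added example, not from the slides and using no real product’s rules or logs, that models the point of this slide and of the kill chain slide above: a toy detection pipeline that reduces a stream of events to a short, prioritised case list, tagging each case with a severity on the slide’s scale and with the kill-chain stage it corresponds to. The field names, rule thresholds and event lines are all constructed.

```python
"""Toy SOC triage: reduce raw events to a short, prioritised case list.

Added example for this page. Rules, field names and log lines are
constructed for illustration and belong to no real product.
"""
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

# Kill-chain stages as listed on the slide, earliest to latest.
KILL_CHAIN = ["Recon", "Weaponization", "Delivery", "Exploitation",
              "Installation", "Command and Control", "Action and Persist"]

# Constructed rules: case name, the field=value that matches, kill-chain
# stage, severity (1 = most urgent, the slide's scale), and how many matching
# events on one host are needed before a case is opened at all.
RULES = [
    ("Critical Data Loss Prevention", ("dlp", "critical"), "Action and Persist", 2, 1),
    ("Moderate Data Loss Prevention", ("dlp", "moderate"), "Action and Persist", 3, 1),
    ("Outbound traffic to C2 site", ("dst_category", "c2"), "Command and Control", 3, 1),
    ("Local account created", ("event", "local_account_created"), "Installation", 3, 1),
    ("Failed logon attempts", ("event", "auth_failure"), "Exploitation", 4, 5),
]

# Constructed sample events: "<timestamp> key=value key=value ...".
EVENTS = [
    "2015-06-01T08:00:01Z host=ws-042 user=alice event=proxy_allow dst=intranet.example",
    "2015-06-01T08:00:02Z host=ws-042 user=alice event=auth_failure",
    "2015-06-01T08:00:03Z host=ws-042 user=alice event=auth_failure",
    "2015-06-01T09:15:20Z host=ws-117 user=bob event=proxy_deny dst_category=c2 dst=c2.example",
    "2015-06-01T09:15:21Z host=ws-117 user=bob event=proxy_deny dst_category=c2 dst=c2.example",
    "2015-06-02T11:40:00Z host=srv-db01 user=svc_backup event=local_account_created new_user=tmpadmin",
    "2015-06-02T12:00:00Z host=ws-088 user=carol event=email_sent dlp=critical attachment=customers.xlsx",
    "2015-06-02T12:05:00Z host=ws-088 user=carol event=email_sent dlp=moderate attachment=notes.docx",
] + [f"2015-06-03T02:00:{i:02d}Z host=vpn-gw user=mallory event=auth_failure" for i in range(7)]


def parse_event(line: str) -> Dict[str, str]:
    """Split one line into a dict; the first token is the timestamp."""
    ts, _, rest = line.partition(" ")
    fields = {"ts": ts}
    for token in rest.split():
        key, sep, value = token.partition("=")
        if sep:
            fields[key] = value
    return fields


def match_rule(fields: Dict[str, str]) -> Optional[Tuple[str, str, int, int]]:
    """Return (name, stage, severity, threshold) for the first matching rule."""
    for name, (key, value), stage, severity, threshold in RULES:
        if fields.get(key) == value:
            return name, stage, severity, threshold
    return None


def triage(lines: List[str]) -> List[dict]:
    """Group matching events by (rule, host), open a case once the rule's
    threshold is reached, and return the cases most urgent first."""
    hits = defaultdict(list)
    for line in lines:
        fields = parse_event(line)
        matched = match_rule(fields)
        if matched is None:
            continue                        # the vast majority of events
        name, stage, severity, threshold = matched
        hits[(name, fields.get("host", "?"), stage, severity, threshold)].append(fields)

    cases = []
    for (name, host, stage, severity, threshold), events in hits.items():
        if len(events) < threshold:
            continue                        # below threshold: a mistyped password, not a case
        cases.append({"name": name, "host": host, "stage": stage,
                      "severity": severity, "events": len(events),
                      "first_seen": events[0]["ts"], "last_seen": events[-1]["ts"]})

    # Lower severity number first; within a severity, the later the kill-chain
    # stage the less time is left to stop the attacker; then by volume.
    cases.sort(key=lambda c: (c["severity"], -KILL_CHAIN.index(c["stage"]), -c["events"]))
    return cases


if __name__ == "__main__":
    for case in triage(EVENTS):
        print(f'[Sev {case["severity"]}] {case["name"]} on {case["host"]} '
              f'({case["stage"]}, {case["events"]} events)')
```

Fifteen constructed events become five cases: the critical DLP hit on ws-088 comes out first, the seven failed VPN logons last, and alice’s two failed logons never become a case because they stay under the rule’s threshold. That threshold and the ranking are where the “quickly and at scale” on the slide is decided: set the threshold too low and analysts drown in Severity 4 noise, too high and a slow brute force on the VPN gateway is never looked at.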
Break 1
Please be back by 3:15pm
Case Discussion – Security Breach at TJX – Part 1
Team (Calgary B) will look at the case from a security perspective
up to the breach (what could have been done differently
from a prevention perspective)
28
Case Discussion – Security Breach at TJX – Part 2
Team (Toronto D) will look at the case from a security perspective
post breach (what could have been different from a response
perspective)
29
Lecture 6 – Part 2 – “Keeping the Lights On”
– Infrastructure and Operations
What Does the Business want from Infrastructure
Operations “KTLO” (FRAMEWORK)
There are 4 key themes that business leaders want from their IT
Infrastructures:
• Simplicity
• Capability
• Reliability
• Value for Money
The technology landscape is changing rapidly, forcing IT
departments to look at their operations differently, in order to
enable the business strategies:
• Infrastructure Delivery Models
• Consumerisation of IT
• Flexible and responsive capabilities
• Best cost
31
What Makes Up “Infrastructure”
The physical computing devices that run your business:
• Data Centers – servers, storage, network, backup, security
• Networks
• Mobile Devices
• Laptops/Desktops
• Utility Software like: mail, office productivity tools, anti-virus
• Equipment: manufacturing, POS, ATMs
These devices provide the “eco-system” for users to interact with
software and applications.
32
A Fun Video on Infrastructure and “The Cloud”
• https://ca.screen.yahoo.com/yahoo-news-katie-couric/now-cloud-223437934.html?soc_src=unv-sh&soc_trk=ma
About 4 mins, but also think about all the implications we have
talked about over the past few weeks:
‐ Security
‐ Control
‐ Privacy
‐ Ownership
‐ Cost
‐ Market trends
These are the factors that need to be considered when thinking
about your “infrastructure”.
33
Infrastructure Models
34
Description of External Infrastructure Service Models

Public Cloud IaaS
• In the IaaS model, the provider hosts virtualized and physical computing resources over the internet.
• IaaS providers handle administrative tasks including system maintenance, backup and resiliency planning.
• IaaS platforms offer highly scalable resources that can be adjusted on-demand.
• Other characteristics of IaaS environments include the automation of administrative tasks and dynamic scaling.
• IaaS customers pay on a per-use basis; this pay-as-you-go model eliminates the capital expense of deploying in-house hardware and software.

Public Cloud PaaS
• Cloud PaaS is a public cloud service model where the provider owns and manages software services.
• These are consumed by applications owned by the enterprise and managed by the enterprise IT organization.
• PaaS services are generally paid for on a subscription basis, with the customer ultimately paying just for what they use.
• Customers also benefit from the economies of scale that arise from the sharing of the underlying physical infrastructure between users, which results in lower costs.

Public Cloud SaaS
• Software as a service (or SaaS) is a way of delivering applications over the Internet – as a service.
• Instead of installing and maintaining software, you simply access it via the Internet.
• SaaS applications are sometimes called Web-based software, on-demand software, or hosted software.
• SaaS applications run on a SaaS provider’s servers. The provider manages access to the application, including security, availability, and performance.

Managed Service
• In this model, the infrastructure and platforms are managed by the service provider.
• The applications, services, servers and storage are managed by the service provider either with employees on-site at the enterprise’s data center or through remote system management.
• Managed service providers fall into the following subcategories:
– Outsourced private IaaS
– Managed on-premise
– Managed remote
– Hosted private IaaS
– Full-service host
35
Consumerization of IT is Changing the Way
Employees and Customers Engage
[Figure: layered stack – Processes & Applications (Social, Mobile, Analytics) → New processes & re-platformed applications → The new infrastructure platform: dynamic, adaptive, elastic (hybrid, public & private cloud) → Infrastructure services → High responsiveness]
• An IT infrastructure that is dynamic and adaptive enough to flex with the needs of the business
• A business-oriented services catalog that offers a wide range of services to the enterprise, from applications to basic computing
• All elements of security and privacy concerns addressed
36
Core Features of a Flexible Infrastructure
1. New scale economics – ease of adding and reducing capacity
2. Active strategy – transform IT strategy easily (flexibility)
3. Mass customization / mass differentiation – meet specialized requirements
4. Business expansion / capability expansion – go beyond core competencies (capability)
37
IT Infrastructure Leaders Must Focus on Three Core
Levers to be Relevant to the Business (FRAMEWORK)
Drive Simplification – making IT easier to partner with
• Domain-based integrated application and infrastructure services
• Service catalogue based engagement model
• Sourcing model aligned to the outcomes
Build Progressive Solutions (Capability) – ensuring IT is an enabler and not an inhibitor
• Design and build next generation services:
– Enterprise Cloud and Data Center transformation
– NextGen Workplace transformation
Run Predictable Operations (Reliability and Cost) – managing risk and ensuring business continuity
• Consistent and measurable SLAs
• Move from reactive to predictive operations
• Significant focus on automation
38
The Choices and Outcomes from Driving
Simplification
Drive Simplification – making IT easier to partner with
Build Progressive Solutions – ensuring IT is an enabler and not an inhibitor
• Multi-year Roadmaps that layer incremental capabilities and outcomes
e.g. Inception, Functioning Perfor …