If you could turn to slide 12 in your Internal Audit section of the materials we can get started.

I will be going over:

- Background
- Scope and objectives
- Conclusion
- Key improvements since the last assessment
- Key gaps identified

Feel free to stop and ask me questions at any point. I will do my best to keep the content as simple as possible, as it is a
complex and technical subject.

Stephen will then walk us through the latest IT Security roadmap that addresses the key action plans.

Background:
In 2015, in response to a significant increase in retail security breaches, IT proactively adopted the National Institute of
Standards and Technology's (NIST) Cybersecurity Framework to help manage cybersecurity risk.

Although no framework is perfect, frameworks serve as a good measuring stick. IT chose this one due to its comprehensive
nature and cybersecurity focus. It also incorporates a common set of standards from multiple established IT frameworks.

After the adoption of the framework, both IT and IA performed assessments in FY15 highlighting areas with control gaps.

In Q3 of this fiscal year, IT Management and IA selected a 3rd-party firm, DHG, to perform an external assessment of the
current control environment at the request of the AC.

Scope & Objectives:

- Assess the existence and effectiveness of all controls mapped against the framework
- Determine the level of improvement made since the FY15 assessment against the maturity scale
- Leverage DHG's IT security expertise to perform deep-dive testing in high-risk areas
o Example: controls around the Security Operations Center (SOC) function

Conclusion: (please turn to slide 13)

- IT efforts and investments have resulted in an improved control environment since FY15
- 17 of 22 categories improved and 5 remained the same
- The overall maturity rating (slide 58, at the top) improved from "repeatable but intuitive" to "defined", meaning
most of our controls are better defined and performed regularly, but there are still some gaps that need to be
addressed
- There is a roadmap of actions to get us to the desired state of "managed and measurable" by FY18
o Effective risk and control management; more automation, KPIs and monitoring; detecting and remediating
issues in a timely manner

Key improvements that contributed to the maturity level increase include:

- Implementation of the Security Operations Center tour in Q4
- Enhanced processes around vendor risk and contract management
- Implementation of the Incident Response Plan and 3rd-party forensic investigations
- Implementation of protective technologies such as enhanced firewalls and content filtering (better defining what
traffic we allow through our network)

Key gaps that contributed to not reaching the desired maturity state include:
- Not knowing where all of our critical data resides beyond credit card (CC) data (confidential and restricted data such as
SSNs and customer data), which makes it hard to properly protect or segregate it, detect when it is shared or stolen, and
properly respond to and recover from an incident
- Regularly scanning systems for vulnerabilities and remediating them
o Vulnerability: a system flaw or weakness
- Evolution of the SOC: effective and comprehensive security log collection and monitoring
- BCDR (business continuity and disaster recovery): this was the primary call-out during the last assessment. The Steering
Committee meets bi-weekly to address actions. A tool has been purchased to help build the plans and a dedicated DR
resource has been hired. A separate roadmap has been built specifically for BCDR. An update will be provided next quarter.