North America ISRM 2013 Presentations and Descriptions 

Track 1: Cybersecurity

111—Hot Topic: SCADA/NERC CIP

Jo Stewart-Rattray, CISA, CISM, CGEIT, CRISC
Director of Information Security & IT Assurance
BRM Holdich

Rolf von Roessing, CISA, CISM, CGEIT
President
FORFA AG

Jeff M. Spivey, CRISC, CPP
President
Security Risk Management Inc.

SCADA systems have been around for a long time, but never have they been the focus of security professionals as they are now. The last few years have brought SCADA out of the realm of “security by obscurity” and into the spotlight. Stuxnet, Duqu and Flame have brought about this significant change. For the first time, SCADA systems are in the world media’s spotlight.

Three panellists, three regions of the world represented, three different perspectives on securing critical infrastructure. This will be an interesting discussion between 3 security specialists working in the world of real-time and near-real-time systems.

121—Hot Topic: Cloud Maturity Survey

Ron Hale, Ph.D., CISM
Acting Chief Executive Officer
ISACA/ITGI

After completing this session, you will be able to:

  • Understand how your organization compares with others that plan to use or are already using cloud computing solutions
  • Comprehend cloud maturity and its impact on user and provider innovation
  • Make informed cloud implementation and integration decisions based upon an understanding of the current level of provider and user maturity

131—Advances in Incident Management

Download Presentation

Rolf von Roessing, CISA, CISM, CGEIT
President
FORFA AG

After completing this session, you will be able to:

  • Respond to incidents related to cyber security, and to APT attacks
  • Work in the context of typical business continuity, IT service continuity and crisis management frameworks
  • Contain the technical and business impact of incidents
  • Manage cybersecurity and organizational defenses in a decisive manner, using COBIT 5 as a toolset for ensuring good governance, appropriate risk management and assurance

141—Modern Cyberthreats

  Download Presentation

Leighton Johnson, CISA, CISM, CRISC
CIO, Senior Security Instructor
ISFMT

After completing this session, you will be able to:

  • Define the current cyberthreats across the Internet
  • Determine what is really vulnerable in your network
  • Describe threats to managers and corporate executives
  • Utilize the tools, techniques, and tactics to combat threats

211—Cybersecurity: What's Your Plan?

Download Presentation

James O. Holley
Executive Director
Ernst & Young

After completing this session, you will be able to:

  • Get an overview of the current 'landscape' of cyberthreats
  • Spotlight the threat 'actors'; APT, hacktivism and organized crime
  • Assess the 'threat vectors' and why these actors are so successful
  • Address the challenges involved in detecting and stopping this activity

221—Automating the 20 Critical Security Controls

  Download Presentation New

Wolfgang Kandek
CTO
Qualys

Andrew Wild
Chief Security Officer
Qualys

After completing this session, you will be able to:

  • Describe the 20 Critical Security Control effort
  • Understand the feasibility for automation in the 20 Critical Security Controls
  • Prioritize implementation of the controls that make up the 20 Critical Security Controls
  • Review systems that support the implementation of the 20 Critical Security Controls

231—Digital Forensics: Bringing It In-House

  Download Presentation

Andrew Neal, CISM, CRISC
Regional Director
TransPerfect Digital Forensics

After completing this session, you will be able to:

  • Discuss the benefits and risks of bringing a digital forensics capability into your organization
  • Identify the costs and organizational risk in using outsourced digital forensics
  • List the hardware, software and training necessary to perform in-house forensic operations
  • Perform a cost-benefit analysis comparing in-house digital forensics to using a third party provider

241 and 251 (2-part series)—Cybersecurity with COBIT 5

Download Presentation

Jo Stewart-Rattray, CISA, CISM, CGEIT, CRISC
Director of Information Security & IT Assurance
BRM Holdich

Rolf von Roessing, CISA, CISM, CGEIT
President
FORFA AG

After completing this 2-part session, you will be able to:

  • Determine the synergies between information security and cybersecurity while gaining an appreciation of the impact that cybercrime can have on business and society
  • Differentiate between the varying risk categories; Appreciate how COBIT 5 can be applied to transform cybersecurity governance
  • Recognize the guiding principles for transforming cybersecurity

311—All Quiet on the Cyber Front: Monitoring & Breaches

Download Presentation

John "Jack" Callaghan, CISM
Sr. Manager
SilverSky Engineering

After completing this session, you will be able to:

  • Assess current monitoring resources and their weaknesses, including IDPS, WAF, DLP, SIEM and UTM, giving you a realistic matrix for applying these tools to meet business needs
  • Apply the matrix against the security-in-depth of 3 business environments, and determine the effectiveness and scope required to achieve the coverage and ROI necessary to defend the business
  • Evaluate current regulatory requirements and deliverables, meeting audit needs while maintaining monitoring sufficient to actually defend the infrastructure
  • Review 3 classic cases of real and attempted compromise, highlighting the recon, attack and level of success for both primary attacks and infrastructure exploitation to achieve the intruders’ prize
  • Perform real-time examples/exercises (with guided audience participation) to dissect the greatest defenses and risks in 3 major industries
  • Compare the latest (June/July/August) exploits/cases against the matrix (objectives 1 & 2) to assess its effectiveness in mitigating those threats

Track 2: Privacy/Security

112—Big Data & Privacy By Design

  Download Presentation

Doron Rotman, CISA, CISM, CGEIT, CRISC
Advisory Managing Director
KPMG, LLP

After completing this session, you will be able to:

  • Understand privacy considerations in Big Data projects
  • Comprehend the current and emerging privacy regulatory environment in the Big Data space
  • Identify potential ways to address privacy concerns in the design of a Big Data initiative
  • Integrate Privacy by Design into Big Data projects

122—Cybersecurity: An Advanced Innovative Approach to Advanced Persistent Threats

  Download Presentation

Brent Conran, CISA, CISM
Chief Security Officer Global
McAfee

After completing this session, you will be able to:

  • Understand the nature and evolution of Advanced Persistent Threats, and why it is so difficult to deal with them in today’s enterprise
  • Learn how SIEM, Global Threat Intelligence and real-time endpoint protection work together to provide situational awareness, a key component for countering APT
  • Hear about innovative ways to learn what is normal in the network, and how prevention, detection and response can be automated
  • Comprehend the value of near-real-time data and automated analysis and validation for rapid containment, blocking threats before they do harm

132—Addressing Vendor Risk

  Download Presentation

Kenneth Newman, CISM, CRISC
Senior Vice President, Information Security
Central Pacific Bank

After completing this session, you will be able to:

  • Identify risk gaps from vendor due diligence
  • Map risk gaps to mitigating controls
  • Communicate residual risk to business
  • Document risk treatment for due diligence

142—Data Privacy and Protecting Personal Information

  Download Presentation

Charlie Blanchard, CISA, CISM, CRISC
Director
Amgen Inc.

After completing this session, you will be able to:

  • Understand common requirements in privacy laws – the right of individuals, controls on the information, information lifecycle and management
  • Analyze the typical information security requirements of a privacy law and align with other regulatory compliance requirements
  • Bring the concept of ‘Privacy by Design’ to system development in order to proactively build in privacy controls from inception through decommissioning

212—Don't Let Your Apples Fall Far from the Tree—Understanding iOS Deployment Risk

  Download Presentation 

Robert Snyder, CISA
IT Internal Audit Consultant
UNUM Group

After completing this session, you will be able to:

  • Understand the three (3) primary Apple iOS deployment strategies (Out of the Box, Lion Server, and 3rd Party Mobile Device Management [“MDM”]) and related security control frameworks
  • Based on Apple iOS deployment strategy, identify the primary risk categories (physical, organizational, and technical) and associated vulnerabilities and threats
  • Provide specific examples of technical risks, and associated controls, with the use of Apple iOS devices (i.e. iPhone, iPad, iPod)—including device, data, and network security risks
  • Understand how the technical risk landscape changes based upon the Apple iOS deployment strategy
  • Review security risks and controls associated with application deployment on Apple iOS6
  • Provide specific examples of emerging security concerns and newly added security controls for Apple iOS6

222—Forensics and Big Data

  Download Presentation

Leighton Johnson, CISA, CISM, CRISC
CTO, Senior Security Instructor
ISFMT

Every day 2.5 quintillion bytes of data are generated from new and traditional sources, including climate sensors, social media sites, digital pictures and videos, purchase transaction records, cellphone GPS signals, and more. Big data is any type of data—structured and unstructured—such as text, sensor data, audio, video, clickstreams, log files and more. Forrester Research defines big data as “a set of skills, techniques, and technologies for handling data on an extreme scale with agility and affordability.” Gartner defines big data as follows: “Big data in general is defined as high volume, velocity and variety of information assets that demand cost-effective, innovative forms of information processing for enhanced insight and decision making.”

After completing this session, you will be able to:

  • Delineate the Key Components of Big Data
  • Define and Review a Digital Forensics Investigation into Big Data
  • Review the Steps to a Forensics Investigation in Today’s Big Data World
  • Identify the Forensics Techniques for Big Data Investigations
  • Implement Best Practices for Investigations and Examinations

232—Creating a Culture of Continuous Compliance via IAG

  Download Presentation

Jay O’Donnell
CEO and Founder
N8 Identity

After completing this session, you will be able to:

  • Identify the compliance responsibilities and motivators for each organizational role: the IT department, the HR department, compliance professionals and the business managers
  • Understand and describe the differences between reactive and proactive approaches to compliance
  • Recognize best practices for maintaining continuous compliance through your IAM program
  • Discover the relationship between business and IT in driving compliance

242—Resistance in a Cyber Cold War: Security as a Service

John "Jack" Callaghan, CISM
Sr. Manager
SilverSky Engineering

After completing this session, you will be able to:

  • Assess the current resources/services required to protect your business/infrastructure, based on rational monitoring of credible risks to your operation
  • Identify areas of exposure/risk for your enterprise, and the services necessary to defend them effectively
  • Take a practical approach to capturing, maintaining and managing your business’s IP in light of the 'real' cyberthreats
  • Review key information sources to regularly gauge immediate, short-term, long-term and industry-focused threats to your environment
  • Create a matrix of deliverables and acceptable costs to assess SaaS offerings

252—PCI DSS 3.0, What Does It Mean For All of Us?

  Download Presentation: PCI DSS Version 3, November 2013 New
  Download Presentation

Thomas Borton, CISA, CISM, CRISC
Director, IT Security and Compliance
Cost Plus

Jeffrey Sanchez, CISA, CISM
Managing Director
Protiviti

Lauren Holloway, CISA, CISM
Director, Data Security Standards
PCI Security Standards Council

After completing this session, you will be able to:

  • Understand PCI DSS 3.0 and the changes from version 2.0
  • Learn from one retailer’s experience in successful PCI compliance
  • Gain insights through a topical PCI discussion with retail, banking and QSAs sharing experiential knowledge in PCI compliance

312—Hackers Get Personal: New Face of Email Security

  Download Presentation

David Knight
Executive Vice President of Product Management
Proofpoint

After completing this session, you will be able to:

  • Understand how email security attacks have changed in recent years, including the increase in customized email attacks, the power behind massive security attacks and the new cost/volume trade-off for attackers
  • Grasp the severity of the consequences that email attacks can have, including vulnerabilities and attacks on the browser, PDF and Java that require no user action beyond clicking an emailed URL
  • Increase awareness of the personal data we share online, which can be harmful when used in targeted email attacks
  • Educate your organization about how to identify and protect against security threats and how to safeguard personal and enterprise information
  • Understand the tools that can help prevent phishing scams, and identify which solutions and procedures will work best for organizations of various sizes to protect against and prepare for targeted attacks

Track 3: Risk Management

113—Vendor Supply Chain Management

  Download Presentation

Kenneth Newman, CISM, CRISC
Senior Vice President, Information Security
Central Pacific Bank

After completing this session, you will be able to:

  • Examine the myth of the supply chain
  • Identify multiple vendor supply chains
  • Extend vendor due diligence through the supply chain
  • Understand common control limitations for supply chains

123—Hot Topic: COBIT 5 for Risk

Download Presentation

Steve Reznik, CISA
Operational Risk Program Manager
ADP, Inc.

After completing this session, you will be able to:

  • Understand the business drivers for IT-related risk management
  • Summarize important risk management practices
  • Discuss the enablers of effective risk governance and management
  • Identify methods to communicate risk and risk response options in terms that decision makers can understand

133—Towards Trustworthy Cloud Computing

  Download Presentation

Steve Orrin
Senior Security Architect and Principal Engineer
Intel Corp

After completing this session, you will be able to:

  • Evaluate the trust/security properties that can be provided by a CSP or in a private cloud
  • Better evaluate the offerings of cloud service providers against compliance and policy requirements
  • Define and enforce better policy controls for workloads in private and public clouds
  • Understand new infrastructures and capabilities for audit and reporting on cloud trust and security

143—BYOD Risk Management

  Download Presentation New

John Tannahill, CISM, CGEIT, CRISC
Management Consultant
John Tannahill & Associates

After completing this session, you will be able to:

  • Recognize current risks in mobile security
  • Increase awareness of BYOD risks
  • Discuss security and audit tools

213—Social Media — Managing Key Organizational Risks

  Download Presentation

Donald Gallien, CISA, CISM
VP & Audit Leader
American Express

Gary Pollack, CISA
VP, Assurance Services Leader
American Express

After completing this session, you will be able to:

  • Identify and mitigate strategic and operational social media risks
  • Discover common tools used to manage social media content and risks
  • Understand areas of increased risk over traditional communication channels
  • Complete a Case Study that includes typical concerns inherent to social media deployments

223—Business Continuity in Emerging Technologies

  Download Presentation

Marlin Ness, CGEIT, CRISC
Executive Director
Ernst & Young, LLP

Nazir Vellani
Director
Ernst & Young, LLP

After completing this session, you will be able to:

  • Understand cloud- and mobile-based technologies and how their adoption is changing the IT landscape
  • Review how cloud- and mobile-based technologies are being leveraged to enable business continuity and disaster recovery capabilities
  • Discover guidance for deploying cloud-based DR and emerging technology capabilities without violating compliance requirements
  • Appreciate the key emerging technology audit risks and their linkages to COBIT

233—Stored Data…Time to Say Goodbye

Download Presentation

Glenn Wilson, CRISC
ERS Manager
Deloitte & Touche, LLP

Jeffrey Hudesman, CISSP, CEH, CISA
Senior Consultant, Technology Risk | Security & Privacy Services
Deloitte and Touche, LLP

After completing this session, you will be able to:

  • Gain insight into leading practices for data retention
  • Understand the importance of defensible destruction
  • Consider how a “big bucket” approach to data retention may be a better fit for your organization
  • Understand the risks of not retaining information long enough and the privacy pitfalls of keeping it too long

243—Hot Topic: Assessing & Managing Info Risk in an Outsourced Environment

Download Presentation

Renee Murphy
Sr. Analyst
Forrester Research

Defining and enforcing controls among third-party suppliers and other partners continues to be one of the biggest challenges among security leaders. Process and technology solutions have done little to alleviate this situation. Join Renee Murphy, senior risk and compliance analyst and IT auditor, as she presents current research and trends in the third party risk management space as well as techniques to prioritize controls, minimize assessment time, and streamline assurance processes.

After completing this session, you will be able to:

  • Better understand current trends and regulation regarding the risk of working with third parties
  • Apply tips for evolving the third-party risk management program toward enterprise acceptance and implementation
  • Gain a better understanding of the risks associated with outsourced solutions and how to remediate them

253—Operational Risk Management

  Download Presentation

Lisa Young, CISA, CISM
Senior Engineer
Carnegie Mellon University

After completing this session, you will be able to:

  • Understand operational risk in the broader context of enterprise risk
  • Explore what elements are needed to develop risk measurement for your organization
  • Have a working knowledge of different types of operational risk and the connection between information security, business continuity, disaster recovery, and IT operations
  • Understand the connection between key risk indicators and key performance indicators
  • Explore a continuous risk management process; tailor the process to current security challenges

313—Deploying Information Risk Management Globally and Avoiding the Pitfalls

  Download Presentation

Theresa C. Martillano, CRISC
Managing Director, IRM Enterprise Services / Regional IRM - Latin America
Bank of New York Mellon

Allen Ureta, CISA, CISM, CGEIT, CRISC
Executive Director
Deltamine, Inc.

After completing this session, you will be able to:

  • Understand the essentials of deploying enterprise risk management within and outside the U.S.
  • Comprehend the strategic imperatives of utilizing a risk-based approach towards accomplishing program objectives
  • Appreciate the integrated requirements of infrastructure management (people/process/technology) with supplier management
  • Recognize the importance of providing governance for the overall information risk management program at inception

Track 4: Compliance

114—RX for Healthy Security

  Download Presentation

Todd Fitzgerald, CISA, CISM, CGEIT, CRISC
Director of Information Security
Grant Thornton International, Ltd.

After completing this session, you will be able to:

  • Understand the current events driving healthcare security practices
  • Develop a roadmap for your own healthcare organization
  • Approach a government audit with preparation vs. surprise
  • Apply NIST 800-53 standards to healthcare security
  • Determine appropriate risk levels of audit issues
  • Apply technical and non-technical security solutions to key problem areas

124—FISMA — The Private Sector Impact

  Download Presentation

John Moynihan, CGEIT, CRISC
President, Minuteman Governance
Minuteman Governance

If your company does business with the U.S. Government, this session is critical!

After completing this session, you will be able to:

  • Gain a comprehensive, yet practical, description of the core requirements of FISMA
  • Learn how federal agencies have recently adopted a more aggressive approach toward third-party FISMA compliance, and how the law impacts government contractors
  • Understand how FISMA's framework is derived from NIST guidance and which specific elements must be addressed by government contractors
  • Recognize the major misconceptions associated with FISMA and the potential impact of non-compliance

134—Security Metrics

  Download Presentation

Lisa Young, CISA, CISM
Senior Engineer
Carnegie Mellon University

After completing this session, you will be able to:

  • Determine which measures are most important: key questions to ask
  • Articulate 10 key measures that better illustrate your current state of security
  • Put measures in place so they stick around
  • Communicate with business leaders in their language

144—SOC 2℠ at Age 2

  Download Presentation

Chris Halterman
Executive Director
Ernst & Young

After completing this session, you will be able to:

  • Present the purpose and uses of SOC 2 to the management of your organization
  • Integrate SOC 2 reports into a vendor management process and a COBIT®-based program
  • Facilitate a discussion between service organization and user regarding the contents and scope of a SOC 2 report
  • Assess the impact of the changes to the Trust Services Principles and Criteria and SOC 2 Guidance

214—Compliance in the Cloud

Download Presentation

Phil Lageschulte, CGEIT
Partner
KPMG

Sham Vaidya
CTO, Cloud Center of Competency, IBM Distinguished Engineer
IBM Corporation

After completing this session, you will be able to:

  • Discuss industry trends across the multiple evolving cloud compliance frameworks and industry standards (e.g. PCI, SOC 2, NIST 800-53, ISO 27001, CloudAudit)
  • Deliver an approach and strategies for prioritizing frameworks and standards
  • Provide case examples of how CSPs and user entities have implemented cloud compliance programs

224—Forensics and eDiscovery: Managing Risk and Privacy

  Download Presentation

Andrew Neal, CISM, CRISC
Regional Director
TransPerfect Digital Forensics

After completing this session, you will be able to:

  • Describe the basic process of forensics and e-discovery triggered by an internal incident or legal action
  • Identify the information assets that may be subject to a forensics examination or e-discovery collection
  • Discuss the risk that forensics/e-discovery may introduce to an organization's information security program
  • Implement strategies to help control risk during and after a forensics or discovery event
  • Participate in the management of the forensics or e-discovery engagement

234—Security Managers Understanding Privacy

  Download Presentation

Charlie Blanchard, CISA, CISM, CRISC
Director
AMGEN, Inc.

This presentation looks to explain the complexity and challenges of maintaining a secure network environment while remaining compliant with international data privacy law.

After completing this session, you will be able to:

  • Understand differences in regional approaches to privacy around the globe
  • Analyze the secrecy of correspondence principle and understand how it relates to employee monitoring
  • Apply core privacy principles, including the OECD Fair Information Principles and the EU Data Protection Directive, to information security controls
  • Develop a Privacy Impact Assessment framework

244—SSH User Key Mismanagement in Today’s Large Enterprise

  Download Presentation

Jonathan Lewis
Director of Product Marketing
SSH Communications Security

After completing this session, you will be able to:

  • Understand what SSH is and how it’s used in the network environment
  • Describe how SSH key mismanagement presents a clear cybersecurity and compliance risk to your organization
  • Name best practices for identifying and removing SSH key mismanagement-related risks in the network environment
  • Describe upcoming industry and federal standards aimed at addressing widespread SSH key mismanagement and reducing associated risks

254—Certified ISO 31000 Risk Manager

  Download Presentation

Peter Davis, CISA, CISM, CGEIT
Principal
Peter Davis & Associates

After completing this session, you will be able to:

  • Understand the concepts, approaches, methods and techniques that allow effective risk management according to ISO 31000
  • Acquire the competence to effectively advise organizations on best practices in risk management
  • Understand the relationship between risk management and compliance with the requirements of an organization's different stakeholders
  • Acquire the competence to implement, maintain and manage an ongoing risk management program according to ISO 31000

314—ISO 27001—What You Need to Know About Recent Changes

  Download Presentation

Peter Davis, CISA, CISM, CGEIT
Principal
Peter Davis & Associates

After completing this session, you will be able to:

  • Understand the implementation of an Information Security Management System (ISMS) in accordance with ISO 27001
  • Understand the relationship between an ISMS, including its risk management and controls, and compliance with the requirements of the organization's different stakeholders
  • Know the concepts, approaches, standards, methods and techniques that allow you to effectively manage an ISMS
  • Acquire the knowledge necessary to contribute to implementing an ISMS as specified in ISO 27001

Track 5: Forums

115—Responding to Cyberattacks Forum

  Download Presentation

Panelists

Bryan York
Manager, Advisory Services
Ernst & Young, LLP

James O. Holley
Executive Director
Ernst & Young

Jenna C. McAuley
Senior Manager, Advanced Security Center
Ernst & Young, LLP


Moderator

James Phillippe
Executive Director - EY's Threat & Vulnerability Management Leader for the US
Ernst & Young

After completing this session, you will be able to:

  • Apply the concepts of Complicate, Detect, and Respond
  • Understand the importance of real Threat Intelligence
  • Address questions related to the responsibilities of Security Monitoring and Incident Response
  • Gain insight on how Red Teaming adds context to Vulnerability Identification
  • Appreciate the value of maturing and integrating components of your Security Operation

125—Megatrend Session: The Evolving Threat Landscape — Microsoft Security Intelligence Report

  Download Presentation

Sponsored by Microsoft

Nam Ng
Senior Program Manager
Microsoft, Trustworthy Computing Group

Threats have changed in dramatic and unexpected ways over the past year as attackers continue to hone and evolve their strategies and tactics, and Internet-connected devices proliferate. Using the latest data from billions of systems around the world, join Nam Ng for this session where he will provide a unique perspective on the global threat landscape.

After completing this session, you will be able to:

  • Understand the latest trends in security threats
  • Examine the emerging online threats used by criminals today
  • Identify best practices for securing networks, software and customers

135—Megatrend Session: Time for BCM? Why and When to Include BCM in Broader Risk Management Efforts

  Download Presentation New

Sponsored by Modulo

Carlos Krause, CISA
Manager of Professional Services
Modulo

Modern organizations depend heavily on IT infrastructure to deliver products and services. The availability of servers, networks, applications and, of course, the Internet is now crucial to daily operations and success. Maturing information security departments perceive Business Continuity Management (BCM) as an important component of broader governance, risk and compliance management programs. How do you know your organization is ready to implement BCM automation?

After completing this session, you will be able to:

  • Determine why and when to include Business Continuity Management (BCM) in risk management efforts
  • Understand how BCM benefits larger Governance, Risk, and Compliance (GRC) programs
  • Develop a process for mapping assets (technology, information, vendors, personnel) to supporting applications and lines of business
  • More effectively relay the necessity and role of technology assets with respect to the continuity of enterprise-wide operations

145—COBIT 5 Forum

Moderators

Rolf von Roessing, CISA, CISM, CGEIT
President
FORFA AG

Jo Stewart-Rattray, CISA, CISM, CGEIT, CRISC
Director of Information Security & IT Assurance
BRM Holdich

Developing the most current content. Please check back soon!


215—Cybersecurity Forum

Moderators

Eddie Schwartz, CISA, CISM
Vice President of Global Security Solutions
Verizon Enterprise Solutions

Shannon Donahue, PhD, CISM, CISSP
Director of Information Security Practices
ISACA/ITGI

Developing the most current content. Please check back soon!


225—Industry Analyst Forum 

Speakers

Renee Murphy
Senior Analyst
Forrester Research

Jarad Carleton
Principal Consultant, ICT Growth Consulting Practice
Frost & Sullivan

Developing the most current content. To be announced via Mobile App!


235—OMG! Boomers, Gen X, Gen Y and Traditionalists

  Download Presentation

Todd Fitzgerald, CISA, CISM, CGEIT, CRISC
Director of Information Security
Grant Thornton International, Ltd.

After completing this session, you will be able to:

  • Understand and appreciate the differences between the 4 generations in today's workforce (Traditionalists, Boomers, Gen X and Gen Y)
  • Examine how to work together within the workforce now that the differences are understood
  • Understand the ramifications for information security, and the risks the organization is experiencing, of the different approaches these generations take to security and the work environment

245—Megatrend Session: Next Generation Security and Compliance Programs

  Download Presentation

Sponsored by RSA

Mason Karrer, CISSP, CISA
Principal GRC Strategist, Policy and Compliance
RSA, The Security Division of EMC

Threat vectors come in many forms both within and beyond traditional security boundary layers. Shifting business climates, regulatory bloat, and ideological actors are just a sliver of what organizations are facing in this era of enterprise risk. Join Mason Karrer to explore new and innovative ways leading organizations are tackling governance, risk, and compliance challenges through a combination of cutting edge technology, ingenuity, and common sense. 

After completing this session, you will be able to:

  • Gain an informative understanding of what GRC is (and isn’t) and why it’s becoming one of the best ways for data center voices to reach boardroom ears.
  • Learn how to laser focus security and compliance efforts through the lens of operational risk.
  • Identify key qualities that next generation security and compliance programs will possess to maximize efficiency and effectiveness in complex control environments.

255—Risk Forum

Download Presentation

Moderator

Marlin Ness, CGEIT, CRISC
Executive Director
Ernst & Young

Expert Panelists

Theresa C. Martillano, CRISC
Managing Director, IRM Enterprise Services / Regional IRM - Latin America
Bank of New York Mellon

Gary Pollack, CISA
VP, Assurance Services Leader
American Express

David Taylor
Business Executive – Technology
TI Transformation Program Operational Excellence & Change Delivery
Global Network & Infrastructure Solutions
Bank of America

Developing the most current content. Please check back soon!

315—Is Your Data Safer in the Cloud?

James Snow
Product Strategist
Google Enterprise

Cloud computing represents a significant opportunity for businesses to reduce costs and improve worker productivity. In particular, public cloud messaging and collaboration applications like Google Apps can enable users to communicate from anywhere on any device, while reducing the amount of infrastructure the IT team needs to support. In this session we will explore opportunities to deploy cloud computing solutions, how to assess security, privacy and other risk factors and how Google addresses these issues.


Pre-Conference Workshops

WS1—COBIT 5 for Security

Rolf von Roessing, CISA, CISM, CGEIT
President
FORFA AG

After completing this workshop, you will be able to:

  • Understand the major drivers for placing a security lens over COBIT 5
  • Be aware of the business benefits of using COBIT 5 for Information Security
  • Articulate how COBIT 5 for Information Security is aligned with globally accepted standards
  • Define how the 5 Key Principles of COBIT 5 can be leveraged from an information security perspective
  • Learn how COBIT 5 can help your enterprise to govern and manage information security effectively to support the enterprise

WS2—COBIT 5 for Risk

Steve Reznik, CISA
Operational Risk Program Manager
ADP, Inc.

After completing this workshop, you will be able to:

  • Understand the business drivers for IT-related risk management
  • Discuss important risk management practices and activities
  • Articulate IT risk scenarios and communicate impact in terms that decision makers can understand
  • Discuss the enablers of effective risk governance and management
  • Develop strategies to progress from “gap identification” to “risk triage” to quantitative comparisons of risk response options

WS3—Data Privacy Risks

Lisa Young, CISA, CISM
Senior Engineer
Carnegie Mellon University

After completing this workshop, you will be able to:

  • Articulate key questions to ask about privacy and security in your organization
  • Understand techniques to quantify the exposure of a data breach
  • Set generally acceptable privacy principles
  • Complete a Privacy Impact Assessment (PIA) checklist

WS4—Innovate your Cybersecurity Solutions: Understand and Respond to Current Threats and Incidents

Rolf von Roessing, CISA, CISM, CGEIT
President
FORFA AG

After completing this workshop, you will be able to:

  • Understand what the cybersecurity threat landscape currently looks like
  • Learn about the differences in traditional threats versus APT
  • Identify how to recognize a cybersecurity attack
  • Learn best practices to contain a cyberattack and mitigate impact

WS5—A Practical Approach to Network Vulnerability Assessment

WS5 has sold out; please contact the conference department to add your name to the waiting list.

John Tannahill, CISM, CGEIT, CRISC
Management Consultant
John Tannahill & Associates

The purpose of this seminar is to give participants a practical methodology and approach for performing network vulnerability assessments.

After completing this workshop, you will be able to:

  • Work in a live network infrastructure environment used for demonstration and discussion purposes
  • See demonstrations of assessment tools and techniques
  • Take part in a detailed discussion of the output obtained from each part of the assessment
  • Take away a sample network vulnerability assessment report outline
  • Take away a list of reference material on network vulnerability assessment methodologies, techniques and tools

Laptop is required with the following minimum requirements:

  • Windows XP or Windows 7 operating system
  • Minimum 2 GB memory (4 GB recommended)
  • Minimum 20 GB free disk space
  • DVD drive

Participants are required to install VMware Player (VMPlayer) or an equivalent prior to class:

  1. Download and install VMware Player from vmware.com before the session. The download is a 32-bit/64-bit build for Windows XP, Vista and Windows 7. VMware Player is not required if VMware Workstation (the commercial product) is already installed.
  2. Participants will be provided with the necessary virtual machines containing the tools and environments for the session (DVD format).

WS6—BYOD: Securing Mobile Technologies

WS6 has sold out; please contact the conference department to add your name to the waiting list.

John Tannahill, CISM, CGEIT, CRISC
Management Consultant
John Tannahill & Associates

After completing this workshop, you will be able to:

  • Gain an overview of current mobile security risk and control issues
  • Raise awareness of key risks relating to BYOD (Bring Your Own Device) within the organization
  • Evaluate current Mobile Device Management components and controls
  • Present security and audit tools and techniques with confidence and knowledge

WS7—Tools & Techniques of Digital Forensics and eDiscovery

Leighton Johnson, CISA, CISM, CRISC
CTO, Senior Security Instructor
ISFMT

We will present the concepts and principles that security professionals and auditors need to know to review, conduct or participate in a forensics investigation. Areas to be explored include:

  • What digital forensics is and how it is performed in today’s dynamic world
  • The current forensics tools, tactics and procedures for conducting these activities
  • How eDiscovery differs from forensics, and where the two overlap
  • Ensuring that proven policies and procedures are established and followed, along with a sound chain of evidence collection and custody in each investigation
  • The laws, ethics, regulations and boundaries (both technical and political) that apply to investigations and investigators, presented to help clarify positions and policies
  • Forensics and eDiscovery case studies, with student participation in a mock investigation and examination

After completing this workshop, you will be able to:

  • Define and Review a Digital Forensics Investigation
  • Delineate the Key Steps to a Forensics Investigation
  • Review the E-Discovery Requirements in Today’s World
  • Identify the Tools, Techniques, and Tactics for Forensics and E-Discovery
  • Implement Best Practices for Investigations and Examinations


Spotlight Educational Sessions

SP1—GRC Information Security Management for Data Privacy, Cloud and Enterprise

Sponsored by AdaptiveGRC™

Raef Meeuwisse, CISA
Functional Architect
AdaptiveGRC™

Cloud systems, mobile devices, suppliers and social networks – all this usually means that your organization is now responsible for data that is very often outside of your network but still inside your ownership and responsibility. For large organizations, an average single data loss event can now cost over $7m. Find out how you can successfully track and monitor your governance, risk and compliance requirements in the modern enterprise where your data is often residing in systems and devices that belong to others.


SP2—Building a Security Program that Protects an Organization’s Most Critical Assets

Sponsored by BEW Global

Rob Eggebrecht
President and CEO
BEW Global

Organizations are swimming in data and becoming more interconnected with partners and vendors on the “Global Electronic Nervous System” every day. Because of that, companies need to plan, implement and maintain a Critical Asset Protection Program that clearly defines what assets are deemed most important to the organization based on revenue, income, reputation and core operational impact.

Join BEW Global President/CEO, Robert Eggebrecht as he discusses the step-by-step process and methodology to building a risk-based, cost-effective program.

After completing this session, you will be able to:

  • Obtain executive-level program buy-in
  • Design, build and maintain an Information Security Management System (ISMS)
  • Identify critical assets and how they are created, stored, used and transmitted
  • Evaluate existing technologies and opportunities for new security tools

SP3—How Data Classification can Harness the Value of Big Data

  Download Presentation

Sponsored by BoldonJames

Tony Gilbert
Channel Director, Americas
BoldonJames

The amount of information that needs to be secured is already growing faster than our ability to secure it. Gartner predicts that by 2015, 80% of enterprise information will be unstructured material that does not conform to traditional data models and spans all forms of content.

When you combine this with poor levels of user awareness and with new and easier communication methods such as social media, chat and the ever-present e-mail, the likelihood that staff members misplace or lose valuable IPR, or leak sensitive information, rises sharply.

We look at how Data Classification solutions can help harness the value of Big Data and increase business efficiency. The session will focus on a customer case study covering the background to why they implemented a Data Classification solution, the challenges they encountered, how they succeeded and the business benefit it delivered.


SP4—Impact of PCI DSS 3.0

Sponsored by FishNet Security

Mark Carney
Vice President Strategic Services
FishNet Security

Matt Sharp
Director of Strategic Services - IA
FishNet Security

FishNet Security is excited to present, based on years of practical experience and participation in PCI Special Interest Groups, a review of the evolution of the Payment Card Industry Data Security Standard (PCI DSS), along with the most recent changes in the new PCI DSS 3.0 draft release.


SP5—Risk Management 2.0 - From Information Security to Enterprise Risk Management

Download Presentation

Sponsored by Modulo

Portia Mills
Head of Marketing
Modulo

Learn how information security officers have evolved IT risk management programs to take on expanded risk management objectives and to report risk at a higher and broader level. Case studies describe how security officers began by automating vulnerability and threat management, IT control assessments and vendor risk management, and built enterprise-level risk management programs on that foundation.

 

Modulo Lunch & Learn

LL1—Embracing Shadow IT - How to Encourage Innovation Within a Secure Shadow IT infrastructure

  Download Presentation

John Ambra, CISA
Director of Technical Services
Modulo

Shadow IT, a term used to describe IT systems and solutions deployed within organizations by departments outside the IT department, can serve as an important source of innovation, but it can also present significant risks to an organization’s information security. Learn about techniques to control Shadow IT without stifling it.

After completing this session, you will be able to:

  • Understand Shadow IT's pros and cons
  • Manage risk within a Shadow IT infrastructure
  • Know when and how to allow for innovation and growth
