What we missed at the data centre audit
Robert Findlay - Global Head of IT Audit at Glanbia Ireland
This session is based on practical experience of running data centres and being on the receiving end and carrying out data centre audits. Too many key risks are being overlooked and auditors are not targeting the issues that actually matter and the risks that actually bring down data centres.
Making friends with Internal Audit!
Andrea Simmons - i3GRC Managing Consultant
The aims of the Security team and the Internal Audit team are not diametrically opposed; rather they are entirely aligned when it comes to Enterprise Risk Management. Every effort should go into ensuring much closer working relationships that are positive for your environment and your clients, customers or stakeholders, rather than behaving in an abrasive, negative or counter-productive manner. It's not a battle ground between the two disciplines! This session will discuss the overlap and articulate ways in which to improve the dynamic for better results for all. The easy extrapolation is then from achieving harmony with internal audit to maintaining successful external audit ratings too - nirvana is only 25 mins away!
Increasing Your Audit Relevance Using COBIT 5
Barry Lewis, CISSP, CISM, CRISC, CGEIT - President at Cerberus ISC Inc
Auditors need the skills and techniques that will help them perform effective and efficient audits. This seminar will show that even new auditors can provide detailed governance audits by optimising their use of the various details that COBIT 5 offers. From high-level gap analysis to detailed, fairly technical audits, COBIT provides the auditor with the details they need. Using processes, practices and activities, the new auditor has a number of detail levels to choose from. Add in some experience and audits begin to shine.
Role of Information Security Professional in tackling terror
Dr. Vishnu Kanhere - Consultant at V. K. KANHERE & CO / KCPL
1. Anatomy of terror and crime
2. Information systems - enabler, medium, technology for cyber crime, cyber war and cyber terror - the challenge of the cyber criminal and cyber terrorist
3. Role of Information Security in tackling terror
4. Framework for anti-terror initiatives - early warning systems, Key Terrorism Indicators and Signatures, Tools & Techniques, Monitoring, reporting and Response
5. Road Map and shape of things to come
Terrorism is on the rise the world over. The reach, effectiveness and scale of terrorist attacks, cyber-warfare and cyber crime have acquired a new dimension with the advent of Information technology as a medium, enabler and tool in the world of terrorism.
A comprehensive Information security framework as a state initiative with private partnership will prove effective in dealing with this menace. The emerging threats to public networks, SCADA systems, energy, water, transport and communication infrastructure can be effectively neutralized by deploying an information security framework with appropriate people, processes and technology. The author had occasion to study the Mumbai terror attacks and will share insights with the participants. The author suggests a strategy and outlines a solution based on early warning systems, monitoring, and response teams.
New Cyber Defense Management Regulation for Banks in Israel - Lessons Learned From Implementing One of the World's First Cyber Defense Management Regulations
Ophir Zilbiger - SECOZ CEO
It is clear to every professional dealing with the management of cyber related risks that there's a need for change. Classic information security methods just don't do the job. The Supervisor of Banks at the Bank of Israel is one of the first financial sector regulators to realize this by issuing "Directive 361", Cyber Defense Management, aimed at banks and credit card companies. The directive is divided into two complementing parts - Cyber Defense Management and Cyber Risk Management (note the Israeli banking system has adopted Basel II as the risk management foundation). Two very important aspects of the directive are the appointment of a Chief Cyber Defense Officer (CCDO - as referred to in the directive) and clearly defining the responsibilities of the board of directors in the cyber realm.
This session focuses on the actual, real world experience gained from the implementation of Directive 361 in some of Israel's leading banks: the challenges of defining the difference between Cyber Defense and Information Security, and the difference between the CISO role and the newly defined role of the CCDO. Directive 361 and its implementation carry important lessons that professionals responsible for managing cyber risks need to know in order to prepare for upcoming cyber defense regulations that will be issued by regulators in different countries and across various industries.
2016 and Beyond: New Vulnerabilities, Bad Actors and What You Can Do About Them
John Linkous - CEO, InterPoint Group
This presentation presents a strong case that we need to be concerned about emerging vulnerability trends, such as kinetic threats, the "Internet of Things", mobile and cloud technologies. Relying on statistics and anecdotal evidence from trusted sources, John demonstrates clearly that cybersecurity attack vectors, methods and motivations are changing... and we need to be prepared.
Is Protecting the Balance Sheet Really Enough?
Joseph Mayo - President, J. W. Mayo Consulting, LLC
This session examines 4 recent ERM lapses (defective GM sensor, defective Toyota speed control, Anthem data breach, Healthcare.gov) to show how safety and reputation risks can impact an organization. Organizational culture was a large contributing factor in these ERM lapses and compounded the risk impact. Mr. Mayo will discuss the role of the Enterprise Risk Management Organization (ERM), the effect of organizational culture on ERM, and the need for a holistic approach to enterprise risks. This session will explore High Reliability Organizations (HRO) and how HRO characteristics can be introduced into the organizational culture to achieve a high performing ERM organization that can more effectively identify and manage lapses in the risk management process. Mr. Mayo will demonstrate how to use risk scenarios from the COBIT Governance framework to enhance existing ERM processes. Risk scenarios help drive an ERM organization to a more holistic risk management approach. Risk scenarios combined with HRO characteristics will yield a highly effective ERM organization that can more effectively manage mission, safety, and reputation risk in addition to conventional financial risks.
Attendees will learn how safety risks costing pennies to treat can result in billions of dollars in exposure if left untreated. Attendees will learn how to enhance ERM processes to include mission, safety and reputation risks in addition to conventional financial risks. Finally, attendees will learn how to develop risk scenarios and integrate them with existing ERM processes.
How to Make Rubbish Risk Decisions
Michael Barwise - CEO, Integrated InfoSec
The influence of psychology on decision making is hardly ever considered in the infosec risk space, despite its powerful effect on the quality and consistency of judgement. However, there is a small but influential set of mental heuristics that bias judgement, largely regardless of the issue being assessed. The speaker will take a practical look at these heuristics and the biases they contribute to, with examples from real world events, and suggest ways of reducing their influence.
A Question of Trust
Wendy Goucher - Information Security Specialist for Goucher Consulting Ltd.
When a device attempts to connect to a network, that network needs to establish if that device is a trusted device. If it is, then it can proceed to check if the user is trusted by means of identification and authentication. If all is ok then, in most cases, access is gained. Humans are different. Take your neighbours. You may trust them to come to a party, but would you lend them your new car, house or smartphone? "Possibly", "maybe", or "it depends" are the most likely answers. Trust in the technical world is binary: they trust or they don't. In the biological world trust is much more granulated. One of the hardest lessons for teenagers to learn is that most people are trustworthy in some situations, but maybe not in others. Finding the boundaries of that trust is often painful trial and error until experience powers judgement.
When we issue a directive or policy that says "do not use public WiFi for working on sensitive business documents", that may seem straightforward. We know what is sensitive and we understand enough of the threats from public WiFi. But the user might say "but what about if the boss rings and demands I send this email before I get on my flight in 15 minutes?" or any of a thousand other "What if?"s. They are probably not being difficult; they simply see trust in a less straightforward way.
This presentation aims to make you consider how some of our 'common sense' messages may not lead to secure action - and considers some solutions.
My Data My Responsibility
Jenai Nissim - Data Protection Manager at Capital One (Europe) Plc
Whilst we all know what's happening to data within our organisation, the minute it is passed to third parties we start to lose control. This session talks about the practical controls and monitoring arrangements you can put in place to ensure that your data is safe once it is passed to or shared with a third party.
Are you ready? The hitchhiker's guide to the integration of privacy and security
Gerard Smits - Founder, NedPrivacy
Risk assessments regarding security risks are quite common practice. With the General Data Protection Regulation (GDPR) on the horizon, privacy risks are entering the board room. The financial consequences are getting higher if you are not in control. But there is more...
- What about the reputational damage and potential liability?
- Have you done your due diligence when looking at privacy risk assessments?
- Are you in control and prepared?
- Is your executive aware of the potential risks?
During this presentation, you will be taken onboard for a journey in building trust, integrating security, and understanding potential harm, so as to stay ahead of the game. In other words: see what you can do by using privacy risk assessments to be and stay competitive and regain your agility. The time to act is now, be prepared!
- How to determine privacy related risks
- Integration of security and privacy (not so different after all)
- Steps to prepare your organization
- How to communicate privacy and security risks in the boardroom
Legal solutions to technical privacy problems.
David Fagan - Commercial Lawyer, Business Legal
For almost all personal data privacy issues, including security issues, there are legal solutions as well as technical ones. The best results are often found with a mix of technical solutions and legal solutions. In this session David will take you through common legal solutions for privacy issues: solutions which can reduce technical spend and require less concentration of scarce technical resources. Ultimately, data privacy is an issue arising almost entirely from the need for statutory compliance. From this session, you will have a grasp of the various tools available to you to navigate through the privacy and data security area in a practical, cost effective way.
Shadow IT risk - empirical evidence from multiple case studies
Christopher Rentrop - Professor for Business Information Systems at HTWG Konstanz (University of Applied Sciences)
In many organizations, business departments and users autonomously implement Information Technology (IT) without integrating these systems into formal IT service management. Shadow IT, which partly evolved from non-transparent and unapproved end-user computing (EUC), is the term used to refer to this phenomenon. It challenges IT controllability and can compromise business goals. Therefore it is becoming a major topic in the field of IT governance, risk and compliance. Based on multiple case studies, our research group has undertaken an in-depth analysis of the role of Shadow IT in companies.
In these studies Shadow IT instances were surveyed by interviews. In the next step the quality of the solutions found was assessed. Furthermore, necessary measures were derived for each single Shadow IT system. The presentation will give a detailed insight into the usage patterns, related risks and typical measures. For example, we found between 6 and 52 Shadow IT systems in every department, of which 40% were used to make operational or strategic decisions. Across all industries more than 60% of the instances needed management attention. As a result of the analysis, implications for the design of a company's internal control system will be derived.
Getting Started With GEIT
Peter Tessin - Technical Research Manager at ISACA
Getting access to frameworks and standards to assist with governance is easy; applying those materials to everyday business problems isn't always! Join us for a discussion on the practical application of governance and COBIT to real-world business problems. Learn how to work through identification of an issue to documentation of its resolution. We will focus on a specific business issue and work through:
- how to communicate to upper management what approach we're going to take
- how to identify the key requirements to resolve the issue
- applying a systematic approach to ensuring all necessary resources are identified
- designing a solution
- documenting the entire effort
How to talk about IT Governance with your boss in the elevator?
Bruno Horta Soares - Founder & Senior Advisor at GOVaaS - Governance Advisors as a Service
Before you do things right, you have to do the right things. This session covers why good communication between business and IT areas is so important in helping organizations deliver value, and how to get everyone speaking the same language using COBIT 5 related materials. Reality check and lessons learned from projects and initiatives developed to improve IT savviness at small and medium enterprises in a "small medium country" like Portugal.
DevOps / Application Security
Understanding Today's Mobile App Store Ecosystem and Why You're at Risk
Jeff Lenton - Solutions Architect at RiskIQ EMEA
The on-going creation of mobile apps and the rapid proliferation of mobile app stores make it difficult, if not impossible, to keep tabs on all the apps created by you or created in your name. As secondary app stores step in, grab apps from official stores and re-deploy them to their sites without your knowledge, the threat of your apps being exploited, attacked or copied becomes even greater. In this session we will explore the complexities of the worldwide app store ecosystem and examine recent examples of malware, app re-packaging, data leakage and intellectual property violations presented by fraudulent and unauthorised apps. We'll show how you can take a proactive stance against malicious and rogue apps to take them down before they compromise your organisation or your customers.
Threat Modeling: Finding Security Threats Before They Happen
Jeff Kalwerisky - VP & Director of Technical Training at CPE Interactive, Inc
Threat Modeling is a formal methodology to identify risks and vulnerabilities as early as possible in the lifecycle of complex technology processes, including software and hardware systems and even financial systems. This approach helps the auditor, information security, internal control, or risk professional to identify, classify, rank, and mitigate enterprise threats in complex systems, without "getting down in the weeds."
The documentation in a Threat Model forms an important component of an Enterprise Risk Management System (ERMS). The model is also an excellent communication tool to describe risk in a common format for different audiences: software developers, hardware engineers, business users, auditors, security practitioners, IT staff, and senior management.
All of this information can be stored in a database which forms an electronic trail, over the entire lifecycle of the application or system, of the vulnerabilities and control weaknesses inherent in the system and the corresponding resolution or corrective action. Review of the database records can then be mapped to continuous monitoring and continuous auditing processes. This session provides an overview of building a Threat Model, using data flow diagrams, a standard taxonomy of threats and vulnerabilities ("STRIDE"), and a more objective way to rank threats and vulnerabilities for remedial action ("DREAD").
A Case Study: Standard Bank's journey into security and DevOps.
Jock Forrester - Head of IT Cyber Security at Standard Bank
Ever read The Phoenix Project and wondered if John the security guy was "you"? You know, the guy who always says no, is seen to be driving an agenda against the flow of the business and holds everyone back. Then everyone wants to use "Agile" as the silver bullet to respond to customer demands faster and put features straight into production, and as that guy, are you being bypassed? "Agile is not an excuse to be stupid!" How does one change the approach to security in the SDLC to not only support but encourage a continuous delivery pipeline, and therefore an Agile methodology?
The answer is:
- Get more involved further left in the SDLC
- Expand and automate your security testing capabilities
- Embrace and exploit the velocity that a DevOps train brings