Conferences that solve current IT challenges

Enterprise Risk / Security Management

Strategies for adopting a comprehensive IT GRC (Governance/Risk Management/Compliance) approach to managing information adhering to business needs

February 7, 2013

9:00am-5:00pm

7 CPE / 0.7 CEU / CISSP / 7 PDU Credits Awarded


Conference location: Donald E. Stephens Convention Center, Rosemont (O'Hare), Illinois

Overview

In today’s highly regulatory environment it is essential that you have a clear understanding of risk across the enterprise. A risk management framework can bring visibility to key business and compliance risks and enable a company to make decisions on where to prioritize its limited resources. It is through a risk management framework that real value to the business can be achieved.

With all of these challenges, how do you make this happen?

In this one day conference, attendees will be provided with examples of approaches to managing information and compliance risk through a risk management framework.

What You Will Learn

In this one day conference attendees will learn:

  • IT Risk & Social Engineering: Establishing Metrics to Manage the Human Layer

  • How to Design an Effective Risk Assessment

  • How Security and the CSO Can Provide Business Value

  • How to Reduce the Risk of Data Loss and Audit Failures: Implementing a Response Plan

  • Mobile Technology in the Enterprise: How to Manage Security Risks of BYOD

  • Big Data - Didn't We Used to Call it SEIM?

Conference Program

8:00am - 9:00am - Registration and Continental Breakfast


9:00am-10:00am

IT Risk & Social Engineering: Establishing Metrics to Manage the Human Layer

Mark T. Chapman, CFE CISSP CISM CRISC, President and Founder, PhishLine.com

The most damaging information security attacks often use low-tech social-engineering methods to trick users into sharing sensitive information. In spite of the significant money spent on email and web content filtering technologies, organizations ultimately must rely on the generally unreliable “human firewall” to thwart phishing attempts. For such an important class of critical security controls, it is surprisingly rare to formally configure and manage the human layer beyond ad-hoc techniques based on anecdotal, incomplete and inaccurate information.

There are now ways to safely use some of the methods employed by attackers to provide objective, understandable and actionable metrics to proactively measure, manage and improve the effectiveness of the last line of defense.

Objectives:

  • Take a real-world look at “configuring” the human firewall in the enterprise beyond generic security awareness training.
  • Define objective, understandable and actionable metrics around social engineering.
  • Discuss stories-from-the-trenches with examples that measured and improved the effectiveness of people, process and technology controls.
  • Help establish an “Information Security Awareness Operational Plan”, where employees thwart unauthorized attempts to obtain sensitive information.

10:00am -10:30am - Refreshment Break


10:30am-11:30am

How to Design an Effective Risk Assessment

Chris Cronin, Governance & Strategy Consultant, ISO 27001 Auditor, HALOCK Security Labs

Risk Assessments are now required by laws, regulations and standards (such as PCI DSS 2.0, HIPAA, CMR 17.00 and many others).

Many options exist in pursuing completion of a risk assessment and implementation of a risk management framework. In this session attendees will learn specifics of an asset-based Risk Assessment and identify how it can:

  • Maximize effectiveness of IT Security spend
  • Reduce or eliminate ad-hoc security and risk decisions being made out in the field
  • Align Executive Management, IT Management, and IT Staff with common security goals and objectives
  • Meet PCI DSS v2.0, section 12.1.2 compliance
  • Meet HIPAA & CMR 17 risk assessment needs
  • Provide the foundation for the PLAN phase of an ISMS based on ISO 27001
  • Provide a framework for evaluating risk of new business units, IT functionality, or company acquisitions and mergers
  • Provide the Board of Directors specific business justification for IT spending
  • Provide the foundation for a "right sized" Information Security Management System

11:30am-12:30pm

How Security and the CSO Can Provide Business Value (Panel)

Panelists:
CISOs/Security Directors from Enterprise IT Departments

In this session, attendees will learn from a panel of IT security executives about the strategies they are leveraging to ensure their efforts are in sync with business priorities.

Topics covered:

  • How to identify and leverage the following areas of value for continued investment and security spending: reputation, regulation, revenue, resilience, and recession
  • How to assess, understand and define security’s current and future roles in the extended enterprise
  • Where are security investments being made on personnel, processes, and technologies
  • What does security need to specifically achieve for the enterprise in terms of protecting current business processes and enhancing future revenue growth

12:30pm - 1:30pm Luncheon


1:30pm-2:30pm

How to Reduce the Risk of Data Loss and Audit Failures: Implementing a Response Plan

Joe Skehan, Sr. Director, Product Management, Venafi

In today's fast-paced, high tech ‘cloud’ and ‘BYOD’ world, encryption keys and digital certificates serve as the primary security mechanisms (authentication & encryption) for protecting usernames, passwords, and other sensitive data transferred in and out of corporate networks and between computers.

Most organizations today are unprepared to handle the day-to-day security, operational and compliance risks related to managing their encryption keys and certificates. What will happen to your company or government agency when (NOT IF) your Certificate Authority is compromised?

In 2011, for the first time on public record, four public CAs were compromised, forcing public and private sector organizations to immediately and manually locate, revoke and replace the compromised certificates.

Notably, the Dutch government was crippled by the DigiNotar CA compromise which disabled all secure online operations for a prolonged period of time. This incident caused the Dutch government the expensive and embarrassing action of informing their citizens to “only use pen and paper, or fax” as a means of secure communication.

This session provides a risk overview, security best practices and lessons learned from recent CA compromises on a global scale. The session will also provide guidance to organizations looking to implement a CA compromise response plan.

2:30pm - 3:00pm - Refreshment Break

3:00pm-4:00pm

Mobile Technology in the Enterprise: How to Manage Security Risks of BYOD (Panel)

Speakers will include:
Greg Bee, CISO, Country Financial, and other CISOs/security leaders sharing their experiences and lessons learned

As employees become increasingly mobile through consumer technologies, IT systems and information become more vulnerable to security risks and breaches. The major challenge becomes how to effectively manage these risks while maximizing employee productivity.
In this session, attendees will learn from a group of seasoned IT security executives as to how they are handling these challenges.


4:00pm-5:00pm

Big Data - Didn't We Used to Call it SEIM?

Derek Milroy, Senior IS Security Engineer, U.S. Cellular

This presentation will examine what Big Data is, or may be, as it relates to information security. In many cases, a large amount of existing data must be optimized and put to use before a Big Data initiative can begin. The presentation will then focus on the steps to reach a point where Big Data analytics may be possible. A structured approach will be presented so that organizations can optimize and use existing data while preparing for a Big Data initiative or implementation.


Conference Price: $269.00 per person


Each attendee will receive a certificate awarding 7 CPE credits for CISSP continuing education, in addition to 0.7 CEUs and 7 PDUs. CISSP is a registered certification mark of (ISC)², Inc.

Exhibits

As is always the case at CAMP IT Conferences events, the talks will not include product presentations. During the continental breakfast, coffee breaks, and the luncheon break you will have the opportunity to informally meet representatives from the following sponsoring companies, who have solutions in the area of the conference.