CSI/ISE National Executive Forum
Monday, November 5, 2007
Ritz Carlton, Pentagon City
Washington, D.C.
10:30 AM - 12:30 PM
Do you have Advance Questions for a Guest Host Moderator?
If you would like to ask a Guest Host Moderator a question on their thought leadership topic in advance of the CSI/ISE National Executive Forum, please send your question via email to iseNational@infosecaward.com. Be sure to include in the Subject Line: Question for Guest Host Moderator at CSI/ISE National Executive Forum. In the body of the email, please let us know the name of the guest host moderator, thought leadership topic and your question. We will send your question over to the Guest Host Moderator to be answered at the CSI/ISE National Executive Forum. Thank you.
Guest Host Moderators for Day 1
Executive Forum Global and Thought Leadership Global Topic
Bringing Security Into The Boardroom
Global Topic Led By: Bruce Bonsall - Vice President and Chief Information Security Officer, MassMutual Financial Group, ISE National Awards 2006 Winner, ISE New England Awards 2006 Winner
Bruce will discuss his personal experience of how he gained access to the board of directors at MassMutual over the course of a year and worked with his CIO and security team to bring an informative business message into the board room. He will share how he communicated effectively with the board and how he reinforced his image as the head of information security to raise the importance of funding the information security programs at MassMutual. Bruce will share his strategies for making a positive impact in the board room and the types of communication formats that are effective for a group of people whose focus is maintaining shareholder value and protecting the company's interests rather than the bits and bytes of technology.
Discussion points:
- How to get invited to conduct a proactive and security-friendly board presentation
- Communication methods and formats that are most effective for this audience
- How to convey a concise, precise, and informative message that demonstrates value to the business without too much technical jargon
Bringing a Structured Approach to Unstructured Information
Information is critical to the success of any business. Accessing the right information and ensuring its proper protection is of paramount concern. Most companies have focused their information management efforts on structured data, but business critical information is now just as likely to be contained in unstructured data.
Research shows that 80% of all enterprise information is unstructured. Documents, spreadsheets, presentations, and images are examples of the unstructured data that a typical enterprise stores in its data environment. In practice, this unstructured data is stored in files with liberal permissions, so sensitive data can be compromised whether or not the user intends it.
Discuss with your peers at this executive roundtable:
- The importance of protecting unstructured data
- Effective ways of securing unstructured data
- Risks of inadequate data access controls
Untethered Workers, Untethered Data! Securing Data on Mobile Devices
Mobility is key to business productivity. Wireless solutions help improve efficiency, drive revenue, and help you maintain relationships that are vital to your business. Wireless solutions can also create data security challenges.
Data security breach disclosure laws, such as California's SB 1386 and similar legislation being enacted in other states, have dramatically increased the risks associated with handling personal electronic records. As a result, organizations are now being forced to spend millions of dollars reacting to data breaches involving the personal information of consumers and employees. Many of these incidents result from the theft of laptop PCs and the theft or loss of other portable endpoint devices, including smart phones, USB flash drives, and iPods/MP3 players. To avoid the costs associated with data breach disclosures, organizations need solutions that protect personal information stored on devices vulnerable to loss or theft.
Discuss with your peers at this executive roundtable:
- Strategies, methods, policies, and processes for protecting corporate data and ensuring the secure use of mobile devices
- Protecting corporate data and mobile resources from unauthorized access
- Increasing visibility and control over managed and unmanaged end-point devices
- Ensuring end user compliance
Managing Security Operations: Pros and Cons of Using a Managed Security Service Provider (MSSP)
Securing operations from internal and external threats demands around-the-clock real-time services. These services are required to enhance an organization's information security posture through continuous monitoring and management, expert analysis, compliance reporting and immediate response to potential security threats.
The challenge of securing and managing resources and running a 24/7 environment can be daunting and costly for many organizations. One solution is to employ a managed security service provider (MSSP), which can offer companies low-cost security solutions.
MSSPs have evolved in various ways and can handle system changes, modifications, and upgrades. Some traditional ISPs, noting the increasing demand for Internet security in recent years, have added managed security to their services. A few security vendors have added Internet access, thus becoming MSSPs. Still other MSSPs have come into existence as brand new entities.
Many companies, especially financial services and other highly regulated organizations, require an MSSP to verify that its processes are credible and that it has controls in place to provide a consistent, stable, and secure environment. Some companies are reluctant to give up complete security control of their systems and sensitive customer data.
Discuss with your peers at this executive roundtable:
- The considerations, pros, and cons of utilizing an MSSP
- The advantages and disadvantages of outsourcing parts of your security operations to an MSSP while other parts are managed by internal resources
- Best practices for delivering integrated event archiving and management, improved compliance reporting, and strong administration
- Solutions that detect and prevent sophisticated online fraud and identity theft attacks from internal and external sources
Addressing Vulnerabilities in Your Business Applications
Applications have become increasingly complex in reaction to the rapidly changing regulatory environment, new technology, and the dynamic nature of the business environment. This complexity brings vulnerabilities that must be addressed. Given the number of applications in a typical organization, what seems like a daunting task can be accomplished with the right people, processes, and technology.
Discuss with your peers at this executive roundtable:
- Tools and technologies for identifying web application vulnerabilities
- Roles and responsibilities of the application quality assurance (QA) teams, information security staff, audit professionals, and developers in ensuring secure applications
- Ways of firmly entrenching application security in all stages of the Software Development Life Cycle (SDLC)
- Building and maintaining focus on the security of applications
- Ways of dealing with attacks that target software and web application vulnerabilities
Keeping Your Data Safe While in the Hands of Third-Party Providers
In the world of security today it's all about protecting your data. Not only do you have to worry about insider threats and outsider threats to your data when it resides within your network, but even more critical is the need to ensure your data is protected when it's in your third-party vendor's hands.
Many companies are working with their internal business partners to ensure that the vendors they do business with have proper security controls in place if they are exchanging PII or PHI. More and more companies are requiring language to be written into contracts that also include agreement on security standards by their vendors. A robust vendor risk management program can include onsite visits to key vendors and requires resources and funding to ensure it is successful.
Today's business environment demands the free flow of information between organizations. Yet there are significant regulatory and legal obligations for ensuring the protection of information exchanged with third-party providers, whether they are service providers, suppliers, vendors, or partners.
Discuss with your peers at this roundtable:
- Strategies for working with third-party providers to protect information
- Identifying and mapping data exchanges
- Creating risk rating criteria for vendor assessments and prioritizing risks
- Identifying and engaging internal stakeholders in the management of risk
Addressing Legal Discovery Challenges
Given the new Federal Rules of Civil Procedure, information security executives are often involved in collaborating with their legal partners in the legal discovery process. Companies face an increasing number of requests to produce records due to litigation or regulatory requirements and failing to find records can be costly. Even if security executives do not have direct responsibilities for data retention and retrieval, there is an increasing role for information security executives to help the Legal department with forensics and the development of a cost-effective process for conducting searches for information, especially e-mail.
Discuss with your peers at this roundtable:
- How information security executives can be involved in legal discovery and provide insight into best practices
- Ways of building internal collaboration with your legal, privacy, records management, and IT partners around e-discovery
- Tools and technology that can be used to expedite the forensics and archiving requirements of the Federal Rules of Civil Procedure