CSI/ISE National Executive Forum
Tuesday, November 6, 2007
Ritz Carlton, Pentagon City
Washington, D.C.
10:30 AM - 12:30 PM
Do you have Advance Questions for a Guest Host Moderator?
If you would like to ask a Guest Host Moderator a question on their
thought leadership topic in advance of the CSI/ISE National Executive
Forum, please send your question via email to iseNational@infosecaward.com.
Be sure to include in the Subject Line: Question for Guest Host Moderator at CSI/ISE National Executive Forum.
In the body of the email, please let us know the name of the guest
host moderator, thought leadership topic and your question. We will
send your question over to the Guest Host Moderator to be answered
at the CSI/ISE National Executive Forum. Thank you.
Global Moderator
Guest Host Moderators for Day 2
Todd Fitzgerald, CISSP, CISA, CISM
Medicare Systems Security Officer
National Government Services, LLC (NGS)
ISE Central Awards 2006 Judge, ISE West Awards 2006 Master of Ceremonies, ISE Midwest Awards 2005 Finalist
Topic 1. Deciphering the Encryption Puzzle
Paul Huesken
Director, Information Assurance
The Coca-Cola Company
ISE National Awards 2006 Judge
Topic 3. Staying Afloat by Plugging Up and Preventing Data Leakage
Joseph Lee
Director, AARP Information Security Services
AARP
Topic 2. Authentication, Authorization, Automation...the Three A's of Identity Management
Georgia Newhall, CISSP, ISSMP, IAM
Director of Information Security Operations
Northrop Grumman Corporation
Topic 4. Measuring the Value of Security
Jane Scott Norris, CISSP, CISM, CAP
Dean, School of Applied Information Technology, Foreign Service Institute
U.S. Department of State
ISE National Award Finalist 2004 and 2005
Topic 5. Addressing and Managing the Global Compliance and Security Issues
Executive Forum Global and Thought Leadership Global Topic
Keeping Information Security a "top of mind" priority for your business partners
Global Topic Led By: Eric Litt - Chief Information Security Officer, General Motors Corporation, ISE Central People's Choice Award Winner 2006, ISE West Awards 2006 Judge, ISE National/CSI Member's Choice Award Winner 2006, ISE National Awards 2007 Judge
Several years ago, the proliferation of worms and viruses was negatively impacting the ability of businesses to continue providing services, and in some cases businesses were shut down for hours and even days. Information security and business resiliency were top-of-mind priorities for the business.
Today, with less visibility of these types of threats, how do CISOs keep the organization sensitized to the need to do more, and help executives and senior management understand the need to continue investing in information security to protect their business?
The role of the CISO is changing. CISOs must now be much more involved in the business: learn the business, and work with the business on strategic plans, business goals and objectives. CISOs must help make sure security is part of the normal day-to-day business flow, the processes, the conversations, executive staff meetings...and education is key.
In an interactive format, Eric Litt will share his methods and insights into how CISOs can help create security-conscious business leaders who view security as a core enabler of their business.
Topics to be discussed include:
- How to raise awareness of threat management with executive teams
- How CISOs can help the business understand the impact that vulnerabilities in its information systems will have on the business processes that keep the business running
- How to talk to the business in language they will understand to keep their attention on the value of information security
- How to turn the investment in information security into a real return for the business
Deciphering the Encryption Puzzle
Privacy regulations, PCI standards, state breach notifications laws, and the steady stream of data leaks and laptop losses are creating a rush to increase the use of encryption for data-at-rest, data in transit, and data in use.
Every enterprise stores sensitive data in application database files. This sensitive information might be credit card numbers, social security numbers, birth dates, zip codes, proprietary intellectual property, or other information. Preventing unauthorized access to this information is important to protect stakeholder value, meet regulatory requirements, minimize legal liability, and protect customer information. Enterprises will use a variety of techniques and measures to prevent unauthorized access. Encrypting the sensitive data directly in the database fields and columns where it is stored is one important way to achieve this protection.
Securing data on mobile devices is also a top concern for all organizations. Some common approaches to mobile data encryption are: full device, file/folder, and field. How do you know which of these approaches is appropriate or necessary for your business? There are many considerations when deploying encryption solutions on mobile devices including performance, backup, restore, and maintenance.
Encrypting sensitive data directly in the database fields and columns where it is stored is even more complex and the technology solutions to support this work are not yet mature.
Discuss with your peers at this executive roundtable:
- The financial, legal, and regulatory drivers that lead companies to encrypt mobile devices
- The risks companies face when data is stored unprotected on mobile devices
- Common approaches for implementing encryption on mobile devices and in data bases
- The challenges of implementing encryption solutions
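As an added illustration of the column-level approach described above (example code written for this page, not a product or vendor implementation): each cell value is encrypted with AES-256-GCM, and the table, column and row identifiers are bound in as associated data, so a ciphertext lifted from one row cannot be pasted into another row or column and still decrypt. The key, table and column names and the sample SSN are constructed for the example; a real deployment fetches the key from a KMS or HSM at runtime.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	"io"
)

// demoKey is a constructed 256-bit key used only so this example runs stand-alone.
// In a real deployment the key comes from a KMS or HSM and is never stored
// beside the data it protects.
var demoKey = []byte("0123456789abcdef0123456789abcdef")

// fieldAAD builds the associated data that ties a ciphertext to one cell.
// Table, column and row identifiers are authenticated but not encrypted, so a
// value copied into another row or column no longer decrypts.
func fieldAAD(table, column, rowID string) []byte {
	return []byte(table + "\x00" + column + "\x00" + rowID)
}

func newAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptField encrypts one cell value and returns base64(nonce || ciphertext || tag),
// which fits in an ordinary text column.
func EncryptField(key []byte, table, column, rowID, plaintext string) (string, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return "", err
	}
	nonce := make([]byte, aead.NonceSize()) // 96-bit random nonce, stored with the value
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return "", err
	}
	sealed := aead.Seal(nonce, nonce, []byte(plaintext), fieldAAD(table, column, rowID))
	return base64.StdEncoding.EncodeToString(sealed), nil
}

// DecryptField reverses EncryptField. It fails if the key is wrong, the stored
// value was altered, or the value was moved to a different table, column or row.
func DecryptField(key []byte, table, column, rowID, stored string) (string, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return "", err
	}
	raw, err := base64.StdEncoding.DecodeString(stored)
	if err != nil {
		return "", err
	}
	ns := aead.NonceSize()
	if len(raw) < ns+aead.Overhead() {
		return "", errors.New("stored value too short to be a valid ciphertext")
	}
	plaintext, err := aead.Open(nil, raw[:ns], raw[ns:], fieldAAD(table, column, rowID))
	if err != nil {
		return "", errors.New("authentication failed: wrong key, altered value, or value moved between cells")
	}
	return string(plaintext), nil
}

func main() {
	// Constructed sample: a customers table with an ssn column, row 42.
	stored, _ := EncryptField(demoKey, "customers", "ssn", "42", "123-45-6789")
	fmt.Println("stored:", stored)

	pt, err := DecryptField(demoKey, "customers", "ssn", "42", stored)
	fmt.Println("row 42:", pt, err)

	// The same ciphertext pasted into row 43 is rejected.
	_, err = DecryptField(demoKey, "customers", "ssn", "43", stored)
	fmt.Println("row 43:", err)
}
```

Two of the implementation challenges the roundtable list points at follow directly from this design: because each encryption uses a fresh random nonce, two encryptions of the same value differ, so the database can no longer index or do equality lookups on the column (a separate keyed-hash index is the usual answer), and each stored value should carry a key-version marker so keys can be rotated without re-encrypting every row in one maintenance window.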
Authentication, Authorization, Automation...the Three A's of Identity Management
Identity management is a complex issue, spanning technology, policy, and the checks and balances applied by IT and security professionals. And, in these days of heightened security, identity management is becoming more prominent in the security value chain. Properly identifying users of your systems, whether they are within your organization or external to it, is key to protecting your data and business.
Identity management can help companies simplify identity and password management systems while building new capabilities to integrate their efforts with partners and other organizations. Key benefits include:
- Centrally managing identities across multiple platforms saving time, money, and resources.
- Automating the provisioning process for new users enabling the business to get up and running faster
- Automating the de-provisioning process for better security
- Managing enterprise-wide password policies reducing costly calls to the help desk
- Improving adherence to compliance regulations and internal security policies
Discuss with your peers at this executive roundtable:
- How identity management can play a significant role in enabling organizations to meet today's demands for security and compliance
- Best practices for rolling out identity management initiatives across all phases of the identity lifecycle
- How companies create, manage, store, authenticate, authorize, and control user identities, and broker services based on internal identities and external users
- How identity management initiatives can bring significant cost savings and competitive advantage to businesses
- How integrating risk management or identity provider metrics into the equation can allow for the development of reports to improve processes, measure organizational efficiency, and provide dashboards and scorecards for your organization
- How automating centralized management of sensitive information can enable effective and efficient regulatory compliance and reporting
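The automated de-provisioning listed among the benefits above, reduced to its core check, as an added example (not from the page or any identity product): the HR roster is treated as the source of truth, and every enabled directory account is reconciled against it. The employee IDs, account names, dates and 90-day staleness threshold are constructed for the example.

```go
package main

import (
	"fmt"
	"time"
)

// Employee is one row from the HR system, the authoritative record of who
// should have access at all.
type Employee struct {
	ID     string
	Status string // "active" or "terminated"
}

// Account is one login in a directory or application.
type Account struct {
	Name      string
	OwnerID   string // HR employee ID the account was provisioned for
	Enabled   bool
	LastLogon time.Time
}

// Action is a de-provisioning decision for the automation to carry out
// (disable the account, open a ticket), with the reason kept for audit.
type Action struct {
	Account string
	Reason  string
}

// ReconcileAccounts compares enabled accounts against the HR roster and returns
// the accounts that should be disabled: owner terminated, owner unknown to HR
// (an orphan, typically a contractor or test account nobody owns), or unused
// for longer than staleAfter.
func ReconcileAccounts(hr []Employee, accounts []Account, now time.Time, staleAfter time.Duration) []Action {
	status := make(map[string]string, len(hr))
	for _, e := range hr {
		status[e.ID] = e.Status
	}
	var actions []Action
	for _, a := range accounts {
		if !a.Enabled {
			continue // already disabled; nothing to do
		}
		idle := now.Sub(a.LastLogon)
		switch st, known := status[a.OwnerID]; {
		case !known:
			actions = append(actions, Action{a.Name, "orphan: owner " + a.OwnerID + " not in HR"})
		case st != "active":
			actions = append(actions, Action{a.Name, "owner " + a.OwnerID + " is " + st})
		case idle > staleAfter:
			actions = append(actions, Action{a.Name, fmt.Sprintf("no logon for %d days", int(idle.Hours()/24))})
		}
	}
	return actions
}

// Constructed sample data for the example.
var sampleNow = time.Date(2007, 11, 6, 0, 0, 0, 0, time.UTC)

var sampleHR = []Employee{{"E1", "active"}, {"E2", "terminated"}}

var sampleAccounts = []Account{
	{"alice", "E1", true, sampleNow.AddDate(0, 0, -2)},
	{"bob", "E2", true, sampleNow.AddDate(0, 0, -1)},          // left the company, still enabled
	{"carol", "E3", true, sampleNow.AddDate(0, 0, -10)},       // no HR record at all
	{"svc-backup", "E1", true, sampleNow.AddDate(0, 0, -200)}, // owned, but unused
	{"erin", "E2", false, sampleNow.AddDate(0, 0, -400)},      // already disabled
}

func main() {
	for _, act := range ReconcileAccounts(sampleHR, sampleAccounts, sampleNow, 90*24*time.Hour) {
		fmt.Printf("disable %-10s %s\n", act.Account, act.Reason)
	}
}
```

The check is only as good as the OwnerID link between the two systems; accounts provisioned by hand without one show up as orphans on the first run, which is usually the most useful finding of all.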
Staying Afloat by Plugging Up and Preventing Data Leakage
E-mail has emerged as the most important medium for communications both inside and outside the enterprise. But e-mail as a business communications tool has exposed companies to a wide variety of new risks associated with outbound e-mail. Now, more than ever, organizations are concerned about ensuring that e-mail cannot be used to disseminate confidential or proprietary information.
There are many tools on the market that can examine the content of outbound data, and ultimately decide what can leave the company, and in some cases block it. However, before doing anything, it is critical to understand what data needs to be protected, and the level of risk.
Discuss with your peers at this executive roundtable:
- The importance of classifying data and prioritizing risk of loss or exposure.
- Ways of creating data classification levels for all of your company's data.
- Strategies for ranking data types based on the risk of loss or exposure.
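The kind of outbound content check described above, as an added example that is not from the page or any DLP product: it scans a message body for payment card numbers and U.S. Social Security Numbers, and includes the two checks that separate a usable detector from a noisy one, the Luhn check on card-number candidates and the exclusion of SSN ranges that were never issued. The sample messages and the policy (hold anything carrying a regulated identifier) are constructed for the example.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Finding is one piece of regulated data found in an outbound message.
type Finding struct {
	Kind  string // "PAN" (payment card number) or "SSN"
	Value string // matched text, for the reviewer's queue
}

// panPattern matches 13 to 19 digits with optional single spaces or dashes
// between them, the usual ways card numbers are typed into e-mail.
var panPattern = regexp.MustCompile(`\b(?:\d[ -]?){12,18}\d\b`)

// ssnPattern matches the dashed U.S. Social Security Number format.
var ssnPattern = regexp.MustCompile(`\b(\d{3})-(\d{2})-(\d{4})\b`)

// luhnValid reports whether a digit string passes the Luhn check-digit test that
// every payment card number satisfies. It weeds out invoice and tracking numbers
// of the same length, the main source of false positives for this rule.
func luhnValid(digits string) bool {
	sum := 0
	double := false
	for i := len(digits) - 1; i >= 0; i-- {
		d := int(digits[i] - '0')
		if double {
			d *= 2
			if d > 9 {
				d -= 9
			}
		}
		sum += d
		double = !double
	}
	return sum%10 == 0
}

// plausibleSSN rejects ranges the SSA has never issued (area 000, 666, 900-999,
// group 00, serial 0000), which otherwise fire on placeholder and test data.
func plausibleSSN(area, group, serial string) bool {
	if area == "000" || area == "666" || area[0] == '9' {
		return false
	}
	return group != "00" && serial != "0000"
}

// ScanOutbound inspects one message body and returns every PAN or SSN found.
func ScanOutbound(body string) []Finding {
	var findings []Finding
	for _, m := range panPattern.FindAllString(body, -1) {
		digits := strings.NewReplacer(" ", "", "-", "").Replace(m)
		if len(digits) >= 13 && len(digits) <= 19 && luhnValid(digits) {
			findings = append(findings, Finding{Kind: "PAN", Value: m})
		}
	}
	for _, m := range ssnPattern.FindAllStringSubmatch(body, -1) {
		if plausibleSSN(m[1], m[2], m[3]) {
			findings = append(findings, Finding{Kind: "SSN", Value: m[0]})
		}
	}
	return findings
}

// ShouldBlock is the policy decision: any regulated identifier in an outbound
// message holds it for review instead of delivering it.
func ShouldBlock(findings []Finding) bool {
	return len(findings) > 0
}

func main() {
	// Constructed sample messages; the first card number is the standard Visa test PAN,
	// the second differs in its last digit and so fails the Luhn check.
	messages := []string{
		"Hi, please charge card 4111 1111 1111 1111 for the balance. Thanks",
		"Shipment reference 4111111111111112 left the warehouse today.",
		"Applicant SSN: 123-45-6789, placeholder record 000-12-3456.",
	}
	for _, body := range messages {
		f := ScanOutbound(body)
		fmt.Printf("block=%v findings=%v\n", ShouldBlock(f), f)
	}
}
```

Pattern matching of this kind only finds data you already know the shape of; it is the reason the roundtable topics start with classification, because a leaked design document or customer list has no check digit to look for.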
Measuring the Value of Security
There has been a drastic shift in the importance of and interest in information security at the higher levels of organizations in recent years. Increasingly, organizations are finding that the amount of information needing protection is growing. Also, the tightening regulatory climate has increased the risk that corporate officers personally have to accept. As a result, corporate officers are becoming insistent on being directly involved in the review and implementation of security within their organization.
In order to accurately portray the current security posture of the organization, it is essential to have a centralized repository of information that can be used to compute metrics. Metrics provide a mechanism to accurately measure the success of security initiatives and investments in the context of the business. A report might track the total number of incidents that occurred in a given month. A metric, on the other hand, can be developed to show the relationship between the number of and types of attacks or alerts and the number of and severity of incidents resulting from those attacks. The latter is a more accurate measure of effectiveness in reducing the number of and impact of incidents on the business. Simply having the ability to state with certainty that the number and severity of incidents has decreased over a specified time period is a much more useful metric than a list or count of incidents.
Reporting alone doesn't clearly express the value security provides to an organization. Without context, most reports on security events and incidents provide little value as key performance indicators. Many organizations have a variety of disparate security technologies and management consoles each generating volumes of data. This data, analyzed and consolidated, can provide a valuable source of information for making essential decisions on protecting customer information, patient records or the integrity of financial transactions. The concept of positioning this information in the context of risk policy, policy enforcement and business imperatives requires metrics that can measure the success of security programs against management objectives.
Discuss with your peers at this executive roundtable:
- Sources of the increased interest in security from executive management
- How to convey and communicate value from security investments
- Developing performance indicators and using dashboards
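To make the report-versus-metric distinction drawn above concrete, an added example (not from the page): the monthly incident count is replaced by incidents per alert for each attack category and by severity-weighted impact per thousand alerts, so a month with more attacks but fewer and milder resulting incidents reads as an improvement rather than as more noise. The alert and incident records, the category names and the 1-to-4 severity scale are constructed for the example.

```go
package main

import "fmt"

// Alert is an aggregated count of alerts of one category in one month, as a
// SIEM or IDS console would export it.
type Alert struct {
	Month    string // "YYYY-MM"
	Category string
	Count    int
}

// Incident is a confirmed incident with a severity from 1 (low) to 4 (critical).
type Incident struct {
	Month    string
	Category string
	Severity int
}

// CategoryMetric relates alert volume to the incidents that came out of it.
type CategoryMetric struct {
	Alerts         int
	Incidents      int
	WeightedImpact int     // sum of incident severities
	Rate           float64 // incidents per alert
}

// MetricsByCategory computes, for one month, how many alerts of each category
// turned into incidents and how severe those incidents were: the relationship
// the text contrasts with a bare incident count.
func MetricsByCategory(month string, alerts []Alert, incidents []Incident) map[string]CategoryMetric {
	out := map[string]CategoryMetric{}
	for _, a := range alerts {
		if a.Month == month {
			m := out[a.Category]
			m.Alerts += a.Count
			out[a.Category] = m
		}
	}
	for _, in := range incidents {
		if in.Month == month {
			m := out[in.Category]
			m.Incidents++
			m.WeightedImpact += in.Severity
			out[in.Category] = m
		}
	}
	for cat, m := range out {
		if m.Alerts > 0 {
			m.Rate = float64(m.Incidents) / float64(m.Alerts)
		}
		out[cat] = m
	}
	return out
}

// ImpactPerThousandAlerts normalises severity-weighted incident impact by alert
// volume, so the figure is comparable between months with different attack levels.
func ImpactPerThousandAlerts(month string, alerts []Alert, incidents []Incident) float64 {
	totalAlerts, totalImpact := 0, 0
	for _, m := range MetricsByCategory(month, alerts, incidents) {
		totalAlerts += m.Alerts
		totalImpact += m.WeightedImpact
	}
	if totalAlerts == 0 {
		return 0
	}
	return float64(totalImpact*1000) / float64(totalAlerts)
}

// Constructed two-month sample, not real data.
var sampleAlerts = []Alert{
	{"2007-09", "phishing", 400}, {"2007-09", "malware", 1200},
	{"2007-10", "phishing", 500}, {"2007-10", "malware", 1100},
}

var sampleIncidents = []Incident{
	{"2007-09", "phishing", 3}, {"2007-09", "phishing", 2}, {"2007-09", "phishing", 2},
	{"2007-09", "malware", 4}, {"2007-09", "malware", 1}, {"2007-09", "malware", 1}, {"2007-09", "malware", 2},
	{"2007-10", "phishing", 2},
	{"2007-10", "malware", 3}, {"2007-10", "malware", 1},
}

func main() {
	for _, month := range []string{"2007-09", "2007-10"} {
		fmt.Println(month, MetricsByCategory(month, sampleAlerts, sampleIncidents))
		fmt.Printf("%s impact per 1000 alerts: %.2f\n", month, ImpactPerThousandAlerts(month, sampleAlerts, sampleIncidents))
	}
}
```

In the sample, alert volume is identical in both months, so a count of alerts says nothing; the normalised impact drops from 9.375 to 3.75, which is the kind of figure that can be placed against a management objective.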
Addressing and Managing Global Compliance and Security Issues
Compliance legislation has many faces and many jurisdictions. For global companies there is a hodgepodge of U.S. legislation, but there are also the U.S.-E.U. Safe Harbor privacy principles and a maze of rules in other countries such as Australia (the Privacy Act), Japan (the Act on the Protection of Personal Information), and Canada (PIPEDA federally and PHIPA in Ontario). Discuss with your peers what they are dealing with in their international operations and security initiatives, and what the best practices are for staying out of trouble abroad. Furthermore, explore how U.S. regulations are affecting business and security operations abroad.
Discuss with your peers at this executive roundtable:
- Compliance developments that have arisen in the last 6 to 12 months (discuss developments in the U.S., Europe, Australia and Asia)
- How are you avoiding international backlash?
- How are you importing security and compliance into the international M&A context?
- How are you managing compliance, security and ethics programs across frontiers; "parent versus subsidiaries" issues; extent of global consistency?
- What kinds of conflict are you seeing between the requirements of SOX and EU data privacy laws? What are you doing to correct this issue at your organization?
- How are you dealing with international suppliers and business partners?
- How are you managing customer data across geographic boundaries?
Building Customer Confidence - Protecting Customers from the Next Generation of Threats Targeting Personal Information and Interactions
The battleground for security is no longer just the computer, or even a corporate network. Protecting information and interactions online requires more sophisticated security processes and technologies. Businesses, government agencies and academic institutions are all at risk of data breaches. These breaches are often widely publicized and can damage an organization's reputation as well as expose millions of people to identity fraud. Consumers and enterprises alike need to feel confident that their information is safe and their interactions are secure. Discuss with your peers the latest solutions that you have implemented or are considering that provide real-time fraud and data leak detection as well as auditing capabilities.
Discuss with your peers at this executive roundtable:
- How organizations are addressing issues around identity theft and phishing to protect customer information and brand identity
- Opening and maintaining lines of communication with line-of-business leaders, the executive team, the board of directors and other key stakeholders about customer protection security practices and policies
- Effective methods for protecting customer data in systems that you have limited access to or do not own