Information Security Executive of the Year Award, Executive Alliance, Inc
ISE Northeast Executive Forum 2007

ISE Northeast Executive Forum Topics and Moderators

Date: Thursday, October 4, 2007
Marriott Marquis Times Square Hotel
1535 Broadway
New York, New York 10036

Duffy and Columbia Room
Scheduled Time: 2:30 PM - 5:00 PM

Do you have Advance Questions for a Guest Host Moderator?

If you would like to ask a Guest Host Moderator a question on their thought leadership topic in advance of the ISE Northeast Executive Forum, please send your question by email to iseNortheast@infosecaward.com. Use the subject line "Question for Guest Host Moderator at ISE Northeast Executive Forum". In the body of the email, please give the name of the Guest Host Moderator, the thought leadership topic, and your question. We will forward your question to the Guest Host Moderator to be answered at the ISE Northeast Executive Forum. Thank you.

Global Moderators

Bruce Bonsall
Chief Information Security Officer and Second Vice President
MassMutual Financial Group
ISE National Awards 2006 Winner, ISE New England Awards 2006 Winner

Global Topic:
Defending Security - Protecting Businesses and Customers from the Next Generation of Threats

Topic 4. Mitigating Risks and Assessing Vulnerabilities in Software and Web Applications

Guest Host Moderators

Dave Bixler
Chief Information Security Officer
Siemens IT Solutions and Services, Inc.
ISE National Awards 2007 Nominee

Topic 7. Providing Security from an Expanding Digital Infrastructure

Tim Callahan, CISSP, CISM
First Vice President, Technology Risk Management and Chief Information Security Officer
People's United Bank
ISE Southeast People's Choice Award 2006 Winner, ISE Southeast Awards 2006 Finalist

Topic 6. Complying with Government Legislation and Regulatory Standards - Best Practices for Archiving and Protecting Business Data

André Gold
Head of Technology Risk Management for ING - U.S. Financial Services
ING
ISE Central Awards 2007 Nominee

Topic 2. Managing Security Operations: Pros and Cons of Using a Managed Security Service Provider (MSSP)

Theresa Ho, CISSP, CISA, CISM, PMP
Director
McGraw-Hill Companies

Topic 1. Mobile and Wireless Security: Enforcing Endpoint Security for a Growing Mobile Workforce

Sharon Kaufman, CISM, CISA
AVP Strategic Planning - LOB Support
The Bank of New York Mellon
ISE Northeast Awards 2007 Nominee

Topic 3. Identity Management: Securing Sensitive Information While Achieving Compliance in Today's Global Economy

Anthony Passaniti
Senior Information Security Officer, Head of Information Security - Americas
Swiss Reinsurance
ISE Tri-State People's Choice Award Winner 2006, ISE Tristate Awards 2006 Finalist

Topic 5. Inside the Network Perimeter - Protecting Your Data and Network from the Inside

Executive Forum Global and Thought Leadership Global Topic

Defending Security - Protecting Businesses and Customers from the Next Generation of Threats

Global Topic Led By: Bruce Bonsall - Chief Information Security Officer and Second Vice President, MassMutual Financial Group, ISE National Awards 2006 Winner, ISE New England Awards 2006 Winner

Protecting information in 2007 and beyond requires a budget, sophisticated processes, skillful awareness, and proactive means to combat the foreseeable threats associated with new and emerging information technology.

All businesses - global enterprises, government agencies, financial and academic institutions, and even local shops - are vulnerable to potential data breaches, wireless hacking, mobile virus attacks, insider violations, and flaws in new software. The damage caused by these types of threats is often widely publicized and can destroy an organization's reputation as well as expose millions of people to identity fraud.

To help combat IT security threats, governments have revised laws, mandated audits, modified standards and policies, and implemented regulations with which businesses are required to comply. These regulations and laws have added even more challenges for IT security professionals on top of an already demanding business strategy.

In an interactive format, Bruce Bonsall and Marc Sokol will share their methods and insights into solutions against the next generation of IT security threats.

Topics to be discussed include:

  • How to raise awareness of threat management with executive teams
  • How organizations are addressing issues around identity theft and phishing to protect customer information and brand identity
  • How other areas of your company can work together to ensure that its IT environment is secure for customers, partners and suppliers
  • Effective methods for protecting customer data in systems that you have limited access to or do not own
  • Implementing automated processes to manage and archive data
  • Protecting sensitive customer and company information to meet regulatory requirements for reporting and disclosure
  • Ensuring compliance with industry standards

Thought Leadership Topic One:

Mobile and Wireless Security: Enforcing Endpoint Security for a Growing Mobile Workforce

While businesses grow in a competitive international marketplace, and as customers and employees become more remote, IT leaders find it necessary to provide additional online services to support customer satisfaction, which is closely tied to trust and loyalty. These services also allow employees to improve productivity while working away from their desks.

Mobile and wireless technology has enabled employees and customers to connect to corporate networks on a daily basis using laptops, cell phones, smartphones, PDAs, thumb drives, and other handheld computing devices. Users can download or upload any file from most mobile devices. Although end users may deploy safeguards against viruses and other potential exploits, they are not diligent in updating these safeguards.

As exciting new features continue to transform mobile devices into cameras, MP3 players, video players, and banking terminals, the temptation for hackers to produce newer mobile threats has grown as well, such as mobile keyloggers, snoopware and, more recently, text messaging, Bluetooth, and Wi-Fi access attacks.

Topics to be discussed include:

  • Processes and solutions that you have implemented to deal with endpoint security
  • Options that are available to help businesses keep a balance between security and their mobile workforce and customer support
  • How to develop and solidify confidence in customers who remotely access networks
  • Solutions to ensure end users are updating anti-virus and firewall protection on their mobile devices
  • Methods of protecting corporate data as well as increasing visibility and control over managed and unmanaged endpoints


Thought Leadership Topic Two:

Managing Security Operations: Pros and Cons of Using a Managed Security Service Provider (MSSP)

Securing operations from internal and external threats demands around-the-clock real-time services. These services are required to enhance an organization's information security posture through continuous monitoring and management, expert analysis, compliance reporting and immediate response to potential security threats.

The challenge of securing and managing resources and running a 24/7 environment can be daunting and costly for many organizations. One solution is to employ a managed security service provider (MSSP), which can offer companies low-cost security solutions.

MSSPs have evolved in various ways and can handle system changes, modifications, and upgrades. Some traditional ISPs, noting the increasing demand for Internet security in recent years, have added managed security to their services. A few security vendors have added Internet access, thus becoming MSSPs. Still other MSSPs have come into existence as brand new entities.

Many companies, especially financial services and other highly regulated organizations, require an MSSP to verify that its processes are credible and that it has controls in place to provide a consistent, stable, and secure environment. Some companies are reluctant to give up complete security control of their systems and sensitive customer data.

Topics to be discussed include:

  • The considerations, pros, and cons of utilizing an MSSP
  • The advantages and disadvantages of outsourcing parts of your security operations to an MSSP while other parts are managed by internal resources
  • Best practices for delivering integrated event archiving and management, improved compliance reporting, and strong administration
  • Solutions that detect and prevent sophisticated online fraud and identity theft attacks from internal and external sources


Thought Leadership Topic Three:

Identity Management: Securing Sensitive Information While Achieving Compliance in Today's Global Economy

Ensuring the security of sensitive information and complying with global regulatory requirements are among the most critical and daunting challenges facing organizations today. Successfully integrating infrastructure, security, and business applications involves a multitude of components, such as authentication, user provisioning and de-provisioning, network and system-level access control, directory services and authorization mechanisms, to name a few.

Identity management has emerged as a compelling solution for addressing the technological and economic obstacles that can thwart efforts to secure information. Identity management can effectively mitigate risks that emerge during the identity lifecycle as well as compliance issues, including regulations, privacy initiatives, the crossing of geo-political borders that exhibit dissimilar values, and evolving concepts of data stewardship.

Securing and integrating the disparate information sources that access the network, while managing the identities of customers, partners, consultants, vendors and others, has become more and more difficult as the IT industry grows.

Topics to be discussed include:

  • How identity management can play a significant role in enabling organizations to meet today's demands for security and compliance
  • Best practices for rolling out information management initiatives for all phases of the identity lifecycle
  • How companies create, manage, store, authenticate, authorize, and control user identities and broker services based on internal identities and external users
  • How identity management initiatives can bring significant cost savings and competitive advantage to businesses
  • How integrating risk management or identity provider metrics into the equation can allow for the development of reports to improve processes, measure organizational efficiency, and provide dashboards and scorecards for your organization
  • How automating centralized management of sensitive information can enable effective and efficient regulatory compliance and reporting


Thought Leadership Topic Four:

Mitigating Risks and Assessing Vulnerabilities in Software and Web Applications

Gartner estimates that 75 percent of attacks on Web security today are aimed straight at the application layer. Web-based attacks can lead to lost revenue, theft of customers' personally identifiable financial information, and non-compliance with government and industry mandates, such as the Payment Card Industry Data Security Standard (PCI), which includes sections specifically dedicated to Web security.

No matter how many firewalls or filtering devices your security solution deploys across your infrastructure, the only thing attackers have to do to bring down your network is to take advantage of poor coding in the custom application running on the Web server, which lets the intruder retrieve entire tables of sensitive data. Why is it so simple? Such attacks happen at the application level, not at the network level, so network controls never see them.

One way to mitigate risks and protect the availability, confidentiality, and integrity of your data is to test Web applications for mistakes in application logic, configurations, and software coding.

Although security executives are experts at utilizing network security controls to protect corporate data and assets, including firewalls, intrusion prevention systems, and event monitoring software, they are now required to deal with new attacks that target software and Web application vulnerabilities.

Topics to be discussed include:

  • Which Web applications should be tested and why
  • Alternatives to sending sensitive data over the Web
  • Security vulnerabilities in software, such as poor software development practices, new modes of attack, application misconfigurations, or unsecured links between systems
  • Using input validation frameworks during development to reduce risks such as cross-site scripting
  • Specific Web application threats, such as remote code execution, SQL injection, format string vulnerabilities, cross-site scripting (XSS), and username enumeration


Thought Leadership Topic Five:

Inside the Network Perimeter - Protecting Your Data and Network from the Inside

With the defined perimeter becoming blurred, if not transparent, due to next-generation and wireless networking technologies, networks and systems alike have become easily accessible to end users. Wherever end users are and whichever device they are using, the network is where the line of defense must be drawn. These lines of defense are in constant motion as people connect from device to device and network to network, shifting the typical approach from protecting the network against outside threats to protecting it against inside threats.

Threats from the inside can come about through sheer ignorance and negligence in the use of company IT resources, or from authorized individuals who intend to commit a crime. Insiders pose a substantial threat because of their knowledge and their ability to access employer systems and databases. Remote users may unknowingly infect the corporate network by allowing family and friends to use the company laptop or PC to access the Internet. Regardless of how users connect to the network, whether on site or remotely, your data and network must be protected.

There are various ways of approaching data protection and controlling network access. It can be done at the network, endpoint, user level, or a combination of all three.

Topics to be discussed include:

  • Understanding the risk of insider threats at your organization
  • Solutions for insider attacks from shared and privileged access
  • How to build the business case for deploying solutions to address the threat from the inside
  • Sharing of best practices for deploying identity management, anomaly detection, endpoint security, and network access control technologies
  • End user remediation methods
  • Balancing vulnerabilities, risk, and costs with operational needs


Thought Leadership Topic Six:

Complying with Government Legislation and Regulatory Standards - Best Practices for Archiving and Protecting Business Data

An unprecedented increase in litigation and government regulations and investigations involving electronic business records has forced enterprises to comply with a plethora of electronic data standards and laws. To avoid fines and in some cases jail time, companies must follow best practice processes to build an IT architecture that will support all legislation requirements.

Complying with new legislation and security standards, such as ISO/IEC 27002, HIPAA, the Sarbanes-Oxley Act and Basel II, as well as mandates such as the Payment Card Industry Data Security Standard (PCI) for merchants, can be a major challenge for IT security executives. In an effort to meet compliance requirements, many organizations have deployed rudimentary policies with the intention of improving them at a later date. Some security executives are simply unsure what data they should store, and how they should store it, in order to comply.

Private and public companies continue to face compelling reasons to improve their standard of performance in electronic records management and, at the same time, to find cost-effective solutions that reduce their legal, regulatory, and business risks in the capture, storage, protection, management, and production of their electronic information assets.

Topics to be discussed include:

  • Best practices for the widespread operational changes involved in building a compliant IT infrastructure, such as policy management, training, analysis, and reporting, while meeting the requirements set forth by government regulations and landmark litigation
  • Archiving and protecting data while maintaining compliance
  • Identifying the significant roles, responsibilities, authority, and accountability of the individuals who should carry out the set of regulation guidelines
  • Current data processes and security practices, including networks, facilities, and hardware: what is being stored and backed up on the network, and for how long
  • Discovering security gaps and developing a plan to secure them
  • Periodically testing and evaluating the effectiveness and vulnerability of security policies and procedures


Thought Leadership Topic Seven:

Providing Security from an Expanding Digital Infrastructure

Many would agree that digital infrastructures are changing and expanding to accommodate customer preferences. Customers want technology to help them arrange their lives and they want it at their fingertips, in one place, and at any time.

Protecting customers from threats associated with digital Internet broadband and mobile applications that provide on-demand and interactive services can be daunting for IT security professionals. The next generation of media services, network broadcasters, ISPs, telcos, and cable and mobile companies are providing interactivity as never seen before, and are often doing so without any safeguards in place for unsuspecting end users.

The digital infrastructure enables people to watch television, talk on the phone, search the Web, listen to the radio, download movies, schedule events, shop for dinner, manage banking needs, play games, gamble, organize transportation, and for some, commit crimes.

Discuss with your peers at this executive roundtable:

  • Emerging crucial security issues as a result of the expanding digital infrastructure
  • Methods that can protect networks from internet broadband and mobile application threats
  • Identifying and trusting digital signatures
  • Digital certificates and other methods to establish credentials from digital sources
  • Applying secure credentials to existing applications and how it can reduce risks
  • Applying password authentication
  • Laws and regulations - are there any?
