Information Security Executive of the Year Award - Executive Alliance, Inc
Executive Alliance Leadership Summit 2007 - Day 1

Executive Alliance Leadership Summit Featuring the ISE Southeast Awards

Thursday, March 22, 2007
Sheraton Atlanta Downtown Hotel
Atlanta, Georgia
2:30 PM - 5:00 PM
 


Executive Forum and Thought Leadership: Global Topic

Getting Ahead of the Curve - Building Business Value and Mastering Enterprise Risk Management

Global Topic Led By: Ed Sarama - Vice President, Chief Security Officer, CheckFree

In today's business climate, enterprise risk management is no longer a theory; it has become a number one priority. In addition, new legislation and the best security practices set forth in BS 7799 and ISO 17799 point to information risk analysis as the cornerstone of any program designed to safeguard information assets.

Enterprise Risk Management (ERM) is a structured and disciplined approach to managing risk. ISE Southeast Winner 2006, Ed Sarama, will share with you how CheckFree is aligning the organization's strategies, processes, technology and knowledge with the purpose of improving its ability to evaluate and manage risk on an enterprise-wide basis to create business value.

In an interactive format, Ed will lead the discussions on how to baseline the risk sensitivity of your organization and reduce the inevitable functional, departmental and cultural barriers that exist in most organizations. He will also share how he is able to integrate a forward-looking and process-oriented approach to managing all key business risks and opportunities - not just financial ones - with the intent of maximizing value for the enterprise as a whole.

Led by: Ed Sarama, Vice President, Chief Security Officer, CheckFree (ISE Southeast Award Winner 2006)

Guest Host Moderators

  • Topic 1: Gene Scriven, CISSP, Director, Information Risk Management & Compliance - Information Security, The Home Depot (ISE Southeast Award Judge 2007)
  • Topic 2: Tony Spinelli, Chief Security & Compliance Officer, Equifax (ISE Southeast Award Nominee 2007)
  • Topic 3: Christopher Ray, 2nd VP Information Security, AFLAC (ISE Southeast Award Nominee 2006)
  • Topic 4: David Vordick, Chief Information Officer, USEC, Inc (ISE Mid-Atlantic Award Nominee 2006)
  • Topic 5: Mark Burnette, CISSP, CISM, CISA, Director of IT Security Compliance, Gaylord Entertainment (ISE Southeast Award Winner 2005)
  • Topic 6: Jeffrey N. Reich, CISSP, CHS-III, CTM, Information Security Officer, CompuCredit (ISE Southeast Award Nominee 2006)
  • Topic 7 and Global Topic: Ed Sarama, Vice President, Chief Security Officer, CheckFree (ISE Southeast Award Winner 2006)


Thought Leadership Topic One:

Taking Your Organization to a Proactive Mindset from a Reactive Risk Management Posture
Led by: Gene Scriven, Director, Information Risk Management & Compliance, Information Security, The Home Depot

Today's enterprise faces a tough challenge in meeting the requirements of a variety of technical standards, IT governance frameworks, and laws related to security administration. Complying with governance standards, frameworks such as ISO 17799, and laws such as the Sarbanes-Oxley Act and Basel II is a major challenge in itself; it is often hard to think about staying ahead of the curve. Furthermore, in an effort to meet compliance requirements, many organizations have deployed rudimentary policies with the intention of improving them at a later date. Discuss with your peers what processes and solutions you have implemented to date and what your plans are for the future, given that compliance is an ongoing effort. Discuss also how you can take your organization from a reactive risk management posture to a proactive mindset, adopting a stance that helps achieve good governance by implementing a best-practices framework within the enterprise.

 

Discuss with your peers at this executive roundtable:

  • How to define IT policy compliance at your organization
  • Where the management of this function should go
  • Effective ways to identify threats that can make your organization non-compliant


Thought Leadership Topic Two:

Information Management: Data Loss Prevention, Electronic Discovery and Audit
Led by: Tony Spinelli, Chief Security & Compliance Officer, Equifax

Optimal use of information can be a key differentiator for enterprises in today's business environment. However, the amount of electronic information being generated and stored in messaging and collaboration systems has increased and become more broadly distributed. IT and security organizations are increasingly impacted by governance mandates and content retention policies. In addition, a rapidly changing threat landscape, increased compliance and legal discovery requirements have created significant risks which enterprises must now manage more effectively. IT and security executives are playing a more dominant role in the e-discovery process than ever before. Furthermore, the loss of sensitive content such as customer data and intellectual property has become a significant risk as businesses become more collaborative and information is more broadly distributed. Finally, many enterprises face regulatory requirements to ensure sensitive information is protected.

 

Discuss with your peers at this executive roundtable:

  • How to identify sensitive content and ensure that it does not leave the information environment inappropriately
  • Time-efficient techniques for getting through audits and sifting through large amounts of data
  • Developing retention and archiving policies for email, instant messaging, portal content, files and documents


Thought Leadership Topic Three:

Measuring the Value of Security
Led by: Christopher Ray, Second Vice President Information Security, AFLAC

There has been a drastic shift in the importance of and interest in Information Security at the higher levels of organizations in recent years. Increasingly, organizations are finding that the amount of information needing protection is changing. Also, the increased regulatory climate has increased the risk that corporate officers have to accept. As a result, corporate officers are becoming insistent on being directly involved in the review and implementation of security within their organization.

In order to accurately portray the current security posture of the organization, it is essential to have a centralized repository of information that can be used to compute metrics. Metrics provide a mechanism to accurately measure the success of security initiatives and investments in the context of the business. A report might track the total number of incidents that occurred in a given month. A metric, on the other hand, can be developed to show the relationship between the number and types of attacks or alerts and the number and severity of the incidents resulting from those attacks. The latter is a more accurate measure of effectiveness in reducing the number and impact of incidents on the business. Simply being able to state with certainty that the number and severity of incidents has decreased over a specified time period is a much more useful metric than a list or count of incidents.

Reporting alone doesn't clearly express the value security provides to an organization. Without context, most reports on security events and incidents provide little value as key performance indicators. Many organizations have a variety of disparate security technologies and management consoles each generating volumes of data. This data, analyzed and consolidated, can provide a valuable source of information for making essential decisions on protecting customer information, patient records or the integrity of financial transactions. The concept of positioning this information in the context of risk policy, policy enforcement and business imperatives requires metrics that can measure the success of security programs against management objectives.

Discuss with your peers at this executive roundtable:

  • Sources of possible increase in security from executive management
  • How to convey and communicate value from security investments
  • Developing performance indicators and using dashboards

 


Thought Leadership Topic Four:

Effective Security and Mitigating Risk in a Virtual World
Led by: David Vordick, Chief Information Officer, USEC, Inc.

With virtualization being the ability to deliver any application or data to anybody at any time over any device, security executives need to ensure that their organizations have proper controls in place so that users can access only what they should and data are protected properly. Security is one of the biggest fields where virtualization can serve: isolating unstable or compromised applications, providing fast disaster recovery solutions and offering powerful forensic analysis capabilities, while also increasing the need for intrusion detection and identity management applications.

Mobile workers need access more than ever to their critical applications. Whether working onsite at an office via a desktop, on a laptop in a hotel room, from home on a personal PC or at a cafe via a wireless device, the demand for virtualization is there and continues to grow. However, it can be extremely costly for IT organizations to deliver this by installing client software on every device, and it can be extremely challenging for security executives to meet compliance requirements while mitigating risks and preventing data leakage. Virtualization is a solution that not only enables this access, but does so far less expensively and without bogging down network performance.

In this roundtable, discuss with your peers what policies, procedures and technologies you can put in place to ensure users have access only to the applications and data they should, based on their job or role in the organization. Discuss how to limit data leakage, implement automated provisioning techniques and maintain network access control.

Discuss with your peers at this executive roundtable:

  • How your organization is utilizing or planning on using virtualization
  • Use of user based policies and procedures for accessing applications and data
  • Effective identification and deployment of security technologies needed in virtualization
  • Lessons learned and better preparation for future endeavors


Thought Leadership Topic Five:

Building Customer Confidence - Protecting Customers from the Next Generation of Threats Targeting Personal Information and Interactions
Led by: Mark Burnette, Director, IT Security Compliance, Gaylord Entertainment

The battleground for security is no longer just the computer, or even the corporate network. Protecting information and interactions online requires more sophisticated security processes and technologies. Businesses, government agencies and academic institutions are all at risk of data breaches. These breaches are often widely publicized and can damage an organization's reputation as well as expose millions of people to identity fraud. Consumers and enterprises alike need to feel confident that their information is safe and their interactions are secure. Discuss with your peers the latest solutions that you have implemented or are considering that provide real-time fraud and data leak detection as well as auditing capabilities.

Discuss with your peers at this executive roundtable:

  • How organizations are addressing issues around identity theft and phishing to protect customer information and brand identity
  • Opening and maintaining lines of communication with line-of-business leaders, the executive team, the board of directors and other key stakeholders about customer protection security practices and policies
  • Effective methods for protecting customer data in systems that you have limited access to or do not own
     


Thought Leadership Topic Six:

Addressing and Managing Global Compliance and Security Issues
Led by: Jeff Reich, Information Security Officer, CompuCredit Corporation

Compliance legislation has many faces and many jurisdictions. For global companies, there is a hodgepodge of U.S. legislation, but there are also the E.U. Safe Harbor privacy principles and a maze of rules in other countries such as Australia (with its Data Privacy Act), Japan (Personal Information Law), and Canada (PIPEDA and PHIPA). Discuss with your peers what they are required to accommodate in their international operations and international security initiatives. Learn their best practices for staying out of trouble "over there." Furthermore, explore how U.S. regulations are affecting business and security operations abroad.

Discuss with your peers at this executive roundtable:

  • What compliance developments (within the US, EU, Australia and Asia) have arisen for you in the last 6 to 12 months?
  • How are you avoiding international backlash?
  • How are you importing security and compliance into the international M&A context?
  • How are you managing compliance, security and ethics programs across frontiers; "parent versus subsidiaries" issues; extent of global consistency?
  • What kinds of conflict are you seeing between the requirements of SOX and EU data privacy laws? What are you doing to correct this issue at your organization?
  • How are you dealing with international suppliers and business partners?
  • How are you managing customer data across geographic boundaries?
     


Thought Leadership Topic Seven:

Mitigating Risks and Vulnerabilities in Software, Enterprise and Web Applications
Led by: Ed Sarama, Vice President, Chief Security Officer, CheckFree

Security executives have an expertise in utilizing network security controls to protect corporate data and assets, including firewalls, intrusion prevention systems, and event monitoring software. However, many recent targeted attacks and widely publicized security breaches point to software vulnerabilities as a greater, but less understood, source of risk. These security vulnerabilities are at the center of many of the major data breaches that resulted in the theft of customer records.

Vulnerabilities in operating systems, software applications and websites render an otherwise secure environment insecure. Any operating system or application added to a secure environment that has exploitable security vulnerabilities affects the security of the whole environment. An otherwise secure system can be compromised easily if the system or application software on it, or on a linked system, has vulnerabilities. Therefore, it is critical that software on networked computer systems be free from security vulnerabilities. Discuss with your peers how security vulnerabilities in software arise from a range of factors, from poor software development practices, new modes of attack and application misconfigurations to unsecured links between systems, and where these vulnerabilities can be located. Once they are identified, what can be done about them?

Discuss with your peers at this executive roundtable:

  • What types of software security assessment instruments can aid in providing a greater level of assurance? (i.e., that software is not exposed to vulnerabilities as a result of defective software requirements, designs, code or exposures)
  • Assessing and assuring the security of software and web applications in the development and maintenance lifecycles