Information Security Executive of the Year Award - Executive Alliance, Inc
Executive Alliance Leadership Summit 2007 - Day 2

Executive Alliance Leadership Summit Featuring the ISE Southeast Awards

Friday, March 23, 2007
Sheraton Atlanta Downtown Hotel
Atlanta, Georgia
9:30 AM - 11:15 AM

Executive Forum Global and Thought Leadership Global Topic

Successful Leadership: Building a Balance between Infrastructure and the Business

Global Topic Led By: Tim Callahan, First Vice President, Technology Risk Management and Chief Information Security Officer, People's Bank

One of the biggest challenges to any successful security program is getting the infrastructure side and the business side to understand each other. The successful ISE of today and tomorrow will work closely with technology experts and business stakeholders, ensuring that the engineers understand business needs and that business managers, legal departments, auditors, and finance departments, among others, understand the important technical security issues uncovered by IT.

Tim Callahan, ISE Southeast People's Choice Winner 2006, will discuss how IT security is not replaced by information security, and how the technology of perimeter controls and network protections will be superseded by the "higher view" of information security: the processes and technologies for achieving and measuring compliance with regulations, ensuring protection of proprietary information, and, in general, addressing the softer, less technical security and risk management problems.

Tim will share the big picture with you and discuss how to take a holistic view aligning your security program to your business management.

Led by:
Tim Callahan, CISSP
First Vice President, Technology Risk Management and Chief Information Security Officer
People's Bank
ISE Southeast People's Choice Award Winner 2006

Guest Host Moderators

Phil Agcaoili, CISSP, CISM (Topic Five)
Sr. Manager, Global Information Security and Compliance - Consulting
Dell
ISE Central Award Judge 2007

Tim Callahan, CISSP
First Vice President, Technology Risk Management and Chief Information Security Officer
People's Bank
ISE Southeast People's Choice Award Winner 2006

Tammy L. Clark, CISSP, CISM, CISA (Topic Two)
Chief Information Security Officer
Georgia State University
ISE Southeast Award Finalist 2006

Paul Huesken
Director, Information Assurance
The Coca-Cola Company
ISE National Award Special Guest 2006

John Penrod (Topic One)
Chief Information Security Officer
The Weather Channel
ISE Southeast Award Finalist 2006

Tony Spurlin
Senior Manager, Information Risk Management and Compliance
The Home Depot
ISE/CSI Member's Choice Award Winner 2005


Thought Leadership Topic One:

Staying Ahead of the Curve in Online Fraud and Identity Theft - Beating Phishing, Pharming, Man in The Middle (MITM) Attacks and Cross-Scripting Attacks
Led by: John Penrod, Chief Information Security Officer, The Weather Channel

Since 2004, online fraud and identity theft have evolved from simple Phishing to Pharming to Man in the Middle (MITM) attacks and Cross-Scripting Attacks. Simple Phishing could be mitigated with basic fraud detection techniques (IP geolocation, device fingerprinting), weak second factors such as cookies, and user education programs to discourage users from logging in via links in email. In 2005, the level of sophistication increased with the introduction of Pharming, where users are automatically redirected without clicking on a link. In late 2005 and 2006 it continued to get worse, as Man in the Middle attacks defeated one-time passwords (OTPs), such as tokens and scratch cards, and other forms of shared secrets at large U.S. and European banks. The next step in the evolution of online fraud is predicted to be Man in the Browser (MITB) attacks, which can defeat even smart cards and PKI by modifying the transaction in the browser after user authentication has taken place.

Discuss with your peers at this executive roundtable:

  • Types of attacks seen and how one has become aware of them
  • Solutions that are able to detect and prevent sophisticated online fraud and identity theft attacks
  • Communication and education best practices for customers, management, employees and other key stakeholders
  • Compensation for the victim
  • The impact on the brand and company's reputation


Thought Leadership Topic Two:

The Threat from the Inside - Protecting Your Data and Critical Transactions by Verifying User Identity and Managing Network Access
Led by: Tammy Clark, Chief Information Security Officer, Georgia State University

Today there are no boundaries or limits on how businesses and consumers access technology, but the expectations for a stable infrastructure, reliable information and secure interactions increase with each smart phone, laptop and BlackBerry. The reality is that people are the new network perimeter, making it even more challenging for security executives to find the right solutions for an ever-changing digital landscape. Wherever they are, and through whichever device they are accessing the network, is where the line of defense must be drawn. And these lines are in constant motion as people connect from device to device and network to network.

As next-generation and wireless networking technologies become part of the infrastructure, the defined perimeter is becoming transparent, if not blurred, and networks and systems alike have become easily accessible to employees, partners, and customers. The insider threat has become top of mind for many enterprises in business, government and higher education, and is now recognized as one of the greatest and most damaging security risks. As a result, security executives are being asked to protect their crucial data without inhibiting the business or adding more staff. There are various ways of approaching data protection and managing the insider threat: at the network, at the endpoint, with the user, or a combination of all three.

Discuss with your peers at this executive roundtable:

  • Understanding the risk of the insider threat at your organization: where it can come from and how
  • How to build the business case for deploying solutions to address the threat from the inside
  • Sharing of best practices for deploying identity management, anomaly detection, endpoint security and network access control technologies
  • Types of Acceptable Use Policies (AUP) to have in place at your organization
  • Where are you seeing the greatest area of risk from the insider at your organization: is it from the customer, end-user (employee), supplier (business partner) or other sources?
  • What are you doing to mitigate this type of risk?
  • What kinds of technologies are you using? (identity management, anomaly detection, endpoint security and Network Access Control (NAC) technologies)
  • What kinds of results have you seen? Please share some examples.
  • What do you recommend that your peers do if they are in a similar situation?
  • How do you prioritize these challenges?
  • How do you incorporate these types of technologies into your existing architecture?
  • What kinds of Acceptable Use Policies (AUP) do you have in place at your organization?


Thought Leadership Topic Three:

Keeping Security Transparent but Effective with the Advancement of IT
Led by: Tony Spurlin, Senior Manager - Information Risk Management and Compliance, The Home Depot

There are a number of IT challenges today coming from all aspects of real life. It is not just security threats coming through your firewall or hackers attacking your wireless network. It can be as simple as human error that occurs during a system patch or a migration of servers or networks. We all know that much of this information flows through a Windows platform, and the need to protect information and systems remains a critical business challenge. Further, with the release of Vista, a whole new set of business and technology challenges can come into play.

Discuss with your peers at this executive roundtable:

  • How the latest IT advances put corporate information at risk
  • What hardware, OS, applications and data are at risk if our ability to reach, transact, confirm, validate and recover the information in real time is compromised?
  • Share your plans on upgrading to Vista


Thought Leadership Topic Four:

Deep Dive: Pros and Cons of Using a Managed Security Service Provider (MSSP)
Led by: Paul Huesken, Director, Information Assurance, The Coca-Cola Company

Securing information assets from internal and external threats has become a highly complex IT function, demanding significant investment in expertise, systems, infrastructure, and 24x7 oversight. The challenge of retaining resources and running a 24x7 environment on your own may not be cost-effective for your organization. One solution to this challenge is employing a managed security service provider (MSSP). Consider with your peers the pros and cons of utilizing an MSSP. Also, discuss the advantages and disadvantages of a dual approach (having part of your security operations outsourced to an MSSP and other parts managed by internal resources).

Discuss with your peers at this executive roundtable:

  • Do you currently work with an MSSP? How has this experience been for your organization? If so, what are the advantages or disadvantages?
  • What inspired your decision to have this type of service vs. managing your security operations internally?
  • With the recent consolidation of MSSP players in the marketplace, what are you looking for in an MSSP?
  • Do you have any hybrid situations, i.e. a part of your business manages security operations internally but outsources the majority of the security operations to an MSSP? (Disney, for example, manages the security and IT operations for its cruise ships internally but has outsourced the rest of its IT and security operations.)
  • Outsourcing does not have to mean out of control. What do you have in place that helps you manage the environment at an executive level? What about the operational level?
  • Does your MSSP audit all elements of the security infrastructure to determine if your systems are in compliance with corporate policies and/or industry regulations?
  • What kind of reporting do you get and find to be useful? Do these reports help you identify areas of vulnerability with prioritized recommendations to bring systems into compliance? What kind of improvements have you been able to make at your organization with this type of information? Have you been able to share it with other business leaders and executives at your organization? What have you found to be the most effective?


Thought Leadership Topic Five:

Managing Security Here and Halfway Around the World
Led by: Phil Agcaoili, Director of Security, Dell

Information Security Executives (ISEs) in global companies face many challenges when managing security in several global locations. These challenges include cultural differences, unstable political environments, language barriers, different work ethics and multiple time zones. At some organizations, a good number of your security managers and staff may reside in functions other than information security, so security is often only part of their job description.

Discuss with your peers at this executive roundtable:

  • What kind of security department your company has in place vs. what it needs to be
  • Integration into other areas of IT and risk management
  • Techniques for staying in close contact with employees
  • Educating lines-of-business leaders on how security can add value and lower risk
  • Types of training and professional development to offer new and existing staff
  • Keeping the information flowing across time zones, cultures and geographic boundaries
  • Measuring and assessing the security program from country to country

Thought Leadership Topic Six:

Data Protection: Keeping Your Secrets Safe and Secure - or Not at All?
Led by: Tim Callahan, First Vice President, Technology Risk Management and Chief Information Security Officer, People's Bank

Ever since California passed SB1386 and other states passed similar laws, organization after organization has had to disclose that critical data banks have been compromised by hackers, couriers or consultants. The causes range from lost backup tapes to lost laptops to network hacks. What most of these cases have in common is the lack of strong technical measures to protect data that is by its nature highly sensitive. From these and other cases we've learned that many companies seem to believe they can adequately protect their information with a combination of locked doors, firewalls and access controls, but may ignore simple process and procedure. Or the problem can be more sophisticated: an attacker bypasses these mechanisms and sends raw commands directly to a database server.

Discuss with your peers at this executive roundtable:

  • The best approaches to collect sensitive data or debate whether or not to collect sensitive data at all
  • Encryption techniques, e.g. partial encryption
  • Technology solutions available for data protection and encryption
