Information Security Executive of the Year Award, Executive Alliance, Inc.
ISE West Executive Forum 2007 - Day 2

ISE West Executive Forum

Friday, October 19, 2007
W Hotel San Francisco
181 3rd Street
San Francisco, California 94103
415-777-5300

Great Room 1
9:00 AM - 10:30 AM

Schedule
9:00 AM

Welcoming Remarks and Introductions of Guest Host Moderators
Marci McCarthy, CEO, Executive Alliance

9:05 AM

Interactive Global Discussion
Keeping Your Data Safe in the Hands of Third-Party Providers
Kim Van Nostern, Resident Information Security Executive, Executive Alliance

9:35 AM

Thought Leadership Topics
Led by Guest Host Moderators

10:15 AM

Roundtable Debriefs

10:30 AM

Closing Remarks
Marci McCarthy


Do you have Advance Questions for a Guest Host Moderator?

If you would like to ask a Guest Host Moderator a question on their thought leadership topic in advance of the ISE West Executive Forum, please send your question via email to iseWest@infosecaward.com. Be sure to use the subject line: Question for Guest Host Moderator at ISE West Executive Forum. In the body of the email, please give the name of the Guest Host Moderator, the thought leadership topic and your question. We will forward your question to the Guest Host Moderator to be answered at the ISE West Executive Forum. Thank you.


Global Moderator

Kimberly Van Nostern, CISSP
Resident Information Security Executive
Executive Alliance
ISE Midwest Awards 2005 Winner, ISE Midwest People's Choice Award 2005 Winner

Keeping Your Data Safe in the Hands of Third-Party Providers

Topic 5. Dodging a Bullet: Avoiding a Disaster When a Security Breach Occurs

Guest Host Moderators

Bob Frank, CISSP
Chief Information Security Officer
California State Automobile Association
ISE West Awards 2007 Nominee

Topic 4. Providing Security from an Expanding Digital Infrastructure

Jason Hoffman
Director of Information Security Assurance
Kaiser Permanente
ISE West People's Choice Award Winner 2006, ISE West Awards 2006 Finalist

Topic 3. Measuring the Value of Security: Aligning Security Metrics with Key Business Drivers

David R. Matthews, CISSP, CISM, GSEC, CCFE, CPM, A+
Deputy Chief Information Security Officer
City of Seattle, Washington
ISE West Awards 2007 Nominee

Topic 2. Information Management: Data Loss Prevention, Electronic Discovery and Audit

Radha Thompson
First Vice President, Security Operations and Card Services Risk
Washington Mutual (WAMU)
ISE West Awards 2007 Nominee

Topic 1. Taking Your Organization to a Proactive Mindset from a Reactive Risk Management Posture

Executive Forum Global Topic

Keeping Your Data Safe in the Hands of Third-Party Providers

Global Topic Led By: Kimberly Van Nostern, Resident Information Security Executive, Executive Alliance; ISE Midwest Awards 2005 Winner, ISE Midwest People's Choice Award 2005 Winner

In the world of security today it's all about protecting your data. Not only do you have to worry about insider and outsider threats to your data while it resides within your network; even more critical is the need to ensure your data is protected when it is in your third-party vendors' hands.

Many companies are working with their internal business partners to ensure that the vendors they do business with have proper security controls in place if they exchange PII or PHI. More and more companies are requiring contract language that commits their vendors to agreed security standards. A robust vendor risk management program can include onsite visits to key vendors, and it requires resources and funding to succeed.

Today's business environment demands the free flow of information between organizations. Yet there are significant regulatory and legal obligations to protect information exchanged with third parties, whether they are service providers, suppliers, vendors, or partners.

In an interactive format, Kim Van Nostern will share methods, insights and solutions for keeping your data safe in the hands of third-party providers.

Topics to be discussed include:

  • Best strategies for working with third parties to protect information
  • Developing agreements that hold third-party providers accountable for securing data
  • Enforcing the standards third-party providers must uphold
  • Identifying and mapping data exchanges
  • Creating risk rating criteria for vendor assessments and prioritizing risks
  • Identifying and engaging internal stakeholders in the management of risk



Thought Leadership Topic One:

Taking Your Organization to a Proactive Mindset from a Reactive Risk Management Posture

Today's enterprise faces a tough challenge in meeting the requirements of a variety of technical standards, IT governance frameworks, and laws related to security administration. Complying with governance standards, frameworks such as ISO 17799, and laws such as the Sarbanes-Oxley Act and Basel II is a major challenge in itself; it is often hard to think about staying ahead of the curve. Furthermore, in an effort to meet compliance requirements, many organizations have deployed rudimentary policies with the intention of improving them later. Discuss with your peers what processes and solutions you have implemented to date and what your plans are for the future, given that compliance is an ongoing effort. Discuss, too, how you can take your organization from a reactive risk management posture to a proactive mindset, adopting a stance that helps achieve good governance by implementing a best-practices framework within the enterprise.

Topics to be Discussed Include:

  • How to define IT policy compliance at your organization
  • Where the management of this function should go
  • Effective ways to identify threats that can make your organization non-compliant


Thought Leadership Topic Two:

Information Management: Data Loss Prevention, Electronic Discovery and Audit

Optimal use of information can be a key differentiator for enterprises in today's business environment. However, the amount of electronic information being generated and stored in messaging and collaboration systems has increased and become more broadly distributed. IT and security organizations are increasingly impacted by governance mandates and content retention policies. In addition, a rapidly changing threat landscape, increased compliance and legal discovery requirements have created significant risks which enterprises must now manage more effectively. IT and security executives are playing a more dominant role in the e-discovery process than ever before. Furthermore, the loss of sensitive content such as customer data and intellectual property has become a significant risk as businesses become more collaborative and information is more broadly distributed. Finally, many enterprises face regulatory requirements to ensure sensitive information is protected.

Topics to be Discussed Include:

  • How to identify sensitive content and ensure that it does not leave the information environment inappropriately
  • Time-efficient techniques for getting through audits and sifting through large amounts of data
  • Developing retention and archiving policies for email, instant messaging, portal content, files and documents

Thought Leadership Topic Three:

Measuring the Value of Security: Aligning Security Metrics with Key Business Drivers

There has been a drastic shift in the importance of information security at the higher levels of organizations in recent years. Increasingly, organizations are finding that the amount of information needing protection is changing. The tightening regulatory climate has also increased the risk that corporate officers must accept. As a result, corporate officers are insisting on being directly involved in the review and implementation of security within their organization.

In order to accurately portray the current security posture of the organization, it is essential to have a centralized repository of information that can be used to compute metrics. Metrics provide a mechanism to accurately measure the success of security initiatives and investments in the context of the business. A report might track the total number of incidents that occurred in a given month. A metric, on the other hand, can be developed to show the relationship between the number and types of attacks or alerts and the number and severity of incidents resulting from those attacks. The latter is a more accurate measure of effectiveness in reducing the number and impact of incidents on the business. Being able to state with certainty that the number and severity of incidents has decreased over a specified time period is a much more useful metric than a list or count of incidents.

Reporting alone does not clearly express the value security provides to an organization. Without context, most reports on security events and incidents provide little value as key performance indicators. Many organizations have a variety of disparate security technologies and management consoles, each generating volumes of data. Analyzed and consolidated, this data can be a valuable source of information for making essential decisions on protecting customer information, patient records or the integrity of financial transactions. Positioning this information in the context of risk policy, policy enforcement and business imperatives requires metrics that measure the success of security programs against management objectives.
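As an added illustration of the report-versus-metric distinction described above (this is example code written for this page, not material from the forum or its moderators), the block below computes both from a constructed set of alert and incident records: the plain incident count, the per-attack-type relationship between alerts and resulting incidents with their severity, and the severity-weighted change between two months.

```python
from collections import defaultdict

# Constructed sample data (not from the forum page): alert volumes and the
# incidents that resulted from them, over two months. Severity runs from
# 1 (low) to 4 (critical).
ALERTS = [
    # (month, attack_type, alert_count)
    ("2007-08", "phishing", 120),
    ("2007-08", "malware", 80),
    ("2007-08", "web_attack", 40),
    ("2007-09", "phishing", 150),
    ("2007-09", "malware", 60),
    ("2007-09", "web_attack", 45),
]

INCIDENTS = [
    # (month, attack_type, severity)
    ("2007-08", "phishing", 3), ("2007-08", "phishing", 2),
    ("2007-08", "malware", 4), ("2007-08", "malware", 2),
    ("2007-08", "web_attack", 3),
    ("2007-09", "phishing", 2), ("2007-09", "malware", 3),
]


def plain_report(month):
    """The 'report' of the text: a bare count of incidents in a month."""
    return sum(1 for m, _, _ in INCIDENTS if m == month)


def effectiveness_metric(month):
    """The 'metric' of the text: per attack type, how many alerts turned into
    incidents and how severe they were.
    Returns {attack_type: (alerts, incidents, severity_weighted_incidents)}."""
    alerts, incidents, weighted = defaultdict(int), defaultdict(int), defaultdict(int)
    for m, t, n in ALERTS:
        if m == month:
            alerts[t] += n
    for m, t, sev in INCIDENTS:
        if m == month:
            incidents[t] += 1
            weighted[t] += sev
    return {t: (alerts[t], incidents[t], weighted[t]) for t in alerts}


def severity_trend(month_a, month_b):
    """Relative change in severity-weighted incidents from month_a to month_b.
    A negative value means impact fell even where alert volume rose."""
    a = sum(w for _, _, w in effectiveness_metric(month_a).values())
    b = sum(w for _, _, w in effectiveness_metric(month_b).values())
    return (b - a) / a if a else 0.0
```

With the constructed data, phishing alerts rise from August to September while the severity-weighted incident total falls, which is the kind of statement the text calls a useful metric and a plain incident count cannot express.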

Topics to be Discussed Include:

  • Sources of possible increased support for security from executive management
  • How to convey and communicate the value of security investments
  • Developing performance indicators and using dashboards

Thought Leadership Topic Four:

Providing Security from an Expanding Digital Infrastructure

Many would agree that digital infrastructures are changing and expanding to accommodate customer preferences. Customers want technology to help them arrange their lives and they want it at their fingertips, in one place, and at any time.

Protecting customers from threats associated with broadband internet and mobile applications that provide on-demand and interactive services can be daunting for IT security professionals. The next generation of media services, network broadcasters, ISPs, telcos, and cable and mobile companies are providing interactivity as never seen before, and are often doing so without any safeguards in place for unsuspecting end users.

The digital infrastructure enables people to watch television, talk on the phone, search the Web, listen to the radio, download movies, schedule events, shop for dinner, manage banking needs, play games, gamble, organize transportation, and for some, commit crimes.

Topics to be Discussed Include:

  • Emerging crucial security issues resulting from the expanding digital infrastructure
  • Methods that can protect networks from broadband internet and mobile application threats
  • Identifying and trusting digital signatures
  • Digital certificates and other methods of establishing credentials from digital sources
  • Applying secure credentials to existing applications and how that can reduce risk
  • Applying password authentication
  • Laws and regulations: are there any?

Thought Leadership Topic Five:

Dodging a Bullet: Avoiding a Disaster When a Security Breach Occurs

Over the past year, we have seen many examples of breach notifications involving up to millions of victims. Looking further into the business impact of the post-breach process, we can quickly see that the way an organization reacts to a security breach can make the difference between a minor financial impact, a major financial impact and a complete meltdown. It has often been cited, and many of us have experienced first-hand, that a firm's failure to communicate effectively after a security breach can be more destructive than the breach itself.

Topics to be Discussed Include:

  • Best practices for avoiding the aftermath of a security breach
  • Training employees to deal with security breaches in a timely and professional manner
  • Methods to communicate effectively with the company and customers after a security breach
  • Maintaining customer confidence after a security breach occurs