Monday, November 17, 2008
Gaylord National Resort
Washington, DC
10:15 AM - 11:45 AM

Led by: Marci McCarthy, CEO, Executive Alliance

Guest Host Moderators

Topic 1: Data Loss Prevention... Identifying, Monitoring, and Protecting Data at Rest, in Motion, and in Use
Moderator: Eric W. Schmidt, Chief Security Officer, Indiana University School of Medicine, Indiana University (ISE Midwest Awards 2005 Finalist)

Topic 2: Building Trusted Relationships thru Federated Identity Management Solutions
Moderator: Suzanne Hall, CPA, CISA, CISM, Chief Information Officer, Lerner Enterprises/Washington Nationals (ISE Mid-Atlantic People's Choice Award Winner 2006)

Topic 3: Virtualization and the Security Risks of Protecting Systems and Web Applications
Moderator: Krizi Trivisani, CISSP, Director of Systems Security Operations and Chief Security Officer, The George Washington University (ISE National Awards 2007 Academic Category Finalist; ISE National Member's Choice Award 2007 Winner; ISE Mid-Atlantic Awards 2007 Finalist; ISE Mid-Atlantic People's Choice Award 2007 Winner)

Topic 4: Instant Insecurity: The Challenges and Risks of E-Mail and Instant Messaging in Today's World
Moderator: Paul Huesken, Director, Information Assurance, The Coca-Cola Company

Topic 5: Attaining Compliance with PCI Requirements in 2008 by Protecting Web-Facing Applications Against Known Attacks
Moderator: Karl West, Chief Information Security Officer, Intermountain Healthcare (ISE West 2008 Project of the Year Winner)

Topic 6: Protecting Data from the Inside Out by Knowing Where your Software and Web Applications are Vulnerable
Moderator: Lynda Fleury, CISM, Assistant Vice President and Chief Information Security Officer, Enterprise Information Security & Risk Management, Unum (ISE Southeast Awards 2008 Winner)

Topic 7: The Security Risks of Social Networking and What it Means for Global Organizations
Moderator: Todd Fitzgerald, CISSP, CISA, CISM, Medicare Systems Security Officer, National Government Services, LLC (NGS) (ISE Midwest Awards 2005 Finalist)

Data Loss Prevention... Identifying, Monitoring, and Protecting Data at Rest, in Motion, and in Use
Organizations everywhere now rely on high-speed networks and mobile computing to share and access information more easily. Unfortunately, this wide-open world also presents a new challenge for information security executives: how to prevent the loss of the most sensitive data.
Breaches of personal data have reached epidemic proportions. What's more, the loss of intellectual property poses a real threat to every business. Security solutions, designed to protect the network or limit information access, simply do not address the fundamental questions of where sensitive information is stored, how it is used, and how best to prevent its loss.
Security practitioners have always dealt with data leakage issues from email, IM, and other Internet channels, but now with the proliferation of mobile technology, it's easier than ever for data loss to occur, whether accidentally or maliciously. Protecting data on laptops and other mobile devices such as USB keys, Bluetooth devices, or removable CD drives presents a huge challenge.
Enterprise security executives, more now than ever, understand how critical it is to discover and protect data wherever it is stored, as well as monitor and prevent it from being used inappropriately across multiple channels.
Discuss with your peers at this executive roundtable:
- Effective methods of protecting sensitive customer and company information
- Strategies for ensuring your data is safe when exchanged with third-party providers
- Processes and solutions that you have implemented to deal with endpoint security
- Technologies that you have implemented to help prevent data leakage
- Challenges and solutions for protecting data on mobile devices
- Ways to identify sensitive data, evaluate risk, and apply data classification standards
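As an added illustration of the "identify sensitive data" and "monitor across channels" points above (example code written for this page, not a product's code or the roundtable's material): a minimal content-inspection routine of the kind a DLP engine applies to files at rest and to outbound messages. It looks for primary account numbers, uses the Luhn check to discard look-alike digit runs, reports the line each hit sits on, classifies the document, and masks hits before text leaves the organization. The sample ticket text and all function names are constructed for the example; the card numbers are well-known test values, not real accounts.

```python
import re

# Candidate PAN: 13 to 19 digits, optionally separated by single spaces or dashes,
# and not embedded in a longer digit run.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Constructed sample text standing in for a help-desk ticket found on a file share.
SAMPLE_TEXT = """Ticket 48213: customer reports a failed checkout.
Card on file: 4111 1111 1111 1111, exp 09/10 (well-known test number, not a real account)
Order reference 1234-5678-9012-3456 looks like a card but fails Luhn, so it is ignored
Backup card 5500000000000004 was also declined.
"""


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check. Issued card numbers pass it; most random digit runs do not."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def card_brand(digits: str) -> str:
    """Coarse brand guess from the leading digits; enough for a report line."""
    if digits[0] == "4":
        return "Visa"
    if digits[:2] in {"51", "52", "53", "54", "55"}:
        return "Mastercard"
    if digits[:2] in {"34", "37"}:
        return "American Express"
    return "unknown"


def mask_pan(digits: str) -> str:
    """Keep the first six and last four digits (the usual display form), mask the rest."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_pans(text: str) -> list:
    """Return one finding per Luhn-valid PAN, with the 1-based line it sits on."""
    findings = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_valid(digits):
            findings.append({
                "line": text.count("\n", 0, m.start()) + 1,
                "brand": card_brand(digits),
                "masked": mask_pan(digits),
            })
    return findings


def classify(text: str) -> str:
    """Data-at-rest use: label a document for the data classification policy."""
    return "RESTRICTED: cardholder data" if find_pans(text) else "no cardholder data found"


def redact(text: str) -> str:
    """Data-in-motion use: mask valid PANs before a message leaves the organization."""
    def _mask(m):
        digits = re.sub(r"[ -]", "", m.group(0))
        return mask_pan(digits) if luhn_valid(digits) else m.group(0)
    return PAN_CANDIDATE.sub(_mask, text)


if __name__ == "__main__":
    for f in find_pans(SAMPLE_TEXT):
        print(f"line {f['line']}: {f['brand']} PAN {f['masked']}")
    print(classify(SAMPLE_TEXT))
    print(redact(SAMPLE_TEXT))
```

Real DLP engines add context (nearby words such as "card" or "exp"), many more identifiers (national ID numbers, account numbers, document fingerprints) and a policy layer that decides whether to log, quarantine or block; the Luhn filter alone is what keeps a sixteen-digit order number from tripping a cardholder-data policy.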
Building Trusted Relationships thru Federated Identity Management Solutions
Exchanging critical information across company boundaries - among customers, suppliers and partners - is a necessity in today's fast-paced world. End users expect to access all services via a single interface, user name and password. Yet the proliferation of the more flexible and open service oriented architecture (SOA) and Web 2.0 environments creates its own set of identity management and compliance challenges. Collaborating and managing user and services identities across a business ecosystem places substantial demand on enterprise IT infrastructures. With an ever-increasing amount of vital information contained in different security domains, using federated single sign-on (SSO) techniques to help integrate this information can provide quick benefits and savings.
Identity management can help companies simplify identity and password management systems while building new capabilities to integrate their efforts with partners and other organizations. Key benefits include:
- Centrally managing identities across multiple platforms saving time, money, and resources.
- Automating the provisioning process for new users enabling the business to get up and running faster
- Automating the de-provisioning process for better security
- Managing enterprise-wide password policies reducing costly calls to the help desk
- Improving adherence to compliance regulations and internal security policies
Discuss with your peers at this executive roundtable:
- How identity management can play a significant role in enabling organizations to meet today's demands for security and compliance
- How identity management initiatives can bring significant cost savings and competitive advantage to businesses
- Best practices for rolling out identity management initiatives across all phases of the identity lifecycle
- Challenges in implementing identity-dependent systems such as network access control (NAC) and automated provisioning
- The benefits and savings of implementing single sign-on in your organization
Virtualization and the Security Risks of Protecting Systems and Web Applications
Many organizations are embracing virtualization technologies and are actively moving forward with large scale implementations. Virtualization brings us new ways of doing things from managing desktop operating systems to consolidating servers. Virtualization has become a way to deconstruct fixed and relatively inflexible architectures and reassemble them into dynamic, flexible and scalable infrastructures.
Virtualization offers organizations the opportunity to reduce costs and increase agility, however, if this is done without implementing best practices for security, virtualization may actually increase costs and reduce agility, according to Gartner Inc. "Virtualization, as with any emerging technology, will be the target of new security threats," said Neil MacDonald, vice president and Gartner Fellow.
In addition, one of the biggest challenges in securing Web applications in a virtualized world is how to test the applications in an environment that is identical to that of the live application without risking data corruption or disruptions to customers.
Other security issues include the following:
- Patching and reboots in virtualized platforms
- Keeping track of security on two tiers, the physical host security and the virtual machine security
- The loss of segregation of duties for administrative tasks
- Immature and incomplete security and management tools
- Conducting security assessments on virtualized applications
The need for cross-platform virtual security to secure both virtualized and physical environments is clear. New emerging technologies for virtual machine security are an investment that must be considered before this technology outruns security best practices even further.
Discuss with your peers at this executive roundtable:
- How companies are dealing with complicated maintenance windows in a virtual server environment, and whether their ability to apply patches has significantly changed because of this environment.
- How companies are securing virtual machines and how existing configuration guidelines have changed or should be changed.
- What tools and technologies enterprises are using to help manage the security in this new environment.
- How companies are dealing with segregation of duties issues for administrative tasks.
- How to conduct vulnerability assessments on virtualized applications and the concept of virtual testing.
Instant Insecurity: The Challenges and Risks of E-Mail and Instant Messaging in Today's World
For most organizations today, e-mail is the single most critical channel for internal and external communication. With increases in network bandwidth, the use of e-mail as a vehicle for rich media has exploded: beyond simple text, e-mail now carries HTML, graphics, audio, and video. Having become critical for corporations in the 1990s, e-mail is now a vital form of business record.
Of course, e-mail is no longer the only form of electronic messaging and collaboration. In recent years, instant messaging (IM) has caught on in many organizations. Users at most organizations now use IM - even if it isn't supported by the IT department. It's even been estimated that IM may overtake e-mail as soon as this year in terms of the number of messages sent between users.
But, just as with e-mail, the ease and power of IM have given rise to a number of risks and challenges. IM is increasingly a target for attackers propagating IM-borne viruses, worms, malware and phishing attacks. These attacks have grown sharply over the past three years, increasing the need for real-time threat response for IM and peer-to-peer (P2P) applications.
The ongoing issue facing security executives, then, is how to preserve the value of messaging in light of these escalating security threats.
Discuss with your peers at this executive roundtable:
- The challenges that you face as a security executive with a strong reliance on e-mail and instant messaging communications for your business.
- The different types of technologies, solutions, and business processes that you are using for secure messaging today at your organization.
- How you are logging and monitoring the use of these communications.
- Policies and standards around the use of these communication vehicles.
- How IM and e-mail have improved or hindered effectiveness and productivity in your organization.
Attaining Compliance with PCI Requirements in 2008 by Protecting Web-Facing Applications Against Known Attacks
PCI DSS Requirement 6.6, which had been a recommended best practice since the standard's 2006 revision, became mandatory on June 30, 2008, to ensure the protection of Web applications at organizations that process credit card transactions. The requirement provides two options for implementation, each intended to address common threats to cardholder data: application code review and application firewalls.
The intent of Requirement 6.6 is to ensure that Web applications exposed to the public Internet are protected against the most common types of malicious input. A great deal of public information is available regarding Web application vulnerabilities. The council wrote in its guidance, "Proper implementation of both options would provide the best multi-layered defense; however, PCI SSC recognizes that the cost and operational complexity of deploying both options may not be feasible. Further, one or the other option may not be possible in some situations. It should be possible to apply at least one of the alternatives described in this paper and proper implementation can meet the intent of the requirement."
For organizations choosing the application code review option, the PCI SSC's guidance lists four ways of meeting Requirement 6.6:
- Manual review of application source code
- Proper use of automated application source code analyzer tools
- Manual Web application security vulnerability assessment
- Proper use of automated Web application security vulnerability assessment tools
In the context of Requirement 6.6, an "application firewall" is a web application firewall (WAF): a security policy enforcement point positioned between a web application and the client endpoint. This functionality can be implemented in software or hardware, running on an appliance or on a typical server with a common operating system.
Many organizations are working out how to meet this requirement before their next Report on Compliance or Self-Assessment Questionnaire is due.
Discuss with your peers at this executive roundtable:
- How your organization is interpreting this new PCI requirement
- Whether source code analysis or web application firewalls or both are currently being used or will be implemented in your environment
- How your organization is ensuring security is part of the software development lifecycle (SDLC)
Protecting Data from the Inside Out by Knowing Where your Software and Web Applications are Vulnerable
Data privacy. Outsourced development. Security in the SDLC. There has never been a greater reason to secure your critical data, and it is your applications, the foundation upon which organizations function, that are putting that data at risk.
Although analyzing applications for insight into risk may seem daunting, the path to knowing where your software and web applications are most vulnerable and remediating those vulnerabilities is critical to understanding and managing your business risk.
The ongoing epidemic of data breaches, together with regulations and compliance standards such as the Payment Card Industry Data Security Standard (PCI DSS), has painfully highlighted the insecurity of many of today's applications. How, then, can organizations ensure their applications are secure, and avoid the cost, the stock price downturn, or worse, having to explain to consumers and regulators how code defects allowed attackers to steal sensitive information?
Historically, the focus has been on one of the following two approaches to securing software:
- Manual Security Code Review which, while providing a thorough analysis, has issues of efficiency, repeatability, reliability and cost, while also requiring highly skilled security expertise.
- Penetration testing, which focuses only on web front ends and exposed interfaces. Pen testing is an "outside-in" approach and requires a functionally complete application to analyze, so it can only be applied late in the SDLC.
While both of these approaches have their value, automated software risk analysis tools now allow organizations to approach secure code development in a more systematic, automated, and predictable manner. These tools can greatly improve the speed and accuracy of code review and may be integrated into the development lifecycle, locating vulnerabilities down to the line of code and providing detailed information about the type of flaw, the risk it poses, and how to fix it.
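The "automated application source code analyzer" option of Requirement 6.6 (Topic 5) and the automated software risk analysis tools described here both rest on the same mechanism: find the calls that hand data to a sensitive sink and report those whose input is assembled at run time. The following is an added example written for this page, not code from any vendor's tool or from the roundtable: a small Python AST scanner that flags SQL queries built by concatenation, %-formatting, str.format() or f-strings, reports file, line and column, names the flaw (CWE-89) and states the fix. The sample module it scans, the sink list and all function names are constructed for the example.

```python
from __future__ import annotations

import ast
from dataclasses import dataclass

# Methods treated as SQL sinks: their first positional argument is the query text.
SQL_SINKS = {"execute", "executemany", "executescript"}

# Constructed sample module. Lines 3 to 6 build the query from a variable;
# line 7 is the parameterized form and line 8 is a constant query.
SAMPLE_SOURCE = '''
def find_user(cur, username):
    cur.execute("SELECT * FROM users WHERE name = '" + username + "'")
    cur.execute(f"SELECT * FROM users WHERE name = '{username}'")
    cur.execute("SELECT * FROM users WHERE name = '%s'" % username)
    cur.execute("SELECT * FROM users WHERE name = '{}'".format(username))
    cur.execute("SELECT * FROM users WHERE name = %s", (username,))
    cur.execute("SELECT COUNT(*) FROM users")
'''


@dataclass
class Finding:
    line: int
    col: int
    confidence: str
    flaw: str
    detail: str
    fix: str


def query_construction(node: ast.expr):
    """Return (confidence, how) when the query expression is assembled at run time, else None."""
    if isinstance(node, ast.Constant) and isinstance(node.value, str):
        return None                                   # literal SQL, nothing interpolated
    if isinstance(node, ast.JoinedStr):               # f-string
        if any(isinstance(v, ast.FormattedValue) for v in node.values):
            return "high", "f-string interpolation"
        return None
    if isinstance(node, ast.BinOp) and isinstance(node.op, ast.Add):
        return "high", "string concatenation"
    if isinstance(node, ast.BinOp) and isinstance(node.op, ast.Mod):
        return "high", "%-formatting"
    if (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
            and node.func.attr == "format"):
        return "high", "str.format()"
    if isinstance(node, ast.Name):                    # no taint tracking here: ask a human
        return "medium", f"variable '{node.id}' of unknown provenance"
    return None


class SqlSinkVisitor(ast.NodeVisitor):
    """Walk every call; record those that pass a dynamically built query to a sink."""

    def __init__(self) -> None:
        self.findings = []

    def visit_Call(self, node: ast.Call) -> None:
        func = node.func
        if isinstance(func, ast.Attribute) and func.attr in SQL_SINKS and node.args:
            verdict = query_construction(node.args[0])
            if verdict:
                confidence, how = verdict
                self.findings.append(Finding(
                    line=node.lineno, col=node.col_offset, confidence=confidence,
                    flaw="CWE-89 SQL injection",
                    detail=f"query passed to {func.attr}() built with {how}",
                    fix="keep the SQL text constant and pass values as query parameters",
                ))
        self.generic_visit(node)


def analyze(source: str, filename: str = "<string>") -> list:
    """Parse one module and return its findings in source order."""
    visitor = SqlSinkVisitor()
    visitor.visit(ast.parse(source, filename=filename))
    return visitor.findings


def report(findings, filename: str = "sample.py") -> list:
    """One triage line per finding: location, confidence, flaw, detail and remediation."""
    return [f"{filename}:{f.line}:{f.col}: [{f.confidence}] {f.flaw}: {f.detail}; fix: {f.fix}"
            for f in findings]


if __name__ == "__main__":
    for line in report(analyze(SAMPLE_SOURCE, "sample.py")):
        print(line)
```

Production analyzers go further with taint tracking (is the variable actually user-controlled?) and framework-specific sinks, but the output shape, location plus flaw type plus remediation, is what lets findings be triaged inside the SDLC instead of after a penetration test.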
Discuss with your peers at this executive roundtable:
- Tools and technologies for identifying web application vulnerabilities
- Benefits of automating code review to ensure compliance
- Ways of firmly entrenching application security in all stages of the Software Development Life Cycle (SDLC)
- Roles and responsibilities of the application quality assurance (QA) teams, information security staff, audit professionals, and developers in ensuring secure applications
- Methods and processes to deal with attacks that target software and web application vulnerabilities
- Providing training for application developers in writing secure code
The Security Risks of Social Networking and What it Means for Global Organizations
Social networking sites are one of the most remarkable technological phenomena of the 21st century and are becoming some of the most visited websites globally. For example, as of June 2007 MySpace was the most visited social networking site, with more than 114 million global visitors, a 72% increase over June 2006; Facebook increased its global unique visitors by 270% over the same period.
Social websites have significant business value because of the marketing applications they offer. Global enterprises are under pressure to open up these sites to more and more employees to keep up with the competition. As with every fast-growing technology, however, security and privacy have not been the first priority in the development of these social networking sites, and as a result, significant privacy and security risks have emerged. Major threats include social networking for the purpose of corporate espionage, information leakage by employees, escalated attacks by viruses and worms, and increased spam.
Security executives are tasked with understanding the major threats when they open up these websites in their organizations and the solutions for ensuring that individual and corporate data are protected from these threats.
Discuss with your peers at this executive roundtable:
- The benefits and challenges of opening up social networking in your organization
- Policies and processes that are needed to ensure corporate data is protected
- Technologies that can be implemented to help prevent data loss and identify and block malicious sites from being accessed
- Education and awareness techniques to ensure employees understand the risks of social networking