Information Security Executive of the Year Award - Executive Alliance, Inc
ISE Mid-Atlantic Executive Forum 2008

Thursday, June 12, 2008
Ritz-Carlton, Pentagon City
Washington, DC
2:00 PM - 3:30 PM

Guest Host Moderators

David Vordick
Chief Information Officer
USEC, Inc
ISE Mid-Atlantic Awards 2006 Nominee

Topic 1: Endpoint Security - Protecting Your Organization from Zero Day Attacks and the Next Generation of Risks
Kent Podvin
Director of Information Technology
Capital BlueCross
ISE Mid-Atlantic Awards 2007 Finalist
Topic 2: Protecting Data from the Inside Out - Knowing Your Software and Web Application Vulnerabilities
Jane Scott Norris, CISSP, CISM, CAP
Dean, School of Applied Information Technology, Foreign Service Institute
U.S. Department of State
ISE National Award Finalist 2004 and 2005
Topic 3: Achieving FISMA Compliance
Krizi Trivisani, CISSP
Director of Systems Security Operations, Chief Security Officer
The George Washington University
ISE National Awards 2007 Academic Category Finalist, ISE National Member's Choice Award 2007 Winner, ISE Mid-Atlantic Awards 2007 Finalist, ISE Mid-Atlantic People's Choice Award 2007 Winner
Topic 4: Protecting Data - A Task of Increasing Complexity with the Proliferation of Regulations and Emerging Technologies
Jim Lemieux
Director of Information Protection
CIGNA
Topic 5: The Benefits and Challenges of Implementing Identity Management Solutions Including Network Access Control and Provisioning

Thought Leadership Topic One:

Endpoint Security - Protecting Your Organization from Zero Day Attacks and the Next Generation of Risks

Organizations today face a threatening landscape that involves stealthy, targeted, and financially motivated attacks that exploit vulnerabilities in endpoint devices. Many of these sophisticated threats can evade traditional security solutions, leaving organizations vulnerable to data theft and manipulation, disruption of business-critical services, and damage to corporate brand and reputation.

Organizations must advance their endpoint protection efforts to combat and stay ahead of this emerging breed of stealthy and resilient security threats. Toward this end, they need to augment traditional antivirus and anti-spyware solutions with network threat protection that combines state-of-the-art intrusion prevention and sophisticated network communications control. This enables organizations to protect against blended threats, as well as inhibit network outbreaks. They also need to leverage proactive threat protection solutions, which safeguard against unknown and zero-day threats.

In addition, with the rapid adoption and sweeping growth of smart phones, PDAs, USB flash drives, iPods, MP3 players and other mobile devices, it is critical that organizations implement solutions that protect the personal information stored on these devices, which are vulnerable to loss or theft.

Discuss with your peers at this executive roundtable:

  • How to stay ahead of the emerging threats to your enterprise
  • What tools and technologies, processes and solutions are you using today or looking at using in the future to protect endpoint devices
  • Protecting confidential data on laptops and other mobile devices
  • Increasing visibility and control over managed and unmanaged endpoint devices


Thought Leadership Topic Two:

Protecting Data from the Inside Out - Knowing Your Software and Web Application Vulnerabilities

Data privacy, regulatory compliance, outsourced development, security in the software development lifecycle (SDLC)... There has never been a greater reason to secure your critical data, and it is your applications - the foundation upon which organizations and government entities function - that are putting that data at risk.

Although analyzing your applications for risk may seem daunting, knowing where your software and web applications are most vulnerable and remediating those vulnerabilities is critical to understanding and managing your business risk.

The ongoing epidemic of data breaches, and the notification requirements forced by today's data breach disclosure laws and compliance standards, have painfully highlighted the insecurity of many of today's applications. How, then, can organizations and governments ensure their applications are secure and avoid the cost, the stock price downturn, or worse - having to explain to consumers and regulators how code defects allowed attackers to steal sensitive information?

Historically, the focus has been on one of the following two approaches to securing software:

  • Manual Security Code Review - while providing a thorough analysis, it has issues of efficiency, repeatability, reliability and cost, and it requires highly skilled security expertise.
  • Penetration Testing - focuses only on web front ends and exposed interfaces. Pen testing is considered an "Outside-In" approach and requires a functionally complete application to analyze, so it cannot be built into the SDLC process.

While both of these approaches have their value, automated software risk analysis tools now allow organizations to approach secure code development in a more systematic, automated and predictable manner. These tools can greatly improve the speed and accuracy of code review, and may be integrated seamlessly into the development lifecycle, precisely locating vulnerabilities in the line of code and providing detailed information about the type of flaw, the risk it poses, and how to fix it.

Discuss with your peers at this executive roundtable:

  • Tools and technologies for identifying web application vulnerabilities
  • Methods of firmly entrenching application security in all stages of the SDLC
  • Roles and responsibilities of the application quality assurance (QA) teams, information security staff, audit professionals, and developers in ensuring secure applications
  • Methods and processes to deal with attacks that target software and web application vulnerabilities
  • Providing training for application developers in writing secure code


Thought Leadership Topic Three:

Achieving FISMA Compliance

All federal agencies are required to comply with the Federal Information Security Management Act (FISMA) guidelines for IT systems security. Failure to pass a FISMA inspection can result in unfavorable publicity, increased oversight of your agency, computer breaches, and even a reduction in the IT budget.

FISMA provides a framework for ensuring the protection of government information, operations and assets. The legislation requires agency officials to implement policies, procedures and practices to strengthen information security, and reduce security risks. FISMA compliance requires agencies to:

  • Implement and adhere to security configuration standards developed by NIST
  • Identify and resolve risks
  • Perform ongoing assessment and testing
  • Conduct annual reviews on the effectiveness of the agency's information security and privacy programs, and report the results to the OMB annually

Protecting the privacy and security of federal information and systems, and complying with FISMA requirements, is a significant challenge for federal agencies. Agencies must meet FISMA compliance requirements cost-effectively while still achieving their business objectives and mission, and they must be efficient to balance both demands.

A best-practice approach to FISMA compliance requires development, implementation and continuous measurement and monitoring of an agency-wide, risk-based security program.

Such a solution instills accountability, proactive protection, integrity, and continuous improvement.

Discuss with your peers at this executive roundtable:

  • Key steps in achieving FISMA compliance
  • Tools that can help you meet FISMA requirements
  • Strategies, methods, policies, and processes for complying with the regulations
  • Identifying and prioritizing where to start to meet the new law


Thought Leadership Topic Four:

Protecting Data - A Task of Increasing Complexity with the Proliferation of Regulations and Emerging Technologies

Organizations of all sizes and across industry lines face similar issues when it comes to keeping data and systems protected and available. Data protection is emerging as one of the most critical tasks for information security, IT, and the business. Exponential data growth, along with recently imposed regulatory requirements for data retention, availability, and privacy are happening against a backdrop of increasing threats.

Addressing compliance and the appropriate handling of compliance-related privacy data, such as Social Security Numbers (SSN), credit card numbers, personally identifiable information, protected health information, and financial data, is critical for maintaining a strong public reputation, protecting corporate brand identity, and minimizing financial risk.

The need for protecting compliance-related privacy data and other sensitive data is clear, as risks can evolve from a variety of sources, including:

  • A malicious insider
  • Corporate espionage
  • End-user errors
  • Broken business processes
  • Misconfigured IT systems

Solutions for protecting sensitive data can include encryption, network access control (NAC) and network segmentation, including new software-based products that create secure zones.

Security practitioners have always had to deal with data leakage issues that arise from email, IM and other Internet channels, but now with the proliferation of mobile technology, it's easier for data loss to occur, whether accidentally or maliciously. Protecting data on laptops and other mobile devices such as USB keys, Bluetooth devices, or removable CD drives presents a huge challenge.

Discuss with your peers at this round table:

  • How businesses and federal government agencies are segmenting their networks to create secure zones, and the challenges of using firewalls and NAC versus a software-based approach
  • Effective methods of protecting sensitive customer and company information
  • Strategies for ensuring your data is safe when exchanged with third-party providers
  • Processes and solutions that you have implemented to deal with endpoint security
  • Technologies that you have implemented to help prevent data leakage
  • Challenges and solutions for protecting data on mobile devices
  • Ways to identify sensitive data, evaluate risk, and apply data classification standards


Thought Leadership Topic Five:

The Benefits and Challenges of Implementing Identity Management Solutions Including Network Access Control and Provisioning

Recent and ongoing legislation relating to corporate governance and privacy protection, regardless of the specific law and jurisdiction, generally requires the same basic controls:

  • Strong authentication of all trusted users and contractors
  • Customer data, sensitive corporate data, and government data are protected through access controls, encryption, etc.
  • Effective controls over who has access to data based on need (internal users, customers, contractors)
  • Audit trails that support discovery of what users have access to key data and business functions

Identity management plays a key role in providing an effective compliance infrastructure to ensure these controls are in place, and it is becoming more prominent in the security value chain. It is a complex issue, but it can help companies and government entities simplify identity and password management systems while building new capabilities to integrate their efforts with partners and other organizations. Some of the key benefits include the ability to centrally manage identities across multiple platforms, automate the provisioning and de-provisioning process, manage enterprise-wide password policies, and control access to networks, systems, and data.

Discuss with your peers at this executive round table:

  • How identity management can play a significant role in enabling organizations and government entities to meet today's demands for security and compliance
  • How identity management initiatives can bring significant cost savings and competitive advantage to businesses
  • Best practices for rolling out information management initiatives for all phases of the Identity lifecycle
  • Challenges in the implementation of identity management systems such as NAC and provisioning
  • How automating centralized management of sensitive information can enable effective and efficient regulatory compliance and reporting
