Thursday, October 16, 2008
Marriott Marquis Times Square
New York City, NY
2:00 PM - 3:30 PM

Guest Host Moderators

Eric W. Schmidt, Chief Security Officer, Indiana University School of Medicine, Indiana University; ISE Midwest Awards 2005 Finalist
Topic 1: Data Loss Prevention... Identifying, Monitoring, and Protecting Data at Rest, in Motion, and in Use

Steve Attias, CISSP, CISM, First Vice President and Chief Information Security Officer, New York Life Insurance Company; ISE Northeast Awards 2008 Nominee
Topic 2: Building Trusted Relationships thru Federated Identity Management Solutions

Anthony Passaniti, Senior Information Security Officer and Vice President of Global IT, Swiss Reinsurance; ISE Tri-State People's Choice Award Winner 2006, ISE Tri-State Awards 2006 Finalist
Topic 3: Virtualization and the Security Risks of Protecting Systems and Web Applications

Dennis Brixius, Vice President and Chief Security Officer, The McGraw-Hill Companies; ISE Northeast Awards 2007 Finalist, ISE Northeast People's Choice Award Winner, ISE National Awards 2007 Nominee
Topic 4: Instant Insecurity: The Challenges and Risks of E-Mail and Instant Messaging in Today's World

André Gold, Formerly with ING; ISE Central Awards 2007 Nominee
Topic 5: Attaining Compliance with PCI Requirements in 2008 by Protecting Web-Facing Applications Against Known Attacks

Tim Callahan, CISSP, CISM, First Vice President, Technology Risk Management and Chief Information Security Officer, People's United Bank; ISE National Awards 2007 Nominee, ISE Southeast People's Choice Award Winner 2006
Topic 6: Defending Against Attacks by Trusted Insiders and Achieving Regulatory Compliance

Marc S. Sokol, CISM, CHS-III, Vice President, Chief Security Officer and Head of Operational Risk, The Guardian Life Insurance Company of America; ISE Tri-State Awards 2006 Winner, ISE Tri-State People's Choice Award Winner 2005
Topic 7: Using Convergence and Integration to Transform Security from a Technology Issue to a Business Operational Risk Management Issue

Data Loss Prevention... Identifying, Monitoring, and Protecting Data at Rest, in Motion, and in Use
Organizations everywhere now rely on high-speed networks and mobile computing to share and access information more easily. Unfortunately, this wide-open world also presents a new challenge for information security executives: how to prevent the loss of the most sensitive data.
Breaches of personal data have reached epidemic proportions. What's more, the loss of intellectual property poses a real threat to every business. Security solutions, designed to protect the network or limit information access, simply do not address the fundamental questions of where sensitive information is stored, how it is used, and how best to prevent its loss.
Security practitioners have always dealt with data leakage issues from email, IM, and other Internet channels, but now with the proliferation of mobile technology, it's easier than ever for data loss to occur, whether accidentally or maliciously. Protecting data on laptops and other mobile devices such as USB keys, Bluetooth devices, or removable CD drives presents a huge challenge.
Enterprise security executives, more now than ever, understand how critical it is to discover and protect data wherever it is stored, as well as monitor and prevent it from being used inappropriately across multiple channels.
Discuss with your peers at this executive roundtable:
- Effective methods of protecting sensitive customer and company information
- Strategies for ensuring your data is safe when exchanged with third-party providers
- Processes and solutions that you have implemented to deal with endpoint security
- Technologies that you have implemented to help prevent data leakage
- Challenges and solutions for protecting data on mobile devices
- Ways to identify sensitive data, evaluate risk, and apply data classification standards
Building Trusted Relationships thru Federated Identity Management Solutions
Exchanging critical information across company boundaries - among customers, suppliers and partners - is a necessity in today's fast-paced world. End users expect to access all services via a single interface, user name and password. Yet the proliferation of the more flexible and open service oriented architecture (SOA) and Web 2.0 environments creates its own set of identity management and compliance challenges. Collaborating and managing user and services identities across a business ecosystem places substantial demand on enterprise IT infrastructures. With an ever-increasing amount of vital information contained in different security domains, using federated single sign-on (SSO) techniques to help integrate this information can provide quick benefits and savings.
Identity management can help companies simplify identity and password management systems while building new capabilities to integrate their efforts with partners and other organizations. Key benefits include:
- Centrally managing identities across multiple platforms, saving time, money, and resources
- Automating the provisioning process for new users, enabling the business to get up and running faster
- Automating the de-provisioning process for better security
- Managing enterprise-wide password policies, reducing costly calls to the help desk
- Improving adherence to compliance regulations and internal security policies
Discuss with your peers at this executive roundtable:
- How identity management can play a significant role in enabling organizations to meet today's demands for security and compliance
- How identity management initiatives can bring significant cost savings and competitive advantage to businesses
- Best practices for rolling out identity management initiatives for all phases of the identity lifecycle
- Challenges in the implementation of identity management systems such as NAC and provisioning
- The benefits and savings of implementing single sign-on in your organization
Virtualization and the Security Risks of Protecting Systems and Web Applications
Many organizations are embracing virtualization technologies and are actively moving forward with large scale implementations. Virtualization brings us new ways of doing things from managing desktop operating systems to consolidating servers. Virtualization has become a way to deconstruct fixed and relatively inflexible architectures and reassemble them into dynamic, flexible and scalable infrastructures.
Virtualization offers organizations the opportunity to reduce costs and increase agility; however, if this is done without implementing best practices for security, virtualization may actually increase costs and reduce agility, according to Gartner Inc. "Virtualization, as with any emerging technology, will be the target of new security threats," said Neil MacDonald, vice president and Gartner Fellow.
In addition, one of the biggest challenges in securing Web applications in a virtualized world is how to test the applications in an environment that is identical to that of the live application without risking data corruption or disruptions to customers.
Other security issues include the following:
- Patching and reboots in virtualized platforms
- Keeping track of security on two tiers, the physical host security and the virtual machine security
- The loss of segregation of duties for administrative tasks
- Immature and incomplete security and management tools
- Conducting security assessments on virtualized applications
The need for cross-platform virtual security to secure both virtualized and physical environments is clear. New emerging technologies for virtual machine security are an investment that must be considered before this technology outruns security best practices even further.
Discuss with your peers at this executive roundtable:
- How companies are dealing with complicated maintenance windows in a virtual server environment, and whether their ability to apply patches has significantly changed because of this environment.
- How companies are securing virtual machines and how existing configuration guidelines have changed or should be changed.
- What tools and technologies enterprises are using to help manage the security in this new environment.
- How companies are dealing with segregation of duties issues for administrative tasks.
- How to conduct vulnerability assessments on virtualized applications and the concept of virtual testing.
Instant Insecurity: The Challenges and Risks of E-Mail and Instant Messaging in Today's World
For most organizations today, e-mail is the single most critical channel for internal and external communication. With increases in network bandwidth, the use of e-mail as a vehicle for rich media has exploded. Beyond simple text, e-mail is now used to send rich media including HTML, graphics, audio, and video. Having become critical for corporations in the 1990s, e-mail is now a vital form of business record.
Of course, e-mail is no longer the only form of electronic messaging and collaboration. In recent years, instant messaging (IM) has caught on in many organizations. Users at most organizations now use IM - even if it isn't supported by the IT department. It's even been estimated that IM may overtake e-mail as soon as this year in terms of the number of messages sent between users.
But, just as with e-mail, the ease and power of IM have given rise to a number of risks and challenges. IM is increasingly the target for attackers to propagate IM-borne viruses, worms, malware and phishing attacks. These attacks have grown exponentially over the past three years, increasing the need for real-time threat response for IM and peer-to-peer (P2P) applications.
The ongoing issue facing security executives, then, is how to preserve the value of messaging in light of these escalating security threats.
Discuss with your peers at this executive roundtable:
- The challenges that you face as a security executive with a strong reliance on e-mail and instant messaging communications for your business.
- The different types of technologies, solutions, and business processes that you are using for secure messaging today at your organization.
- How you are logging and monitoring the use of these communications.
- Policies and standards around the use of these communication vehicles.
- How IM and e-mail have improved or hindered effectiveness and productivity in your organization.
Attaining Compliance with PCI Requirements in 2008 by Protecting Web-Facing Applications Against Known Attacks
Effective June 30, 2008, the PCI Security Standards Council released Requirement 6.6 to ensure the protection of Web applications for organizations that process credit card transactions. The requirement provides two options for implementation that are intended to address common threats to cardholder data. These options are source code review and application firewalls.
The intent of Requirement 6.6 is to ensure that Web applications exposed to the public Internet are protected against the most common types of malicious input. There is a great deal of public information available regarding Web application vulnerabilities. The council wrote in its guidance, "Proper implementation of both options would provide the best multi-layered defense; however, PCI SSC recognizes that the cost and operational complexity of deploying both options may not be feasible. Further, one or the other option may not be possible in some situations. It should be possible to apply at least one of the alternatives described in this paper and proper implementation can meet the intent of the requirement."
For organizations considering the application code review option, the PCI SSC laid out four options for code reviews that meet Requirement 6.6 which include:
- Manual review of application source code
- Proper use of automated application source code analyzer tools
- Manual Web application security vulnerability assessment
- Proper use of automated Web application security vulnerability assessment tools
In the context of Requirement 6.6, an "application firewall" is a web application firewall (WAF), which is a security policy enforcement point positioned between a web application and the client end point. This functionality can be implemented in software or hardware running in an appliance device or in a typical server running a common operating system.
Many organizations are working on how to meet this requirement before their next "Annual Report on Compliance" questionnaire is due.
Discuss with your peers at this executive roundtable:
- How your organization is interpreting this new PCI requirement
- Whether source code analysis or web application firewalls or both are currently being used or will be implemented in your environment
- How your organization is ensuring security is part of the SDLC (system development lifecycle)
Defending Against Attacks by Trusted Insiders and Achieving Regulatory Compliance
A recent survey by the Ponemon Institute of senior information security professionals found that attacks by trusted insiders were cited as their most serious concern. Moreover, a majority of these professionals stated that they "do not believe that they have taken adequate measures to protect against data loss."
A recent study by the US Secret Service found that most insider attacks are planned well in advance. While the premeditated nature of insider attacks may make them more sophisticated, it also increases the opportunity for organizations to detect and prevent such attacks using the right technology and techniques.
To help prevent insider attacks, good access governance requires the regular review and certification of user entitlements and roles to ensure that access rights to enterprise information assets are appropriate and meet regulatory mandates and guidelines. It is critical to know who has access to sensitive information, whether this access is appropriate, and who approved this access.
Discuss with your peers at this executive roundtable:
- How your organization creates and enforces access controls that ensure employees only have access to the information they need to do their jobs
- How you employ tools and techniques that are engineered to detect malicious activities both inside and outside the enterprise
- How your organization conducts revalidation of user access, either manually or in an automated fashion
- What technologies and techniques you deploy to detect and monitor insider threats resulting from access violations
- How you automate real-time monitoring and reporting to achieve ongoing compliance around threat management
Using Convergence and Integration to Transform Security from a Technology Issue to a Business Operational Risk Management Issue
Companies are faced with a plethora of issues... regulatory compliance, physical security, people safety, terrorism, awareness, the human factor (people and process), the insider threat, the third-party service provider, fraud, information security, privacy, crisis management, records management, process and service quality management, and more! How do we enable the business to see the forest for the trees and prioritize all these risks and issues in a more optimized and productive manner? How do we achieve operational excellence, seek new business opportunities, understand and illustrate risk concentration areas more effectively, and reduce risk in a measured but reasonable and practical way by making investments in people, process, and technology where the greatest return can be realized?
Discuss with your peers at this roundtable discussion:
- How to focus on maximizing and integrating security with a company's overall enterprise risk management program.
- How to achieve better governance, process and operations optimization, holistic operational risk management and prioritization.
- How to add greater value to the bottom line and achieve greater success in the organization.