Information Security Executive of the Year Award   Executive Alliance, Inc
ISE Southeast Executive Forum

Executive Alliance Leadership Summit Featuring the ISE Southeast Awards

Thursday, March 13, 2008
Grand Hyatt Atlanta in Buckhead
Atlanta, Georgia
2:00 PM
 


Led by:
Kimberly Van Nostern, CISSP
Resident Information Security Executive
Executive Alliance
ISE Midwest Awards 2005 Winner, ISE Midwest People's Choice Award 2005 Winner


Guest Host Moderators
Paul Huesken
Director, Information Assurance
The Coca-Cola Company
Topic 1: Protecting Data....A Task of Increasing Complexity with the Proliferation of Regulations and Emerging Technologies
Mark Johnson, CISSP
Chief Information Security Officer
Vanderbilt University & Medical Center
ISE National Awards 2007 Academic Category Winner
Topic 3: Virtualization and the Security Risks of Protecting Systems and Web Applications
John Penrod
Chief Information Security Officer
The Weather Channel
ISE Southeast Award Finalist 2006
 
Topic 4: Leveraging your Security investments.... Choosing between Best-of-breed New Products or Moving to an Integrated Suite
Lynn Goodendorf
Vice President, Information Privacy Protection, Head of Data Privacy
InterContinental Hotels Group
ISE UK and Ireland Awards 2007 Judge
Topic 5: The Changing Role of the Information Security Executive (ISE) from an Operations focus to a Risk Management Business Partner


Thought Leadership Topic One:

Protecting Data....A Task of Increasing Complexity with the Proliferation of Regulations and Emerging Technologies

Businesses of all sizes face similar issues when it comes to keeping data and systems protected and available. Data protection is emerging as one of the most critical tasks for Information Security, IT, and the Business. Exponential data growth and recently imposed regulatory requirements for data retention, availability, and privacy are happening against a backdrop of increasing threats.

Addressing compliance and the appropriate handling of compliance-related privacy data, such as Social Security numbers, credit card numbers, personally identifiable information, protected health information, and financial data, is critical for maintaining a strong public reputation, protecting corporate brand identity, and minimizing financial risk.

The need for protecting compliance-related privacy data and other sensitive data is clear, as risks can evolve from a variety of sources, including:

  • A malicious insider
  • Corporate espionage
  • End-user errors
  • Broken business processes
  • Misconfigured IT systems

Solutions for protecting sensitive data can include encryption, network access control (NAC), and network segmentation, including new software-based products that create secure zones.

Security practitioners have always had to deal with data leakage issues that arise from email, IM and other Internet channels, but now with the proliferation of mobile technology, it's easier than ever for data loss to occur, whether accidentally or maliciously. Protecting data on laptops and other mobile devices such as USB keys, Bluetooth devices, or removable CD drives presents a huge challenge.

Discuss with your peers at this round table:

  • How companies are segmenting their network to create secure zones and the challenges of using firewalls and NAC versus a software-based approach
  • Effective methods of protecting sensitive customer and company information
  • Strategies for ensuring your data is safe when exchanged with third-party providers
  • Processes and solutions that you have implemented to deal with endpoint security
  • Technologies that you have implemented to help prevent data leakage
  • Challenges and solutions for protecting data on mobile devices
  • Ways to identify sensitive data, evaluate risk, and apply data classification standards


Thought Leadership Topic Two:

The Benefits and Challenges of Implementing Identity Management Solutions Including Network Access Control and Provisioning

Recent and ongoing legislation relating to corporate governance and privacy protection, regardless of the specific law and jurisdiction, generally requires the same basic controls:

  • Strong authentication of all trusted users
  • Protection of customer data and sensitive corporate data through access controls, encryption, etc.
  • Effective controls over who has access to corporate and identity (internal users, customers) data
  • Audit trails that support discovery of which users have access to key data and business functions

Identity management plays a key role in providing an effective compliance infrastructure to ensure these controls are in place, and it's becoming more prominent in the security value chain. It's a complex issue, but it can help companies simplify identity and password management systems while building new capabilities to integrate their efforts with partners and other organizations. Some of the key benefits are the ability to centrally manage identities across multiple platforms, automate the provisioning and de-provisioning process, manage enterprise-wide password policies, and control access to networks, systems, and data.

Discuss with your peers at this executive round table:

  • How identity management can play a significant role in enabling organizations to meet today's demands for security and compliance
  • How identity management initiatives can bring significant cost savings and competitive advantage to businesses
  • Best practices for rolling out information management initiatives for all phases of the Identity lifecycle
  • Challenges in the implementation of identity management systems such as NAC and provisioning
  • How automating centralized management of sensitive information can enable effective and efficient regulatory compliance and reporting


Thought Leadership Topic Three:

Virtualization and the Security Risks of Protecting Systems and Web Applications

Many organizations are embracing virtualization technologies and are actively moving forward with large-scale implementations. Virtualization brings us new ways of doing things, from managing desktop operating systems to consolidating servers. Virtualization has become a way to deconstruct fixed and relatively inflexible architectures and reassemble them into dynamic, flexible and scalable infrastructures.

Virtualization offers organizations the opportunity to reduce costs and increase agility; however, if this is done without implementing best practices for security, virtualization may actually increase costs and reduce agility, according to Gartner Inc. "Virtualization, as with any emerging technology, will be the target of new security threats," said Neil MacDonald, vice president and Gartner Fellow.

In addition, one of the biggest challenges in securing Web applications in a virtualized world is how to test the applications in an environment that is identical to that of the live application without risking data corruption or disruptions to customers.

Other security issues include the following:

  • Patching and reboots in virtualized platforms
  • Keeping track of security on two tiers, the physical host security and the virtual machine security
  • The loss of segregation of duties for administrative tasks
  • Immature and incomplete security and management tools
  • Conducting security assessments on virtualized applications

Discuss with your peers at this executive round table:

  • How companies are dealing with complicated maintenance windows in a virtual server environment, and if their ability to apply patches has significantly changed because of this environment.
  • How companies are securing virtual machines and how existing configuration guidelines have changed or should be changed.
  • What tools and technologies enterprises are using to help manage the security in this new environment.
  • How companies are dealing with segregation of duties issues for administrative tasks.
  • How to conduct vulnerability assessments on virtualized applications and the concept of virtual testing.


Thought Leadership Topic Four:

Leveraging your Security investments.... Choosing between Best-of-breed New Products or Moving to an Integrated Suite

Maintaining security using tactical point solutions introduces complexity and inconsistency, but integrating security throughout the network with an integrated set of products can be just as intimidating.

We all strive for the following three advantages:

  • A secure network platform with integrated security to which you can easily add advanced security technologies and services
  • Threat control services focused on antivirus protection and policy enforcement that continuously monitor network activity and prevent or mitigate problems
  • Secure communication services that maintain the privacy and confidentiality of sensitive data, voice, video, and wireless communications while cost-effectively extending the reach of your network

The problem is that many of us Information Security Executives (ISEs) have had to purchase emerging technologies and point solutions to keep up with the threats that keep emerging in our new technology environment.

The other challenge is that big technology and security companies are buying up all the small security guys and trying to merge their products into an integrated suite. The dilemma then is whether to continue to go with best-of-breed new emerging technologies, or rip out some or all of the point solutions and go with the big vendors.

Discuss with your peers at this executive round table:

  • The advantages and disadvantages of implementing best-of-breed "emerging technology" solutions, or relying on the big security vendors for all of your needs
  • Concerns when you have purchased and implemented a point solution, and then this vendor is acquired by a larger company
  • What would be defining factors and requirements for your enterprise to de-install products such as Anti-Virus and Mail security and reinstall with a new vendor
  • The advantages and/or disadvantages of implementing one vendor's solutions versus having multiple vendors in place


Thought Leadership Topic Five:

The Changing Role of the Information Security Executive (ISE) from an Operations focus to a Risk Management Business Partner

Most Information Security Executives (ISEs) have been responsible for running Information Security organizations that were largely operational, with staff responsible for firewalls, intrusion detection, and forensics. Many companies are now migrating security operations to other well-established groups in IT that perform similar operations. Reorganization may include Network Intrusion Detection and Firewall Management moving under Network Operations, Server Hardening and Monitoring moving under Systems Administration, and Application Development Teams taking on responsibility for Application Security.

These major changes are enabling the ISE role to be more aligned with the business strategy of the organization. The role of the ISE is increasingly focused on risk management and on acting as a facilitator between operations and the business units. ISEs are becoming more like risk-management officers, able to understand risks from a technical point of view but, more importantly, from a business point of view. Compliance initiatives are also becoming a major responsibility of the ISE position, and collaboration with executives in privacy, legal, and core business units is key to continued success.

Discuss with your peers at this roundtable:

  • How your role as an Information Security Executive has changed in the past few years.
  • What your major challenges are and what you are doing to align more closely with your company's strategic business initiatives.
  • The benefits and/or concerns with moving Security operations into the IT organization.
  • Ways of building internal collaboration with your legal, privacy, and business partners around compliance initiatives.
  • The major roles and responsibilities of the Information Security Executive position today, and what you see for the future.
