EXECUTIVE SUMMIT & ROUNDTABLE 2009 - MIS Training
CISO EXECUTIVE SUMMIT & ROUNDTABLE 2009
DELIVERING PRAGMATIC & VALUE-ADDING SECURITY: REALISTIC SECURITY FOR BUSINESS REALITIES
“Definitely worth the money within the first half day” IT Security Officer, European Court of Auditors
MARRIOTT HOTEL, LISBON
10 – 12 JUNE 2009
DAY TWO: THURSDAY 11TH JUNE 2009
INFORMATION SECURITY RISK: A COMPREHENSIVE & BALANCED RISK MANAGEMENT APPROACH
08:15 WELCOME BREAKFAST KINDLY SPONSORED BY:
08:40 CHAIRMAN’S RE-OPENING
Charles V. Pask, Managing Director, ITSEC Associates Ltd
08:45 PATCH MANAGEMENT: INCREASINGLY A FACET OF EFFECTIVE RISK MANAGEMENT
Patch management is nothing new; by now we should have moved away from the 'install & forget' days of old to a position of comprehensive patch management across the enterprise. Nevertheless, we still see the exploitation of vulnerabilities hitting the headlines, with many organisations not only vulnerable to attack but successfully attacked & exploited. In this presentation we examine the increasingly critical role of Patch Management in the overall risk management framework & in doing so we look at:
• The underlying trends driving the need for Patch Management to be proactive & preventative, not reactive & curative
• What effective Patch Management looks like & what key considerations need to be taken into account
• Why Patch Management in isolation is ineffective & how it fits into the bigger scheme of things
• How people & process play as important a role as technology in making effective Patch Management a reality
Marcus Alldrick, CISO, Lloyd's
09:20 MANAGING THIRD PARTY DATA SECURITY
• Importance of managing data security across third parties & supply chain
• Understand ownership & main responsibilities
• Key contractual requirements
• Future and trends in managing data security throughout the supply chain
Daniel Barriuso, Head of IT Risk EMEA, Credit Suisse
Daniel Barriuso is the Head of IT Risk for EMEA and Global Asset Management at Credit Suisse. He is responsible for managing IT Risk and Information Security across more than 18 countries in Europe, Middle East and Africa, as well as globally for the Asset Management Division. Prior to joining Credit Suisse, Daniel was the Director of the Europe Information Security and Technology Risk Assessment departments at ABN AMRO Bank N.V. in London, where he developed and pioneered successful risk assessment methodologies. Daniel also dedicates his time as a professor in the Security Post-Graduate Master course at the "Universidad Politecnica de Madrid", where he teaches and researches in the areas of IT governance and management of security investment. He is currently a member of the Investment Banking Information Security Group (IB SIG) and is a frequent speaker and contributor in IT risk forums and events.
09:50 WHAT EVERY CISO SHOULD KNOW ABOUT INDUSTRIAL ESPIONAGE: MANAGING THE BROADER THREATS TO INFORMATION SECURITY
Tony Crilly, Managing Director, Saladin Technical Services plc
Following on from a distinguished career in the British Army (which included five years in Northern Ireland on surveillance tasks involving the use of specialist technology on counter terrorist operations), Tony joined the commercial sector in 1988 & management consultancy in 1991. He has held a number of senior positions within the industry & has worked in countless countries worldwide on complex investigations & assignments, including protective security during the critical negotiations for the multi-billion Al Yamamah II deal & for the world premiere of the Eurofighter Typhoon Aircraft. More recently, in addition to managing Saladin Technical Services, he has been involved in the development of standards within the Security Industry & on International approaches to Nuclear and Radiological Security (non-proliferation), working in association with NATO, the NNSA (USA) & MinAtom (Russian Federation).
10:20 MORNING COFFEE BREAK & EXHIBITION
10:50 WHAT ARE THE KEY EMERGING SECURITY & E-CRIME RISKS? DETECTING MASSIVE CONTROL FAILURES – IS THIS A ROLE FOR TODAY’S SECURITY CHIEFS?
Heads of Information Security & experts list their top ‘hot buttons’ & focus for 2009 & beyond, sharing the latest threats they face, as well as their planned security strategy going forward & key lessons for other industry sectors.
• What are the top 3 technology risks & trends on your priority list?
• How has the global financial crisis & the uncovering of recent high profile frauds impacted your approach to security?
• How to manage social networking vulnerabilities
• The threat of social engineering to hijack sensitive information
• How far to police or trust staff, & how to maintain thought leadership across highly networked groups of staff
• How will emerging risks (malware & attack vectors, viruses) affect your organisation?
• What are your plans to test your security strategy & take a proactive stance?
• Recommendations going forward
• Protecting your organisation from the greed of top execs: a valid role for today’s CISO?
Chaired by: Paul Wood, Group Chief Security Officer, Aviva
Panellists: Philippe Huard, Seagate Technology; Jorge Pinto, Chief Security Officer, InfoSec.ONline.pt, Portugal; Edward P. Gibson, FBCS*, Chief Cyber Security Advisor, Microsoft Ltd (UK); Sarb Sembhi, President, ISACA London Chapter; Robert Coles, Global CISO, Merrill Lynch; Neil Jarvis, Head of IT Security, IT Risk and Business Continuity, DHL Exel Supply Chain
11:35 AWARENESS RAISING: MAKING ‘THE RISK, OUR INFORMATION, YOUR RESPONSIBILITY’ & OTHER AWARENESS MATERIAL
As you know, raising the awareness of colleagues about information risks is becoming increasingly important. However, the impact of many of the older ways of doing this has declined, perhaps because they have become rather tired & dated. One of Mark’s responsibilities has been to address this, which has involved the making of a film, road shows, poster campaigns etc. The Barclays approach has been different & innovative, & these initiatives have attracted a number of awards. This is a multimedia presentation that will grab your attention & will stimulate further debate amongst the audience.
• Our approach
• The impact it’s had
• The lessons learned
• Next steps
Mark Logsdon, Information Risk Management, Barclays
12:35 WHY SECURE CODING IS NOT ENOUGH
John Colley, Managing Director EMEA, (ISC)2 EMEA
13:10 LUNCH
14:15 INTERACTIVE SESSION – PLEASE SELECT YOUR PREFERRED BREAK-OUT….
BREAK-OUT A: HOW HACKERS GET & CRACK PASSWORDS?
Jason Hart
BREAK-OUT B: THE CONVERGING WORLDS OF PHYSICAL & DIGITAL SECURITY – INTERACTIVE SESSION!
An interactive session - participants will examine some of the processes where convergence can cause conflict. You will work in small groups & consider processes such as investigations & physical/digital access control. How are operational boundaries defined? How are responsibilities managed? Who controls the budget & resources? What are the key steps for a CISO to take?
Dr. Frank Marsh, Associate, BurrillGreen Ltd
14:55 PRIVACY ENHANCING TECHNOLOGIES (PETs)
Although privacy enhancing technologies have been researched for the past 20 years, it's only recently that they have found a new & enthusiastic audience, spurred on by data breaches in the public & private sector. The UK's Information Commissioner's Office has embedded their use into its privacy by design initiative, & the European Commission publicly backs the development & application of these technologies within industry & through its research programme. PETs: What are they anyway? Why should I care? What options are available to me now? How are they likely to develop in the short to medium term? What tools are available to me to enable them to be embedded into my organisation?
Paul Hopkins, Head of Network Vulnerability Intelligence e-Security Group, University of Warwick
15:30 AFTERNOON TEA BREAK & SPONSORS’ PRIZE DRAW
15:50 SECURITY VS. PRIVACY
The panel will discuss how to deal with areas of potential conflict between privacy & security.
• What do we mean by privacy? Information about us? Information belonging to us? Space we regard as ours, like a phone or bag? Our physical privacy - searches?
• What is the privacy role of the CISO?
• Should there be a "privacy officer" separate from the Security team?
• How does a CISO balance the need for privacy during investigations?
• Do you prevent, allow and monitor, or allow & not monitor? Who sets the rules?
Chaired by: Dr. Frank Marsh, Associate, BurrillGreen Ltd
Panellists: Michael Colao, Global CISO & Director Information Management, Dresdner Kleinwort; Marcus Alldrick, CISO, Lloyd's; Paul Hopkins, Head of Network Vulnerability Intelligence e-Security Group, University of Warwick; Mark Chaplin, Senior Research Consultant, Information Security Forum; Janet Day, IT Director, Berwin Leighton Paisner LLP
16:30 CONSUMER APPLICATIONS: CREATING SECURITY PROBLEMS?
Consumer applications such as Skype & Gmail have caught the imagination of the corporate world. With easy access & zero cost, many organisations are assessing these applications for use internally. Users are also demanding access to some of these applications on the basis of productivity, ease of use & personal experience. Whilst there are business versions of these applications, the uptake may be via the consumer products. This presentation explores the risks that organisations may be exposed to by adopting these applications or allowing users to access these applications with insufficient guidelines.
Neil Jarvis, Head of IT Security, IT Risk and Business Continuity, DHL Exel Supply Chain
Neil has over 14 years' experience in both commercial & government information systems security & a proven track record in the specification, design & implementation of complex IT & security infrastructure solutions to meet business requirements. His experience includes network infrastructure, server infrastructure, operating systems security, application security, information security, penetration testing, disaster recovery, business continuity, business requirements gathering, analysis, interpretation & delivery of pragmatic, cost-effective solutions.
17:10 PROTECTING INFORMATION IN THE END USER ENVIRONMENT
Mark Chaplin, Senior Research Consultant, Information Security Forum
17:50 SINTRA DINNER - KINDLY SPONSORED BY:
Networking Diary at CISO Summit 2009!
Meeting your information security peers to exchange ideas & build trust-based networks is an integral part of the CISO Summit. As such, MIS & Sponsors have set aside dedicated time for networking, which will allow you to enjoy your time in Lisbon. Activities listed below are provisional. Further details will be announced soon!
9TH JUNE 2009 - Welcome Drinks in the Garden of the Marriott Lisbon Hotel
Meet & make strong first impressions as participants arrive the evening before the summit starts!
10TH JUNE 2009
CISO Port & Wine Tasting Reception, Lisbon: Kindly Sponsored by
Taste a selection of ports & wines with security peers at a historic Pombal cellar in the heart of Lisbon's historic city centre, with a presentation on the Portuguese vineyard, different regions, different types of Port wines & the Portuguese grape varieties.
Followed by CISO Fado Dinner, Lisbon
Join the group for dinner at one of the most reputable & authentic Fado Houses, where several singers will perform during the course of the evening.
11TH JUNE 2009
Sintra Evening Tour & Dinner Overlooking the Beach: Kindly Sponsored by
Sample the rich history & culture that the region has to offer with peers in rustic Sintra, just outside Lisbon. Explore the charming, picturesque town of Sintra, stopping off for drinks at one of the quaint bars for a reception. A short drive away, a delicious fish dinner will then be served in a restaurant overlooking the sea.