The Annual Meeting of the Chapter Membership is the Chapter's signature event and provides a broad spectrum of topics in high risk and emerging areas of IT management, audit, and security. The Chapter Board also provides an update on Chapter activities for the year and a glimpse at the year ahead. Afterwards, there will be a networking mixer where you will have the opportunity to meet and greet speakers, Chapter board members, and other IT professionals.
Networking Mixer Afterwards
Join us immediately after the Annual Meeting for a networking mixer in the Rooftop Restaurant atop the Holiday Inn Rosslyn.
Next Generation NIST Security and Privacy Standards and Guidelines: 2018 and Beyond – Dr. Ron Ross
As we push computers to “the edge” building an increasingly complex world of interconnected systems and devices, security and privacy continue to dominate the national conversation. The Defense Science Board in its 2017 report, Task Force on Cyber Defense, provides a sobering assessment of the current vulnerabilities in the U.S. critical infrastructure and the systems that support the mission essential operations and assets in the public and private sectors. There is an urgent need to further strengthen the underlying systems, component products, and services that we depend on in every sector of the critical infrastructure—ensuring those systems, components, and services are sufficiently trustworthy and provide the necessary resilience to support the economic and national security interests of the United States. NIST is undertaking a multi-year project to update its key FISMA publications to align with the Cybersecurity Framework, integrate privacy, and promote closer collaboration between the C-suite and system implementers and operators. The ultimate objective is to make the systems we depend on more penetration resistant to attacks; limit the damage from attacks when they occur; and make the systems resilient and survivable.
Automotive Cybersecurity in the Connected World – Dr. Gedare Bloom
The security of every vehicle on the road is necessary to ensure the safety of every person on or near roadways, whether a motorist, bicyclist, or pedestrian. Features such as infotainment, telematics, and driver assistance greatly increase the complexity of vehicles: top-of-the-line cars contain over 200 computers and 100 million lines of software code. With rising complexity comes rising costs to ensure safety and security. This talk discusses the capabilities of remotely launched cyber attacks against a moving automobile, identifies challenges inherent in responding to those attacks in a manner that ensures the safety of humans in close proximity to the vehicle, and explores emerging methods to improve vehicular security through cryptography and in-vehicle network intrusion detection systems (IDS).
Upgrade the IT Audit Process with Python – Daniel Shorstein
This session will discuss the basics of the open source Python language, provide some example use cases, then go through a live demonstration of using Python to import and validate user control access data, perform testing, and document the process and results.
Watch and learn how Python, in a Jupyter Notebook, can be used to perform nearly all steps of the audit process, including documenting the procedures performed, the Python code, the results, and the conclusion, all contained in one file that can be published and saved as audit documentation. Then, see how the same code can be pointed at a new source data set and re-run to update the results with the new data, maintaining the documentation and format with minimal effort.
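An added example, not code from the session or its presenter, of the kind of user-access-review test the abstract describes: it loads an application's access export and an HR roster, runs four control tests, and returns findings that a notebook can document next to the code. The CSV columns, the sample rows, the approved-admin list and the as-of date are all constructed assumptions.

```python
"""Added example of scripted user access review testing (constructed sample data)."""
import csv
import io
from datetime import date

# Constructed sample: an application's user access export (assumed column layout).
ACCESS_EXPORT = """user_id,name,role,status,last_login
u100,Alice Adams,admin,active,2018-03-02
u101,Bob Brown,user,active,2018-03-05
u102,Carol Clark,admin,active,2017-11-20
u103,Dan Diaz,user,active,2018-01-15
u103,Dan Diaz,user,active,2018-01-15
u104,Eve Evans,user,disabled,2017-06-01
"""

# Constructed sample: HR roster with termination dates (empty = still employed).
HR_ROSTER = """user_id,termination_date
u100,
u101,
u102,2018-01-31
u103,
u104,2017-05-30
"""

# Constructed sample: the documented, approved list of privileged (admin) accounts.
APPROVED_ADMINS = {"u100"}

# Constructed assumption: the date the review is performed as of.
AS_OF = date(2018, 3, 10)


def load_rows(csv_text):
    """Parse CSV text (as exported from the system) into a list of dict rows."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def review_access(access_csv, hr_csv, approved_admins, as_of, dormant_days=90):
    """Run the control tests and return a list of (test, user_id, detail) findings."""
    access = load_rows(access_csv)
    terminated = {r["user_id"]: r["termination_date"]
                  for r in load_rows(hr_csv) if r["termination_date"]}
    findings = []
    seen = set()
    for r in access:
        uid = r["user_id"]
        # Test 1: data integrity - the same user appears more than once in the export.
        if uid in seen:
            findings.append(("duplicate_row", uid, "user appears more than once"))
        seen.add(uid)
        if r["status"] != "active":
            continue  # remaining tests only concern accounts that can still log in
        # Test 2: terminated employees who still hold active access.
        if uid in terminated:
            findings.append(("terminated_active", uid, f"terminated {terminated[uid]}"))
        # Test 3: privileged access that is not on the approved list.
        if r["role"] == "admin" and uid not in approved_admins:
            findings.append(("unapproved_admin", uid, "admin role not on approved list"))
        # Test 4: dormant accounts with no login within dormant_days of the as-of date.
        last = date.fromisoformat(r["last_login"])
        if (as_of - last).days > dormant_days:
            findings.append(("dormant", uid, f"last login {last}"))
    return findings


def summarize(findings):
    """Count findings per test so the outcome can be documented in the notebook."""
    counts = {}
    for test, _, _ in findings:
        counts[test] = counts.get(test, 0) + 1
    return counts


def run_review():
    """Run the review over the constructed sample data; re-point the inputs to re-run."""
    return review_access(ACCESS_EXPORT, HR_ROSTER, APPROVED_ADMINS, AS_OF)


if __name__ == "__main__":
    for finding in run_review():
        print(*finding)
    print(summarize(run_review()))
```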
Secure Agile Development and FISMA Compliance: Making It Actually Work Well – Matthew Flick
Agile is currently the premier software development model and will remain so for the foreseeable future. It provides solutions to many of the problems and speed bumps in older SDLC models that hampered development. Unfortunately, security is not one of them, at least not by default. But it does not have to stay that way.
In fact, an agile SDLC could enhance an organization’s application security posture due to agile development’s inherent agility (hence the name). To attain this advantage, organizations must adapt their application security personnel, processes, and tools to work seamlessly with the development side of the house to make secure agile development (SAD) a reality. It is even possible to incorporate FISMA and other regulatory compliance reviews within SAD. In this presentation, we will cover these topics that could have a significant impact on implementing a secure agile development environment, ensuring continuous monitoring and compliance, and recommendations for success.
Confessions of a lifetime auditor – Loren Schwartz
This session will be a fun and interactive discussion of Mr. Schwartz’s professional experience as an auditor. Mr. Schwartz will discuss some tricks of the trade and the red flags an auditor should look for that might be signs of an audit finding. The presenter will also discuss some “lesser known tactics” for identifying audit findings. This fun and lively session is appropriate for all auditors (and even those who get audited).
Building a Risk-Based Cybersecurity Program – Doug Howard
Companies around the world are spending billions of dollars on technologies without ever properly operationalizing their IT security purchases. Drawing on hundreds of customer engagements, ranging from small companies to the largest in the world, this session shows how investments (in people and technology) made without a systematic plan, with defined goals based on business objectives and aligned to reducing risk, will fail. Create successful outcomes by leveraging industry standards and approaches. Lessons learned and useful approaches on how to align business and risk in a prioritized manner, resulting in optimal use of your limited resources, will be shared.
- Risk management and cybersecurity can be leveraged to help achieve business goals. Hear ideas on how successful security executives have been able to align with the priorities of company visions and organizational missions and show true value to the organization.
- Prioritize short-term, high-value items that provide immediate risk reduction.
- Align industry and geographical regulatory requirements in a tiered fashion so as to leverage commonality.
- Automate what can be automated; evaluate what is avoidable and unavoidable.
- Everything is measurable in some way; defining success, measuring relentlessly, and promoting success are key factors in an ongoing, sustainable program.
- Roadmap commonalities in processes and risk reduction for long-term success.
ERM and IT: An Integral Partnership – Thomas Brandt
While technology-related risks are inherent in any organization, Federal agencies are confronted with significant risks resulting from an array of unique challenges and demands in an era of constrained resources, increasing expectations, heightened consequences, and intensive scrutiny and oversight. In this session, learn how ERM can provide opportunities to better focus internal and external attention on key IT-related risks that impact an agency’s mission, helping to build awareness and understanding of risks, and garnering greater support for key mitigation investments and approaches.
Security Monitoring & Incident Response – Susan Carter, Sushila Nair
Effective critical incident response (CIR) is a fundamental component of minimizing loss and destruction, mitigating weaknesses, and building resilience. This session covers detecting security incidents using monitoring and responding to them effectively. The session will cover:
• Security threat detection models
• Components of effective security monitoring
• Tools for incident investigation & response
• Best practices for critical incident response (CIR)
Yehuda Schmidt joined Cotton & Company’s Information Assurance (IA) group in January 2015 as a senior manager with more than 27 years’ experience in assisting federal government agencies with finance, accounting, business process improvement, information technology internal controls, and program management. He has extensive experience in managing reviews of internal controls over financial reporting, operational controls, and risk management in compliance with Office of Management and Budget (OMB) Circular A-123. He is a results-oriented senior manager with extensive experience in assisting agencies in preparing for external audits and working closely with agency management, external auditors, and agency Inspectors General, resulting in the agencies obtaining clean annual audit opinions, improving control effectiveness, and reducing the cost of compliance.
Yehuda joined ISACA in 1997 and served as ISACA-GWDC CISA Review Course Coordinator, ISACA-GWDC chapter’s President in 2000-2001, and the Annual Conference Coordinator for over 15 years.
Ron Ross is a Fellow at the National Institute of Standards and Technology. His focus areas include information security, systems security engineering, and risk management. Dr. Ross leads the Federal Information Security Modernization Act (FISMA) Implementation Project, which includes the development of security standards and guidelines for the federal government, contractors, and the United States critical infrastructure. His current publications include Federal Information Processing Standards (FIPS) 199 (security categorization), FIPS 200 (security requirements), and NIST Special Publication (SP) 800-39 (enterprise risk management), SP 800-53 (security and privacy controls), SP 800-53A (security assessment), SP 800-37 (Risk Management Framework), SP 800-30 (risk assessment), SP 800-160 (systems security engineering), and SP 800-171 (security requirements for nonfederal systems and organizations). Dr. Ross also leads the Joint Task Force, an interagency partnership with the Department of Defense, Office of the Director of National Intelligence, U.S. Intelligence Community, and the Committee on National Security Systems, with responsibility for the development of the Unified Information Security Framework for the federal government and its contractors.
Dr. Ross previously served as the Director of the National Information Assurance Partnership, a joint activity of NIST and the National Security Agency. In addition to his responsibilities at NIST, Dr. Ross supports the U.S. State Department in the international outreach program for information security and critical infrastructure protection. He has also lectured at many universities and colleges across the country including the Massachusetts Institute of Technology, Dartmouth College, Stanford University, the George Washington University, and the Naval Postgraduate School. A graduate of the United States Military Academy at West Point, Dr. Ross served in many leadership and technical positions during his twenty-year career in the United States Army. While assigned to the National Security Agency, Dr. Ross received the Scientific Achievement Award for his work on an inter-agency national security project and was awarded the Defense Superior Service Medal upon his departure from the agency. Dr. Ross is a four-time recipient of the Federal 100 award for his leadership and technical contributions to critical information security projects affecting the federal government and is a recipient of the Presidential Rank Award. He has also received the Department of Commerce Gold and Silver Medal Awards and has been inducted into the Information Systems Security Association Hall of Fame and given its highest honor of Distinguished Fellow. In addition, Dr. Ross has been inducted into the National Cyber Security Hall of Fame.
Dr. Ross has received numerous private sector cybersecurity awards including the Partnership for Public Service Samuel J. Heyman Service to America Medal for Homeland Security and Law Enforcement, Applied Computer Security Associates Distinguished Practitioner Award, Government Computer News Government Executive of the Year Award, Vanguard Chairman’s Award, Government Technology Research Alliance Award, InformationWeek’s Government CIO 50 Award, Billington Cybersecurity Leadership Award, ISACA National Capital Area Conyers Award, ISACA Joseph J. Wasserman Award, Symantec Cyber 7 Award, SC Magazine’s Cyber Security Luminaries, (ISC)² Inaugural Lynn F. McNulty Tribute Award, 1105 Media Gov30 Award, and three-time Top 10 Influencers in Government IT Security. During his military career, Dr. Ross served as a White House aide and a senior technical advisor to the Department of the Army. He is a graduate of the Defense Systems Management College and holds Master’s and Ph.D. degrees in Computer Science from the U.S. Naval Postgraduate School, specializing in artificial intelligence and robotics.
Dr. Gedare Bloom is an assistant professor in the Department of Electrical Engineering and Computer Science at Howard University, where he directs the Embedded Systems Security Lab. He earned his Ph.D. in Computer Science from The George Washington University in 2013 and joined Howard University in 2015. His research expertise is computer system security, with a particular focus on real-time embedded systems used in critical infrastructure that have lifetimes measured in decades. The techniques he applies to solve problems along the hardware-software interface span computer architecture, computer security, cryptography, operating systems, and real-time analysis. Dr. Bloom is also a maintainer for the RTEMS open-source hard real-time operating system, which is used in robotics frameworks, unmanned vehicles, satellites and space probes, automotive, defense, building automation, medical devices, industrial controllers, and more. He has published more than 30 peer-reviewed articles in scholarly venues and routinely serves on conference and workshop program committees. Dr. Bloom is a member of the ACM (SIGARCH, SIGBED, SIGCSE, SIGOPS, and SIGSAC) and IEEE (Computer Society, Technical Committee on Real-Time Systems).
Daniel Shorstein is a manager at Deloitte & Touche LLP in its Federal Risk and Financial Advisory practice. Daniel has more than 12 years of experience providing accounting, auditing, tax, and consulting services, specializing in developing data analyses around financial and related operational data for audit readiness, audit remediation, and business process reengineering. Mr. Shorstein has spoken at the national Association for Governmental Accounting (AGA) conference, and has had an article published as the cover story in Florida CPA Today. Daniel is growing the financial reporting and analytic capabilities of Deloitte practitioners by developing and teaching a Federal Accounting Learning Program and by developing and delivering a series of Python courses. Daniel creates innovative data-driven insights using open data made available through the DATA Act, with the goal of providing agencies and the public with new and interesting ways to benefit from the DATA Act.
Matthew Flick is a Managing Principal at FYRM Associates with over sixteen years of professional experience in information assurance. Mr. Flick’s background is in application security and secure development, security assessments, security program development, and regulatory compliance. He has assisted numerous Fortune 1000 companies and Federal Government agencies in building mature application security and information security programs in accordance with industry standards and regulatory mandates. During the last seven years, Mr. Flick has instructed nearly 1000 developers and application security professionals, has presented on application security research at Black Hat DC, DEFCON, and several OWASP chapters and universities, and has been utilized by media outlets including Forbes, Technology Review, and Dark Reading.
Melody Balcet (@MelodyBalcet) is the Director, Global Cybersecurity at The AES Corporation, a US-based Fortune 200 energy company operating in 15 countries. Previously, she spent over eleven years with IBM's Public Sector Cybersecurity and Biometrics service area, leading its Defense and Intelligence Cybersecurity capture activities and serving government clients in both Defense and Civilian agencies, most recently as an advisor on DoD-wide FISMA and cybersecurity performance metrics activities under the DoD Deputy Chief Information Officer for Cybersecurity. Outside of the ISACA GWDC, she has held numerous roles with ISACA as well as other non-profit organizations. Ms. Balcet achieved an MA with Merit from the University of Manchester, Institute of Development Policy and Management (IDPM), and a BA from The College of William and Mary. She actively holds the Certified Information Systems Security Professional (CISSP) and Certified Information Security Manager (CISM) certifications. Ms. Balcet co-authored a chapter in “Protecting Our Future: Educating a Cybersecurity Workforce” and regularly speaks on GRC, FISMA, cybersecurity measurement, workforce, and leadership topics.
Loren Schwartz joined Cotton & Company in May 2002 and was elected a partner in April 2003. Loren has more than 20 years of diversified information system audit, financial and operational audit, privacy, and risk management consulting experience. He directs many of the firm’s major information technology reviews and audits.
Loren’s experience includes directing and participating in a wide range of system reviews, Federal Information Security Management Act (FISMA) audits, financial statement audits, process re-engineering improvement projects, and audits of internal management controls of automated information systems. He has directed projects with clients ranging in size from start-up entrepreneurial organizations to Fortune 500 organizations. His industry experience includes both commercial and governmental clients. He also has conducted speaking engagements for well-known industry organizations on a variety of Information Technology (IT) -related topics.
Loren holds a Bachelor of Science degree in Accounting from Virginia Polytechnic Institute and State University. He is a Certified Public Accountant (CPA), a Certified Information Systems Security Professional (CISSP), and a Certified Information Systems Auditor (CISA). He is an active member of the following professional organizations:
- American Institute of Certified Public Accountants (AICPA)
- Information Systems Audit and Control Association (ISACA) (Washington, DC Chapter)
He also is a Board Member at Ronald McDonald House Charities® of Greater Washington, DC.
Mr. Schwartz resides in Northern Virginia with his wife and three children. He enjoys spending time with his family and traveling.
Doug Howard is Vice President of Global Services leading a team of nearly 750 employees and 250 contractors across RSA’s Risk and Cybersecurity Practice, the RSA Advanced Cyber Defense, the RSA Incident Response Practice, Customer Support, Customer Success, Professional Services and RSA University. Doug has 25 years of experience and a track record of leading organizations through times of transformation, establishing growth, and often turnaround, enabling the organizations to better diversify revenue, reach profitability, and achieve market recognition as leaders in their industries. His career spans leadership roles at SAVANTURE, VBrick, BAE SilverSky, BT Counterpane, AT&T and Flag Telecom. Doug also proudly served in the US Air Force.
Thomas (Tom) Brandt serves as the IRS’s Chief Risk Officer. He leads the agency’s enterprise risk management program, enabling the identification, prioritization, evaluation and mitigation of key risks to achieving the IRS mission. Previously, Tom was the Director of Planning, Analysis, Inventory and Research in the IRS’s Large Business and International Division, with responsibility for the Division’s workload selection and compliance risk identification programs. He has held various other positions at the IRS in the areas of planning, performance management, and evaluation.
In 2016, Tom served as the Head of the Tax Administration Unit at the Organization for Economic Cooperation and Development (OECD) in Paris, France where he led the work of the Forum on Tax Administration (FTA), a unique body that brings together the leaders of tax administrations from 50 countries to identify, discuss and influence relevant global trends and develop new ideas to enhance tax administration around the world.
From 2005-2007, Tom worked for Maricopa County, Arizona where he coordinated the County’s Managing for Results program. He has also provided tax administration advisory and capacity building assistance to numerous tax administrations through projects of the International Monetary Fund and OECD.
Tom earned his master’s degree in public administration from American University in Washington, D.C. and his bachelor’s degree in political science from the State University of New York at Geneseo.
Susan Carter is a member of NTT Security Inc. Consulting Services and the Global Threat Intelligence team and has more than 25 years of information services and computer security experience. Susan was a key contributor in building out legacy Solutionary’s Incident Response Services and is still very active in the day-to-day operations. Prior to working for NTT Security, Susan was a Cyber Security Analyst for a managing contractor to the Department of Energy/National Nuclear Security Administration (NNSA), where she developed the site’s computer incident response plans and procedures. She also served as an Incident Response Coordinator and Lead Computer Forensic Analyst. In this role, Susan was responsible for incident response and forensic analysis support, including Human Resources-type investigations with the NNSA and Department of Energy.
Sushila Nair is a senior director at NTT DATA. NTT is one of the world’s largest technology services companies, ranked 65 in the Fortune 500, and is one of the most valuable brands in the world. Sushila has over twenty years' experience in computing infrastructure, business, and security and has worked in a number of diverse areas: risk analysis, threat modelling, credit card fraud, mobile security, and real-time security monitoring. Sushila owned and managed her own business for 10 years, delivering professional services to large financial organizations. She worked with the insurance industry in Europe and America on methods of underwriting e-risk insurance based on ISO 27001. She volunteers with several non-profit organizations, notably serving as the Marketing Director of the ISACA Greater Washington DC Chapter. She has published numerous articles in the computing press, and has spoken at CACS, SEGURINFO, BrightTALK, FinSec, and many other global technical events on diverse subjects ranging from mobile security to threat modelling.
All Students: Please bring your student identification.
ISACA Members from Other Chapters: You will need to bring your ISACA Membership Card to the event to verify your ISACA Membership.
If you require assistance for an audio, visual, or other disability, please contact the event planner to discuss your needs as soon as possible. We need as much advance notice as possible to determine whether requests can be accommodated.
Conference presentations are posted to the Presentations Library when permission is received from the presenter and their organization. In some cases, permission is not received.
Earn up to 8 Continuing Professional Education (CPE) credits in the area of Specialized Knowledge. The ISACA® GWDC is registered with the National Association of State Boards of Accountancy (NASBA) as a sponsor of continuing professional education on the National Registry of CPE Sponsors. State boards of accountancy have final authority on the acceptance of individual courses for CPE credit. Complaints regarding registered sponsors may be submitted to the National Registry of CPE Sponsors through its website: http://www.learningmarket.org.
CPEs will be distributed via e-mail along with the event evaluation survey after the completion of the event. Attendees must be present for the full day to receive full CPE credit.