The Annual Meeting of the Chapter Membership is the Chapter's signature event and provides a broad spectrum of topics in high risk and emerging areas of IT management, audit, and security. The Chapter Board also provides an update on Chapter activities for the year and a glimpse at the year ahead. Afterwards, there will be a networking mixer where you will have the opportunity to meet and greet speakers, Chapter board members, and other IT professionals.
Networking Mixer Afterwards
Join us immediately after the Annual Meeting for a networking mixer in the Rooftop Restaurant atop the Holiday Inn Rosslyn.
Next Gen Controls for Security and Privacy in the Internet of Things; The Evolution of NIST SP 800-53, Revision 5
As we push computers to “the edge”, building an increasingly complex world of interconnected systems and devices, security and privacy continue to dominate the national conversation. The Defense Science Board in its 2017 report, Task Force on Cyber Defense, provides a sobering assessment of the current vulnerabilities in the U.S. critical infrastructure and the systems that support the mission essential operations and assets in the public and private sectors.
“…The Task Force notes that the cyber threat to U.S. critical infrastructure is outpacing efforts to reduce pervasive vulnerabilities, so that for the next decade at least the United States must lean significantly on deterrence to address the cyber threat posed by the most capable U.S. adversaries. It is clear that a more proactive and systematic approach to U.S. cyber deterrence is urgently needed…”
There is an urgent need to further strengthen the underlying systems, component products, and services that we depend on in every sector of the critical infrastructure—ensuring those systems, components, and services are sufficiently trustworthy and provide the necessary resilience to support the economic and national security interests of the United States. NIST Special Publication 800-53 responds to the call by the Defense Science Board by embarking on a proactive and systemic approach to develop and make available to a broad base of public and private sector organizations, a comprehensive set of safeguarding measures for all types of systems, including general purpose computing systems, cyber-physical systems, cloud and mobile systems, industrial/process control systems, and IoT devices. Those safeguarding measures include security and privacy controls to protect the critical and essential operations and assets of organizations and the personal privacy of individuals. The ultimate objective is to make the systems we depend on more penetration resistant to attacks; limit the damage from attacks when they occur; and make the systems resilient and survivable.
Secure Agile Development and FISMA Compliance: Making It Actually Work Well
Agile is currently the premier software development model for the foreseeable future. It provides solutions to many of the problems and speed bumps in older SDLC models that hampered development. Unfortunately, security is not one of them…at least not by default. But it does not have to stay that way.
In fact, an agile SDLC could enhance an organization’s application security posture due to agile development’s inherent agility (hence the name). To attain this advantage, organizations must adapt their application security personnel, processes, and tools to work seamlessly with the development side of the house to make secure agile development (SAD) a reality. It is even possible to incorporate FISMA and other regulatory compliance reviews within SAD. In this presentation, we will cover these topics that could have a significant impact on implementing a secure agile development environment, ensuring continuous monitoring and compliance, and recommendations for success.
Upgrade the IT Audit Process with Python
This session will discuss the basics of the open source Python language, provide some example use cases, then go through a live demonstration of using Python to import and validate user control access data, perform testing, and document the process and results.
Watch and learn how Python, in a Jupyter Notebook, can be used to perform nearly all steps of the audit process, including documenting the procedures performed, the Python code, the results, and the conclusion, all contained in one file that can be published and saved as audit documentation. Then, see how the same code can be pointed at new source data and re-run to update the results, maintaining the documentation and format with minimal effort.
Automotive Cybersecurity in the Connected World
The security of every vehicle on the road is necessary to ensure the safety of every person on or near roadways, whether a motorist, bicyclist, or pedestrian. Features such as infotainment, telematics, and driver assistance greatly increase the complexity of vehicles: top-of-the-line cars contain over 200 computers and 100 million lines of software code. With rising complexity comes rising costs to ensure safety and security. This talk discusses the capabilities of remotely launched cyber attacks against a moving automobile, identifies challenges inherent in responding to those attacks in a manner that ensures the safety of humans in close proximity to the vehicle, and explores emerging methods to improve vehicular security through cryptography and in-vehicle network intrusion detection systems (IDS).
Matthew Flick is a Managing Principal at FYRM Associates with over sixteen years of professional experience in information assurance. Mr. Flick’s background is in application security and secure development, security assessments, security program development, and regulatory compliance. He has assisted numerous Fortune 1000 companies and Federal Government agencies in building mature application security and information security programs in accordance with industry standards and regulatory mandates. During the last seven years, Mr. Flick has instructed nearly 1000 developers and application security professionals, has presented on application security research at Black Hat DC, DEFCON, and several OWASP chapters and universities, and has been quoted by media outlets including Forbes, Technology Review, and Dark Reading.
Daniel Shorstein is a manager at Deloitte & Touche LLP in its Federal Risk and Financial Advisory practice. Daniel has more than 12 years of experience providing accounting, auditing, tax, and consulting services, specializing in developing data analyses around financial and related operational data for audit readiness, audit remediation, and business process reengineering. Mr. Shorstein has spoken at the national Association of Government Accountants (AGA) conference, and has had an article published as the cover story in Florida CPA Today. Daniel is growing the financial reporting and analytic capabilities of Deloitte practitioners through developing and teaching a Federal Accounting Learning Program, and developing and delivering a series of Python courses. Daniel creates innovative data-driven insights using open data made available through the DATA Act, with the goal of providing agencies and the public with new and interesting ways to benefit from the DATA Act.
Dr. Gedare Bloom is an assistant professor in the Department of Electrical Engineering and Computer Science at Howard University, where he directs the Embedded Systems Security Lab. He received his Ph.D. in Computer Science from The George Washington University in 2013 and joined Howard University in 2015. His research expertise is computer system security, with a particular focus on real-time embedded systems used in critical infrastructure that have lifetimes measured in decades. The techniques he applies to solve problems along the hardware-software interface range across computer architecture, computer security, cryptography, operating systems, and real-time analysis. Dr. Bloom is also a maintainer for the RTEMS open-source hard real-time operating system, which is used in robotics frameworks, unmanned vehicles, satellites and space probes, automotive, defense, building automation, medical devices, industrial controllers, and more. He has published more than 30 peer-reviewed articles in scholarly venues and routinely serves on conference and workshop program committees. Dr. Bloom is a member of the ACM (SIGARCH, SIGBED, SIGCSE, SIGOPS, and SIGSAC) and IEEE (Computer Society, Technical Committee on Real-Time Systems).
Ron Ross is a Fellow at the National Institute of Standards and Technology. His focus areas include information security, systems security engineering, and risk management. Dr. Ross leads the Federal Information Security Modernization Act (FISMA) Implementation Project, which includes the development of security standards and guidelines for the federal government, contractors, and the United States critical infrastructure. His current publications include Federal Information Processing Standards (FIPS) 199 (security categorization), FIPS 200 (security requirements), and NIST Special Publication (SP) 800-39 (enterprise risk management), SP 800-53 (security and privacy controls), SP 800-53A (security assessment), SP 800-37 (Risk Management Framework), SP 800-30 (risk assessment), SP 800-160 (systems security engineering), and SP 800-171 (security requirements for nonfederal systems and organizations). Dr. Ross also leads the Joint Task Force, an interagency partnership with the Department of Defense, the Office of the Director of National Intelligence, the U.S. Intelligence Community, and the Committee on National Security Systems, with responsibility for the development of the Unified Information Security Framework for the federal government and its contractors.
Dr. Ross previously served as the Director of the National Information Assurance Partnership, a joint activity of NIST and the National Security Agency. In addition to his responsibilities at NIST, Dr. Ross supports the U.S. State Department in the international outreach program for information security and critical infrastructure protection. He has also lectured at many universities and colleges across the country, including the Massachusetts Institute of Technology, Dartmouth College, Stanford University, the George Washington University, and the Naval Postgraduate School. A graduate of the United States Military Academy at West Point, Dr. Ross served in many leadership and technical positions during his twenty-year career in the United States Army. While assigned to the National Security Agency, Dr. Ross received the Scientific Achievement Award for his work on an inter-agency national security project and was awarded the Defense Superior Service Medal upon his departure from the agency. Dr. Ross is a four-time recipient of the Federal 100 award for his leadership and technical contributions to critical information security projects affecting the federal government and is a recipient of the Presidential Rank Award. He has also received the Department of Commerce Gold and Silver Medal Awards and has been inducted into the Information Systems Security Association Hall of Fame and given its highest honor of Distinguished Fellow. In addition, Dr. Ross has been inducted into the National Cyber Security Hall of Fame.
Dr. Ross has received numerous private sector cybersecurity awards, including the Partnership for Public Service Samuel J. Heyman Service to America Medal for Homeland Security and Law Enforcement, Applied Computer Security Associates Distinguished Practitioner Award, Government Computer News Government Executive of the Year Award, Vanguard Chairman’s Award, Government Technology Research Alliance Award, InformationWeek’s Government CIO 50 Award, Billington Cybersecurity Leadership Award, ISACA National Capital Area Conyers Award, ISACA Joseph J. Wasserman Award, Symantec Cyber 7 Award, SC Magazine’s Cyber Security Luminaries, (ISC)² Inaugural Lynn F. McNulty Tribute Award, 1105 Media Gov30 Award, and three-time Top 10 Influencers in Government IT Security. During his military career, Dr. Ross served as a White House aide and a senior technical advisor to the Department of the Army. He is a graduate of the Defense Systems Management College and holds Master's and Ph.D. degrees in Computer Science from the U.S. Naval Postgraduate School, specializing in artificial intelligence and robotics.
All Students: Please bring your student identification
ISACA Members from Other Chapters: You will need to bring your ISACA Membership Card to the event to verify your ISACA Membership.
Conference presentations are posted to the Presentations Library when permission is received from the presenter and their organization. In some cases, permission is not received.
Earn up to 8 Continuing Professional Education (CPE) credits in the area of Specialized Knowledge. The ISACA® NCAC is registered with the National Association of State Boards of Accountancy (NASBA) as a sponsor of continuing professional education on the National Registry of CPE Sponsors. State boards of accountancy have final authority on the acceptance of individual courses for CPE credit. Complaints regarding registered sponsors may be submitted to the National Registry of CPE Sponsors through its website: http://www.learningmarket.org.
CPEs will be distributed via e-mail along with the event evaluation survey after the completion of the event. Attendees must be present for the full day to receive full CPE credit.