In any business or government agency, the leaders seek to achieve their mission objectives and not get caught up in technical details. Threats from malicious cyber actors, and sometimes from careless employees, can disable or destroy entire electronic information and SCADA systems. While the inclination to learn more about cyber-based threats and environmental losses to availability is at perhaps an all-time high in C-suites and among Federal Government agency directors, there is precious little time to waste in enabling smart and useful cybersecurity programs in our workplaces. We can help these leaders by being the bridge between the technical underpinnings that support their mission objectives and the technical workforces that spend their time enabling and defending those systems. This topic is for managers and executives who find themselves either too technical or too aligned with the business operations to make all of the necessary connections that lead to effective cybersecurity outcomes.
While significant time and investment are made by the CISO and Privacy offices to assure that user data is not leaked from the network, users' data, often their most sensitive, is being leaked to third parties by the myriad of analytics tools that are added to web applications even after they have passed their security testing and privacy impact assessments, creating a blind spot for those who are actually responsible for security and privacy.
This talk will provide information to privacy and security professionals on how to identify third-party tracking code that has been added to their applications, how to assess the severity of the issue, and how to articulate the problem to their leadership.
12:30 PM – 01:30 PM
Cloud Computing System Implementations: Risk & Governance Audit Considerations
Organizations are increasingly moving financial systems to cloud environments, which raises potential risk and governance concerns, particularly with respect to financial statement audits. During this session the speaker will provide a brief overview of cloud computing followed by risk considerations with respect to cloud migrations addressing areas of project governance, user security, data migration, and control integration.
Allan Alford President & CISO, Allan Alford Consulting
With twenty+ years in information security, Allan has served as CISO five times in five industries, with a strong history in technology, manufacturing, telecommunications, litigation, education, cybersecurity and more – at companies ranging from 5 to 50,000 employees.
Allan parlayed an IT career into a product security career and then ultimately fused the two disciplines. This unique background means that Allan approaches the CISO role with a highly business-aligned focus and an understanding of an organization’s greater goals, drivers, methods, and practices. Allan seeks at all turns to positively impact the top and bottom lines.
Allan holds a Master of Information Systems & Security and a Bachelor of Liberal Arts with a focus on Leadership.
Allan gives back to the security community via The Cyber Ranch Podcast, by authoring articles, speaking at conferences and teaching.
Scott Rubin Director, FED CIO Advisory @ KPMG
Scott Rubin is a Director at KPMG where he leads consulting programs that span the systems engineering spectrum from specific operational capabilities to the enterprise. Scott's professional career began in the United States Air Force working with electronic cryptographic communication systems. After his military service, Scott served on the staff at the Defense Advanced Research Projects Agency (DARPA) as their inaugural Chief of Information Security, where he was responsible for the Agency's operational cyber mission. His career progression spans from working inside of discrete-component TTL and CMOS systems up to designing and deploying large-scale interconnected information system environments in the cloud.
Scott is also an Adjunct Lecturer in Georgetown University’s School of Continuing Studies, teaching graduate courses in Cybersecurity Risk Management and the Applied Intelligence program. Before Scott came to Georgetown, he was an Adjunct Professor/Lecturer at George Washington University in the graduate Cybersecurity Policy and Compliance track.
Scott provides instruction across the Cybersecurity and Intelligence landscapes, from policy and management concepts and practices to the complex technical aspects that exist in networked systems. Scott's instructional coursework experience includes:
Auditing, Monitoring, and Intrusion Detection for Information Security Managers
Management of Information and Systems Security
Managing the Protection of Information Assets and Systems
Cybercrime for Information Security Managers
Advanced Analytic Techniques in Intelligence
Cybersecurity Governance Frameworks
Scott brings over 30 years of professional experience into the classroom environment, from the leading edges of the Department of Defense, to federally funded research and development programs in the Intelligence Community, and across the commercial consulting industry. Scott ties in real-world examples and modern technical and managerial challenges to broaden the course experience.
When Scott is outside of the classroom or not consulting with clients, he is an active father to his kids Cassandra, Oliver, and Miriam, and doing all he can to keep up with his wife of twenty years, Brigitta. A graduate of George Washington University with a Master of Engineering in Cybersecurity Policy and Compliance, Scott keeps active in hobbies that helped launch his career, including the restoration of classic arcade pinball machines and video games.
David Cole Owner @ SysAudits.com CPA, CISA, CRISC
Mr. Cole has extensive and diverse leadership and management experience covering IT security, cyber assessments, regulatory assessments, IT audits, and IT operations support. Mr. Cole is currently the owner of SysAudits.com.
Mr. Cole held numerous Director of IS Audit positions at:
U.S. House of Representatives Office of Inspector General
Department of Education, Office of Inspector General
Smithsonian Office of Inspector General
Regulatory assessments (ITAR, FISMA, and HIPAA) of company and government IT operations, contract compliance, outsourced data centers, and IaaS, PaaS, and SaaS cloud operations
Drafted national cybersecurity policy for the National Industrial Security Program (NISP) under the Director of National Intelligence
C-Suite presentations and Congressional testimony
Technical testing and training – pentesting, disaster recovery, and others
Forensic and technical support to federal agents' cybercrime investigations
Mr. Cole held numerous IT Operations positions:
Chief Information Officer, Defense Security Service (DSS): Executive leadership and management oversight for all IT operations to include multiple datacenters, systems engineering, application development, cybersecurity, IT policy, budget and resource planning. Responsible for a $100 million+ annual IT budget and 150+ technical staff supporting 70+ locations.
Director Designated Approving Authority, DSS – CISO for cleared industry with responsibility for certification and accreditation under the NISP of 40,000+ information systems at 14,000+ locations.
Mike Landeck Director of Security Consulting @ NTT Data
Mike Landeck led the security implementation and then operationalized two of the country's largest cloud-based healthcare IT projects. Mike has been responsible for the overall security of systems with financial transactions of over $4 billion per month, as well as security programs regulated by HIPAA, SOX, PCI, FISMA (NIST SP 800-53), the IRS, and FedRAMP.
Mike is a frequent conference speaker and workshop presenter focusing on such topics as software security testing and security program management.
John Heath Director, Audit, Technology Assurance @ KPMG LLP
John Heath is an IT director in KPMG’s Federal practice and has more than 17 years of experience providing audit and advisory services to the Federal Government, commercial organizations, and not-for-profit organizations. His career has mainly focused on IT support for financial statement audits and system and organization control (SOC) examinations.
Virtual Meeting Information
This event will be presented through Zoom.
Prior to the event, participants must install the Zoom app on their respective devices or use the web-based Zoom client. Participants who dial in by phone may not be eligible for CPE credits.
Participants must respond to all the poll questions via the Zoom polling feature or chat log in order to receive NASBA CPE credits.
The ISACA Greater Washington, D.C. Chapter will not be responsible for the participant’s inability to respond to the polls.
If you have CPE questions after the event has concluded, please contact the chapter using the CPE Contact Form.
Cancellation and Refund Policy
Cancellations and refunds for advance registrations are allowed if cancellations are submitted through the registration system. Refunds vary depending on the date of cancellation. See ISACA GWDC Event Policies for details.
If ISACA GWDC cancels the event, all registrants will be notified as soon as possible through email at the email address provided during registration. Full refunds will be provided.
The GWDC welcomes your comments, complaints, suggestions, questions, and other feedback concerning our website information and services. All complaints should be submitted through the Registration Contact Form.
Earn up to 5 Continuing Professional Education (CPE) credits in the area of Information Technology. The ISACA® Greater Washington, D.C. Chapter is registered with the National Association of State Boards of Accountancy (NASBA) as a sponsor of continuing professional education on the National Registry of CPE Sponsors. State boards of accountancy have final authority on the acceptance of individual courses for CPE credit. Complaints regarding registered sponsors may be submitted to the National Registry of CPE Sponsors through its website: www.NASBARegistry.org
CPE Distribution and Evaluation Survey
CPEs will be distributed via e-mail along with the event evaluation survey after the completion of the event. Attendees must be present for the full event to receive full CPE credit.
Learning Objective: After this conference, attendees will have a better understanding of current trends and practices in risk management and governance.
Advance Preparation: None
Program Knowledge Level: Basic
Delivery Method: Group Internet Based
Field of Study: Information Technology – Technical