October is Cybersecurity Awareness Month!
Come to our 2021 Cybersecurity Conference on October 7th! Information and data security threats make headlines every day as organizational and personal breaches continue. Information security has been designated as a government-wide high-risk area since 1997. In 2021 alone, at least 45 states have introduced or considered 250 bills or resolutions pertaining to cybersecurity, and the President issued Executive Order 14028 charging multiple agencies with enhancing cybersecurity. The ISACA-GWDC Chapter invites you to our 2021 Cybersecurity Conference to engage with our speakers, increase awareness, and strengthen efforts to minimize and prevent cybersecurity threats, so that we can help focus our organizations on securing cyber infrastructure. Our 2021 Cybersecurity Conference is virtual this year.
Who Should Attend?
Cybersecurity professionals, IT advisory or audit professionals, business executives, and students or professionals interested in learning more about cybersecurity.
- 0830-0930: NIST SP 800-210: General Access Control Guidance for Cloud Systems
- 0930-1030: Zero Trust for Hybrid Cloud
- 1030-1130: Cybersecurity Framework Profile for Ransomware Risk Management
- 1130-1230: Critical Infrastructure Protection: TSA Is Taking Steps to Address Some Pipeline Security Program Weaknesses
Thursday, October 7, 2021, 0830 to 1230 EDT
Four (4) NASBA CPE credits
Get a Discount!
Enjoy discounted or free event pricing and other benefits all year round! Join ISACA GWDC Today!
Check out our calendar of upcoming events for more ISACA GWDC and partner activities. Don't forget to follow ISACA GWDC on LinkedIn, Twitter, and Facebook for the latest news and information from ISACA GWDC, ISACA, and the audit, governance, and security profession.
TOPICS OF THE 2021 CYBERSECURITY CONFERENCE
NIST SP 800-210: General Access Control Guidance for Cloud Systems
Presented by Dr. Antonios Gouglidis, Lancaster University
Dr. Antonios Gouglidis, co-author of NIST Special Publication (SP) 800-210 (General Access Control Guidance for Cloud Systems), will discuss the guidance. NIST SP 800-210 presents cloud access control characteristics and a set of general access control guidance for the cloud service models IaaS (Infrastructure as a Service), PaaS (Platform as a Service), and SaaS (Software as a Service). Different service delivery models require managing different types of access to the offered service components. The service models can be considered hierarchical, so the access control guidance for functional components in a lower-level service model is also applicable to the same functional components in a higher-level service model. In general, access control guidance for IaaS is also applicable to PaaS and SaaS, and access control guidance for IaaS and PaaS is also applicable to SaaS. However, each service model has its own focus with regard to the access control requirements for its service.
NIST SP 800-210 can be found here.
Zero Trust for Hybrid Cloud
Presented by William Malik (Trend Micro)
Although the hybrid cloud now handles much that was formerly done by the in-house IT organization, several challenges remain.
We begin this talk by discussing the elements of conventional I&O that must remain – although transformed – when migrating increasing portions of an organization’s workload to hybrid cloud. We consider the split between previously amalgamated technologies and processes that now requires clear segregation between technical operations (e.g., backing up the file) and supervisory oversight. We will delve into why the separation from the technical performance of various tasks (some of which are still in-house and others of which use the cloud) requires a consistent way to see what’s being done, by whom, and how it’s being verified – a problem that has challenged some cybersecurity teams for a long time.
Second, the session will focus on the architectural challenge that zero trust (a successor to network access control) places on conventional information security architectures, procedures, staffing, and audit. We will examine why adding zero trust as an architectural principle puts similar stress on conventional tasks such as provisioning, procurement, network segmentation, IT/OT integration, encryption, key management, certificate management, and continuity of operations.
Next, we consider zero trust’s enablement of hybrid cloud and mixed environments and why zero trust is becoming recognized as the most robust cybersecurity architecture for the heterogeneous, hybrid cloud world, with natural adaptation to industrial IoT and OT networks in general. We will outline good practices for zero trust incorporation, and some pitfalls to avoid as workloads migrate to hybrid cloud.
Finally, we will close with some tips to smooth the passage to this cybersecurity approach.
Cybersecurity Framework Profile for Ransomware Risk Management
Presented by William (Bill) Fisher, National Institute of Standards and Technology (NIST)
Ransomware is a type of malware that encrypts an organization’s data and demands payment as a condition of restoring access to that data. In some instances, ransomware may also steal an organization’s information and demand additional payment in return for not disclosing the information to authorities, competitors, or the public. Ransomware attacks target organizations’ data or critical infrastructure, disrupting or halting operations.
This report defines a Ransomware Profile, which identifies security objectives from the NIST Cybersecurity Framework that support preventing, responding to, and recovering from ransomware events. The profile can be used as a guide to managing the risk of ransomware events. That includes helping gauge an organization’s level of readiness to mitigate ransomware threats and to react to the potential impact of events.
This presentation will discuss the draft NISTIR 8374 (Cybersecurity Framework Profile for Ransomware Risk Management), which was revised in September 2021 to incorporate the public comments on the preliminary draft released in June 2021. The draft NISTIR 8374 can be found here.
Critical Infrastructure Protection: Observations on Pipeline Security
Presented by Leslie Gordon, Kaelin Kuhn and Orin (Ben) Atwater, United States Government Accountability Office (GAO)
In May, Colonial Pipeline Company announced that it was the victim of a ransomware attack that led to a temporary disruption in the delivery of gasoline and other petroleum products across much of the southeast U.S. The attack on Colonial Pipeline highlights the urgent need to address long-standing cybersecurity challenges facing the nation. The federal government must take immediate steps to prevent, more quickly detect, and mitigate the damage of future cyberattacks. In particular, GAO’s testimony on July 27th highlighted the need for the government to develop and execute a more comprehensive federal strategy for national cybersecurity and global cyberspace. We also testified that TSA is issuing new requirements for pipeline owners to improve their cybersecurity and prevent attacks, and that TSA has addressed some previous GAO recommendations from our pipeline security work in 2018 and 2019.
This session will discuss GAO-21-105263, which reports on the progress of TSA, the agency primarily responsible for pipeline security, in improving the cybersecurity of pipeline owners and preventing attacks. GAO-21-105263 can be found here.
MEET THE PRESENTERS
Bill Fisher is a security engineer at the National Cybersecurity Center of Excellence (NCCoE). In this role, he is responsible for leading a team of engineers that work collaboratively with industry partners to address cybersecurity business challenges facing the nation. He leads the center’s Attribute Based Access Control (ABAC) project, Mobile Application Single Sign On (SSO) for the Public Safety and First Responder Sector, and is part of the ITL Cybersecurity for IoT program. The NCCoE is a collaborative hub where businesses, government agencies, and academia work together to address broad cybersecurity problems of national importance. As part of the National Institute of Standards and Technology, the NCCoE uses standards, best practices, and commercially available secure technologies to demonstrate how cybersecurity can be applied in the real world. Ultimately, the NCCoE helps promote widespread adoption of cybersecurity technologies by developing example solutions to cybersecurity problems that affect whole sectors of industry, or even multiple sectors. Prior to his work at the NCCoE, Mr. Fisher was a program security advisor for the System High Corporation in support of the Network Security Deployment division at the Department of Homeland Security. He holds a bachelor’s degree in business administration from American University and a master’s degree in cybersecurity from Johns Hopkins University.
Leslie V. Gordon, Acting Director, United States Government Accountability Office (GAO)
Leslie V. Gordon is an Acting Director in GAO’s Health Care team. She oversees GAO’s work on the Medicare program. Leslie joined GAO in January 2000 as a member of the Health Care team, where she led work on the Medicaid and Medicare programs and other health policy topics. Prior to joining GAO, Leslie worked as a project director at the National Center for Education in Maternal and Child Health. Leslie earned a master’s degree in public policy from Georgetown University and a bachelor’s degree in American studies and computer applications from the University of Notre Dame.
Ben Atwater is an Assistant Director in GAO’s Homeland Security and Justice team. For the past 5 years, he has focused on critical infrastructure protection issues, including pipeline and chemical facility security.
Bill Malik helps clients achieve an effective information security posture spanning endpoints, networks, servers, cloud, and the Internet of Things. This involves technology, policy, and procedures, and spans the lifecycle from acquisition/development through deployment, operations, maintenance, and replacement or retirement.
During his four-decade IT career, Bill has worked as an application programmer with the John Hancock Insurance company; an OS developer, tester, and planner with IBM; and a research director and manager at Gartner for the Information Security Strategies service and the Application Integration and Middleware service; and he served as CTO of Waveset, an identity management vendor acquired by Sun. He ran his own consulting business providing information security, disaster recovery, identity management, and enterprise solution architecture services for clients including Motorola, AIG, and Silver Lake Partners. Bill has over 160 publications and has spoken at numerous events worldwide.
Bill attended MIT, majoring in Mathematics. He is a member of CT InfraGard and ISACA.
- Group Internet-Based. Zoom link delivered with registration.
- Prior to the event, participants must install the Zoom app on their respective devices. Participants using the web-based Zoom or calling via the phone may not be entitled to CPE credits.
- Participants must respond to all the poll questions via the Zoom polling feature or chat log in order to receive NASBA CPE credits.
- ISACA Greater Washington, D.C. will not be responsible for the participant’s inability to respond to the polls.
Conference presentations are posted to the Presentations Library if permission is received from the presenter and their organization. In some cases, permission is not received.
Sponsor this Event:
If your organization is interested in being an event sponsor, please take a look at the five (5) event sponsorship packages and click the sponsorship link to become a sponsor.
Cancellation and Refund Policy:
Cancellation and refund of advance registrations are allowed if cancellations are submitted through the registration system. Refunds vary depending on the date of cancellation. See the ISACA GWDC Event Policies for details.
If ISACA GWDC cancels the event, all registrants will be notified as soon as possible through email at the email address provided during registration. Full refunds will be provided.
Earn up to 4 Continuing Professional Education (CPE) credits in the area of Information Technology. The ISACA® Greater Washington, D.C. Chapter is registered with the National Association of State Boards of Accountancy (NASBA) as a sponsor of continuing professional education on the National Registry of CPE Sponsors. State boards of accountancy have final authority on the acceptance of individual courses for CPE credit. Complaints regarding registered sponsors may be submitted to the National Registry of CPE Sponsors through its website: www.NASBARegistry.org.
CPE Distribution and Evaluation Survey:
CPEs will be distributed via e-mail along with the event evaluation survey after the completion of the event. Attendees must be present the full day and respond to polling questions to receive full CPE credit.
- Prerequisites and Advance Preparation: None
- Program Knowledge Level: Basic
- Delivery Method: Group Internet based
- Field of Study: Information Technology - Technical
The GWDC welcomes your comments, complaints, suggestions, questions, and other feedback concerning our website information and services. All complaints should be directed to the Associate Director of Registrations at email@example.com.