Welcome to the ISACA Atlanta Chapter web site. We are transitioning 2022 virtual events. For more information please go to ISACA Atlanta Chapter website. Thank you for your understanding. 

Link to ISACA Atlanta Chapter website - https://engage.isaca.org/atlantachapter/home

Discussion on the Journey to the Centre of Data Privacy and into the Interior of Data Security. I am painting a picture, and a vision for this time in history that is transformative with new ways to think about data privacy. We will review use cases from different industries and discuss data protection options and best practices. I will share projects that was inspiring, and unforgettable in a journey in Data Privacy and Security with IBM, Oracle, Coca Cola, Microsoft, American Express, and Protegrity.

-  We will review use cases in financial services and other industries that are finding a balance between new technology impact, regulatory compliance, and commercial business opportunity.

-  We will discuss how new privacy-preserving and privacy-enhanced techniques can provide practical security for data in use and data sharing.

- You will position technologies like pseudonymization, anonymization, tokenization, encryption, masking and privacy preservation in analytics and business intelligence are used in Analytics and Machine Learning.

Chat on Controlling Privacy and the Use of Data Assets

Organizations are pulling out all the stops in a concerted effort to cut the growing number of third-party related security breaches. Increasing budget and time are devoted to third party risk management efforts and, at the same time, identity security is taking a leading role to secure organization assets and resources. In this session, we’ll discuss why it’s imperative that these initiatives not only work in parallel, but also in conjunction with one another, informing decisions throughout a third-party’s involvement with an organization.

Identity and Third-Party Risk Management: A Powerful Alliance

3Analytics has developed a platform that aggregates AE data sets from multiple sources (FDA, EMA, Epidemiology, Twitter etc.) and also leverages its own mobile app for data collection. The platform includes AI algorithms and a communication module as well (for periodic follow-ups with patients & alerts to all stakeholders). The main objective is to enable real time safety monitoring, mitigate AE risks and allay safety concerns.

Bringing AI into Vaccine Safety & Saving Lives

Join this panel discussion wrapping up the ISACA Atlanta Chapter GRC Conference 2021.

Featuring:
Christian Hyatt, Managing Director & Co-Founder, risk3sixty
David Muxfeld, Director of IT GRC, www.davidmuxfeld.com
Ben Sady, Principal, Dixon Hughes Goodman LLP
Kevin Carlson, Partner | CTO, TechCXO
Mosi Platt, Security Partner for Governance, Risk, Compliance & Assurance, Netflix
Jewel Hefner, Manager, Cloud Compliance & Risk Management, Citrix

Discussion on GRC Trends

Major trends discussed will include ransomware, phishing and email tactics of bad actors. Common tactics, measures and recommended practices will be included.

Cybersecurity Risk Trends

Technology and data play a crucial role in today’s organization. Compliance with industry frameworks and regulations within your company and also within your third parties is essential to managing and reducing your risk. The objective of our discussion will be to outline the current landscape, hot topics, and opportunities to organize the many moving parts of technology compliance.

IT Compliance Hot Topics

Introduction and Welcome (10 min)

IT Governance: Organizing the Chaos (50 min)
 
IT governance, functioning as a component of enterprise governance, can provide assurance as to the sound management of risks, resource utilization, and delivery of organizational objectives. With increasing regulatory scrutiny and board-level expectations, the need for effective IT governance has become more critical. This presentation will discuss how to navigate a chaotic IT environment while designing and enabling an effective IT governance program.

Featuring:
Brian Albertson, Director of Programs, ISACA Atlanta Chapter
David Muxfeld, Director of IT GRC, www.davidmuxfeld.com

Introduction and IT Governance

Today’s talk will dive into the guidance released in April 2021 from the DOL related to Employee Benefit Plans and the responsibilities of plan fiduciaries.​

Department of Labor’s Guidance on Cybersecurity Best Practices ​

The US Government is the world's largest buyer of goods and services! The government annual budget exceeds $1000 billion!
There is certainly a piece of the pie waiting for your company if you can provide services or products to the government. The opportunities are infinite but the number of successful players in this field are still very low. It is not popular knowledge that providing services or products to the government is quite different from selling to the commercial sector. What is also less known is the benefits any business reaps once they get to become a strong player. Government contracts can guarantee ongoing revenue to your business, a stable cash flow and business development opportunities.

Is Government Contracting Worth It?

The Demand for Skilled Talent is your look into the technology hiring trends making noise across the country. Learn why strong job optimism among U.S. workers is signaling career moves on the horizon. Explore the new hiring and retention challenges employers are facing as they adapt to the needs of a more mobile workforce. This presentation also delves into the latest numbers on hiring, hybrid work and the cost of a bad hire.

The Demand for Skilled Talent

Bug Bounties, Security Research, and Smoking Mirrors.  Research or simply Crowd Sourced Penetration Testing that Placates Security Budgets?  Tales around vulnerability research, responsible disclosure, and failures not commonly shared in the industry. 

 In this talk, we’ll speak on the perception vs. reality between bug bounties, security research, and responsible disclosure.  We’ll examine both sides of the vulnerability equation – the researcher and the product owner.  We’ll explore the modern bug bounty formats and if they live up to the definition of vulnerability research and if MNCs investing in this service are getting what they were expecting.  We’ll also explore the residual risks that companies may be sitting back with as blackhats continue to hold prized vulns for more lucrative online/ offline markets vs. cashing in for smaller payouts in bug bounty programs.

Bug Bounties, Security Research, and Smoking Mirrors.

Linear Enterprise Endpoint Management  -  "You think you know your enterprise?   What you don't know really can hurt (and cost) you"

Endpoint management, including both servers and workstations, is one of the greatest challenges IT organizations face today.  As IT make the digital transformation from on-prem data centers to hybrid cloud environment, including ephemeral servers and containers, not to mention all the users “working from anywhere”, IT has found itself stretched thin trying to manage all the devices, and their comings, goings and mobility.  In the past, IT has relied on a plethora of tools, installed on the endpoints, to provide this visibility, but in today’s highly dynamic IT world, those tools simply don’t work anymore.  Ask most any CTO, or CIO, a question like, “how many devices are connected to your network right now?”, and usually the response is a “range” of numbers.  Other dynamic processes like Patching, Compliance/Vulnerability scanning and remediation, Performance monitoring, among others are just too complicated to manage in today’s enterprises using existing point solutions.  What’s needed is a paradigm shift in how endpoints are managed.  This discussion will explore the available possibilities for just such a shift.

Linear Enterprise Endpoint Management...

Attackers may already be in your environment and constantly find new ways to avoid detection. Attacks involving Phishing, Ransomware, Misconfiguration, Stolen credentials, and Mis-delivery continued to increase in 2020 according to Verizon DBIR and 10% of all breaches involved ransomware.

The U.S. Secret Service noted that most organizations had adequate data backup, but cyber actors shifted their focus to the exfiltration of sensitive data and threatening to publicize the data unless additional ransom was paid. In early 2021 ransomware hit for example hit COLONIAL PIPELINE, QUANTA, NATIONAL BASKETBALL ASSOCIATION (NBA), BRENNTAG, ACER, JBS FOODS, AXA, and other victims according to Illinois.touro.edu. A ransom of between $7.5 million and $50 million US Dollars was demanded in several of these attacks and the hacker group disrupted gas supplies all along the East Coast of the United States, gained access to more than 3 TB of data including  Apple product blueprints and other confidential data.
 
We will discuss how to use the “NIST CYBERSECURITY FRAMEWORK FOR RANSOMWARE” to Prevent Attacks and Recover after Attacks. 80% of all attacks in 2020 involved servers and 53% target WEB servers according to Verizon DBIR. We will discuss the Top 10 Web Application Security Risks according to OWASP and the Top Ten Proactive Controls that describes the most important control and control categories that every architect and developer should include in every project.

Make sure that your data is private and protected in transit, in use, in memory, and at rest. Sensitive data can be secured and protected by a robust data backup plan so systems can quickly be restored. A multi-layered defense can help to create a good security posture and how to discover unusual activity on your sensitive data.

Ransomware and other Attacks

APIs are software glue that is revolutionizing our digital worlds by helping enable the next industrial revolution driven by AI/ML and IoT. Implications of APIs are profound on organizations both positive (innovation, newer business models, competitive differentiation etc.) and negative (hidden attack vector, business continuity impact etc.).

Industry Trends...
96% of applications contain some Open Source. Source: Black Duck 2020;
83% of internet traffic is via APIs vs 17% HTML. Source: Akamai 2019;
By 2021, 90% of web-enabled applications will have more surface area for attack in the form of exposed APIs rather than the UI, up from 40% in 2019. Source: Gartner.
By 2022, API abuses will be the most frequent attack vector resulting in data breaches for enterprise web applications. Source: Gartner Research, "How to Build an Effective Security Strategy".

Given these trends it is imperative for Security, Compliance and Audit professionals to get a handle on APIs before things get out of control, if not already, by managing API risks proactively. 
This session will provide an overview of an effective governance framework that enterprises can adopt to manage their API security and compliance risks. This framework includes best practices, both manual and automated, with relevant tools recommendation. Participants will have an opportunity to exercise use case(s) using existing technologies.

Workshop on API Governance & Risk Management

Cybersecurity is a strategic business enterprise risk. Double extortion ransomware is the latest iteration of cybercrime that literally keeps the C-suite up at night. The gaps in your privacy program are laid bare in a ransomware situation. 

What do you do when your IT director calls and tells you your network has been encrypted and there is a ransom note demanding $1,000,000? Did the threat actor access or exfiltrate data? Do you contact the threat actor and how do you negotiate? What do you tell your customers and employees while you try to get your network restarted? When do you call law enforcement? How long will your forensic investigation take? Will you get a not so lovely letter from the state Attorney General? 

Join Justin Daniels, a cybersecurity and business attorney, as he weaves for you a ransomware tale that has become commonplace in 2021. He will discuss the people, processes, and technology that help you respond thoughtfully and resiliently.

A Ransomware Tale

Machine Learning and Artificial Intelligence are changing the way businesses gather, relate to, and act on data.  Much of that data comes from you or your company, aka users. What are your rights with regard to how your data is used to construct and train a machine learning model? Do you have the right to ask that your data not be used or that an existing model exclude your data in the future? How can seemingly innocuous data lead to models that may be inherently biased? We'll discuss those and other topics as well as how you can protect yourself from unintended use of your data and your company's data.

Machine Learning Ethics

Jim will discuss how to secure and audit the Azure environment.  You will walk away with an understanding of the cloud service model, Azure terminology, redundancy and backup strategies, key security roles, and logging.

Auditing the Cloud: Azure

Overwhelmed by the volume of manual effort required to manage global oversight of their enterprise risk management program, a leader in global financial services sought to increase operational efficiency while decreasing risk exposure. By applying process automation to their workflows and driving insights from custom real-time reports, this global enterprise took its risk management program to the next level, creating a 20% increase in employee efficiencies and 100% visibility into compliance and third-party risk.

Scaling Enterprise Risk Management

The presentation articulates the needs of the enterprise to transition from “cybersecurity” to “cyberresiliency”.  Cyberresilience refers to the ability to constantly deliver intended outcomes despite negative cyber events. It is keeping business intact through the ability to effectively restore normal operations in the areas of information systems, business functions and supply chain management. In simple terms, it is the return to a normal state.

Cyberresiliency is the extrapolation of cybersecurity, and it has progressed to enable enterprises to withstand and rapidly recover from cyber-attacks with criminal intent to induce harm, cripple and extort enterprises. Cyberresiliency is a board-level responsibility with high business content. It is based on initiatives under the auspices of corporate governance, enterprise cyber programs and supply chain network.

In addition, the presentation describes a business-oriented model as how to an enterprise may develop a framework of a cyberresiliency decision model (CRDM).  The proposed business model quantifies and compares the degree of impact of each proposed cyberresiliency initiative on any of the enterprise-stated goals and objectives and develops a prioritized road map to the containment of the cyber threats.

Determining the portfolio of cyberresiliency investment and the realized value of such initiatives is highly correlated to an organization’s willingness to articulate the following

-     The risk of potential costs of security incidents that the enterprise is willing to bear
-     The level of risk that the enterprise is willing to accept when running its business
-     The enterprise’s recognition that investment in cyberresiliency ought to be mapped and prioritized to the desired outcome and types of threats

Enterprise Transformation to Cyberresiliency

Presented by

About this talk

More from this channel