
Agenda

Thursday May 17, 2012

9:00 AM Registration for Pre-Conference Workshops Opens

9:30 AM to 5:15 PM
Pre-Conference Workshops

10:45 to 11:00 AM Morning break for Pre-Conference participants

12:15 to 1:00 PM Lunch for Pre-Conference participants

3:15 to 5:30 PM Afternoon break for Pre-Conference participants

5:30 to 7:30 PM Welcome Reception

7:30 to 9:00 PM Exhibitor Check In and Set Up

Friday May 18, 2012
 
6:00 to 7:00 AM Exhibitor Check In and Set Up

7:00 AM Conference Registration Opens

7:00 to 8:00 AM Breakfast in Exhibit Hall

8:00 to 9:00 AM Opening Session

9:15 to 10:30 AM
Morning Workshops - Session One

10:30 to 11:00 AM Morning Networking Break in Exhibit Hall

11:00 AM to 12:15 PM
Afternoon Workshops - Session Two

12:15 to 1:15 PM Lunch

1:15 to 2:30 PM
Afternoon Workshops - Session Three  
(Audience Focus: M = Managers; A = Auditors; E = Engineers; R = Architects)
  1. Bring Your Own Device – Security and Privacy Legal Risks (M)
    Speaker: David Navetta & Chris Paschke

    Session Description:
    Organizations, by choice or due to a natural evolution, are allowing their employees to connect their personal computing devices to company networks, and store, process and transmit sensitive data on personal devices. A "Bring Your Own Device" IT strategy poses privacy, security and information management risks, which can lead to legal concerns. This session explores privacy and security issues around BYOD and the legal risk they pose, and discusses methods for addressing that risk.

    Learner Objectives:

    • Understand privacy-related issues arising out of a BYOD strategy
    • Understand security-related issues arising out of a BYOD strategy
    • Understand information management issues arising out of a BYOD strategy
    • Identify legal risks associated with privacy, security and information management issues associated with a BYOD strategy
    • Understand steps to address and mitigate BYOD risks

    Speaker Bio:
    David Navetta is one of the Founding Partners of the Information Law Group. David has practiced law for over fourteen years in areas including technology, privacy, information security and intellectual property law. He is also a Certified Information Privacy Professional through the International Association of Privacy Professionals.

    David has enjoyed a wide variety of legal experiences over his career that have provided him with a unique perspective and legal skill set, including work at a large international law firm, in-house experience at a multinational financial institution, and an entrepreneurial endeavor running his own law firm.

    Prior to co-founding the Information Law Group, David established InfoSecCompliance LLC ("ISC"), a law firm focusing on information technology-related law. ISC successfully served a wide assortment of U.S. and foreign clients from Fortune 500 companies to small start-ups and service providers. Mr. Navetta previously worked for over three years in New York as assistant general counsel for a major insurer's eBusiness Risk Solutions Group. While there David analyzed and forecasted information security, privacy and technology risks, drafted policies to cover such risks, and worked on sophisticated technology transfer transactions. David engaged in commercial litigation for several years prior to going in-house, including working at the Chicago office of Sedgwick, Detert, Moran and Arnold, a large international law firm.

    David currently serves as a Co-Chair of the American Bar Association's Information Security Committee, and is also Co-Chair of the PCI Legal Risk and Liability Working Group. Mr. Navetta previously served as the Chairman of the ABA's Information Security Committee's Information Security Contracting & Risk Management Working Group. He has spoken and written frequently concerning technology, privacy and data security legal issues.

    David has worked on transactions and licensing, privacy and security compliance issues, litigation, and breach notice and incident response.

  2. Cloud Control: Assurance in a Massively Scalable World (M,A)
    Speaker: Ben Tomhave

    Session Description:
    Ubiquitous access to data and applications is here. No longer are our resources confined to enterprise networks and data centers of our own making. Rather, applications and platforms are now available on-demand, anywhere, anytime, to virtually anybody. Moreover, these environments can scale on demand, automating what has traditionally required expertise in system design and capacity planning. Assuring security in this environment poses new and evolving challenges. While they may resemble the same obstacles we've been managing for decades, they are increasingly more difficult to address. Now, more than ever, companies need to extend their governance, risk, and compliance initiatives to take cloud-related strategies and initiatives into account to proactively protect their data and their bottom line.

    Learner Objectives:

    • Understand the role of governance and risk management processes as applied to cloud security.
    • Review a brief history of computing and how it arrives at the cloud computing model.
    • Learn about fundamental security challenges when using cloud-based services.

    Speaker Bio:
    Ben Tomhave, MS, CISSP, helps global enterprises, SMBs and service partners unlock the real promise of integrated governance, risk and compliance in his current role as Principal Consultant for LockPath, a GRC software company. A distinguished author and experienced speaker, he currently serves on the OWASP NoVA chapter board, the Society of Information Risk Analysts board, and as the co-vice-chair of the ABA InfoSec Committee. He is also a member of ISSA and the IEEE Computer Society, and earned an MS in Engineering Management from The George Washington University with an InfoSec Management concentration.

  3. Introducing COBIT 5 (A)
    Speaker: Bob Frelinger

    Session Description:
    Get an introduction to COBIT 5. Building on more than 15 years of practical application, ISACA designed COBIT 5 to meet the needs of stakeholders, and to align with current thinking on enterprise governance and management techniques as they relate to IT.

    Learner Objectives:

    • Appreciate the background behind COBIT 5
    • Understand the five principles that underpin COBIT 5
    • Understand the seven enablers upon which COBIT 5 is based
    • Know how to navigate the "COBIT 5: Framework" and the "COBIT 5: Process Reference Guide"

    Speaker Bio:
    Bob is currently manager of the Process Management Program for Oracle's Global IT group. Before joining Oracle he served in a similar position at Sun Microsystems, Inc. He was a board member of the ISACA Denver Chapter and is Certified in the Governance of Enterprise IT®. He has been leveraging COBIT, ITIL, Six Sigma, PRINCE2, and other industry-accepted practices since 2003, and is a strong proponent of drawing on the strengths of each. Bob contributed to the development of COBIT 4 and 4.1, and was part of the development group working on COBIT 5.

  4. Mapping the Penetration Tester's Mind: 0 to Root in 60 Minutes (E)
    Speaker: Kizz MyAnthia

    Session Description:
    "Mapping The Penetration Tester's Mind" will present tools, methodologies, standards, and frameworks that are used during an active security engagement. This will give attendees a broad understanding of how a penetration tester identifies and selects targets, how vulnerabilities are located, what a penetration tester does to actively gain access, and how one small vulnerability can lead to a complete infrastructure breach. Many participants understand the importance of having penetration testing performed, but do not understand what is actually done during the engagement. The presentation will provide a solid base of information on the penetration tester's mindset and give all participants a deeper understanding of how to guide their clients toward a successful assessment.

    Learner Objectives:
    A requirement of most high-level compliance regimes is to have a penetration test performed. Most organizations understand that this is a necessity and have it performed, but do not understand the fundamentals behind why it is important or what is actually done. "Mapping The Penetration Tester's Mind" will bridge the gap between C-level executives and the "techies" in the trenches, offering valid insight and content to anyone currently in the information security world.

    Speaker Bio:
    Infosec specialist whose qualifications include an in-depth understanding of security principles and practices; C|EH, MCSE+Security designations; and detailed knowledge of security tools, technologies and development. 10 years of security experience in the creation and deployment of solutions protecting networks, systems and information assets for diverse companies and organizations, with over 12 years overall in the industry. I have spoken at NotACON, SecurityBSides (LOTS), Secure360, DeepSec, and many more. I currently conduct training and educational events for Rapid7.

  5. Whose Fault Is It That I Didn't Know It Wasn't You – A Discussion of Commercially Reasonable Security (M, E, R)
    Speaker: Hoyt L Kesterson II

    Session Description:
    A conundrum: a ruling against a bank that used token-based two-factor authentication, while the other bank, using what most security experts would call a weak authentication method, won its case. In 2011 two judicial decisions were announced on the claims of two small businesses that their banks had processed fraudulent funds transfer requests. In one case a bench verdict found for the customer, holding that the bank had not acted in good faith; in the other, the magistrate judge found that the bank's security practices were commercially reasonable. The talk will examine the technical and legal implications of these decisions.

    Learner Objectives:

    Speaker Bio:
    Hoyt L. Kesterson II is a Senior Security Architect with Terra Verde Services in Scottsdale, Arizona. He has more than 40 years of experience in information security and related technologies. For 21 years he chaired the international standards group that created the X.509 digital signature certificate, a fundamental component of digital signatures and of securing web transactions. He is a founding member and vice-chair of the American Bar Association's eDiscovery and Digital Evidence Committee and a founding member of the Information Security Committee. He is a testifying expert. He is a frequent and top-rated speaker at the RSA Conference. He has participated in ALI-ABA and ABA CLE web-casts on a variety of topics and lectured on data breach at the ABA 2008 Annual Meeting. He is an acknowledged contributor to a book on e-discovery and a book on digital data and the rules of evidence, both published by the ABA.


2:30 to 3:00 PM Afternoon Dessert in Exhibit Hall / Networking and Prize Drawings

3:00 to 4:15 PM
Afternoon Workshops - Session Four  
 
3:15 PM Exhibitor Tear Down

4:30 to 5:30 PM Afternoon Closing Session
© 2009-2012 Rocky Mountain Information Security Conference. All rights reserved.