2019 Fall GRITSS
Governance, Risk and IT Security Summit (GRITSS) Training Session
When: September 4-5, 2019 - 8:00 AM - 4:00 PM
Where: Wake Tech Community College RTP Campus
ISACA-RTC Members - One day $75, two days $150 (Log in to register to ensure the discounted fee)
Affiliated Organizations (IIA, ISSA, Other ISACA Chapters) - One day $100, two days $200
All Others: One day $125, two days $250
CPEs: Up to 14
Handouts: Will be uploaded when available
Wednesday Sept 4th – Regulation Day
8:15 – 9:30 – Rob Valdez – Keynote speaker
Summary. In response to the increasing speed of disruptive developments in technology, professionals and organizations are reassessing their approaches to agility and resilience. Effective change management depends on a comprehensive understanding of one's approach to identifying changes, assessing threats and opportunities, responding to change, and monitoring the responses; however, the pace and context of this exercise is accelerating, and old responses to new approaches and new risks are sometimes insufficient. This presentation provides an overview of current disruptive technology topics, such as those related to artificial intelligence, blockchain, and cybersecurity, as well as examples of best practices and important considerations for change management in the context of compliance frameworks.
Learning Objectives. After attending this presentation, participants will understand:
- Concepts in artificial intelligence, blockchain, and cybersecurity
- Current trends in change management approaches
- Risks and benefits related to disruptive technology
9:30 – 9:45 – Break
9:45 – 11:30 – Joseph Kirkpatrick – Managing Risk in Healthcare through HIPAA and HITRUST
Part One: Why is Healthcare Prone to Breaches?
OCR “Wall of Shame”
Part Two: Risk Management Best Practices
- Why should you care about risk management?
- Planning, using, and conducting a risk analysis
Part Three: Lessons Learned from Information Security Frameworks and Standards
- What is HIPAA – Sets a national standard for the protection of consumers’ PHI and ePHI by mandating risk management best practices and physical, administrative, and technical safeguards
- What is the HITRUST CSF – A certifiable security framework that incorporates and leverages existing security requirements, including requirements of federal, state, third party, and other government agencies
Part Four: Risk Management Best Practices Continued
- Case studies
- Reducing risks through strong controls
- Cloud environment risk
11:30 – 1:00 – Lunch
1:00 – 2:30 – Patrick Lynch – Varonis – GDPR, CCPA, SC Law (see below)
Going into effect January 1st, 2020, the California Consumer Privacy Act promises to make a big splash among state data privacy laws nationwide. In the wake of major data breaches from Equifax to Yahoo, the CCPA is the farthest-reaching effort yet by any state to tighten data security standards and obligations for data processors, and the first in the US to be modelled on the European Union’s General Data Protection Regulation (GDPR). The CCPA won’t just affect California businesses, though: anyone who processes data from citizens of the Golden State will need to demonstrate that they can keep consumer data safe. During this talk, we’ll dive into the CCPA and its precedents like GDPR, focusing on the risks and obligations associated with unstructured data, and what steps an organization should take to protect data from the inside out.
2:30 – 2:45 – Break
2:45 – 4:00 – Dr. Michael Owens, BISO at Equifax
Thursday Sept 5th – Cybersecurity Day
8:15 – 9:15 – Ian Sterrett – Project Risk Reviews
Major projects occur regularly in today’s organizations. Whether the project is an implementation of a new system, a product release, or a new process, it is the job of audit and risk professionals to help understand and assess the project’s risks and controls for the organization. This can be done by executing a project risk review, which provides the organization with an objective assessment of the project processes and outputs in near real-time. During this presentation we’ll discuss the intended benefits of project risk reviews, how to get involved earlier in the process, common risks and issues associated with large projects, activities to perform, and lessons learned. This will be an interactive session that asks the audience to share their experiences with project risk reviews.
9:15 – 9:30 – Break
9:30 – 11:30 – Kimberly Bailey – Identity and Access Management 101
This session introduces the core Identity and Access Management (IAM) technologies and illustrates how they address security challenges and enhance the user experience. Topics include identity lifecycle management, access management, single sign-on, and multi-factor authentication systems and processes.
11:30 – 1:00 – Lunch
1:00 – 2:30 – Dr. Katina Blue - Auditing Network Security
A network security audit helps determine how effectively network security controls resolve underlying network security issues. It is part of an overall information systems audit framework that also includes application software audits, operating system audits, and business audits. Dr. Blue will lead a high-level discussion of the protocols and procedures she recently went through in such a rigorous audit.
2:30 – 2:45 – Break
2:45 – 4:00 – Rob Valdez – Keynote Closing
Roberto Valdez, CISA, CISM, CPA, Manager, Kaufman Rossin
Roberto Valdez, CISA, CISM, CPA is a Manager with Kaufman Rossin’s Risk Advisory Services. Rob’s engagements balance business needs with the requirements of compliance frameworks such as SOC 1, 2, and 3, HIPAA, SOX, FINRA, and FFIEC. In addition, he spearheads PhishNet by Kaufman Rossin, a security education, training, and awareness program delivered through simulated phishing attacks.
President of ISACA South Florida, Rob is a motivated advocate for building trust in technology through community development and education. He is an adjunct professor with Florida Atlantic University, an industry advisor to University of Miami’s College of Engineering, and he has been featured in the Wall Street Journal, TechRepublic, Healthcare Business, and other publications.
Kimberly A. Bailey, Senior Security Program Manager, Clorox
Kimberly A. Bailey is Senior Security Program Manager at The Clorox Company in Durham, NC. She currently drives delivery of the corporate cybersecurity strategic plan, which implements new technology that mitigates risks for the company’s global IT applications and infrastructure. Kimberly has more than 20 years of experience translating corporate business needs into comprehensive strategies, road maps, and implementation plans. She has numerous accomplishments in full lifecycle architecture design, development, testing, and launch of new and next-generation products, platforms, and solutions for IT.
Patrick Lynch, Solution Architect, Varonis
Patrick Lynch has spent the past ten years helping businesses deal with ever-increasing amounts of data – from digital transformation to business process to data protection. As a Solution Architect with Varonis, Patrick educates and advises customers on how to address security and compliance challenges around unstructured data.
Ian Sterrett, IT Audit Manager, Duke University Health System
Ian Sterrett is the Health System IT Audit Manager for Duke University Health System (DUHS). He is responsible for leading audits that focus on governance, security and other high-risk areas throughout the health system. Ian has over 12 years of experience providing IT audit and advisory services as both an internal and external auditor. Prior to joining Duke, Ian was Senior Manager of IT Internal Audit at Luxottica, where he was responsible for managing IT audit projects that covered topics such as mobile device management, disaster recovery, and PCI compliance. His other previous employers include KPMG and Ernst & Young, where he focused on SOX and SOC engagements.
Ian holds a Bachelor of Business Administration in Information Systems from The College of William and Mary. He is a Certified Information Systems Auditor (CISA) and a certified Project Management Professional (PMP). He has previously presented conference sessions and webinars for the Association of Healthcare Internal Auditors (AHIA) and the Association of College and University Auditors (ACUA).
Dr. Michael Owens, BISO, Equifax
Dr. Michael Owens is the Interim Vice President of Information Security and Business Information Security Officer for U.S. Information Solutions with Equifax. He serves as part of the Global Security Leadership team and the USIS Senior Leadership Team, responsible for leading security consulting teams in support of business drivers; providing guidance and support to reduce insecure business practices; reviewing and deciding on policy exceptions, tool and technology implementations, and vulnerabilities; and maintaining oversight of the overall security program and initiatives.
Before joining Equifax, Michael worked for Ernst & Young, Cisco Systems, and Fidelity Investments, and has provided security consultation services through his own firm for Delta Air Lines, Cox Communications, and The Coca-Cola Company. Michael is a US Marine Corps veteran, trained in military communications and network systems as well as counter-terrorism, and is well recognized in the security industry. He was most recently selected as one of the 16 international security professionals featured to speak at the Global Cybersecurity Summit in Kiev, Ukraine.
Michael has extensive experience in strategic consulting, cybersecurity, cyberwarfare, technology, and cyber policy creation and legislation. He is the founder of the U.S. Global Center for Cyber Policy and serves on various boards and committees, including an appointment to the State Advisory Board of the U.S. Global Leadership Coalition. In 2018, Dr. Owens received his Certificate of Leader Development in National Security and Strategy as part of the United States Army War College’s 64th National Security Program, where he focused on the role of cybersecurity in protecting private sector, military, and government networks. Michael’s academic background includes a BS in Computer & Electronic Technology from NC A&T State University, a master’s degree from the Business School at Georgia Institute of Technology, and a Doctorate of Business Administration from CalUniversity. Michael was also selected into and attended the first-ever Emerging Leaders Program class at Harvard University’s Kennedy School of Government. His post-doctorate studies include work in International Security and Government at Harvard University.
Joseph Kirkpatrick, Founder and President, KirkpatrickPrice
As Founder and President of KirkpatrickPrice, Joseph Kirkpatrick has spent over a decade developing the firm’s trailblazing initiatives in information security audit delivery and ethical hacking. Under his leadership, KirkpatrickPrice has delivered thousands of audit reports and information security engagements to clients of all sizes worldwide. Joseph enjoys educating, empowering, and inspiring clients by navigating them through the complex maze of compliance and regulatory requirements. Joseph is a CPA with over 25 years of experience in information technology. He holds CISSP, CISA, CGEIT, CRISC, and QSA certifications, specializing in data security, cybersecurity, IT governance, and regulatory compliance. Look out for Joseph at industry conferences and learn from his expertise in KirkpatrickPrice’s webinars, videos, and blog.