News

• Association
• Events
• Surveys
• Press Room
• Award Honorees
• E-News

E-News Archive

• 2010-3-11
• 2010-2-18
• 2010-2-4
• 2010-1-21
• 2010-1-4
• 2009-12-21
• 2009-12-17
• 2009-12-03
• 2009-11-19
• 2009-11-05
• 2009-10-22
• 2009-10-01
• 2009-09-24
• 2009-09-17
• 2009-09-10
• 2009-09-03
• 2009-08-27
• 2009-08-13
• 2009-08-06
• 2009-07-30
• 2009-07-23
• 2009-07-16
• 2009-07-02
• 2009-06-25
• 2009-06-11
• 2009-06-04
• 2009-05-28
• 2009-05-14
• 2009-05-07
• 2009-04-30
• 2009-04-16
• 2009-04-09
• 2009-04-02
• 2009-03-26
• 2009-03-12
• 2009-03-03
• 2009-02-26
• 2009-02-12
• 2009-01-29
• 2009-01-15
• Previous E-News Issues

ISSA E-News: September 3, 2009

In this Issue

1. September ISSA Journal Now Online
2. Elasticity: Will your organization bend or break?
3. Call for Journal Articles - Information Security in the Popular Press and Online News
4. Celebrating 25 Years
5. Security Stars Shine for our Silver Anniversary
6. Educating Information Security Professionals for the Next Decade
7. ASIS 2009: September 21 - 24, 2009, Anaheim, CA
8. Industry On-Demand Webcasts
9. ISSA Events
10. Industry Events

Sponsors

GuardianEdge: The Leader in Endpoint Data Protection www.guardianedge.com

Introducing the World's Only FIPS 140-2 Level 3 USB Flash Drive, with AES 256-bit Hardware Encryption

September ISSA Journal Now Online

The theme of the September ISSA Journal is "Risk Management - Risk Analysis".

• Elasticity: Will your organization bend or break?
• Risk Management in the Web 2.0 Environment
• Beyond the Perimeter
• The Future of Security Standards and Laws
• How to Succeed with IT Security Using SCAP
• Dysfunction Junction: Do standards function?
• The $LogFile and Device Alteration: An experiment
• Managing the Risk of Public Information Systems

CLICK HERE to read one or all of the September articles online today - two to three weeks before it arrives in your mailbox. Download the PDF to your smart phone, and take it with you to the airport or your child's sporting event.

CLICK HERE to download the entire September issue now.

Elasticity: Will your organization bend or break?

By Benjamin Tomhave - ISSA member, Phoenix, USA Chapter

Abstract:

Enterprises often jump into risk assessment and mitigation (treatment) with both feet, but to what end? Just because an enterprise assesses and mitigates "risk": does not mean that a risk-tolerant program in place. Bad data, poor communication, excessive reliance on technology, and bias all impact how elastic the enterprise will be when faced with pressure from increasing risks.

There seems to be a common misconception in risk management these days. In particular, there seems to be a lot of focus on the assessment and treatment of risk, but on what basis? That is, how can organizations effectively manage their risk exposure without first defining what risk means in their context and understanding their tolerance for risk.

This concept of tolerance has been gaining some headway in the last couple years. You might have heard about it, but possibly by a different name, such as survivability or resiliency. Whatever you call it, the same fundamental principles apply:

• How do you define risk in your context?
• What levels of risk are palatable in your context?
• What prioritization approach is optimal in your context?

Risk management itself can be problematic for organizations, even just as a concept. Looking into the space, most of the focus has historically been on financial and business risk management (notice how well that worked out for Wall Street). It seems that the basic concepts are similar and sound, but there are some very complex definitional challenges that can make or break your own practices (not the least of which being gathering and using quality data).

In the context of this article, we are talking about information risk management. As a sub–field within risk management, information risk management is relatively young and under–developed. As luck would have it, there are a few efforts in play that can be leveraged to help address some of these foundational concerns, such as the NIST Risk Management Framework the COSO Enterprise Risk Management Framework, and the EDUCAUSE/Internet2 Framework. ISO 27005 also lays claim to "risk management" guidance, but we will exclude that here for the sake of clarity.

What most frameworks share in common is an approach where you first model the risk management program, then perform an assessment, remediate ("treat"), and finally analyze the results to evaluate the effectiveness of your controls (essentially gap analysis between expected and actual results from the implemented controls).

Of particular interest here, however, is the tendency for most risk management programs to skip the first and last steps in that process. If you perform an Internet search, you will see many examples of risk assessment methodologies, but the search results pertaining to formal, complete risk management programs are sparse. Look at a variety of professional services firms and the services they offer. What you will find is a strong tendency toward assessment and remediation without first putting risk into a properly customized context. Case-in-point, consider a penetration testing report received from a consultant that assigns "risk" ratings (minimally High, Medium, and Low) to each finding. How does this consultant know what is or is not a "high" risk in your context? Did they define it in a way that was specific to your environment? More often than not, the risk level is based on generalizations and has no basis in your organization.

To continue reading this and other articles featured in the September ISSA Journal CLICK HERE.

Call for Journal Articles – Information Security in the Popular Press and Online News

Our work in information security is influenced by how we and our work are depicted in the popular press and online news. Legislators and their staffs, the president and his administration, our own management and users, and the security products and services industry are influenced by what they hear and read. The press certainly influenced some of the content of computer crime laws, GLBA, HIPAA, and privacy legislation. We also must pay attention to the popular press to know what to expect from our enemies and stakeholders. When we go in to work each morning, we face the people we serve who may have a different slant on security by what they read or heard the previous night.

Can you tell us any of your experiences with journalists and provide guidance on how we should respond to their queries? How much should we reveal to the public through journalists about our security and victimizations knowing the enemy is listening. Many of our employers have public affairs departments. Do you consult with them or get their approval? Are you required to adhere to organization policies in talking to news gatherers? How and to what extent should we seek publicity and about what? What are the dangers and benefits? We are all waiting to hear from you.

CLICK HERE to submit your articles to the Editor. Deadline for submissions: September 11.

Celebrating 25 Years

A quarter of a century ago Sandra Lambert and Nancy Woolsey brought together 25 colleagues at Pacific Security Bank in Los Angeles and launched the Information Systems Security Association. The goal was to bring together those working in the emerging field of information security to discuss issues and share solutions. From that first gathering, ISSA has grown to 141 chapters with nearly 10,000 members in 70 countries worldwide.

On Sunday, September 20, we will pay tribute to our California roots and celebrate our collective achievements and the evolution of our profession during the Anniversary Gala in Anaheim, California. Two information security visionaries – Mischel Kwon and Martin Roesch – will highlight the growth of our field and their views on the next generation of security. The gala is free for ISSA members. Non-members and guests are welcome, tickets are $75. Attire is black tie optional. CLICK HERE to RSVP.

Several new initiatives - including ISSA Connect, our online collaboration and networking community - will be inaugurated in honor of the 25th anniversary. Members who are not able to travel to Anaheim will have the opportunity to celebrate and learn more about these initiatives via a webcast.

For questions or additional information, please contact Dana Paulino, 1 866 349 5818 (toll-free within the US), +206 388 4584 (international), extension 103.

Security Stars Shine for our Silver Anniversary

Thank you to all of you who submitted your security star moments in honor of our 25th Anniversary Celebration. Leading up to our Silver Anniversary Gala, we will feature several of our Stars like Ann Garrett, Raleigh Chapter of ISSA.

Ann Garrett, Raleigh Chapter of ISSA

"In November 2004, I was the recipient of the first Information Security Executive of the Year 2004 National Award sponsored by the Executive Alliance, at the CSI annual conference. It was an honor to be nominated and a wonderful surprise to win. North Carolina made a commitment to improving information security. With limited budget and resources we were able to work smart and implement an ambitious plan. We proved that an ant really can move the rubber tree plant."

Visit the website for a glimpse of your colleagues' proudest career accomplishments. Although the contest has ended, we would love to add your star moment to our galaxy on the website, CLICK HERE.

Educating Information Security Professionals for the Next Decade

September 29, 2009 – ISSA Web Conference

Join your peers as they listen to industry leaders:

• Denise Hucke – Director, Risk Management and Information Security, Merck Inc.
• Chrys Pistillo, M. Ed – Dean of Student Affairs, University of Advancing Technology (UAT)
• Stefano Zanero – CTO and Founder, Secure Network S.r.l.

ISSA International web conferences offer education on today's most important issues. ISSA Members will be eligible for a certificate of attendance, after successful completion of a post event quiz, to submit CPE credits for various certifications.

CLICK HERE to register now for this upcoming event.

ASIS 2009: September 21 – 24, 2009, Anaheim, CA

The ASIS International 55th Annual Seminar and Exhibits is the most comprehensive education and networking event in the security industry - and the leading show dedicated to security. This year ASIS International is partnering with ISSA to offer a track of information security sessions as part of the ASIS 2009 program. To learn more about these 30 high-quality sessions, CLICK HERE.

Discount to ISSA Members: Receive ASIS member pricing. CLICK HERE to register.
(The ISSA branded registration form ensures you receive member pricing before you submit payment.)

See hundreds of leading-edge technologies, products, and services at the ASIS Expo.
FREE Expo Pass registration, CLICK HERE

Industry On-Demand Webcasts

Role Based Access Governance

August 14, 2009
Sponsored by: Aveksa

CLICK HERE to register and begin viewing on-demand. 

Best Practices in Securing the Mobile Workforce

August 13, 2009
Sponsored by: SonicWALL

CLICK HERE to register and begin viewing on-demand.

ISSA Events

Have an event to post? Let us know!

ISSA 25th Anniversary Celebration

ISSA International

• Sunday, September 20, 2009
• 4:30 p.m. US Pacific Time
• Anaheim, CA, USA

For event details CLICK HERE

For event registration CLICK HERE

The 2009 Verizon Data Breach Investigations Report

NY Metro Chapter of ISSA

• September 24, 2009
• 4:00 p.m. – 7:30 p.m.
• Bank of NY Mellon, 101 Barclay Street
• New York, NY, USA

Cost: Free for members. Non-members $35

For event details and registration CLICK HERE

NAC Deployment on Speed: How (Not) To Do NAC In The NOC

Raleigh Chapter of ISSA

• Thursday, October 1, 2009
• NCSU McKimmon Center
• Raleigh, NC, USA

Cost: Guests are $10; Members: Free

For event details and registration CLICK HERE

7th Annual ISSA Louisville Metro InfoSec Conference

Kentuckiana Chapter of ISSA

• Thursday, October 8, 2009
• 7:30 a.m. – 5:00 p.m.
• Churchill Downs
• Louisville, Kentucky, USA

Cost: $99
Discount to ISSA Members: Save $20 (Cost = $79)

For event details and registration CLICK HERE

Cornerstones of Trust 2009 Conference
"Meeting Security Challenges in Changing Times"

San Francisco Bay Chapter of ISSA
Silicon Valley Chapter of ISSA

• Wednesday, October 14, 2009
• The Crowne Plaza Hotel
• Foster City, CA, USA

Cost: $60 Members, $90 Associate Members, $120 Non-Members if you register on-line, an extra $10 at the door.

For event details and sponsorship opportunities CLICK HERE

ISSA Hawaii 16th Annual Discover Security Conference

Hawaii Chapter of ISSA

• October 14 – 15, 2009
• 8:00 a.m. – 5:30 p.m., registration begins at 7:15am
• Halekoa Hotel, 2055 Kalia Road, Honolulu, HI

Cost: $70
Discount to ISSA Members: $35, must be a current ISSA Member at time of registration

For event details and registrations CLICK HERE

2009 Triangle InfoSeCon

Raleigh Chapter of ISSA

• Thursday, October 15, 2009
• 7:30 a.m. – 4:30 p.m.
• North Carolina St Univ, McKimmon Conference Center
• Raleigh, NC, USA

Cost: ISSA Members - $30.00; Standard Registration - $85.00

For event registration CLICK HERE

Check us out...Reserve your sponsorship slot or register now!

Application Security

St. Louis Chapter of ISSA

• Tuesday, October 20, 2009
• Pujols 5 Restaurant
• 342 Westport Plaza
• St. Louis, MO, USA

Cost: Free to ISSA Members and Guests

For event details and registration CLICK HERE

4th Annual Security Summit

Rochester (NY) Chapter of ISSA

• October 28 – 29, 2009
• Woodcliff Hotel and Spa Conference Center
• Fairport, NY, USA

Cost: $120
Discount to ISSA Members: 10%, Early bird discounts also available.

For details and registration CLICK HERE

The 24th Annual 2009 ISSA SoCal Security Symposium

Orange County Chapter of ISSA

• Thursday, October 29, 2009
• Hyatt Regency Long Beach
• Long Beach, CA, USA

Cost: ISSA Members – $75
Non-members – $95

For event details and registration CLICK HERE

Magnify Your Security – GA ISSA Annual Meeting

Metro Atlanta Chapter of ISSA

• Wednesday, November 11, 2009
• Loudermilk Convention Center
• Atlanta, GA, USA

Cost: ISSA Members - $65.00, Student ISSA Members - $59.00, Non-ISSA Members - $100.00, Student Non-ISSA Members - $75.00
Discount Code: 2009earlybirdspecialmember

For event details CLICK HERE

For event registration CLICK HERE

ISSA CISO Executive Forum

*CISO Forum dates and locations are subject to change.

Anaheim, CA	September 19 - 20, 2009 Theme: Cyber Crime
Las Vegas, NV	November 12 - 13, 2009 Theme: Looking forward; What the CISO Will Need to Know in The Next Decade

For details on the CISO Forum please visit http://ciso.issa.org.

*CISO Executive Memberships are subject to approval. Applicants and guests must be executive level information security professionals; reporting directly to the CEO, CFO, CIO, and be responsible for internal security for their organization. Complete membership criteria is available at: http://ciso.issa.org/Membership/Membership-Criteria.html

Industry Events

Zscaler IDC Webcast

Learn from Gartner's Peter Firstbrook about the challenges and benefits of SaaS Web Security. Then hear a firsthand account from a health care customer who found a Data Leakage issue right after turning on the service. Finally Michael Sutton VP of Research at Zscaler explains why AV signatures are not sufficient and what is needed to protect yourself in a Web 2.0 world.

Cost: Free

CLICK HERE to register and begin viewing

McAfee's FOCUS 09 Security Conference

• October 6 – 9, 2009
• The Venetian and The Palazzo Congress Center
• Las Vegas, NV, USA

For event details and registration CLICK HERE

Hacker Halted USA 2009

• September 20 – 25, 2009
• Hilton Miami Downtown
• Miami, FL, USA

Cost: $899
Discount Code: HH-SP-ISSA

For event details and registration CLICK HERE

SECUREWORLD EXPO

September 16 – 17, 2009

• Bay Area SecureWorld
• Santa Clara, CA, USA

September 29 - 30, 2009

• Detroit SecureWorld
• Detroit, MI, USA

October 28 - 29, 2009

• Seattle SecureWorld
• Seattle, WA, USA

November 4 - 5, 2009

• Dallas SecureWorld
• Dallas, TX, USA

ISSA MEMBERS are offered a $100 discount off the $245 conference pass which includes access to the Conference Sessions, Conference Breakfast Keynote, Exhibits & Open Sessions (Includes Lunch) and 12 CPE credits. Register on-line using code ISSNWS9.

SecureWorld+  Extended Training 2009 includes 4+ hours of intense training worth 16 CPE credits and full access to the complete SecureWorld conference program. SecureWorld+ Pass is only $495 with special ISSA member discount, register using code ISSNWS9.

For event details and registration CLICK HERE

Technical Management Program

• September 13 – 18, 2009
• UCLA Covel Commons

Cost: $3,295
Discount to ISSA Members: 15%

For details and registration CLICK HERE

ASIS International 55th Annual Seminar & Exhibits

• September 21 – 24, 2009
• Anaheim, CA, USA

Discount to ISSA Members: Receive the ASIS member price
For ISSA Member discount registration CLICK HERE

ASIS Keynotes/General Sessions Overview CLICK HERE
Download Complete Seminar Overview (pdf) CLICK HERE

Securecon

• October 4 – 7, 2009
• JW Marriott Hotel
• Dubai, UAE

Cost: US$ 2,599.00
Discount to ISSA Members: US$ 1,899.00
Discount Code: A1029ISSA

For event details and registration CLICK HERE

SC World Congress

• October 13 – 14, 2009
• Sheraton New York Hotel & Towers
• New York, NY, USA

Discount to ISSA Members: $200 off the prevailing rate at time of registration (2 day conference pass only) and/or free exhibits admission
Discount Code: ISSA

For event details and registration CLICK HERE

OWASP AppSecDC

National Capital Chapter of ISSA

• November 10 – 13, 2009
• Walter E. Washington Convention Center
• Washington, D.C., USA

Cost: $345 until September 25th, then $395
Discount to ISSA Members: $50
Discount Code: ISSA09

For event details CLICK HERE
For event registration CLICK HERE

DeepSec In–Depth Security Conference (IDSC)

• November 17 – 20, 2009
• The Imperial Riding School Vienna - A Renaissance Hotel
• Ungargasse 60, Vienna 1030
• Vienna, Austria

Cost: Conference Early Bird Booking (L)595, Regular Booking (L)645, On-Site Registration (November 19-20) (L)695; workshops Early Bird Booking (L)1295, Regular Booking (L)1495, On-Site Registration (November 17) (L)1695; package conference + workshops Early Bird Booking (L)1595, Regular Booking (L)1795, On-Site Registration (November 17) (L)1995
Discount to ISSA Members: 20%
Discount Code: issa-Xieph9

For event details and registration CLICK HERE

International Conference on Cloud Computing and Virtualization 2009

• November 25 – 26, 2009
• Suntec International Convention and Exhibition Centre
• Singapore

Cost: S$1499 (Regular Fee) and S$1299 (Early Bird Fee)
Discount to ISSA Members: 10%
Discount Code: ISSA

For event details and registration CLICK HERE
Or contact Gynn Ho at: + 65 6327 0166, or by Email

GTRA Council Meeting (Including NEW DefenseGOV Program)

• December 6 – 8, 2009
• Bedford Springs, PA, USA

Cost: Government ISSA Members receive special $599 rate
Discount Code: ISSA599

For event details and registration CLICK HERE

American Conference Institute 9th National Symposium on Privacy & Security of Consumer & Employee Information

• January 27 – 28, 2010
• Washington, D.C., USA

Cost: TBD
Discount to ISSA Members: $200 discount
Discount Code: "ISSA"

RSA Conference USA 2010

• March 1 – 5, 2010
• Moscone Center
• San Francisco, CA, USA

Cost: $1,495 – $2,195
Discount to ISSA Members: $150
Discount Code: CLICK HERE to request

For event details and registration CLICK HERE

CeBIT Security World

• March 2 – 6, 2010
• Hannover, Germany

Discount to ISSA Members: Discounts vary according to exhibitors' stand selection (i.e. row/corner booth, raw space/turnkey exhibit package). Hannover Fairs offers a "Newcomer special" for companies that have not exhibited at CeBIT in 2009 - this discount is also available for ISSA members. For 2010, we have reduced our pricing to (starting from) (Euro) 244.00/sqm + (Euro) 300 processing fee (excluding 19% reclaimable German VAT), with no additional fees. (Fee provided above in Euros, since the US Dollar exchange rate is subject to change)

For event details and registration CLICK HERE