
2008 Conference Agenda

We live in a world where each day new and changing threats present risks to the people, processes, systems, and data we are here to protect.

Secure360° has selected a world class slate of speakers to keep executives, managers, and practitioners apprised of the “Evolving Threats, Practical Solutions” in the security world. This year we have six tracks: Business Continuity Planning, Data Privacy, Security I, Security II, Security III, and IT Governance. Please review our conference agenda as you make plans to attend.

Conference Agenda Overview - PDF

2008 Keynote Speakers

May 13th, 2008

We are pleased to announce David Lynas will also be a keynote speaker for this year’s Secure360° conference.

David Lynas is currently enjoying his twenty-fourth year of experience in Information Security, during which he has been invited to provide strategic advice to governments and industry clients on every continent.


May 14th, 2008

We are delighted to announce a Secure360° conference keynote presentation by:

John Fruetel
Assistant Chief of Operations
Minneapolis Fire Department

Rocco Forté
Director of Emergency Preparedness
City of Minneapolis

Minneapolis Responds: On August 1, 2007 at 6:00 PM, the unthinkable happened in downtown Minneapolis. A major 8-lane interstate bridge over the Mississippi River suddenly collapsed during rush hour. There were 190 people and over 100 vehicles on the bridge when it fell into the river. In a matter of a few seconds, thirteen people lost their lives and over 100 more were injured. The disaster captured the attention of international media and reporters from around the world were on-site within 24 hours. The response by local fire, EMS and law enforcement agencies has been described as a model of effectiveness by many inside and outside of government.

Mr. Forté and Assistant Chief Fruetel will provide an overview of the response to the I-35W Bridge Collapse, and the multi-faceted response by local, state and federal agencies. The presentation will include:

  • Response
  • National Incident Management System (NIMS)
  • Emergency Operations Center (EOC)
  • Planning, Equipment and Training Prior to August 1, 2007
  • Importance of Relationships and Communications
  • After Action Lessons Learned



2008 Featured Speakers

Dave Abramowitz
TrendMicro Emerging Threat Specialist
Room 5, Session: SecII-2

Evolution or Revolution:
Achieving Better Enterprise Security From Cyber-Threats

David has worked in the security industry for over 10 years, beginning as a sales engineer, and presently as an Emerging Technologies Specialist for the North American Business Unit at Trend Micro. He currently focuses on hot topics such as data leak prevention, HIPS, and hosted “in-the-cloud” solutions and services. Prior to joining Trend Micro, David worked at Imperva, known for securing databases and web applications against attacks such as SQL injection, cross-site scripting, and other data theft and data destruction attacks.


Chris Andrews
Computer Forensic Specialist, Kroll Ontrack
Room 5, Session: SecII-10

Anti-Forensics Implications in the Security Environment

Anti-forensics can take on multiple meanings in varying fields. It is especially important to be aware of its implications in the security environment. This session will discuss: common methods of hiding data, falsifying timelines, ways in which users can pretend to be someone they are not, common methods for destroying information, modi operandi and ways to prove intent, and the most common signs of anti-forensic tools you may come across when conducting security investigations.

Christopher Andrews is a computer forensics specialist for Kroll Ontrack. He conducts computer forensic analysis, acquires and preserves computer media and performs data recovery on electronic media. In addition, he conducts investigations involving the analysis of electronic media for litigation and is often called upon to provide expert testimony. Mr. Andrews has over 10 years law enforcement experience in digital crimes investigations and was a Special Agent with the Northern California Computer Crimes Task Force.


Bret Arsenault
General Manager, US National Security Team
Room 5, Session: SecII-6

Optimizing and Securing your Core Infrastructure

To meet evolving business needs, your IT infrastructure must continuously adapt to support new applications and capabilities. As your systems become more sophisticated, management costs and security risks can increase and affect your ability to maintain service levels. Join us to find out how you can optimize and better secure your core infrastructure with integrated management and security solutions that reduce system complexity to help control costs, improve service levels, and increase business agility.

Bret Arsenault is Microsoft’s U.S. GM/Chief Security Advisor (CSA) leading the U.S. National Security Team. The team executes a cross-business-group and cross-audience strategy that is summed up by three simple tenets: protect the consumer, secure the enterprise (both Microsoft and other platforms), and enable developers to write secure applications. As CSA, he is responsible for all of Microsoft’s customer-facing Security activities in the U.S. including understanding the Security challenges customers face, articulating Microsoft’s direction in Security and product roadmaps, and managing Security events throughout the U.S.


Sean Barry
Data Recovery Engineer, Kroll Ontrack
Room 4, Session: SecI-8

The Challenges with Encryption

Data encryption is one way to achieve data security and is one of the most critical IT topics discussed today. With many encryption schemes available and the challenges associated with implementation, a solid plan is crucial for deploying data protection while minimizing other IT risks. For example, how does one maintain IT service quality when an encrypted drive fails? How does one plan and prepare for data loss when the information is encrypted? These are important issues to consider when formulating an encryption plan, yet they are often overlooked by companies developing policies. This presentation focuses on the challenges with encryption and data loss and key factors security teams should consider when creating an encryption plan.

Sean Barry joined Ontrack Data Recovery in 1997 and moved to the Remote Data Recovery team just as Ontrack was launching the patented Remote Data Recovery service. He then relocated to the Epsom, Surrey, United Kingdom office to establish the Remote Data Recovery Service for the UK and France regions. After 3 years in the UK, Sean returned to Kroll Ontrack's headquarters in Minnesota to focus on providing the highest-quality data recovery solutions for computer data disasters. Sean is currently a senior data recovery engineer and training coordinator.


Rohyt Belani
Managing Partner, Intrepidus Group
Room 5, Session: SecII-7

Spear Phishing: Real Cases, Real Numbers

This presentation will discuss the evolution of phishing from being a means of stealing user identities to becoming a mainstay of organized crime. Today, phishing is a key component in a hacker's repertoire. It has been used to hijack online brokerage accounts to aid pump 'n dump stock scams, and as a means of creating covert channels from compromised user machines to the Internet. During this session, Mr. Belani will present the techniques used by attackers to execute such attacks, along with real-world cases that he has responded to, which serve to provide perspective on the impact. He will conclude by discussing countermeasures recommended by respected bodies, such as SANS and Carnegie Mellon University, and how they can be implemented in your organization.

Rohyt Belani is a Managing Partner with the Intrepidus Group.


Jason Bergerson
Computer Forensic Specialist, Kroll Ontrack
Room 5, Session: SecII-10


Christopher Buse
Chief Information Security Officer, Office of Enterprise Technology, State of Minnesota
Room 7, Session: ITG-3

Building An Enterprise Security Program

This presentation will describe the process and challenges faced by the State of Minnesota as it attempts to build an enterprise-wide security program.

Christopher Buse is the Chief Information Security Officer for the State of Minnesota. In this capacity, he is responsible for designing and implementing the enterprise security architecture for state government. Before accepting this position, Christopher served as the Manager of Information Technology Audits for the Minnesota Office of the Legislative Auditor. During his 19 years as an auditor, Christopher planned and oversaw information technology audit work done on large government computer systems. Christopher Buse graduated from St. Cloud State University in 1986 with a Bachelor of Science degree in Accounting.


Tim Butler
St. Paul Fire Chief
Room 6, Session: SecIII-10

Crisis Communication and Emerging Technology

BOMA Panel

Tim Butler is a St. Paul Fire Chief.


I-Sung Chao
Architect, Midwave Corporation
Room 6, Session: SecIII-4

The Federation Implementation at BCBS of Minnesota

Joint presentation with Steve Jensen

I-Sung has led successful client engagements on federated identity and SOA security and consequently positioned Midwave as a preferred partner in front of major technology vendors and clients. She scopes projects, writes statements of work, and regularly represents Midwave as a speaker at conferences. Prior to Midwave, as Chief Framework Architect for SUPERVALU, I-Sung led the architecture, design and implementation of directory services, web access management and firewall perimeter design for the first Supervalu e-business portal. I-Sung has over 18 years of experience with Internet and Web security, with the past few years focusing on Identity and Access Management.


Anton Chuvakin
Chief Logging Evangelist, LogLogic, Inc
Room 5, Session: SecII-9

Application Logging 'Worst Practices'

This presentation will cover “worst practices” in application logging that can make systems, networks and security-specific logs absolutely useless for security and IT operations. The audience will learn a wide range of common, yet disastrous, practices and approaches related to application logging, proven to fail by your peers and guaranteed to never work (but still in wide use!). Examples include not logging when needed, logs with key information missing, and logs that are ambiguous.

Dr Anton Chuvakin, GCIH, GCFA (http://www.chuvakin.org) is a recognized security expert and author. In his current role as a Chief Logging Evangelist with LogLogic, a log management and intelligence company, he is involved with projecting LogLogic's product vision and strategy to the outside world, conducting logging research as well as influencing company vision and roadmap. A frequent conference speaker, he also represents the company at various security meetings and standards organizations. He authored the book, "Security Warrior" and was a contributor to "Know Your Enemy II", "Information Security Management Handbook", "Hacker's Challenge 3", "PCI Compliance" and the upcoming book on logs.


Jay Cline
President, Minnesota Privacy Consultants
Room 3, Session: DP-3

Project Plan for Data Inventorying and Mapping

Whether your responsibility is data security, data privacy, or records retention, you need to know and report where the data is. This presentation will walk through the steps of a data-inventorying project plan and provide alternative ways to display data flows.

Jay Cline is President of Minnesota Privacy Consultants, a provider of global privacy compliance services. He is also past privacy officer of Carlson Companies, and has been Computerworld's privacy columnist since 2002.


Claude "Chip" Council
PhD, CGEIT, CISM, CISA Adjunct Professor, Carlson School of Management, University of MN
Room 7, Session: ITG-4

Leveraging IT Governance and COBIT: Part 1

This is the first of a two-part presentation. Part 2, ITG-5, is offered at 3:40 PM.

Chip Council teaches in the Department of Information and Decision Sciences, at the Carlson School of Management, University of Minnesota. IT Governance and IT Audit are some of the classes he teaches at both the graduate and undergraduate level. He is also a systems engineer in Information Security at a large retail organization. He is a graduate of the University of South Florida, Nova Southeastern University, and an alumnus of the Healthcare Informatics and Telecommunications industries. IT Governance and COBIT were the focus of his doctoral dissertation.


Claude "Chip" Council
PhD, CGEIT, CISM, CISA Adjunct Professor, Carlson School of Management, University of MN
Room 7, Session: ITG-5

Leveraging IT Governance and COBIT: Part 2

This is the second of a two-part presentation. Part 1, ITG-4, is offered at 2:40 PM.

Chip Council teaches in the Department of Information and Decision Sciences, at the Carlson School of Management, University of Minnesota. IT Governance and IT Audit are some of the classes he teaches at both the graduate and undergraduate level. He is also a systems engineer in Information Security at a large retail organization. He is a graduate of the University of South Florida, Nova Southeastern University, and an alumnus of the Healthcare Informatics and Telecommunications industries. IT Governance and COBIT were the focus of his doctoral dissertation.


Steve Creason
Assistant Professor, Metropolitan State University
Room 3, Session: DP-10

Data Privacy Primer

This session will provide an introduction to the current laws that plague organizations.

Steve Creason is an Assistant Professor at Metropolitan State University in St. Paul, Minnesota.


Jenny Geisler
Principal Consultant
Room 7, Session: ITG-10

Governance and Ethics: An Overview

This session will provide an overview of the need and purpose of creating a governance structure. It will address the fundamental elements and process to create a governance structure that can help you maintain and sustain progress.

Jenny Geisler is a Principal Consultant with Aeritae Consulting Group, Ltd. She has over 17 years experience in IT with a focus on process, measurement, governance & control. She is ITIL certified as an IT Service Manager and is active with itSMF USA, participating on Governance & Finance committees, and is currently the Chair of the Ethics Review Board. Jenny has her MBA from the University of St. Thomas.


Seymour (Sy) Goodman
Professor, College of Computing & The Sam Nunn School of International Affairs
Room 5, Session: SecII-1

International Dimensions of Cyber Security

Seymour (Sy) Goodman is a professor at the College of Computing and the Sam Nunn School of International Affairs, Georgia Institute of Technology.


Rohit Gupta
Senior Director, Identity Management & Security products
Room 4, Session: SecI-2

Evolutions in Enterprise Needs for Identity & Access Management

This session will cover the trends and evolutions for enterprise needs in Identity & Access Management. In today’s economy, with internet-grade scale and access to enterprise content, clients look to stronger levels of access control, better ways to manage risk, and smarter techniques to model access/policy complexities using role management.

Rohit Gupta is Senior Director of Identity Management & Security Products for Oracle.


David Hager
Enterprise Security Advisor, Unisys
Room 2, Session: BCP-2

Preparing for the Impossible: Managing Business Risks in the Age of Terrorism

The tragic events of the past 6 years have taught us many hard lessons. However, the further we get from those tragic events, the less they affect the way we view and address our business risks. Today, the risks faced by business have not diminished. We need to be prepared and have a plan for addressing all risks, not just a few.

Mike Hager has over 30 years of experience in designing and managing business risk management programs. He is an expert in the areas of building information security architectures, disaster recovery, and business continuity. He was selected by "Computer World" magazine as one of their “Top 100 IT Leaders” and has acted as a member of the editorial advisory board for "CSO" magazine. Mike is the former CISO for OppenheimerFunds and the Coors Brewing Company. He is a survivor of the 9/11 terrorist attacks on the World Trade Center, and is currently an enterprise security advisor with Unisys helping others build viable, cost effective programs that reduce their business risks to an acceptable level.


Robert Hansen
CEO, SecTheory
Room 4, Session: SecI-1

Don't Hack Me! Building Secure Websites

Building a secure website is more than making sure you encrypt sensitive information or require a strong password. This session will provide a fast-paced drill down on: 1) some of the major threats facing websites today and 2) real world defenses and strategic fixes to some of the most prevalent attacks facing modern web applications.

Mr. Hansen has worked for Digital Island, Exodus Communications and Cable & Wireless in varying roles – from Sr. Security Architect to product managing many of the managed security services product lines. He also worked at eBay as a Sr. Global Product Manager of Trust and Safety, focusing on anti-phishing, anti-DHTML malware and anti-virus strategies. Later, he worked as a director of product management for Realtor.com. Robert previously sat on the technical advisory board of ClickForensics and currently contributes to the security strategy of several startup companies. Mr. Hansen authors content on Dark Reading and co-authored "XSS Exploits" by Syngress publishing.


Shon Harris
President of Logical Security
Room 4, Session: SecI-6

Attaining True Security: The 360 Model – Part 1

This is the first of a two-part presentation. Part 2, SecI-7, is offered at 11:10 AM.

Shon Harris, CISSP, MCSE, is the president of Logical Security, a security consultant, a former engineer in the Air Force's Information Warfare unit, an instructor and an author. She has authored two best selling CISSP books, was a contributing author to the book, “Hacker's Challenge,” and a co-author to the book, “Gray Hat Hacking.” Shon was recognized as one of the top 25 women in the Information Security field by Information Security magazine.


Shon Harris
President of Logical Security
Room 4, Session: SecI-7

Attaining True Security: The 360 Model – Part 2

This is the second of a two-part presentation. Part 1, SecI-6, is offered at 10:10 AM.

Shon Harris, CISSP, MCSE, is the president of Logical Security, a security consultant, a former engineer in the Air Force's Information Warfare unit, an instructor and an author. She has authored two best selling CISSP books, was a contributing author to the book, “Hacker's Challenge,” and a co-author to the book, “Gray Hat Hacking.” Shon was recognized as one of the top 25 women in the Information Security field by Information Security magazine.


Rebecca Herold
CIPP, CISSP, CISM, CISA, FLMI
Owner & Principal, Rebecca Herold & Associates, LLC
Room 3, Session: DP-1

Verifying Vendor Privacy & Security Programs

Outsourcing is becoming commonplace. When you entrust vendors with your institution's confidential data, you are placing all control of security measures for your organization's data completely into their hands. That trust cannot be blind. Many recent incidents have resulted from inadequate security & privacy practices within outsourced organizations handling another company's customer or employee data. Understanding the importance of managing the potential risks that can exist with these arrangements is important for protecting your business. You must hold your vendors to strict security & privacy standards. Learn how to take action to stay in charge of your own business data security & privacy to minimize your business risks.

Rebecca is an information privacy, security & compliance consultant, as well as author and instructor with her own company since 2004. Rebecca has over 18 years of privacy and information security experience, assisting organizations throughout the world. The information security and privacy program Rebecca created at Principal Financial Group, received the 1998 CSI Information Security Program of the Year Award. In 2007, Rebecca was named a Best Privacy Adviser in two of three categories by Computerworld magazine, and also named one of the "Top 59 Influencers in IT Security" by IT Security magazine. Rebecca is an MSIA professor, authoring her 11th book, and writes the Protecting Information multi-media security and awareness quarterly publication.


Rebecca Herold
CIPP, CISSP, CISM, CISA, FLMI
Owner & Principal, Rebecca Herold & Associates, LLC
Room 3, Session: DP-7

Anatomy of a Privacy Breach

Privacy breaches can have devastating impacts on organizations if they do not respond to them well. There are also at least 40 U.S. state-level breach-notification laws (including the District of Columbia) that organizations must understand and follow.

This presentation will discuss: 1) why there are more privacy breaches than ever before, 2) the many different types of breaches, 3) how to plan for and respond to a breach, and 4) what the update to SB 1386 (California's privacy breach notice law) means to businesses.

Rebecca is an information privacy, security & compliance consultant, as well as author and instructor with her own company since 2004. Rebecca has over 18 years of privacy and information security experience, assisting organizations throughout the world. The information security and privacy program Rebecca created at Principal Financial Group, received the 1998 CSI Information Security Program of the Year Award. In 2007, Rebecca was named a Best Privacy Adviser in two of three categories by Computerworld magazine, and one of the "Top 59 Influencers in IT Security" by IT Security magazine. Rebecca is an MSIA professor, authoring her 11th book, and writes the Protecting Information multi-media security and awareness quarterly publication.


Kuai Hinjosa
Room 6, Session: SecIII-3


Cathlene Hockert
State Business Continuity Coordinator, State of Minnesota
Room 2, Session: BCP-10

Pandemic Planning – Partners Working Together

This presentation will outline the “planning basics” that Minnesota state agencies have completed with Pandemic Planning and how government and private industry must partner together to have a more effective and efficient response to a sustained infectious disease outbreak, such as a pandemic. Items to be discussed include: what we have done so far, where we need to go, and areas where we can partner together to make it happen. Human capital issues will be discussed as well.

Cathlene Hockert received her Bachelor of Arts degree from the University of Minnesota, Morris and Masters of Public Health from the School of Health Management, and Osteopathic Medicine, Kirksville, Missouri. Cathlene has over 15 years experience in Public Health and Emergency Preparedness Planning, serving as a Trainer/Lecturer, the Director of Environmental Health for a multi-county public health agency, and a Public Health Preparedness Consultant for the Minnesota Department of Health. She is currently the State of Minnesota Business Continuity Coordinator. Cathlene has been involved in the response efforts for natural disasters throughout Minnesota.


Douglas Holtz
Commander, Saint Paul Police
Room 2, Session: BCP-1

RNC Update

In an effort to bring local business leaders up to date with current RNC information, Doug Holtz will answer questions from the group about Republican National Convention concerns/issues and give the group an overview of planning preparation.

Doug is the Investigative Commander at the new Western District police office. He has been a police officer since 1981 and has an undergraduate degree from the University of Minnesota School of Journalism and a Master's Degree in Leadership from the University of St. Thomas. Doug teaches “Police and the Media” at two local universities and is the police department's Public Affairs Co-Chair for the Republican National Convention. He is a recent graduate of the FBI National Academy and has police-media experience at the Washington DC, Philadelphia and New York City Police Departments. Doug will be coordinating the Joint Information Center with the US Secret Service for the RNC and dealing with world-wide media.


Raymond Hornung
Business Continuity Planner, National Marrow Donor Program
Room 2, Session: BCP-5

Don't Forget the People

It is not just the data...critical staff recovery planning ensures that those who need to access the data have the means to do so. Pre-disaster recovery planning and investment costs for IT infrastructure are readily accepted by many organizations. Work station recovery often lacks similar investment. The NMDP continues to develop its business continuity program alongside a mature and funded DR program. We will share some common roadblocks (such as organizational politics, perceived overlap with IT, officer support, funding, and acceptance of importance) and how we worked through them to establish our Business Continuity Plan.

Raymond is a business continuity planner for the National Marrow Donor Program, a non-profit entity in Minneapolis. He possesses 25 years of experience in Homeland Security and Continuity of Operations planning. He served as the primary advisor to the commander overseeing the assessment, training and implementation of the physical security and rapid response for American military facilities in northern Germany before and after the terror attacks of 2001. Peer-reviewed journals have published his articles addressing the implementation of the Incident Command System in a non-profit Emergency Operations Center to streamline incident response.


Terri Howard
Vice President, Corporate Preparedness
Room 2, Session: BCP-7

Ready and Prepared: Your Commitment to Respect, Service, and Safety at Work

Most companies see the inherent value in any efforts to prevent, prepare for, respond to, and mitigate the effects of large-scale catastrophic events. This makes good business sense. The best companies emphasize excellence in their safety commitment through further involvement with best practice strategies in their workplaces. They address not only the possibility of high profile devastating events, but also the less visible factors that impact the workplace in an equally powerful manner. This session reminds attendees to take simple steps to prepare for crisis situations. Comprehensive continuity plans should incorporate simplicity and clarity into policies/procedures to facilitate employee investment in prevention, response, and mitigation related to workplace problems that result in an emergency.

As Vice President of Corporate Preparedness for the Crisis Prevention Institute's PrepareTraining Program, Terri focuses her efforts on improving crisis management and workplace violence prevention. During her tenure at CPI, Terri has assessed the needs of hundreds of organizations in regards to policy development, best practice, and training. Previously, Ms. Howard served as Manager of Safeness for the Target Corporation, leading a team responsible for crisis management and business continuity at Target Stores.


Brian Isle
Chief of Operations, Adventium Labs
Room 6, Session: SecIII-9

Full Circle Risk Mitigation

Vulnerability and risk assessments are key to continuity and disaster planning; however, they are almost universally time consuming, difficult to maintain, and costly to test and put into action. Automation of these processes promises more widespread and uniform application, improved results retention and maintainability, and reduced workload and costs. It is not possible to have a one size fits all process because most already have a loyal and often legislated following. Based on Department of Defense research, this presentation will describe three inefficiencies common to over eighty common and robust assessment processes and will show attendees how to overcome them in their organization.

Brian Isle is the Chief of Operations and a member of the technical staff at Adventium Labs. Adventium Labs is a Minneapolis-based research and development company with technical focuses in advanced automation and information assurance. His current technical focus is in assessment of critical infrastructure safety and security. Mr. Isle is currently supporting a Defense Department program developing approaches for automating aspects of vulnerability assessment for force protection at military bases and a Department of Homeland Security program to apply advanced cyber protection technology to control systems for critical infrastructure.


Jay Jacobs
Senior Systems Engineer, Suppressed
Room 7, Session: ITG-9

The Why, How and Huh of Security Policies

This presentation will cover the benefits of having an effective security policy, how to create one, and common misconceptions that may lead to an ineffective security policy. By identifying the key participants, establishing a clear and consistent writing style and understanding the necessary focus areas, companies will be on the path to a better security policy.

Jay Jacobs is CISSP certified with extensive experience in Information Technology and Security. His work has spanned from networking, system administration and application development to PKI, cryptography and key management. He is currently working as a Senior Systems Engineer within the Information Security and Compliance field.


Ross Janssen
Privacy and Security Officer, University of Minnesota
Room 3, Session: DP-5

Public Jobs – Private Data

This session will provide insight and practical advice on developing, implementing, and delivering a training and awareness program in a large, complex organization. The presentation will offer practical insights and suggestions for establishing a framework for developing a program that leverages collaboration and incorporates the organization's data privacy and security policies and procedures, best practices for data security, and practical, interactive scenarios to test learner knowledge.

Ross Janssen, J.D., CIPP, currently serves as Director for the University of Minnesota's Office of Privacy and Security. Mr. Janssen is responsible for the University's HIPAA privacy and security compliance program. He is a certified member of the International Association of Privacy Professionals (IAPP) and a graduate of the University of Minnesota and Hamline Law School.


Steve Jensen
Director of Information Security, Blue Cross Blue Shield of MN
Room 6, Session: SecIII-4

The Federation Implementation at Blue Cross Blue Shield of Minnesota

Customers demand federated single sign-on (federation). Business wants to implement federated single sign-on. Sooner or later, your organization will implement federated single sign-on whether you are ready or not. Come and hear Blue Cross tell the success story of how to deliver results and add business value through implementing federation. Also hear an overview of federation and how it works, what needs to be done to implement federation, take a deeper dive into federation, and learn the lessons Blue Cross learned so you can prepare for success.

As Director of Information Security Services at Blue Cross Blue Shield of Minnesota, Steve is responsible for developing, executing and managing security initiatives. Since joining Blue Cross in 2006, Steve has promoted corporate wide security awareness, created and initiated the five-year security strategic plan, and excelled in innovative security solutions to business challenges. Prior to Blue Cross, Steve spent 4 years at Ecolab as Director of Global Security, and Director of Development supporting Sales, Service, and Marketing.


Elimu Kajunju
Data Privacy Officer, Carlson Companies, Inc.
Room 3, Session: DP-2

Building A New Privacy Program

If your organization handles large quantities of customer, client or employee data, it needs to have an effective privacy program to ensure that it is taking the appropriate steps to manage the collection, use, disclosure, retention and destruction of this data. If you don’t have a privacy program, you need to consider building one. If you have one, you need to review its adequacy. This session will help you get started down either path.

Elimu Kajunju, CISSP, CIPP, is the Data Privacy Officer for Carlson, a global group of integrated companies providing business and leisure travel, hotel, restaurant, and marketing services directly to consumers, corporations and government entities. Some of Carlson’s brands include Radisson, TGI Friday's, and Carlson Wagonlit Travel. Elimu has 11 years of privacy and security experience in the following areas: regulatory compliance, PCI compliance, security engineering, international data privacy compliance, privacy and security assessments, HIPAA privacy and security, incident investigation and response, breach notification, privacy and security awareness, workplace privacy and SPAM management.


Bob Kalka
Security Business Unit Executive, IBM Software Group
Room 6, Session: SecIII-7

Globalization of Risk

Bob Kalka is a Security Business Unit Executive at IBM’s Tivoli software division, headquartered in Austin, Texas. Bob is responsible for Tivoli’s portfolio for identity and access management (IAM) and security information and event management (SIEM), as well as integration with IBM Internet Security Systems (ISS) products and services. Bob has been involved in the information security industry for 14 of his 18 years with IBM. He has held a number of leadership positions in product management, sales, business development, marketing management and product development.


Ray Kaplan
Principal Consultant, Ray Kaplan & Associates
Room 5, Session: SecII-3

Spreadsheets From Hell - Measurements to Metrics

We are all busy building spreadsheets from hell to figure out what to measure to show that we are compliant with the myriad of standards, regulations, and best practices that we face. Amid this exercise, we are busily trying to translate everything into policies, processes, procedures, job descriptions, etc. All the while, the final goal is to distill measurements into the metrics that are the fodder for our organization's management and decision-making. This session presents a discussion of what measurements to make and how to translate them all into security metrics that are useful.

Ray Kaplan is a Principal Consultant with Ray Kaplan and Associates, a Minneapolis, MN-based information assurance and information security consulting organization. He has nearly 30 years of experience in the computing industry, with over 20 years in information security. He maintains CISSP-ISSAP, ISSMP, CISA, CISM, NSA IAM, ISO27001 Auditor and Implementer, and IRCA credentials. He was the recipient of the Computer Security Institute (CSI) 1999 Lifetime Achievement Award in recognition of his contributions to CSI and the industry. His wealth of experience covers the managerial, personnel, and technical aspects of information security, including architecture, policy, standards, design, implementation, management and operations.


Gene Kim
CTO, Tripwire Inc.
Room 6, Session: SecIII-1

Security Visible Ops: Create World-Class IT Operations and Information Security in Four Practical Steps

Based on 10 years of research of high performing IT operations and security organizations, the Security Visible Ops methodology describes how to link IT security and operational objectives in four practical steps. This is done by integrating security controls into IT operational, software development and project management processes, as well as appropriately scoping IT for internal control objectives for financial reporting, security and compliance, and operational effectiveness and efficiency.

Gene Kim is CTO and founder of Tripwire. In 1992 he co-authored Tripwire while at Purdue University with Dr. Gene Spafford. Since then, Tripwire has been adopted by more than 6,000 enterprises worldwide. Since 1999, he has studied high performing IT operations and security organizations, which led Gene to co-found the IT Process Institute (ITPI) in 2004, an organization dedicated to research, benchmarking and developing prescriptive guidance for IT operations, security management, and auditors. This same year, Gene co-authored the "Visible Ops Handbook: Implementing ITIL in Four Practical And Auditable Steps" which has since sold over 75,000 copies. And, he was a principal investigator on the IT Controls Performance study.


Tim Kingsley
Director of Development, American Security, LLC
Room 6, Session: SecIII-10

Crisis Communication and Emerging Technology BOMA Panel

Mr. Kingsley's experience with safety/security and business issues comes from some of the largest security programs in the Midwest and on the East Coast. This experience also spans many forms and uses, from private commercial programs to Department of Defense, Emergency Management and Occupational Health and Safety services. Mr. Kingsley currently serves as Director of Development for American Security, LLC.


Fred Klapetzky
Senior Vice President, Business Continuity Risk Management Practice, Marsh USA, Inc. 701 Market St, Suite 1100, St. Louis, MO 63101
Room 2, Session: BCP-6

Evolving Threats

Fred is the Marsh Risk Consulting West Area Business Continuity Management Practice Leader. He has been working in information systems design, operations, and disaster recovery/business continuity since 1981. Fred was a pioneer in Computer Crime Investigations and helped develop many of the methods and techniques in use today by federal, state and local law enforcement. He brings to us a blend of experiences in operations and security.

Fred Klapetzky
Senior Vice President, Business Continuity Risk Management Practice, Marsh USA, Inc. 701 Market St, Suite 1100, St. Louis, MO 63101
Room 2, Session: BCP-8

Careers in BC/CR

Fred is the Marsh Risk Consulting West Area Business Continuity Management Practice Leader. He has been working in information systems design, operations, and disaster recovery/business continuity since 1981. Fred was a pioneer in Computer Crime Investigations and helped develop many of the methods and techniques in use today by federal, state and local law enforcement. He brings to us a blend of experiences in operations and security.


Steven Klein
President, CEO, American Security & Investigations, L.L.C.
Room 6, Session: SecIII-10

Crisis Communication and Emerging Technology BOMA Panel

Steven J. Klein is President and Chief Operating Officer for American Security & Investigations, headquartered in St. Paul, Minnesota. Steve joined American Security in 2005 as its Vice President of Business Development and was soon promoted to Executive Vice President and General Manager for its Armored Operations Division. In October 2006, American Security sold its Armored Operations Division but retained Steve to lead its remaining security and investigations services businesses as President and COO. Steve plans to double the size of American Security & Investigations over the next five years in order to serve customers nationally.


Arun Kothanath
Chief Security Strategist, Integral Business Solutions
Room 4, Session: SecI-10

Managing Identity Verification – Key to Online Fraud Prevention

Arun Kothanath CISSP, has spoken nationally at ISSA, OWASP, ISACA and Oracle events on the subjects of Identity Management and Application Security. Arun has worked with companies nationally and internationally in the ROI analysis, justification, product selection and implementation of IdM frameworks and solutions.


Ron Kuriscak
Lead Security Architect, State of MN, Dept. of Human Services
Room 3, Session: DP-9

Privacy, Do We Have a Chance?

For many of us, our privacy is a treasured asset. It isn't until we receive a data breach apology letter or lose some level of our privacy that we begin to think differently. So what is this notion of privacy? What are its protections and failures, what are the threats, who can we trust, and what can we expect in the future of this highly charged area? Can we really expect any sense of privacy and/or protection in the future?

Ron Kuriscak is a Certified Information Systems Security Professional (CISSP) for Minnesota's Department of Human Services. He has more than 13 years of experience designing and implementing multifaceted information security solutions such as secure network architectures, applications, assessments, compliance activities, and business solutions in the public and private sector. His previous positions have focused on programming and development, systems analysis, and consulting.


Natalie Lambert
Senior Analyst, Forrester, Cambridge, MA 02139
Room 6, Session: SecIII-6

Next Generation Client Security

Looking back over years past, the potential of a virus or worm outbreak had most security professionals living in fear. Even hackers and spyware, which had similar security implications, never had the same fear factor as the traditional virus. However, this year, organizations have other things on their mind - protecting their data. This means that traditional security tools, such as antivirus software, no longer meet the changing IT and business requirements. Businesses are demanding security tool sets that include not only traditional security, but functionality that will protect them against a data breach. This session will discuss the changing needs of IT organizations when it comes to client security, and what types of solutions are available.

Natalie contributes to Forrester's offerings for the IT Infrastructure & Operations professional and is a frequent contributor to the Security & Risk professional. She is a leading expert on client security and client management. Specifically, she focuses on technologies that help enterprises manage and secure their client environment. Natalie advises Forrester clients on technology investments and best practices around antimalware, patch management, software deployment, thin-client computing, and desktop and application virtualization.


Brent Lassi
Director of Security, Digital River, Inc.
Room 4, Session: SecI-4

Building a Culture of Security

Building a culture of security means more than creating a basic awareness program. It requires truly educating users on the value of information security, both at work and in their personal lives. Attendees will gain useful strategies for seeding security-focused thinking at every level of the organization, resulting in a viral spread of security knowledge, compliance, and true investment in the safety of the organization's information and operations.

Brent started his information technology career as a software developer for organizations including Land O' Lakes and Xcel Energy. He made the transition to information security when he founded Apex Technologies, a Minneapolis-based firm focusing on secure software architecture and development. Apex helped organizations such as Wells Fargo, SuperValu and UnitedHealth Group create in-house application security practices. Later, Brent moved fully into the infosec realm as Director of Information Security for UnitedHealth Group. Brent currently holds the role of Director of Security at Digital River, Inc.


David Lynas
Room 6, Session: SecIII-2

Applied Business Security Architecture


Daren Mehl
Information Security Consultant, Assurity River Group
Room 4, Session: SecI-3


Biff Myre
Director, Availability Solutions, SunGard
Room 2, Session: BCP-3

BCP "Survivor" -- The Reality Game Show Where Anything Can Happen!

Come participate in the reality game show where anything can happen - BCP Survivor! Most companies have formal business continuity plans in place, but a significant number of these will fail in some respect due to unforeseen operational issues. Unfortunately, many of these failure points are only discovered when an event triggers the plan. This session will outline the operational readiness issues that are often overlooked during the planning process and discuss ways in which you might find and mitigate the risk of these "gotchas" prior to the reality of a disaster! A game of BCP Survivor will be played throughout the presentation -- the reality game show where anything can happen! Audience participation required.

Biff L. Myre has been educating the Disaster Recovery, High Availability and Business Continuity marketplace for over a decade. He has numerous articles and speaking engagements to his credit on the topics of Disaster Recovery, IT Consolidation, Risk Assessment and Business Continuity. His perspectives and recommendations on availability have been published in at least twelve countries spanning seven different languages. Mr. Myre is focused on designing Information Availability and Business Continuity programs for clients who are looking to ensure the continuity of their operations. He has an MBA and in 2003 passed the Disaster Recovery International's Business Continuity Professionals (BCP) examination at the Master's level.


Jeff Olejnik
President, Assurity River Group
Room 4, Session: SecI-3

Target and Attack Methods of Cyber Criminals

This workshop will include a list of the Top 10 IT risks for 2008 and an interactive scenario-based presentation that will demonstrate how cyber criminals identify weaknesses in security policies, technology and practices in order to intrude into your organization. We will demonstrate a typical scenario for how a cyber-intruder compromises your preventive, detective and corrective controls. The discussion will demonstrate how these vulnerabilities are exploited and how the risks can be reduced. Examples of demonstrations include social engineering attacks, web site weaknesses, and internal system attacks.

Daren Mehl has over 10 years of experience in the IT and Financial Services industry, most recently as the Vice President of Information Technology at a major correspondent bank. Daren designed a major Internet online banking system that utilized biometric authentication and speaks internationally about the deployment of the award-winning system. He has designed secure networks with components such as complex firewalls, IDS and IDP systems, information security best practices and physical access controls. Because of his exposure to many community banks throughout his career, Mehl is recognized as a leader in technology and security among community banks in the Midwest and has a deep understanding of government regulations and industry best practices.


Seth Peter
Room 4, Session: SecI-5

Payment Card Industry Data Security Standards Update

In this presentation, we will discuss recent PCI DSS program changes and how they will impact organizations. Topics include: updated self assessment questionnaire, payment application best practices (PABP), application security code reviews vs. application proxy firewalls, vendor compliance, penetration testing, VISA CISP mandates and much more. The discussion will focus on implications of this program and how organizations can address the requirements.

Seth is a computer security expert with extensive experience in all aspects of information security. He was a founder of the computer forensics team at Kroll Ontrack, where he provided expert witness testimony and depositions regarding high-profile computer security cases. As the founder and CTO of NetSPI, he is a national leader in risk management and security program assessment. Seth has provided consulting to over 100 different organizations within financial services, government, health care, education, nuclear energy, and retail. Seth is a Payment Card Industry Qualified Security Assessor and Visa Qualified Payment Application Security Professional.


Gunnar Peterson
Managing Principal, Arctec Group
Room 7, Session: ITG-8

Building a Security Architecture Blueprint - A Strategic Approach to Enterprise Security

Information is a strategic asset, yet the practice of information security in firms is a patchwork of one-off tactical solutions that lack a cohesive, rational framework. The purpose of the security architecture blueprint is to bring focus to the key areas of concern for the enterprise, highlighting decision criteria and context for each domain. Since security is a system property, it can be difficult for Enterprise Security groups to separate the disparate concerns that exist at different system layers and to understand their role in the system as a whole. This blueprint provides a framework for understanding disparate design and process considerations, and for organizing architecture and actions toward improving enterprise security.

Gunnar Peterson is a Managing Principal at Arctec Group. He focuses on distributed systems security for large mission critical financial, financial exchanges, healthcare, manufacturer, and insurance systems, as well as emerging start-ups. Mr. Peterson is an internationally recognized software security expert and frequently published. He is an Associate Editor for IEEE Security & Privacy Journal on Building Security, an Associate Editor for Information Security Bulletin, a contributor to the SEI, CERT and DHS Build Security In portal on software security, leader of the OWASP XML Security Gateway Evaluation Criteria project and an in-demand speaker at security conferences. He maintains a blog at http://1raindrop.typepad.com


Mary Poquette
Chief Compliance Officer, Verifications, Inc.
Room 3, Session: DP-8

What's Hot and What's Not - Employment Screening, Privacy and Security

A fundamental component of a comprehensive security program is employment screening, controlling who is permitted access to the enterprise and its data. Given the myriad of demands placed on security professionals, screening programs are often relegated to the “no news is good news” category. At a minimum, this results in a program with marginal ROI; at a maximum, it places the enterprise and the security professional at risk. This session looks at the newest developments in screening and privacy within a security context. It provides the impetus and a framework for security professionals to evaluate the effectiveness and defensibility of their existing screening program and presents options for improvement.

Mary is a Certified Information Privacy Professional and Chief Compliance Officer for Verifications, Inc., a provider of global employment screening services. A 13-year industry veteran, she is a recognized expert in employment screening and compliance. Mary is on the Board of Directors of the National Association of Professional Background Screeners. A frequent speaker on screening, privacy, and security, Mary addressed those topics in CNBC's Big Brother, Big Business in 2006.


Rob Ramer
Senior Consultant, Aeritae
Room 4, Session: SecI-9

Mitigating the Risks of Global Sourcing

This presentation will examine ways that global sourcing, or offshoring, increases risks and exposures to a procuring company. It will show how offshoring exacerbates risks by opening more opportunities for incursion, accident, or exposure. This session will also present ways to manage these increased risks. The aim of this presentation is not to criticize offshoring, but to raise awareness of the associated exposures and the means to mitigate these risks.

Rob Ramer is a senior consultant in Risk Management for Aeritae Consulting Group in St. Paul, MN. He has more than 25 years of IT experience and works with clients in financial services, retail and healthcare to assess and manage information security risks. Prior to joining Aeritae, Mr. Ramer built an international consulting company that provided risk management for companies engaged in global sourcing. He served on the R&E subcommittee of the ACM JMTF study.


Emily Reller
Moderator, St. Paul BOMA
Room 6, Session: SecIII-10

Crisis Communication and Emerging Technology BOMA Panel


Marc Retish
Director, New Business at NorthWrite
Room 6, Session: SecIII-10

Crisis Communication and Emerging Technology BOMA Panel

Marc Retish is the Director of New Business at NorthWrite, a Minneapolis headquartered software provider, specializing in web-based applications for the building services industry. Marc was the first employee at NorthWrite in 2000, and played a pivotal role in steering the company into new markets.


Randall Romes
Principal, LarsonAllen, LLP
Room 5, Session: SecII-8

Information Security Trends - Attacking the End Users

Threats to information security are constantly evolving. As defensive measures improve, attackers change tactics to evade them. In most cases a well-configured firewall is very difficult to compromise, so what is a hacker to do? Attack the end users! This session will focus on trends in social engineering attacks, including the latest in pretext phone calls, email spear phishing, and methods for bypassing physical security. It will use real-life examples, combined with our first-hand experience in penetration testing and incident response, to provide attendees with up-to-the-minute attack trend information as well as practical advice to improve information security posture.

Randy is a Principal in the Information Security Services Group. Randy leads a team of technology and industry specialists providing risk assessments, compliance and IT audits, social engineering and penetration testing, incident response and computer forensics for clients. Randy is a frequent speaker at national conferences and training sessions on a wide range of security topics. He’s been a consultant at LarsonAllen for ten years. Randy has a Masters Degree in Educational Technology from the University of Saint Thomas, and a Bachelor of Science Degree in Education from the University of Wisconsin Madison.


Greg Sales Ph.D.
President and CEO
Room 3, Session: DP-5

Greg Sales has been designing and developing technology-based training for nearly 30 years. He has applied his e-learning expertise for a variety of clients including Fortune 500 companies, government agencies, and universities. In addition to recommending customized training solutions, Greg provides consultation on the development of comprehensive e-learning strategies to organizations seeking to improve training productivity while reducing costs. Prior to joining Seward Inc. full-time in 1996, Greg was on the faculty of the University of Minnesota in the instructional design and technology program.


Stefan Salmonson
PPS President, PROtective Services, Inc.
Room 5, Session: SecII-4

Security Starts With Survival—Providing Executive/Personal Protection: Part 1

This fast-paced, audience interactive presentation will provide participants with the tools necessary to offer high quality executive/personal protection for their clients. Topics include advance work, protective team configurations and transportation considerations. Corporate security directors, government agency managers and state-wide association members have given this presentation rave reviews!

Stefan Salmonson is a licensed peace officer, licensed private detective, licensed protective agent, an experienced protective agent with extensive experience protecting foreign royalty, has corporate and government agency experience, is a national/international security consultant, Airline Transport Pilot (ATP), and a professional speaker. He is a member of Nine Lives Associates (NLA), ASIS, MAPI, SOTA, and INTELNET.


Stefan Salmonson
PPS President, PROtective Services, Inc.
Room 5, Session: SecII-5

Security Starts With Survival—Providing Executive/Personal Protection: Part 2

This is the second part of a two-part presentation. Part 1, SecII-4, is offered at 2:40 PM. This fast-paced, audience interactive presentation will provide participants with the tools necessary to offer high quality executive/personal protection for their clients. Topics include advance work, protective team configurations and transportation considerations. Corporate security directors, government agency managers and state-wide association members have given this presentation rave reviews!

Stefan Salmonson is a licensed peace officer, licensed private detective, licensed protective agent, an experienced protective agent with extensive experience protecting foreign royalty, has corporate and government agency experience, is a national/international security consultant, Airline Transport Pilot (ATP), and a professional speaker. He is a member of Nine Lives Associates (NLA), ASIS, MAPI, SOTA, and INTELNET.


Matt Schmidt
MS, CISSP, CISA, Adjunct Professor, Carlson School of Management, University of MN
Room 7, Session: ITG-4

Matt Schmidt teaches Information Security classes in the Department of Information and Decision Sciences at the Carlson School of Management, University of Minnesota. He is also a Senior Information Security Consultant with a large financial services organization in Minneapolis and previously served with Target Corporation in both security consulting and audit roles and with Wells Fargo Bank in a technical security role. Matt is a Certified Information Systems Security Professional (CISSP) and a Certified Information Systems Auditor (CISA).


Matt Schmidt
MS, CISSP, CISA, Adjunct Professor, Carlson School of Management, University of MN
Room 7, Session: ITG-5

Matt Schmidt teaches Information Security classes in the Department of Information and Decision Sciences at the Carlson School of Management, University of Minnesota. He is also a Senior Information Security Consultant with a large financial services organization in Minneapolis and previously served with Target Corporation in both security consulting and audit roles and with Wells Fargo Bank in a technical security role. Matt is a Certified Information Systems Security Professional (CISSP) and a Certified Information Systems Auditor (CISA).


Brian Selby
Director of COBIT Initiatives, ISACA/ITGI
Room 7, Session: ITG-1

ISACA

Brian Selby is Director of COBIT Initiatives for ISACA/ITGI.

Brian Selby
Director of COBIT Initiatives, ISACA/ITGI
Room 7, Session: ITG-2

ISACA

Today’s attacks are much more sophisticated thanks to continually evolving web threats. His presentation addresses the current threats, how the landscape has changed, and what technologies the security industry has available to fight back against the “bad guys”, who are no longer in it for fun.


Deborah Strebel Pierce
Retired FBI Deputy Assistant Director
Room 2, Session: BCP-1

Deborah Strebel Pierce served 27 years in the FBI before retiring in 2006 as Deputy Assistant Director of the Criminal Division. She previously served as the Special Agent in Charge of the Minneapolis FBI from 2001 - 2004. She was employed by the state of Minnesota in 2007 to coordinate the state agencies in preparation for the RNC. She is currently Director of Pierce Consulting and is teaching in the Minneapolis area.


Bob Sullivan
Application Security Manager
Room 6, Session: SecIII-3

Overview of OWASP Top 10

Bob Sullivan, with Joe Teff and Kuai Hinjosa co-presenting.


Patrick Sullivan Ph.D
Principal Consultant, JBW Group Inc.
Room 3, Session: DP-6

ISO 27001 for Chief Privacy Officers: Building Integrated Information Privacy and Security Management

Managing privacy compliance has become increasingly dependent upon systematically implemented information security management and effective coordination of policies and processes by privacy professionals with their counterparts in information security. At the same time, the ISO/IEC 27001 standard for information security management systems has become a recognized framework for implementing organizational structure, policies, processes and procedures for meeting the emerging legal and regulatory standard of “reasonable security,” as well as international information security compliance. This session will provide a comprehensive introduction to ISO/IEC 27001 for privacy professionals, with an emphasis on utilizing the standard to effectively coordinate privacy and security compliance.

Patrick F. Sullivan is an internationally recognized expert in the design and implementation of privacy and data protection compliance and risk management services. He is a BSI-qualified BS7799 implementer and has consulted with Fortune 500 companies in the financial services, telecommunications and pharmaceutical industries, as well as government agencies in the U.S. and Hong Kong. He has over 15 years of university teaching experience in Philosophy and is a published author and frequent speaker on privacy management.


Joe Teff
Room 6, Session: SecIII-3


Christopher Terzich
Vice President, Incident Management, Wells Fargo & Co
Room 2, Session: BCP-4

Crisis Management - From Board Room to Emergency Operations Center

Whether it is called Crisis, Emergency or Incident Management, companies can no longer afford to just wing it when a crisis strikes. During this session, managers and leaders in the public and private sectors will learn ways in which they can work more effectively together in response to critical incidents.

Private companies will learn how they can adopt the Incident Command System (ICS) in a way that meets the goals the original creators of the ICS identified:
1) meet any size of event,
2) be usable on a day-to-day basis,
3) be standard, to allow different personnel to meld into a common structure, and
4) be cost effective.

You’ll also learn barriers to effective partnership and how Minnesota is succeeding as it prepares for the next crisis.

Chris is responsible for Wells Fargo's emergency preparedness program including development of the company's Enterprise Incident Management Team, first used in response to September 11th. He works extensively on homeland security partnerships, serving as the current President for Infragard in Minnesota and co-founder of the Minnesota Information Sharing and Analysis Center (http://mnisac.org). As a working group member of the National Infrastructure Advisory Council (NIAC), Chris provided guidance regarding the critical infrastructure and the National Incident Management System (NIMS). This guidance became a part of a report on Cross Sector Interdependencies & Risk Assessment which was given to the President of the United States.


Darlene Tester
Consulting Professional, Jefferson Wells
Room 2, Session: BCP-9

Closing the Barn Door Before the Horse is Gone: Disaster Recovery Planning

This presentation will lay out the basics of disaster recovery planning in an environment where money for planning is scarce. It will provide for planning on a shoestring budget and give tips and ideas for selling the concept to management as you go to gather budget information after the fact. The presentation will provide a take-away of a project plan that addresses the most critical pieces of planning first, and then planning for the rest moving forward.

Darlene Tester is a national speaker on legal liability and security, disaster recovery, regulatory compliance and IT Governance.


Christophe Veltsos
Assistant Professor, Minnesota State University, Mankato
Room 6, Session: SecIII-5

The Art of War Version 2.0 - Sun Tzu versus The Hackers

Sun Tzu's book, The Art of War, has long been a favorite read of information security professionals. This updated version brings the ancient warrior's wisdom into the information age. Today's wars no longer require the resources and manpower of an entire nation; instead, with the right tools or exploits and the reach of the Internet, a handful of attackers can blackmail corporations and wage wars on their enemies without firing a single shot. Find out just how relevant and timely Sun Tzu's words really are and leave with new imagery to help you communicate with executive management. If Sun Tzu were here today, he would have said, “If you know the enemy and know yourself, you can be secure and weather the cyber storms.”

Christophe Veltsos, PhD, CISSP, is an Assistant Professor in the Department of Information Systems & Technology at Minnesota State University, Mankato. He regularly teaches Information Security and Information Warfare classes and oversees the department's internship program. Dr. Veltsos is a Certified Information Systems Security Professional (CISSP) and a member of the Minnesota chapter of the FBI Infragard. His interests include computer forensics, incident response, and information systems auditing.


John Weaver
President and CEO, Principal Consultant, JBW Group International Inc.
Room 7, Session: ITG-6

A Standards-Based Approach to IT Service Management

Managing the delivery of IT services to internal and external customers as a complete process is gaining acceptance internationally. Organizations are using the ISO 20000 framework as a formalized process approach, including planning, implementing and delivering IT services, monitoring and measuring the delivery of IT services against documented targets, and taking corrective and preventative actions to continually improve the delivery of IT services. This presentation is a high-level overview of ISO 20000-1:2005 – interpretation, documentation and implementation requirements for a conformant IT service management system (ITSMS).

John B. Weaver is an IRCA certified ISO 27001 auditor and BSI-qualified in Information Security Management System implementation with over twenty years' experience in Internet and Information Security. He directed information security for a global IP network, providing architecture, policy, regulatory compliance, operational processes and security metrics for public and internal networks. He has provided security consulting services to Fortune 50 companies in the Energy, Telecommunications, Financial, Healthcare, IT Services and Government verticals in the US, Canada, Japan, Mexico and Central America.


John Weaver
President and CEO, Principal Consultant, JBW Group International Inc.
Room 7, Session: ITG-7

A Standards-Based Approach to IT Service Management

A formal, documented risk management process is a primary component for implementing an information security management system that conforms to ISO 27001:2005. The British Standards Institution has issued BS 7799-3:2006 as a guideline for information security risk management. This presentation is an overview of the risk management approach contained in BS 7799-3: information security risks in the organizational context, risk assessment, risk treatment, management decision making and on-going risk management activities. Informative annexes to BS 7799-3 will also be reviewed.

John B. Weaver is an IRCA certified ISO 27001 auditor and BSI-qualified in Information Security Management System implementation with over twenty years' experience in Internet and Information Security. He directed information security for a global IP network, providing architecture, policy, regulatory compliance, operational processes and security metrics for public and internal networks. He has provided security consulting services to Fortune 50 companies in the Energy, Telecommunications, Financial, Healthcare, IT Services and Government verticals in the US, Canada, Japan, Mexico and Central America.


Grace Wiechman
Fellow R&D Systems Engineer, Boston Scientific
Room 3, Session: DP-4

International Privacy For Engineers - Tradeoffs for Development

Understanding privacy requirements in a global market can help you design products and systems that meet the customer need and reduce development time. This presentation will look at the privacy laws in the EU, Canada, Japan, Australia and other countries and explore some common security requirements that meet the needs of those geographies.

Grace Wiechman is currently a systems engineer working on remote patient monitoring, designing and implementing privacy and security features for an international market. Grace was formerly Privacy Director at Park Nicollet and Security Director at McKesson. She holds the CISSP/ISSAP and is IAPP certified.


Jeremy Wunsch
CEO, LuciData, Inc.
Room 6, Session: SecIII-8

Forensics 101

This is an introductory presentation on Computer Forensics. Computer Forensics can be used in a wide array of situations that don’t necessarily require a computer to be the focal point of a crime. This presentation will give a basic overview of how files are deleted and recovered and what types of data can be recovered from various electronic devices.

In doing so, it will cover:
• The basics of computer forensics and what it entails.
• Basic preservation of electronic evidence and spoliation issues.
• What can be recovered from a computer, laptop, PDA, cell phone, etc.
• How the new Rules of Civil Procedure impact the forensics process.
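The point the session makes about deletion versus recovery is easiest to see on a tiny model. The following is an added example, not material from the page or from LuciData: it constructs a toy FAT-like disk image (an invented layout, chosen only to be readable, not a real filesystem) in which deleting a file rewrites one byte of its directory entry and leaves the data blocks alone. Two recovery approaches are then shown, reading the still-intact directory entry and signature carving that ignores metadata altogether, alongside an overwrite-before-delete routine that shows why sanitised data is not recoverable. The PNG signature bytes are the real ones; everything else, including the sample file contents, is constructed for this example.

```python
"""Toy model of logical deletion and recovery (example, not a real filesystem)."""
import struct

BLOCK_SIZE = 64          # constructed: tiny blocks keep the image small
DIR_ENTRIES = 8          # directory table holds up to 8 fixed-size entries
ENTRY_SIZE = 16          # 8-byte name + uint32 start block + uint32 length
DELETED_MARK = 0xE5      # same convention FAT uses to flag a deleted entry
DATA_START = DIR_ENTRIES * ENTRY_SIZE
PNG_MAGIC = b"\x89PNG\r\n\x1a\n"   # real PNG header signature
PNG_END = b"IEND\xaeB`\x82"        # real IEND chunk type + its fixed CRC

# Constructed sample contents; the "PNG" is only header + padding + trailer.
SAMPLE_PNG = PNG_MAGIC + b"\x00" * 20 + PNG_END
SAMPLE_MEMO = b"meeting notes: payroll export scheduled Friday"


class ToyImage:
    def __init__(self, n_blocks: int = 16) -> None:
        self.buf = bytearray(DATA_START + n_blocks * BLOCK_SIZE)
        self.next_block = 0   # naive contiguous allocator, never reuses blocks

    def entry(self, i: int):
        """Return (name, start_block, length) for directory slot i."""
        return struct.unpack_from("<8sII", self.buf, i * ENTRY_SIZE)

    def write_file(self, name: str, data: bytes) -> int:
        """Copy data into fresh blocks and fill the first empty directory slot."""
        nblocks = -(-len(data) // BLOCK_SIZE)          # ceiling division
        start, self.next_block = self.next_block, self.next_block + nblocks
        off = DATA_START + start * BLOCK_SIZE
        self.buf[off:off + len(data)] = data
        for i in range(DIR_ENTRIES):
            if self.entry(i)[0][0] == 0:               # never-used slot
                struct.pack_into("<8sII", self.buf, i * ENTRY_SIZE,
                                 name.encode().ljust(8, b"\0"), start, len(data))
                return i
        raise RuntimeError("directory full")

    def _find(self, name: str) -> int:
        target = name.encode().ljust(8, b"\0")
        for i in range(DIR_ENTRIES):
            if self.entry(i)[0] == target:
                return i
        raise FileNotFoundError(name)

    def delete_file(self, name: str) -> None:
        """Logical delete: only the first byte of the name is overwritten.
        Start block, length and the data itself all survive."""
        self.buf[self._find(name) * ENTRY_SIZE] = DELETED_MARK

    def wipe_file(self, name: str) -> None:
        """Overwrite the data blocks, then delete: what a sanitising tool does."""
        _, start, length = self.entry(self._find(name))
        off = DATA_START + start * BLOCK_SIZE
        self.buf[off:off + length] = b"\0" * length
        self.delete_file(name)


def recover_deleted(img: ToyImage) -> dict:
    """Read every deleted directory entry and the bytes it still points to.
    The first character of the name is lost, so it is shown as '?'."""
    found = {}
    for i in range(DIR_ENTRIES):
        name, start, length = img.entry(i)
        if name[0] == DELETED_MARK:
            off = DATA_START + start * BLOCK_SIZE
            partial = "?" + name[1:].rstrip(b"\0").decode()
            found[partial] = bytes(img.buf[off:off + length])
    return found


def carve_png(raw: bytes) -> list:
    """Signature carving: scan the raw image for PNG header/trailer pairs,
    ignoring the directory table entirely."""
    out, pos = [], 0
    while (s := raw.find(PNG_MAGIC, pos)) >= 0:
        e = raw.find(PNG_END, s)
        if e < 0:
            break
        out.append(raw[s:e + len(PNG_END)])
        pos = e + len(PNG_END)
    return out


def demo():
    """Delete one file, wipe another, then try both recovery methods."""
    img = ToyImage()
    img.write_file("photo", SAMPLE_PNG)
    img.write_file("memo", SAMPLE_MEMO)
    img.delete_file("photo")   # recoverable: data blocks untouched
    img.wipe_file("memo")      # not recoverable: data overwritten with zeros
    return recover_deleted(img), carve_png(bytes(img.buf))


if __name__ == "__main__":
    by_entry, carved = demo()
    for name, data in by_entry.items():
        print(name, "->", data[:16], "..." if len(data) > 16 else "")
    print("carved PNG objects:", len(carved))
```

Running `demo()` returns the deleted photo intact by both methods, while the wiped memo's directory entry still exists but now points only at zeros, which is the distinction between a file that is merely unlinked and one whose contents have actually been destroyed.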

Jeremy D. Wunsch founded LuciData Inc. in 2002 and is currently its CEO and Director of Data Forensics. With more than a decade of internal threat management and e-discovery experience, he is a leading authority in the development of internal threat management and data forensic solutions for companies and their legal counsel. Jeremy has been an expert witness for cases involving IP theft, harassment, improper use and other internal threat