Risk & Compliance and
Security Management & Operations Tracks


RC1 – Understanding New York State’s 2017 Cybersecurity Regulation

John Roman, Jenny Holmes

On February 16, 2017, the New York Department of Financial Services (DFS) released a final version of its proposed regulation that would require banks, insurance companies and other financial services institutions regulated by the DFS to adopt broad cyber security protections.

Nixon Peabody attorney Jenny Holmes and Nixon Peabody’s Director of IT Operations and ISO 27001 Manager John Roman will discuss the technical, administrative, and legal obligations financial organizations must comply with related to this new New York State regulation. Ms. Holmes and Mr. Roman will cover who is affected, the legal and technical requirements, and the compliance deadlines financial services companies must meet in order to be compliant.


John Roman is the director of Nixon Peabody’s Information Technology Operations and Electronic Discovery teams. He is responsible for managing a multi-million dollar firm-wide IT operation, the firm’s ISO 27001 program and a team of highly experienced electronic discovery and information technology specialists. Mr. Roman’s expertise is in planning, designing and the operational management of complex network, security, messaging, VoIP, and computing environments. In addition to his IT operational management responsibilities, Mr. Roman provides counsel to Nixon Peabody clients in terms of information security policy, procedure, and best practices development, project managing and cost containment of complex electronic discovery matters. He has over 30 years of information technology experience and has held various executive management and consulting positions throughout his career. He has been published in industry publications such as “Law Technology News”, “Litigation Support Today”, and “The ABA Criminal Justice” newsletter and contributes to Nixon Peabody’s Privacy Partner blog. He is currently an adjunct professor at Monroe Community College and Rochester Institute of Technology where he teaches legal technology, law firm practice management and information security. Mr. Roman volunteers his time serving on the board of directors of Literacy Volunteers of Rochester and the NYS Chief Justice’s Technology Task Force Working Group.

Jenny Lewis Holmes is an associate in Nixon Peabody’s Labor and Employment group, representing and counseling employers in a broad range of employment matters. She focuses her practice on discrimination suits in New York state and federal courts and before the New York State Division of Human Rights. Jenny is an active member of the firm’s Privacy and Data Protection team. She prepares privacy response plans for companies seeking to protect themselves against the threat of possible data breaches and creates privacy policies for companies to ensure the safe storage and usage of the personal information of employees and customers. She also advises clients in the aftermath of a privacy breach by explaining the regulatory framework of the data privacy laws while helping to craft a practical and cost-efficient response plan. Jenny counsels clients on best practices in an ever-changing cyber landscape.

RC2 – Risk Assessment and Business Impact Analysis using PMI (Project Management Institute)

Michael C. Redmond

Planning without knowing the Risks and Impacts is a waste of time. Yet, many companies do not know how to properly conduct Risks and Impact Assessments. Even well-prepared companies, such as banks, have suffered major outages due to disasters that include fires, floods, terrorism, security breaches and more.

Learn to properly use Project Management Principles to prepare for an impact to the business of any organization. We will cover how to identify, analyze and document the events and environmental surroundings that can adversely affect the organization.


Michael C. Redmond is Lead Strategic Consultant for EFPR Group’s Information Technology Consulting division. She is also recognized as an international IT consultant, auditor, speaker, author, and trainer.

Michael has 18 certifications including being Certified as Lead Implementer: ISO/IEC 27001 Information Security Management, ISO/IEC 27032 Lead Cyber Security Manager, ISO/IEC 27035 Security Incident Response and Certified as Lead Auditor: ISO/IEC 27001 Information Security Management and ISO/IEC 22301 Business Continuity Management Systems.

Her consulting and auditing experience includes Cyber/Information Security, HIPAA, Organizational Resilience, Business Continuity, Disaster Recovery, High Availability and ISO for clients in the Healthcare, Insurance, Financial and Manufacturing sectors. She has held executive management positions at Deloitte, KPMG, Chubb Services and Redmond Worldwide.

Michael spent four years on active duty with the U.S. Army and an additional 17 years in the National Guard and Reserves. Her assignments include Company Executive Officer, Public Relations Officer and Company Commander. She retired at the rank of Lieutenant Colonel.

Michael has three books being published in 2017; one on Mastering Your Introduction to Cyber Security, the second on Mastering Business Continuity & Disaster Recovery and the third on Mastering Work Life Balance.

RC3 – Do You Have a Pathway to Data Security and Compliance?

Ron Arden

Regulators across all industries are mandating data-centric security and compliance as network and perimeter security solutions fail to stop mounting data breaches. Join Fasoo to learn about the New York State Department of Financial Services (DFS) recent, first-in-nation cybersecurity regulations. This session will show how to overcome the shortfalls of simple encryption and how to use common Data Loss Protection approaches to close critical gaps in regulatory compliance involving unstructured data, data in use, access control, audit trails and data life-cycle retention.


Ron Arden is Executive Vice President & COO of Fasoo, Inc. He has over 30 years of strategic planning, marketing, sales, business development, consulting and technical experience in the information technology and security industries. Prior to working for Fasoo, he was Vice President of Strategy and Marketing at eDocument Sciences, LLC where he drove document security, cloud and collaboration strategies and solutions. Ron has held executive, management and technical positions at numerous organizations, including IKON Office Solutions, Digital Equipment Corporation and Wang Laboratories.

He holds a B.S. in Electrical Engineering from the University of New Hampshire, has spoken at numerous industry events and is a regular contributor to the Fasoo blog (www.fasooblog.com).

RC4 – Farming The Land: How Adversaries Shape Your Environment To Suit Their Goals

Matt DeMatteo

Understanding the strategies adversaries use when persisting in an environment is essential to developing prevention, detection, and remediation strategies customized to your business and network. In this presentation, we will examine some techniques that sophisticated adversaries use to circumvent network segregation and security controls. We will also look at techniques you can use to evaluate your own security posture and help reduce risk.


During his 10 years at SecureWorks, Matt has worked as a security analyst, internal and partner trainer, sales engineer, and account manager. In his current role, Matt consults with clients across all verticals and tries to inspire them to be introspective about their programs and collaborate with all parts of their business. Matt started his information security career over 13 years ago as a forensic investigator and director of the Digital Forensics Center at the University of Rhode Island. Matt is an avid watcher of business and world affairs, has experience in a diverse range of verticals, and has a passion for teaching. Matt holds a BS in Computer Science from the University of Rhode Island.

RC5 – Too Many Cops on the Cyber Beat: the Hyper-Complexity of Cybersecurity Regulation

F. Paul Greene

As cyber attacks proliferate, so does the regulatory response. In the United States alone, over 50 separate agencies govern how we collect, store, transmit, and protect our data. These rules are hyper-complex, with overlapping and conflicting definitions, requirements, and penalties. They are also dynamic: constantly in flux as legislatures and regulators react to the latest headlines. This presentation will provide a working overview of the current state of U.S. cybersecurity regulation, which has changed significantly in 2017. Participants will leave with increased understanding of areas of regulation that may not have been front of mind, especially of concern for entities in highly regulated industries, such as healthcare or financial services.


Paul Greene is Chair of the Privacy and Data Security Practice Group at Harter Secrest & Emery LLP. Paul represents entities of all sizes and in various industries in relation to cybersecurity issues. From pre-breach counseling to breach coach services, Paul has been involved in all aspects of the breach preparation, response, and remediation process. As an experienced commercial litigator, he is keenly focused on the specific litigation and regulatory risks arising from cyber-security issues. Paul received a J.D. magna cum laude from Fordham University; a Ph.D. from NYU in German Literature; a B.A. in German from University of Rochester; and a Certificate in Management Studies from University of Rochester Simon School of Business.

SO1 – Practical Incident Response: An Interactive Tabletop Exercise

John D. Flory III, Jeff Miller

This session will be an interactive Incident Response exercise that discusses preparation for, containment of, and response to a security breach or attack on an organization. You will learn: best practices you should use when selecting a third-party managed services IT provider, the risks of bringing in only one provider proposal, how and when to assess or put in place proper controls to monitor a third-party vendor, and how to respond to security incidents and manage damage control of security incidents.


John D. Flory III, recognized cyber security expert, will be sharing his insight and experience in the realm of physical, social and cyber security concepts. During John’s 22-year tenure in the security field he has spoken at numerous conferences, including keynotes at the Symantec Global conference, New York State School Boards Association, New York Bankers conference, Entrepreneur Organizations, New York State Department of Homeland Security forum and several other diverse venues. John’s hands-on security experience dealing with real-time cyber security attacks and remediation offers a valuable resource to an organization’s cyber preparation. John’s leading-edge approach has allowed him to help create human firewalls as one of the key pillars of defense.

Jeff Miller is a unique blend of engineer, teacher, and evangelist of all things cybersecurity. His roots in cybersecurity stem from his engineering degree and tenure at the nation’s second largest law firm, where he regularly defended against ransomware, the hacktivist group Anonymous, distributed denial of service attacks, and various other threats. Jeff spends much of his time educating organizations on how to adhere to both security regulations and best practices around cybersecurity. Jeff lives, breathes, and bleeds cybersecurity. It’s not just what he does; it’s who he is.

SO2 – Social Media Security Policies, the Art of Herding Cats

Chaim Sanders

With billions of users logging into social media networks, it’s no surprise that most organizations and their employees have to consider how to securely leverage their online personas. We’ll go in depth on the best practices and many of the challenges that Information Security teams face on a daily basis and discuss how to build an effective Social Media Security Policy.


Chaim Sanders is the Security Lead at ZeroFOX, an organization devoted to social media security. He is also the project lead for the OWASP Core Rule Set (CRS) and a co-lead for OWASP Baltimore. Currently Chaim’s specialization centers around web application security. Chaim frequently shares his research at many conferences nationwide as well as through various blogs. Prior to his current employer, Chaim worked for several governmental contractors, security research organizations, universities, and commercial contractors providing security-driven consulting and development expertise. Chaim holds a Bachelor and a Master of Science in Information Security from the Rochester Institute of Technology (RIT), where he still lectures.

SO3 – Closing the Cybersecurity Talent Gap: An RIT Approach

Dr. Bo Yuan

It is well known that there is a tremendous need for cybersecurity talent within the industry itself and within government agencies. According to a recent (ISC)2 report, there will be 1.8 million unfilled cybersecurity positions by 2022. There are many factors that have contributed to this shortfall. In this talk, we will examine some of these and discuss our approaches to address them. We will discuss our partnerships with industry that work to provide real-world scenarios for students to practice and learn, and our MicroMasters in Cybersecurity, offered on edX to reach worldwide learners. The preliminary results regarding increasing workforce diversity and career-changing students are encouraging.


Bo Yuan, Ph.D., is a professor and chair of the Computing Security Department at Rochester Institute of Technology. His main interests are in cybersecurity education and research. His research areas are in computational intelligence and its application in security. Dr. Yuan is the PI of multiple cybersecurity grants, including the five-year, $4 million CyberCorps® Scholarship for Service grant funded by the National Science Foundation (NSF). He is also the associate director of the Center for Cybersecurity at RIT and has led RIT’s recent successful designation as CAE-CD and CAE-R by NSA. Dr. Yuan is the current chair of IEEE Rochester joint chapters of computer and computational intelligence societies. Before joining RIT in 2003, Dr. Yuan was a staff scientist at Manning & Napier Information Services for six years. He received a Ph.D. in system science from Binghamton University in 1996.

SO4 – Physical Security Today & Considerations for the Future

Sean Patton

Sean Patton will provide a checklist for self-assessment to be used as a planning tool. He will review today’s physical security threats and give a look into the future, to prepare you for leading your organization towards a safe environment over the next 3-5 years. He will review the checklist to show how to determine reasonable security solutions for today’s physical security threats and will discuss types of security products (including cameras, door access solutions, license plate recognition and more); the convergence of cyber and physical security; and how to think beyond your physical security plan and incorporate considerations for networking and VoIP that are important to maximizing your security effectiveness and allocated budget dollars.


Sean Patton is the Security Sales, Training and Engineering Leader at Frontrunner Network Systems. He has been in the IT business for 10 years. Sean is a graduate of RIT, and has held professional positions with Harris Corp, TechNet Global Services, CNC Microtech and Day Automation. He currently is the lead sales engineer for physical security projects for Frontrunner where he consults with customers on needs, and plans, designs and oversees implementation of security systems for K12, higher ed, government, healthcare, retail and commercial customers. Sean holds these certifications: Genetec Omnicast, Synergis, Security Center, AutoVu Fixed and AutoView Mobile.