
Agenda

  • 8:00AM-9:00AM Registration And Networking Breakfast
  • sponsored by Fortify
  • 9:00AM-9:15AM Opening Remarks And Seminar Overview
  • Moderator:  Maryfran Johnson
  • Editorial Director, Executive Programs
  • CSO magazine

  • 9:15AM-10:00AM The State Of PCI-DSS: Moving On To The Next Stage
  • Speaker:  Chris Mark, CISSP, CPISM, CIPP
  • CEO, President & Founder
  • The Aegenis Group

  • The Payment Card Industry Data Security Standard (PCI DSS) was developed by the major card brands to combat cardholder data compromises. With many of the original deadlines past, the standard is now moving toward a focus on application security as outlined in Requirement 6. Visa is executing a number of risk programs to support and incent payment system participants to properly protect cardholder data and secure their applications. In this session we'll hear from a leading security expert who will provide an overview of the current industry, regulatory and legislative environment.

    Attendees at the session will learn:
    *  What incentives does my company have to validate PCI compliance?
    *  What are the potential implications of non-compliance?
    *  What are regulators looking for in application security, and what is the state of compliance?

  • 10:00AM-10:45AM Business Process First, Necessary Evils Second: One Company's Approach To PCI Compliance
  • Speaker:  Bruce Larson
  • Director, Security Programs
  • American Water

  • As the compliance deadline for Requirement 6.6 of the Payment Card Industry's Data Security Standard (PCI DSS) slipped by on June 30, Visa, Inc. research was still tracking that 42% of midsized to large enterprises still hadn't reached compliance with this mandate to protect Web-based applications. At American Water, Security Programs Director Bruce Larson is working on the issue from a risk management perspective -- applying a more comprehensive (and ultimately less costly) approach before racing toward the PCI compliance finish line. Companies should evaluate their needs and perform business process remediation first, he contends, to make sure their efforts toward compliance are not only necessary but won't interfere with day-to-day business. All too often, companies dive into compliance efforts assuming that systems need to be modified, when in fact it may be business processes that deserve that first pass of re-evaluation.

    From this case study, attendees will learn:
    * How to evaluate compliance needs from a business risk perspective
    * What areas can you avoid or reduce in impact while still reaching compliance?
    * Where do the costs accrue in application security?


  • 10:45AM-11:15AM Networking Break
  • 11:15AM-11:45AM Time Goes Global With Compliance
  • Speaker:  Robert Duran
  • Information Security & Privacy Officer
  • Time Inc.

  • courtesy of Fortify Software

    Time Inc. faces a complicated corporate structure in its efforts to implement compliance standards at an international level. With a portfolio of more than 120 magazines, Time Inc. is the largest magazine publisher in the U.S., and a leading publisher in the U.K. and Mexico. That means Time's efforts were akin to achieving compliance with more than 120 discrete businesses.

    Time Inc. began addressing PCI compliance in 2003, then seriously ramped up its efforts the following year, in 2004. During this session, you'll hear about the techniques Time Inc. used, the challenges it faced, the best practices it developed and the technologies that worked best for Time Inc. as the company strove to meet the PCI-DSS regulatory requirements.

  • 11:45AM-12:15PM Breakout Sessions
  • Security and compliance issues continue to grow rapidly in response to consumer and regulatory demands. This session will cover solutions and ideas for managing PCI compliance or application-level security initiatives.

    Open Secrets: Data Privacy Issues in PCI Compliance
    Speaker: Jack Danahy
    CTO
    Ounce Labs

    The PCI Data Security Standard has raised the bar for information security. It has also amplified the need to safeguard sensitive data and brought the tension points between data privacy and data usability into the forefront. These issues impact the manner in which organizations collect, share and use customer data.

    So far, broad requirements and "reasonable best efforts" have characterized the regulatory environment. With the advent of PCI DSS, however, "reasonable" is no longer good enough. PCI sets strict guidelines around compliance requirements, with particular focus on application security. This is no longer merely an optional best practice. Full PCI compliance mandates that organizations analyze their applications for security vulnerabilities with an eye towards protecting customers' sensitive data. This session will look into these and other data privacy ramifications brought on by PCI DSS.

    PCI Compliance and Security: Reduce Complexity by Understanding Your Options
    Speaker: Gordon Rapkin
    CEO
    Protegrity

    There is no simple solution when it comes to achieving compliance with PCI data and application protection requirements. The many choices available to an organization can make a fairly straightforward solution seemingly more complex. Security can be a daunting task without a solid understanding of your protection options. This briefing will:
    *  Describe how to reduce the apparent complexity of data and application protection by understanding the available alternatives
    *  Present different protection methods within the context of the typical enterprise data flow
    *  Offer important considerations in safeguarding sensitive information

  • 12:15PM-1:00PM Lunch With Table Discussion Groups
     * Funding mechanisms for PCI Compliance: How to get the dollars you need
     * Best practices in managing application security screening for PCI Compliance
     * Understanding what PCI auditors are looking for
     * Future PCI standard issues: What's coming down the road from VISA?

    Avoiding Compliance "Gotchas" in the Data Center
    Facilitator: Robert Grapes
    Chief Technical Officer
    Cloakware

    The threat of data loss and exposure is constant. So too are the looming consequences of legislation that addresses access control and policy enforcement for enterprise data centers. All this makes managing elevated privilege accounts essential. Every organization knows it's the right thing to do, but few are doing it well. They're also concerned about the staffing and downtime consequences. This discussion will explore the new compliance regulations surrounding privileged passwords, the pitfalls to watch and ways to best protect enterprise datacenters from both internal and external threats.

    Elements for PCI Compliance Success
    Facilitator: Lee Quinton
    Director, Compliance
    FishNet Security

    During this lunchtime discussion, you'll learn and discuss the key elements of a successful PCI Compliance effort. How are other organizations tackling PCI compliance initiatives? Everyone involved in the discussion will benefit from "lessons learned" by other merchants and service providers as they worked toward compliance. You'll also discuss some of the most challenging PCI audit objective requirements, as well as:

    *  The common key elements in becoming PCI compliant
    *  Approaches to achieve and maintain PCI compliancy
    *  "C" Level Support
    *  Comprehensive Security Policy
    *  Adequate Budget
    *  Long and short term strategy
    *  Collaboration of business units and system IT groups
    *  Business systems and data flows

    Protecting Cardholder Data with Database Activity Monitoring (DAM)
    Facilitator: Marc Gamache
    TSE
    Guardium

    Many companies are struggling to meet the more challenging PCI assessment requirements, such as implementing database encryption for Requirement 3.4 (Protect Stored Data). This change can wreak havoc on existing applications and databases, as they were never designed to handle this type of encryption-at-rest without a major overhaul. Gartner states that retrofitting field-level encryption in databases may be a two-to-three-year project. Recent breaches have shown the importance of this requirement -- but re-architecting your network takes time. How do you implement effective preventive controls in the meantime?
    This lunchtime discussion will cover these topics, as well as:
    *  Tracking and monitoring all access to cardholder data for Requirement 10
    *  Maintaining secure systems for Requirement 6
    *  How you can strengthen data security and pass PCI audits faster and with less effort using database activity monitoring (DAM)

    Encrypting Data at Rest on Servers
    Facilitator:  Keith Hanna
    Regional Sales Manager
    nuBridges

    If you have encrypted sensitive data at rest, right where it's stored on your servers (in fields, files, databases and applications), a breach can be a non-event. This discussion will center on whether or not the group thinks this is an important aspect of a data protection strategy, and to what extent any companies have resolved the problem.

    Proliferating encryption keys can become both a management nightmare and a security risk. In this session, we'll discuss challenges like:
    *  How do you effectively manage encryption keys?
    *  What obstacles come to mind when encrypting data at rest?
    *  Which organizations have solved the encryption problem and how?

    PCI Requirement 6.6: Choosing the Right Option
    Facilitator: Edward Adams
    CEO
    Security Innovation

    PCI-DSS Requirement 6.6 offers many options for compliance, each with varying levels of flexibility, application coverage and value proposition. With the June 30, 2008 deadline now passed, many are unclear on their level of exposure with this new requirement. They need to quickly understand both the requirement and acceptable solutions.

    With limited infrastructure, time, and resources, companies need to improve their overall security posture and optimize compliance efforts. Come discuss the decision-making process for Requirement 6.6 and hear what others think about:
    *  The trade-offs and benefits of technologies like web application firewalls versus source code and web vulnerability scans
    *  Options for higher sustainable compliance
    *  Total cost of ownership for all options

    Lowering PCI Compliance Costs through Automation
    Facilitator: John Jacott
    Senior Solutions Architect, PCI-QSA, IRCA Lead Auditor for ISMS
    Veracode, Inc.

    PCI compliance is already exacting a financial toll. According to a leading analyst firm, spending on PCI compliance efforts by Level 1 and Level 2 U.S. merchants increased nearly fivefold during the past 18 months. And it's not just upfront costs. Card brands have already fined eight percent of retailers for failing to comply with PCI, while 22 percent have been threatened with fines.

    As publicly traded companies learned during six years of Sarbanes-Oxley (SOX) audits, simply increasing compliance spending is neither sustainable nor effective. Instead, consistent and repeatable processes that facilitate automation will reduce the time, money and resources required to fulfill PCI compliance. This lunchtime discussion will explore:
    *  How leading organizations are leveraging automation for lowering compliance costs
    *  Technologies and processes which enable automation
    *  Top PCI requirements which can be automated

  • 1:00PM-1:30PM Breakout Sessions
  • Security and compliance issues continue to grow rapidly in response to consumer and regulatory demands. This session will cover solutions and ideas for managing PCI compliance or application-level security initiatives.

    PCI Compliance for the Mobile Workforce
    Speaker: Charles Brown
    Product Manager
    Fiberlink Communications

    The headlines are scary: "47.5 million credit and debit card numbers stolen from TJX Companies." "Hannaford Brothers Companies data breach results in 2,000 cases of known fraud." "GE Money mishap could affect 650,000 J.C. Penney customers."

    These and other security breaches from merchants' payment card systems have led industry leaders to take action to help prevent future data loss events and resulting financial losses due to theft and fraud. There's a wrinkle in that approach that can lead to significant security gaps, though. Sensitive customer-identifiable data originating from the cardholder environment is increasingly showing up on unprotected mobile and remote computers.

    PCI compliance isn't just about locking down servers and networks. Sensitive data with identifying cardholder details is finding its way onto laptops and remote computers. How can enterprises extend PCI compliance to mobile systems? During this session, you'll learn how the PCI Data Security Standard requirements map to specific mobile security technologies and best practices, so you can pass your PCI audits and protect data in motion.


    Aligning Log Data and IT Controls with Compliance Mandates
    Speaker: Sudha Iyer
    Director, Product Management
    LogLogic

    PCI compliance initiatives are well underway, so now is the time to look at the broader potential of those enterprise control efforts. As you execute on plans for compliance, you can build enduring efficiencies with broad-reaching impact into your organization. The next phase of PCI is almost certain to include requirements for remediation and investigation, so planning ahead can help you there. Smart managers also consider the logging requirements for litigation, not just bare-bones compliance.

    This session will explore these and other best practices for maintaining, harmonizing and future-proofing PCI log management efforts. Log management and intelligence can help expedite PCI compliance projects and make them more comprehensive. You'll learn about managing business risks; maintaining compliance with multiple standards, regulations and frameworks; and synchronizing compliance, audit and security efforts while automating, improving and ensuring continuous compliance.

  • 1:30PM-2:15PM The Auditor Knocks Twice: Requirements For Application Security In PCI DSS
  • Speaker:  Don Horn
  • Director, Information Security
  • CareFirst BlueCross BlueShield

  • Speaker:  Rowley Molina, CISSP, CISM
  • Information Security Architect
  • CareFirst BlueCross Blue Shield

  • Requirement 6 of the PCI DSS is a fairly extensive movement towards securing organizations. While many businesses see it as an opportunity to clean up insecure applications, others struggle to find the resources and incentives to make it happen at their companies. What exactly are the requirements? What do they mean to your company? How are the expectations of PCI auditors evolving as they engage in more and more evaluations? In this session we'll hear directly from a PCI auditor's perspective on what needs to be done and what auditors look for, so you can be prepared.

    Attendees at this session will learn:
    *  What needs to be done to meet Req. 6 compliance?
    *  How do you get buy-in at your organization to address application security requirements?
    *  What are PCI auditors looking for when they come knocking?

  • 2:15PM-2:45PM Perspectives From The PCI Security Vendor Alliance
  • Speaker:  David Taylor
  • Founder
  • PCI Knowledge Base

  • Leveraging a base of knowledge can be extremely helpful in determining how you successfully achieve compliance. In this session, we'll hear from Dave Taylor, Founder of the PCI Knowledge Base and Research Director of the PCI Security Vendor Alliance, which helps businesses like yours successfully achieve compliance. The Alliance's intimate knowledge of PCI-DSS implementation will pull together and put into broader context the focus of today's discussions.
  • 2:45PM-3:35PM Town Hall Panel Discussion: Building A Roadmap To PCI Compliance
  • Moderator:  Bill Brenner
  • Senior Editor
  • CSO magazine and CSO Online

  • Panelist:  James DeLuccia IV
  • Managing Director
  • Intellection Strategies, Inc.

  • Panelist:  Randall Gamby
  • Analyst
  • Burton Group

  • Panelist:  Gordon Rapkin
  • CEO
  • Protegrity

  • Panelist:  Robert Duran
  • Information Security & Privacy Officer
  • Time Inc.

  • So what do the experts have to say? Sometimes the best way to find a solution is to speak with those who have traveled the road many, many times. In this moderated town-hall-style discussion, three well-versed compliance consultants from leading firms will tackle your specific challenges with PCI compliance. Consultants have the advantage of living through many compliance exercises and being able to share that knowledge across different vertical industries and company sizes. This interactive session will provide not only insight but answers that will help you build a roadmap to PCI compliance for your business.

  • 3:35PM-3:45PM Closing Remarks And Summation
  • Moderator:  Maryfran Johnson
  • Editorial Director, Executive Programs
  • CSO magazine