The Odd Couple: IT Security & Audit

Brian O’Hara, CCSP, CISA, CISM, CISSP, CRISC, National Conference of Guaranty Funds

As part of the risk management universe, you might think these two groups would be in lockstep march, but in more cases than not, just the opposite has been found to be true. Typically, IT security sees the office of the chief auditor as a nemesis to be feared and fought with because “they don’t understand security.” And the financial or audit side of the house sees IT security as a sink hole for money and never-ending demands. Both lead to an atmosphere of non-trust and the development of silos.

In this session, O'Hara will examine the nature of these two often conflicting and convergent areas contained within risk management universe. He will explore the specific nature of and motivation behind each, such as regulatory compliance, data privacy, and defenses against mounting criminal forces from local and national state players.

He will also look at several examples of how these seemingly opposing forces can work together for the betterment of both sides and ultimately the organization for which they are both trying to manage risk in a sensible and effective manner.

It's time to network with colleagues and visit sponsor tables.

1. A Healthcare Ransomware Event: Case Study

   Brian O’Hara, CCSP, CISA, CISM, CISSP, CRISC, National Conference of Guaranty Funds

   In this breakout session, O'Hara will discuss issues surrounding a recent ransomware case that involved a local health care organization and review the procedures they used, and the lessons learned. He will discuss questions including:
   

   • Does your organization have a policy in place to handle such an event?
   • Do the people necessary in your organization know who to contact, and in what order, and the timeline for doing so should you encounter such a situation?
   • Does your organization have a prepared statement for the press that will adequately meet their immediate needs?
   • Do your staff know to NOT speak to anyone under any circumstances with clear NDA statement they sign at hire and annually?
   • Do you know who in law enforcement to contact and why?
   • Do you have and established relationship with counsel?
   • Do you have a contract in place for a specialty company to come in and assist at a moment’s notice?
   • Do you or your staff understand the flow of information?
   
   

    

2. Demystifying SOC Reports

   Sean Katzenberger, CISA, Crowe, LLP

   This session dives deeper into SOC reports, their purpose and what you need to know when reviewing them. Questions are welcome through the session. Topics will include:

   • SOC 1, SOC 2, SOC 3 defined
   • SOC 2 Overview
   • Benefits
   • Key parties
   • Structure of the report
   • Changes from last year
   • Timelines
   • Best practices
   • SOC 2 Types – Readiness Assessment, Type 1, Type 2
   • End User Responsibilities
   • SOC 3 Overview
   • SOC for Cybersecurity Introduction

   
   
   

It's time to network with colleagues and visit sponsor tables.



1. Cybersecurity Policies & Procedures: Why Every Organization Must Have Them

   Doriann Cain, Faegre Baker Daniels

   Policies and procedures are the foundation of any cybersecurity program. They help to minimize security incidents, set guidelines and ensure proper compliance with cybersecurity statutes. This session will provide a description of the types of policies and procedures you should have implemented and how to best combat security incidents through such documentation.
   
   

2. Social Engineering: What Is It, If Not a Degree from Purdue?

   Chris Werling, Cornerstone Information Security

   Topics will include:

   • Clever examples
   • Phishing, vishing and smishing
   • Why does it work
   • Best practices and policies to secure your and your clients' information in today's insecure world



Cyber Threat Landscape

Chris Knight and Jonny Sweeny, FBI

Topics will include:

• Introductions and overview
• Sources of cyber attacks
• State sponsored versus financially motivated
• Current trends and risks to each area
• Phishing
• Ransomware
• BEC
• IOT and SCADA
• Cryptocurrency
• Local case examples
• Realtor fraud
• Fake invoice/complaint
• Ransomware
• Future cyber risks
• How to protect and prevent
• Fraud kill chain
• Two-factor authentication
• Pivoting from one compromised account to another
• Encryption
• Be careful about attachments
• Infraguard

It's time to network with colleagues and visit sponsor tables.



1. The Wild, Wi-Ld West … of Wi-Fi?

   Chris Werling, Cornerstone Information Security

   Topics will include:

   • When is Wi-Fi insecure and how insecure is it really?
   • What can hackers do to your devices when you are connected to Wi-Fi?
   • What is "Hotspot 2.0?"
   • Best practices and policies to secure your and your clients' information in today's insecure Wi-Fi world.

   

2. GDPR at One Year Old: Has It Been a Success?

   Teresa Snedigar, CPA, CIA, CISA, MBA, Indiana Public Retirement System

   Many companies have been struggling with understanding GDPR and making sure it has been implemented correctly in their organization. This session will talk about the impact of GDPR, what results regulators are finding about the implementation of the law, and finally, what companies expect in the next couple of years in the world of data privacy.

It's time to network with colleagues and visit sponsor tables.

Ethics in Cybersecurity

Teresa Snedigar, CPA, CIA, CISA, MBA, Indiana Public Retirement System

Ethics are important in all areas of business. When it comes to cybersecurity, there can be many ethical challenges. This session will explore some of the most common ones, including:

• Challenges for cybersecurity professionals
• Data collection and data mining
• Internet of Things
• Breach responses and notification



Don't forget to turn in your CPE form at the registration desk. Look for an event survey; please give us your feedback so we can create another great conference next year!