Information Security Compliance and Risk Management Institute:
Where Information Technology, Law and Risk Management Converge

September 16-17, 2009

University of Washington
UW Tower Auditorium
Seattle, Washington

About the Institute

Keynote Presenters:
Rob McKenna, Washington State Attorney General
Richard (Dickie) M. George, Technical Director, Information Assurance Directorate, National Security Agency

The Information Security Compliance and Risk Management Institute (ISC-RMI) is an annual interdisciplinary event jointly sponsored by:

  • University of Washington's Center for Information Assurance and Cybersecurity

  • Shidler Center for Law, Commerce and Technology

The mission of the Institute is to bring IT and information security professionals, attorneys and auditors together with concerned academics and public officials for two days of discussion and advanced learning about the arts, sciences and laws of electronic information and IT use and protection.

Who Should Attend

  • Compliance and privacy officers
  • Information security professionals – CISSPs, CISAs, CISMs, etc.
  • Information assurance auditors
  • Attorneys for IT-dependent organizations
  • IT professionals
  • CEOs, COOs and CFOs for IT-dependent organizations and IT services providers and vendors
  • University faculty and researchers
  • Public officials, legislative and regulatory staff involved in cyberwar/critical infrastructure, privacy and security matters
  • Managers of technology and network systems
  • Systems architects and administrators
  • Network security officers
  • Financial managers
  • System administrators
  • Business development executives in the IT sector
  • Web services and software developers
  • Administrators for health records, student records and other sensitive records systems

The Changing Environment of Information Security:
Dealing with New Technologies, New Threats and New Laws

The information security risk environment seems to be in constant change, perhaps never more so than in 2009. New technologies and applications like cloud computing, social networking, virtual worlds and ever-more-powerful smartphones have great potential benefits, but do we really know their risks and how to manage them? Cybercriminals are more organized and sophisticated than ever - are cyberwarriors coming next? And what new strategies and legal actions will the new administration pursue that may enhance, or hinder, our ability to deal with these threats and vulnerabilities?

In order to address these issues, Co-Directors John R. Christiansen and Barbara Endicott-Popovsky are pleased to announce the 2009 Information Security Compliance and Risk Management Institute. The Institute is an annual interdisciplinary event for information technology and security professionals, attorneys and auditors for advanced learning and improvement of the arts, sciences and laws of electronic information and information technology use and protection.

The Institute will be held September 16 - 17 on the University of Washington campus in Seattle. This year's Institute will focus on the identification and management of risks posed by key new technologies, emerging and growing threats to our networks and data, and new laws, legal strategies and theories which affect organizations' information security governance and management.

Attendees will have the opportunity to hear from and interact with leaders in information technology implementation, information security, law and audit, and work with them in breakout sessions to develop recommendations for governance and management strategies and public policy recommendations for dealing with the new information security environment.

This program is appropriate for anyone responsible for information technology or security, risk management and legal compliance for any organization which depends on information technology and electronic information.

Presenter Bios

Anastasi, David P.
David Anastasi was most recently Director, President & Chief Executive Officer of Captaris, Inc. After divesting several declining business lines, which took Captaris from $90M to $58M in annual revenue, Captaris launched its document and data process automation focused strategy. This shift in strategy was instrumental in reinventing Captaris from a voice messaging and fax company to a leader in the Enterprise Content and Document Management spaces. Through a combination of organic growth and multiple domestic and international acquisitions, revenue grew to over $140M annually, of which over 40% was international, and recurring revenue increased from $7M to over $40M annually. Anastasi was also instrumental in guiding Captaris through Sarbanes-Oxley and 404 certification. Captaris was recently acquired by Open Text, a leader in the Enterprise Content Management market.
He previously held the same offices with Conversay, a leader in speech recognition technologies for both mobile and traditional Internet devices. Prior to that, he was a Founder, President & CEO of the Global Chipcard Alliance (GCA), a smart card/chip technology consortium involving many of the world's major telecommunications companies, largest financial institutions and technology leaders. Anastasi was also Vice President & General Manager of the Public Access Solutions & Smart Card Division of U S WEST, where he helped develop the "people in motion" initiative for today's mobile workforce. Other key positions in his career include National Sales Manager with Neopost (formerly Friden Alcatel, a division of Alcatel Business Systems) and Marketing Group Leader with the Independent News Division of Warner Communications.
Most recently Anastasi has been assisting early stage companies in developing strategy and go-to-market plans. He was recently named to the Board of Directors of Onehub, a SaaS file sharing, project management and collaboration technology company whose initial seed funding and Series A round were led by Ignition Partners. Anastasi is also an active member of the Keiretsu Forum, the largest North American angel network, with 18 chapters and over 750 accredited investor members.
He was recently appointed a member of the Investment and Entrepreneurship Committee of the Washington State Economic Development Commission. The Washington State Legislature created the Commission to oversee the economic development strategies and policies of the Washington State Department of Community, Trade, and Economic Development (DCTED) and to provide private sector input to the state's economic development strategies and policies. The Commission is responsible for ensuring that economic development remains a priority at the state level, and it influences the long-term strategy and the flow of money for the Washington universities and the use of any proceeds from any intellectual property developed.
Anastasi also is a member of the Seattle University Albers School of Business Advisory Board.
Over the last 10 years Anastasi has participated in a variety of areas with the Entrepreneur program at the University of Washington and Seattle University. He is an Advisory Board Member for the University of Washington's Tech Transfer and LaunchPad organizations, which facilitate the commercialization of new innovations arising from research through the management and licensing of intellectual property. Since its inception it has created more than 240 companies; in 2008 it generated $47M in revenue and managed a portfolio of over 2,200 issued and pending patents. He is also a regular speaker at undergraduate and graduate classes at the University of Washington and Seattle University.
Finally, he is a past Board Member of the WTIA (when it was the Washington Software Association, WSA), a two-year Chair of the Washington Chapter of TechAmerica (formerly AeA), and served on its National Board for two years.
Anastasi has a Bachelor of Science degree in marketing management from Bentley University in Boston and a Master's degree with an emphasis in international management from the University of San Francisco.
Former Industry & Board Affiliations
  • Advisory Board, eTetra.com, an Internet software company offering web-enabling technologies allowing instant communication via Internet chat, voice (VoIP), or callback via telephone.
  • Advisory Board, Echospace.com, a web-based application provider for the high-speed Internet access market.
  • Steering Committee, World Resources Institute - Creating a Digital Dividend Program
  • Board of Directors, Payphone Service Providers Association
  • Board of Directors, Smart Card Forum
  • Advisory Board, Telecommunications Management and Policy Program, University of San Francisco
Bailey, Kirk; CISSP
Chief Information Security Officer, University of Washington
Prior to his appointment as the CISO for the University of Washington, Mr. Bailey served as the first ever CISO for the City of Seattle. His long career as an information assurance professional has provided him an extensive background in large mainframe systems, distributed computing and network environments, and emerging technologies. For the last 20 years his professional focus has been the methodologies and technology associated with information systems control, administration, and protection. His professional responsibilities and research have provided him considerable expertise regarding issues associated with privacy protection, compliance issues, electronic crime, risk management, critical infrastructure protection and the controversial area of active response.
In response to growing concerns by professionals in the field regarding the troubling challenges posed by emerging technologies, Mr. Bailey founded "The Agora" in November of 1995. The Agora is a successful strategic association of information systems security professionals, technical experts, and officials from the private sector, public agencies, local, state, and federal government, and law enforcement.
Mr. Bailey and his work with the Agora have been reported in newspapers around the country including: The New York Times, The Wall Street Journal, The Christian Science Monitor, The Washington Post, The Los Angeles Times, The Seattle Post Intelligencer, The Seattle Times, and The Tacoma News Tribune. He has also appeared on local television news shows, and the PBS Frontline special "Hackers." In addition, Mr. Bailey's professional experiences and entertaining perspectives have made him a popular and much sought after speaker for professional forums and conferences around the country.
Christiansen, John R.; J.D.
John R. Christiansen's practice focuses on the implementation and management of healthcare information technologies, with an emphasis on electronic health and medical records, health information exchange, and privacy and security regulatory compliance and risk management. While he principally practices as a lawyer, John also acts as a consultant, and worked for a time as a HIPAA security audit lead in a major consulting firm. His clients include hospitals, health systems, physician practices and IT services providers, in the Pacific Northwest and throughout the United States.
A recognized national leader in the field, among other involvements John is currently Chair of the American Bar Association's HITECH Business Associates Task Force and the HITRUST HITECH Business Associates Work Group; and past Chair of the American Bar Association's Committees on Healthcare Information Technology; Healthcare Privacy, Security and Information Technology; and Healthcare Informatics. He is a frequent speaker and regularly publishes on healthcare technology issues; his most recent book is An Integrated Standard of Care for Healthcare Information Security: HIPAA, Risk Management and Beyond (2005), the definitive legal treatise on healthcare security. John also teaches Policy, Law and Ethics in the University of Washington Information School's graduate program, and previously taught in the Oregon Health and Sciences School of Medicine's graduate informatics program.
John received his J.D. from the University of Washington School of Law and his B.A. from the University of Colorado.
Cowperthwaite, Eric
Eric Cowperthwaite has more than 20 years' experience as a security practitioner and leader in both civilian and military settings. This includes more than 10 years of experience in healthcare security. Currently, Eric is the Chief Information Security Officer of Providence Health & Services, headquartered in Seattle, Washington. Providence has 27 hospitals and more than 50,000 employees located in five western states: Washington, Oregon, California, Alaska and Montana. Eric's position is responsible for providing strategic and operational leadership to Providence Health and Services (PH&S) in the management and delivery of enterprise security. This includes responsibility for security plans and policy, risk assessment and mitigation, disaster recovery and emergency preparedness planning, crisis management and security investigations across the Providence enterprise.
Prior to that, Eric was the Security & Privacy Officer for Medi-Cal, the state of California's Title XIX Medicaid insurance program. In that capacity, Eric was responsible for developing and implementing security and privacy policies, standards and procedures to protect the personal health information of more than 6 million Medicaid beneficiaries and the information and assets of Medi-Cal, and for maintaining a safe, secure work environment for the employees. He also worked for Electronic Data Systems in a variety of capacities, including the Chief Security and Privacy Office, Network Services, Solution Architect, Security and Privacy Professional Services and Strategic Technology Transformation. Eric served in the US Army for over 10 years, including time in the Middle East, Western Europe on the "Iron Curtain" and Africa.
Eric is a member of a variety of industry organizations, including:
  • Pacific Northwest CISO Forum
  • ISSA CISO Executive Forum Steering Committee
  • Security Executive Council
  • State of Washington Health Information Security & Privacy Collaborative Steering Committee
  • Workgroup for Electronic Data Interchange (WEDI) SNIP Security & Privacy Workgroup
He has been asked to speak on security topics by a variety of organizations, including Gartner, the State of California Health & Human Services agency, the Department of Homeland Security, Senator Lieberman's office, the Information Systems Security Association, SecureWorld and SANS (SysAdmin, Audit and Network Security). Eric has been published in several industry publications including, most recently, Security Technology & Design and CSO Magazine. Eric is a 2008 Computerworld Premier 100 IT Leaders honoree.
Curtin, C. Matthew; CISSP
C. Matthew Curtin is the founder of Interhack Corporation, a computer expert firm with practice areas in Information Assurance and Forensic Computing. As a forensic computer expert, Mr. Curtin analyzes information technology and electronically stored information to answer questions that arise in adjudication. He has appeared as an expert witness in both civil and criminal cases, dealing with everything from electronic discovery to assessment of information technology in practice. Since 1998, Mr. Curtin has maintained a regular academic appointment as a lecturer at The Ohio State University's Department of Computer Science and Engineering, teaching courses in the Common Lisp programming language and operating systems implementation. He frequently lectures on the topic of forensic computing to audiences of judges and attorneys.
David, Scott; J.D.
Scott David is a partner working with the electronic commerce, tax, and intellectual property practices at K&L Gates. He provides advice to firm clients on issues of international, federal, state and local taxation; intellectual property licensing and structuring; compliance with federal and state privacy and data security laws; structuring of online contracts, terms of use, privacy policies and electronic payment and tax administration systems; corporate, partnership and limited liability company organization and affiliation structuring; technology development and transfer; participation in standards setting organizations; and non-profit and tax-exempt status and related issues. He regularly counsels the firm's intellectual property, high technology, telecommunications, online commerce, power generation, construction, retail, manufacturing, service sector, health care, governmental, financial sector and other clients.
Eisenberg, Brian Daniel
Brian Eisenberg is a senior systems engineer at Software AG, helping to support sales reps and systems engineers with customized VMware business process management and human workflow applications. He was formerly a senior product manager at webMethods and a program manager at Microsoft.
Estberg, Mark
Mark Estberg is Senior Director of Information Security Risk and Compliance Management for Microsoft's online services division. His responsibilities include risk and compliance management, audit management, policy and business continuity. Mark joined Microsoft through the acquisition of Visio Corporation in 2000. His Microsoft background includes serving as Senior Director for Microsoft Information Technology's Information Security organization. In that role he had responsibility for information security risk management, policy, awareness, strategy, engineering and governance. Mark also led Microsoft's Security Center of Excellence, which works with Microsoft enterprise customers to develop and implement security solutions. Mark was Director of Information Technology at Visio Corporation prior to joining Microsoft. His career also includes software development, management consulting and forensic economics. Mark holds a Bachelor of Arts in computer science with a minor in business administration from the University of San Diego.
George, Richard (Dickie)
Mr. George is the Technical Director, Information Assurance Directorate, of the National Security Agency. Mr. George began at the National Security Agency in August 1970 after graduating from Dartmouth College. He started in the Crypto-Math Intern Program, having tours in Research, the SIGINT Directorate, and the Information Assurance Directorate's (IAD) predecessor organization. Except for a tour in the Signals Intelligence Directorate and one at the Center for Communications Research in Princeton, he has worked in the IAD since 1973. He has served as technical director for organizations at various levels in the directorate, and currently serves as the Technical Director for the Information Assurance Directorate. As a technical leader, Mr. George works closely with teams and individuals giving advice and direction on specific, as well as general, technical questions; mentors; and serves on various technical boards. He advises the Director of Information Assurance and the Director of NSA on technical issues, and develops strategic direction for the Information Assurance Directorate. He has participated actively in the equity resolution process and served as a liaison to the SID and R math communities.
Geyer, Ann; J.D.
Ann Geyer is the managing director at Tunitas Groups, a California based health information technology consulting group where she specializes in IT governance and infosec compliance. Ann has been involved in a number of health information exchange projects. She was CEO of California's initial RHIO organization and has been active in developing and promoting standards for HIT. She is a former NCQA security auditor and a certified information privacy professional. Her education includes degrees in psychology, statistics, business, and law.
Hamilton, Michael
City of Seattle Chief Information Security Officer Michael Hamilton has more than twenty years of experience in Information Security as a practitioner, entrepreneur, consultant, and in governance. Employers and clients have included retail, manufacturing, defense, municipal, academic, law enforcement, publishing and financial sectors - from Fortune 1 to small non-profits. Now in the public sector, he speaks frequently on the dependence of critical infrastructure and local government. He is the architect of the PRISEM system for monitoring security events in a metropolitan region, has taken a leadership role to improve security on inter-governmental networks, and provides information security consulting to a number of cities and counties throughout the State of Washington through the Association of City and County Information Systems. Mr. Hamilton is a graduate (B.S., M.S.) of the University of Southern California.
Lowder, Jeff
Jeff Lowder is Director, Information Security for the Disney Interactive Media Group, a segment of The Walt Disney Company, a columnist for InfoSecBlog.com, and a former advisory board member for the SANS Institute. His information security experience includes senior level security roles at the U.S. Air Force Academy, Elemica, and United Online.
His primary areas of focus are information security governance, risk, and compliance; vulnerability management; and security metrics. He is currently writing a course on information security risk management for practitioners. He holds the CISSP certification.
Matthews, David; CISSP, CISM
David Matthews is currently the Deputy Chief Information Security Officer for the City of Seattle. He has worked in the Information Technology field since 1992. He began his IT career as a Network Administrator and all-around IT support for a small public relations firm. He began working for the City of Seattle as the Technology Manager for the Legislative Department (City Council) in 1998. In early 2005 he was selected to be the first Deputy CISO for the City. In May 2005, the City's CISO was hired by the University of Washington and David was made Acting CISO. He worked in that capacity until April 2006, when the City hired a new CISO. In his work for the City he has developed and created a NIMS/ICS compliant incident response plan; updated and extensively rewritten the City's Information Security Policy; developed digital investigation policies and procedures; created and taught training courses on information security policy and digital forensics processes; and created an IT primer and litigation hold procedures for the City's Law Department as part of his collaboration with them on eDiscovery issues.
He is a participant and leader in regional information security organizations. He is the public sector co-chair of the US-CERT/DHS sponsored North West Alliance for Cyber Security (NWACS). With NWACS he has worked with the Pacific Northwest Economic Region non-profit (PNWER) to sponsor information security training for SCADA operators and managers and four Blue Cascades disaster scenario exercises, and he is the creator and editor of a portal website with local information security and forensics activities, a library of best practice documents, and links to information security and forensics websites.
David is also an active participant in the Agora, Pacific CISO forum (PACISSO), Computer Technology Investigators Network (CTIN), ISSA, ISACA, InfraGard and ISC2. He participates on the local Critical Infrastructure Protection sub-committee of the Regional Homeland Security team, and also works with a national infrastructure protection group called TISP (The Infrastructure Security Partnership). He has published an article on Active Defense in the ISSA Journal, and has presented at many emergency management and information security conferences. His most recent presentation on eDiscovery, called "Translating Geek for Attorneys," has been presented to records managers, information technology and security audiences and was given as a continuing legal education course for the U.S. Attorney's office in Seattle and the City of Seattle's Law Department.
He holds the Certified Information Systems Security Professional (CISSP) and Certified Information Security Manager (CISM) certifications, and a Certification in Forensics Investigation from Highline Community College.
McKenna, Rob; J.D.
The Hon. Rob McKenna, Washington State's 17th Attorney General, directs 500 attorneys and nearly 700 professional staff providing legal services to state agencies, boards and commissions. His top priorities include protecting consumers and businesses against high-tech crimes, such as cyber fraud, phishing and spyware.
Merico, Ana Maria; J.D.
Ana Maria Merico is a professor at the University of Arizona James E. Rogers College of Law, and has been a visiting professor at Universidad Carlos III in Madrid, Spain, Universidad Torcuato Di Tella, Buenos Aires, Argentina, and University of Michigan Law School. A native of Buenos Aires, Argentina, she is the author of many publications in English and Spanish. Her J.D. is from the University of Michigan Law School, and she graduated from the University of Cincinnati with a B.A. Before teaching, she clerked for the Honorable James L. Ryan in the United States Court of Appeals for the Sixth Circuit. Professor Merico has been a Fulbright Scholar, serves as faculty advisor for the Hispanic National Bar Association (HNBA), is the former Regional President for the National HNBA, and is the current president of Phi Beta Kappa Alpha of Arizona.
Morrison, Bryan R.; J.D.
Special Assistant to the Deputy Assistant Secretary, Cyber Security and Communications, Department of Homeland Security
Mount, Charles
Charles is Chief Executive Officer of OneHub, Inc., and a serial entrepreneur who has founded three software startups over the last 8 years. His inspiration for Onehub came from his own need for a better way to share business information with partners and customers and the growing importance of web services for businesses.
OneHub is an on-demand web application that provides collaboration services for business users. Using Onehub, users can create virtual workspaces, called Hubs, that are customized to match the look and feel of the company's website and provide secure file sharing and collaboration tools.
Pisto, Laird; J.D.
Associate General Counsel, Multicare Health System
Presenting with Paul VanAmerongen, CISSP, MultiCare Health System: Legal and IT Coordination in a Complex Health System
Rasmussen, Michael; J.D.
Michael Rasmussen is one of the foremost authorities in Governance, Risk, and Compliance (GRC), and is noted for being the first analyst to define and model the GRC market for products and professional services. Michael has worked closely with large organizations and government agencies. His involvement in government initiatives has included leading roles in defining public policy and legislation on risk and compliance with contributions to US Congressional reports, boards, and committees. Michael currently serves on both the Steering Committee and Technology Council of the Open Compliance and Ethics Group. Michael is a frequent conference keynote on topics related to GRC and has been quoted extensively in the press around the world. In the June 2007 issue of Treasury & Risk, Michael was recognized as among the top 100 most influential people in finance with specific accolades noting his work in "Governance and Compliance: Saving the Planet and the Corporation."
Reavis, Jim
Jim Reavis has worked for many years in the information security industry as an entrepreneur, writer, speaker, technologist and business strategist. Jim's innovative thinking about emerging security trends has been published and presented widely throughout the industry and has influenced many.
He is a member of the Business Advisory Board for PGP, Inc., the world's largest provider of encryption services, and of the Technical Advisory Board for Tyfone, Inc., a provider of mobile financial services infrastructure that encompasses a comprehensive mobile banking solution with fully integrated security features. Jim is also President of Neupart, Inc., which focuses on automating policy documentation, ISO 27001 compliance management and employee awareness of corporate policies in an integrated, software-based fashion, and of Reavis Consulting Group, which provides information security research and consulting services to a diverse clientele.
Jim is also Chief Blogging Officer at Risk Bloggers, a group which brings together the top minds from a variety of risk-based disciplines, including information security, physical security, risk management, privacy, government and the legal practice to contribute insightful blogs that will act as a strategic change agent to influence the direction of technology, policy and best practices. Jim is a past Executive Director, Board Member and Vice President of the Information Systems Security Association ("ISSA"), and co-founder of the Cloud Security Alliance.
Ryan, Daniel J.; M.B.A, J.D.
Daniel J. Ryan teaches Systems Management at the National Defense University, where he teaches information security, information assurance, cryptography, network security and computer forensics. He serves as research advisor to individual students on topics related to national security, and provides analyses of systems management issues significant to national security. Dan served as Corporate Vice President of Science Applications International Corporation with responsibility for information security for Government customers and commercial clients who operate worldwide and must create, store, process and communicate sensitive information and engage in electronic commerce.
Prior to joining SAIC, he served as Executive Assistant to the Director of Central Intelligence. Earlier, he was Director of Information Systems Security for the Office of the Secretary of Defense serving as the principal technical advisor for all aspects of information security. He developed information security policy for the Department of Defense and managed the creation, operation and maintenance of secure computers, systems and networks. His specific areas of responsibility spanned information systems security (INFOSEC), including classification management, communications security (COMSEC) and cryptology, computer security (COMPUSEC) and transmission security (TRANSEC), as well as TEMPEST, technical security countermeasures (TSCM), operational security (OPSEC), port security, overflight security and counterimagery. In private industry, he was at Booz Allen & Hamilton, Bolt Beranek & Newman, TRW, and he was Director of Electronic Warfare Advanced Programs at Litton's AMECOM Division. He headed a systems engineering section at Hughes Aircraft Company where he was responsible for the design, development and implementation of data processing systems. He began his career at the National Security Agency.
Mr. Ryan received his Bachelor's degree in Mathematics from Tulane University, a Master's in Mathematics from the University of Maryland, a Master's of Business Administration degree from California State University and the degree of Juris Doctor from the University of Maryland. He is admitted to the Bar in the State of Maryland and the District of Columbia, and has been admitted to practice in the United States District Court, the United States Tax Court, and the Supreme Court of the United States. He has been Certified by the United States Government as a Professional in the fields of Data Systems Analysis, Mathematics and Cryptologic Mathematics, and is CNSS 4011 certified.
Areas of Expertise: Statistical analysis, risk management, cyberlaw, information assurance, critical infrastructure protection, information operations and cyberwar, cryptology, policy analysis.
Academic Credentials:
B.S., Tulane University
M.A., University of Maryland
M.B.A., California State University
J.D., University of Maryland
Ryan, Julie; Ph.D.
George Washington University
Schaffner, Jake
Jake Schaffner currently serves as Senior Advisor for Science & Technology in the Directorate for Information Operations and Strategic Studies in the Office of the Under Secretary of Defense for Intelligence.
Mr. Schaffner, a native of San Diego, CA, was commissioned as a regular Ensign in the Navy in 1974 through the Reserve Officer Training Corps program at the University of Texas, Austin after earning a B.A. in Geography. Following Communications, Anti-Submarine Warfare, German foreign language, and Naval/Mechanical Engineer training, he served as Communications Officer on USS John S. McCain (DDG-36), Navigator on FGS Zerstoerer 4 (foreign exchange with the Federal German Navy), Chief Engineer on USS Robison (DDG-12), and Chief Engineer on USS Jouett (CG-29).
Selected to attend Naval Postgraduate School, he earned a Master of Science in Systems Technologies (Space Systems) in 1986. His master's thesis was "Naval Strike Applications of Transatmospheric Vehicle." He then served as Executive Officer of USS England (CG-22). After that tour he served on the Chief of Naval Operations staff in the Tactical Exploitation of National Capabilities (TENCAP) branch, where he was project director for several research efforts that applied National Reconnaissance Office (NRO) developed technologies to the support of Navy over-the-horizon-targeting (OTHT) initiatives. Following his TENCAP tour he served as Commanding Officer, USS Mahlon S. Tisdale (FFG-27).
Mr. Schaffner reported to the Joint Staff in 1994 where he served for nearly four years in the Directorate of Operations (J3) in the Special Technical Operations (STO) division. He was initially a project officer, but advanced steadily in responsibility, eventually leading the Policy and Capabilities Division. During this time he had substantial roles in all significant national and joint information warfare planning and exercise efforts, contributing strongly to the division's eventual conversion into the J-39/Information Operations Directorate shortly before his departure.
Mr. Schaffner's final active duty assignment was on the Intelligence Community Management Staff, where he served as the IC Director of Information Operations Policy from 1998-2001. Upon retirement from active duty, he joined SCITOR Corporation as a Senior Strategic Analyst. In 2002, he joined Booz Allen Hamilton as a Senior Associate. He served there as an expert in information operations policy, strategic influence, and the application of advanced technologies to information operations, and primarily served clients in the Department of Defense.
Spangenberg, Ward
IOActive, Director of PCI
In his role at IOActive, Spangenberg uses his knowledge of system and network penetration, web application analysis, and security auditing to provide clients with the requisite tools for meeting federal, industry, and PCI compliance requirements. Spangenberg is intimately familiar with NIST 800, COBIT, ISO 17799, GLBA, Sarbanes-Oxley, and HIPAA requirements; has extensive experience in information quality assurance; and is highly skilled with vulnerability assessment methodologies.
Spangenberg's broad background with security solutions enables him to determine best practices for managing confidentiality, security, and privacy issues from both business (process development, informed consent, data statistics collection) and technical (host and perimeter security, access control and monitoring) perspectives. In addition, Spangenberg has provided IT audit and internal security consulting services, participating in enterprise-level documentation, technical assessment, and remediation efforts with respect to the VISA Payment Card Industry compliance requirements.
Spiro, David E.; Ph.D.
David E. Spiro is a business consultant, Founding Principal of The Strategy Practice, LLC, and a Visiting Scholar at the International Studies Association. From 1985-1999 he was a professor of International Political Economy on the faculties of Columbia University, Harvard University, and the University of Arizona. He is the author of The Hidden Hand of American Hegemony: Petrodollar Recycling and International Markets (Cornell University Press, 1999) as well as articles, monographs, and book chapters. His PhD in International Political Economy is from the Department of Politics at Princeton University, where he also received an AB in Near Eastern Studies. Among his honors and awards are Council on Foreign Relations Term Member, Fulbright Scholar, Ford Foundation Fellow, National Endowment for the Humanities Fellow, Research Scholar at The London School of Economics, and Guest Researcher at The Brookings Institution. He has consulted internationally to many credit card companies and banks, which bear no responsibility for the views expressed here.
Towle, Holly; J.D.
Holly K. Towle is a partner with K&L Gates, an international law firm, where she focuses on data privacy and security, use of electronics in commerce, Internet transactions and software licensing. Holly speaks and is published nationally and internationally, and she is the author of The Law of Electronic Transactions (A.S. Pratt & Sons, 2003-2008; http://www.sheshunoff.com/store/F53.html). Holly has commented on behalf of trade organizations and other clients on proposed state and federal legislation regarding computer information transactions, electronic commerce, software licensing, proposed U.C.C. revisions, and consumer protection. Holly is a member of the American Law Institute, is listed among the top 25 Information Technology lawyers in the Best of the Best USA 2008, and is included in the Guide to the World's Leading Technology, Media & Telecommunications Lawyers, in An International Who's Who of E-Commerce Lawyers and in the Financial Institutions Law section of The Best Lawyers in America.
Van Amerongen, Paul
Paul Van Amerongen, CISSP, is the Manager of Information Security Services for MultiCare Health System in Tacoma, Washington. Previously he was the Manager of Information Security Engineering and Manager of the Applications and Information Security Service Desk at Premera Blue Cross. Prior to Premera, he was a member of the United States Navy submarine force, where he directed the information technology program and information security program for the Pacific Northwest Trident Submarine Fleet. He is a member of the Information Systems Security Association (ISSA) and InfraGard. He holds a Bachelor of Science in Computer Science from Chapman University, is a Certified Information Systems Security Professional (CISSP), and holds an ITIL Foundations certification and an ITIL Practitioner Support and Restore certification.
Wald, Barbara; J.D.
University of Chicago Law School, 1981 – 1984, J.D.; Northwestern University, 1976-78, English M.A.; University of Rochester, 1969- 1973, English B.A.
JPMC (formerly Bank One), 2000–present (nationwide Technology Liaison for Litigation, VP, Assistant General Counsel); Ungaretti & Harris, 1987 – 2000 (Associate/Partner); Mayer, Brown & Platt, 1984–1987 (Associate)
Former nationwide Litigation Technology Liaison immediately upon the merger of JPMorgan Chase Bank, N.A. ("JPMC"), 2000 – 2008; litigation counsel with Axiom
Successfully managed multi-million dollar business methods and other patent infringement litigation (including cases involving multiple patents and alleged exposures in the eight figures); enforced trademark infringement litigation; managed information technology ("IT") disputes involving bank software and hardware suppliers (including disputes involving large, nationwide vendors that supply software and hardware bank-wide); drafted software licensing agreements and amendments thereto; provided litigation advice and expertise on technology initiatives and internet issues within the bank; and drafted settlement agreements, joint defense agreements, non-disclosure agreements, standstill agreements, etc., with software and hardware vendors.
Member of the Corporate Internet Group at the bank, and collaborated with the Data Privacy group at the bank, in addition to handling litigation and pre-litigation matters involving data privacy matters.
Co-authored "Interlocutory Appeals Under 28 U.S.C. sec. 1292," APPELLATE LAW REVIEW, Vol. 4 (Summer 1992), co-authored "The Notice of Appeal," ISBA TRIAL BRIEFS, Vol. 36, No. 2 (February 1991), Note, "Secondary Boycotts and the First Amendment," 51 U. CHI. L. REV. 811 (1984).

Agenda

Wednesday, September 16, 2009

8:25 - 8:30 a.m.  Welcome and Introductions

8:30 - 9:15 a.m.  Security Lessons for the Future from IT Architectures of the Past
John R. Christiansen, Christiansen IT Law

9:15 - 10:15 a.m.  Data Protection and "Toxic Waste" – What Common Dangers Do They Create and What are the Policy Implications?
Scott David, J.D., K&L Gates
Holly Towle, J.D., K&L Gates

10:15 - 10:30 a.m.  Break

10:30 - 11:30 a.m.  Legal and IT Coordination in a Complex Health System
Laird Pisto, J.D., MultiCare Health System
Paul Van Amerongen, CISSP, MultiCare Health System

11:30 - 12:15 p.m.  Seeking the True Cost of Data Breaches: Numbers. Trends. Future.
Thomas Ng; Aaron Weller; Michael Davison; Wayne Glover, University of Washington Information School MSIM Program

12:15 - 1:15 p.m.  Lunch

1:15 - 2:00 p.m.  Using Science to Combat Data Loss: Analyzing Breaches by Type and Industry
C. Matthew Curtin, CISSP, Interhack

2:00 - 3:00 p.m.  KEYNOTE PRESENTATION
Rob McKenna, J.D., Washington State Attorney General

3:00 - 3:15 p.m.  Break

3:15 - 4:15 p.m.  Rethinking Identity in Systems and Laws
Ana Maria Merico, J.D., Rogers College of Law, University of Arizona
David Spiro, Ph.D., The Strategy Practice

4:15 - 5:00 p.m.  Security Breach Notification Across Multiple Jurisdictions
Ann Geyer, M.B.A., J.D., The Tunitas Group

5:00 - 5:30 p.m.  Moderated Audience Q&A on Security Breach Issues
Moderator: David Matthews, Deputy Chief Information Security Officer, City of Seattle

5:30 - 7:00 p.m.  Reception

Thursday, September 17, 2009

8:25 - 8:30 a.m.  Welcome and Introductions

8:30 - 9:30 a.m.  Biological Systems and Models in Information Security
Daniel J. Ryan, M.B.A., J.D., Professor of Systems Engineering, National Defense University
Julie Ryan, Ph.D., George Washington University

9:30 - 10:30 a.m.  Security Perspectives from "The Other Washington"
Jake Schaffner, Senior Advisor for Science & Technology, U.S. Department of Defense Information Operations & Strategic Studies
Brian R. Morrison, J.D., Special Assistant to the Deputy Assistant Secretary, Cyber Security and Communications, Department of Homeland Security

10:30 - 10:45 a.m.  Break

10:45 - 11:45 a.m.  KEYNOTE PRESENTATION
Richard (Dickie) M. George, Technical Director, Information Assurance Directorate, National Security Agency

11:45 - 12:15 p.m.  Moderated Audience Q&A on Federal Security Perspectives

12:15 - 1:00 p.m.  Lunch

1:00 - 1:45 p.m.  Understanding the Cloud: Cloud Computing Business Models
Charles Mount, CEO, OneHub
Brian Daniel Eisenberg, Software AG
David P. Anastasi, CEO, Captaris

1:45 - 2:45 p.m.  Managing Third Party Risk and Compliance in the Extended Enterprise
Michael Rasmussen, J.D., Corporate Integrity, LLC

2:45 - 3:00 p.m.  Break

3:00 - 4:30 p.m.  Security, Risk and Compliance in Cloud Computing
Mark Estberg, Microsoft
Ward Spangenberg, IOActive
Barbara Wald

4:30 - 5:30 p.m.  CISO Roundtable on Cloud Computing
Leading information security officers respond to cloud computing issues; CISOs, presenters and audience in moderated Q&A
Moderator: Jim Reavis
Kirk Bailey, CISSP, CISA, University of Washington
Jeff Lowder, CISSP, Disney Interactive
Michael Hamilton, CISSP, City of Seattle
Eric Cowperthwaite, CISSP, Providence Health & Services

2009 Presentations

Managing Risk & Compliance Across 3rd Party Relationships
Michael Rasmussen, J.D., Corporate Integrity, LLC

Is Data Like Toxic Waste? Understanding the Data Risks, System Design Requirements and Policy Implications of the Current "Reactive" Approach
Scott David, J.D. and Holly Towle, J.D., K&L Gates

Using Science to Combat Data Loss: Analyzing Breaches by Type and Industry
C. Matthew Curtin, CISSP, Interhack

Seeking the True Cost of Data Breaches: Numbers, Trends, Future
Thomas Ng, Michael Davison and Wayne Glover, University of Washington Information School MSIM Program

Biological Systems and Models in Information Security Risk Management
Daniel J. Ryan, M.B.A., J.D., Professor of Systems Engineering, National Defense University and Julie Ryan, PhD., George Washington University

Legal and IT Coordination in a Complex Health System
Laird Pisto, J.D. and Paul Van Amerongen, CISSP, MultiCare Health System

Conference Location

UW Tower
4333 Brooklyn Ave. NE
Seattle, WA

  • Main entrance at the corner of Brooklyn Ave. NE and NE 45th St.
  • Second entrance from parking garage via skybridge over 12th Ave. NE.

Driving Directions

Traveling I-5 South - Take the 45th Street exit from I-5 (exit #169). At the traffic light at NE 45th Street, turn left heading east (towards the main UW Seattle campus). The UW Tower is about 5 blocks up on the right, between 12th Ave. NE and Brooklyn Ave. NE.

Traveling I-5 North - Take the 45th Street exit from I-5 (exit #169) and get into the far right turn lane. At the traffic light, turn right onto NE 45th Street heading east (towards the main UW Seattle campus). The UW Tower is about 5 blocks up on the right, between 12th Ave. NE and Brooklyn Ave. NE.

Parking

A car is not necessary for conference participants staying in University area hotels: the recommended hotels are within walking distance of the UW Tower or provide a shuttle. For participants arriving by car, parking is available on surrounding streets (Brooklyn, 43rd, 12th) or in University of Washington parking lots. The UW Tower garage has limited visitor parking and closes at 6:00 p.m. Bicycle parking is available in front of the UW Tower, and major METRO bus routes run near the building.

UW Visitors Information Link with travel information and campus maps: http://depts.washington.edu/mediarel/temp/vc.shtml

Seattle Weather

Summer temperatures in Seattle are generally mild. The average daytime high temperature in September is 69°F (21°C) and the average nighttime low temperature is 51°F (11°C). Current weather forecast for Seattle.

Lodging

A limited number of rooms are reserved at a conference rate. Conference guests should reserve early and make reservations directly with the University Inn or Watertown Hotel. Specify you are with the ISCRMI Conference.

University Inn
4141 Roosevelt Way NE
Seattle, WA 98105
(206) 632-5055
Toll free: 800-733-3855
Single: $139 per night plus tax (Deluxe Room); $129 per night plus tax (Standard Room)

Watertown Hotel
4242 Roosevelt Way NE
Seattle, WA 98105
(206) 826-4242
Toll free: 866-944-4242
Single: $159 per night plus tax
Additional adults will be charged $10 per person per night. The conference rates are available until August 17, 2009.

Sponsors

We are grateful to our sponsors for their generous support of the Information Security Compliance and Risk Management Institute.

ISSA-PS (issa-ps.org)
ISC-RMI was approved for 14.5 CLEs by the Washington State Bar Association.