Information Security Compliance and Risk Management Institute:
Where Information Technology, Law and Risk Management Converge
September 10-11, 2008
Husky Union Building (HUB), University of Washington
Seattle, Washington, USA
InfoSec has been approved for 14.75 CLEs by the Washington State Bar Association.
2008 Program
Wednesday, September 10, 2008
Day 1: Data Governance and Security
- 8:30 – 8:35 a.m.
- Welcome and Introductions - John R. Christiansen, Christiansen IT Law
- 8:35 – 9:35 a.m.
- Risk Reward Equation: Optimizing Information Risks while Maximizing Business Innovation Rewards - Julia Allen, Carnegie-Mellon University, Dave Cullinane, eBay, Laura Robinson, Robinson Insight
- The talk will review an authoritative report published in Summer 2008 addressing information risk and reward (in the context of enterprise risk management) when considering new business opportunities, including determining the magnitude of the risks and rewards, risk assumption, and risk mitigation. Discussion will center on risk roles and responsibilities, governance, and a proposed maturity framework for information risk management.
- 9:35 – 10:35 a.m.
- Microsoft Data Governance Initiatives (20 min./panelist) - Kim Hargraves, Microsoft, Ilanko Subramanian, Microsoft
- Data governance is a unified approach to the management of information assets within a framework that strives to mitigate risk, achieve compliance, and promote trust and accountability. It involves the monitoring, management, and protection of data in a manner that complies with corporate policy, industry standards, and regulatory requirements.
- This panel will provide a unique opportunity to hear both internal, enterprise-oriented and external, support-oriented perspectives from a leading organization that has gone far up the data governance learning curve, and to help guide others in thinking through data governance challenges.
- 10:35 – 10:50
- Break
- 10:50 – 11:50 a.m.
- CISO Perspectives on Data Governance - Ravila White, Bill & Melinda Gates Foundation, Jim Reavis, Reavis Consulting, Jeff Lowder, Walt Disney Internet Group
- This panel of leading, senior information security professionals will update attendees on the important trends they see currently, with a focus on the strengths and weaknesses of data governance and its actual implementation.
- 11:50 – 12:15
- Moderated Data Governance Discussion - Lane Leskela, OCEG
- 12:15 – 1:45 p.m.
- Lunch
- Keynote - John Jessen, founder and Chairman of the Board of Electronic Evidence Discovery, Inc.
- 1:45 – 2:45 p.m.
- Risk Transfer: Fitting Information Security Insurance Into the Risk Management Puzzle - David Navetta, InfoSec Compliance, Michael Donovan, Beazley USA, Chris Calvert, Laconic Security
- Information security insurance is increasingly becoming an important consideration in managing information security risk. This presentation will explore the mechanics and scope of the coverages, how they relate to legal and business risks, and how to analyze risk and use risk transfer as a tool to cost-effectively manage it.
- 2:45 – 3:30 p.m.
- Data-Centric Security - Ernie Hayden
- This talk, based on an article to be published in Summer 2008, will present a new model of data protection: a way to look at protecting data from birth to death. This model incorporates many of the rules and good practices information security professionals have been taught over the years, but in a holistic fashion rather than as a collection of distinct, separate chapters in books. This model can be used for evaluating data handling as well as data forensics practices.
- 3:30 – 3:45
- Break
- 3:45 – 4:30 p.m.
- Data Classification Models - Terrence Nevins, University of Washington, Julia Navarez, University of Washington, Bill Marriott, University of Washington
- Classification and protection of sensitive data is necessary in all sectors of the economy. Industry groups, governmental agencies and the academy are working on models for assignment of levels of data sensitivity for life-cycle protection, while technology vendors have responded by developing products focused on supporting specific aspects of data classification and protection models. This talk will review three proposed models to illustrate the status of data classification models, and review four products using different approaches to data protection.
- 4:30 – 5:30 p.m.
- Designing and Implementing a Compliance Communication Program - Brandon Dunlap, Brightfly
- As compliance and security burdens multiply, managers face increasing end-user apathy and even subversion of corporate policies and procedures. This presentation covers communication strategies and practical techniques for increasing policy and control compliance.
- 5:30 – 7:00 p.m.
- Reception
Thursday, September 11, 2008
Day 2: Integrating Electronic Evidence Policies into Data Governance
- 8:30 – 8:35 a.m.
- Welcome and Introductions - Jane Winn, University of Washington
- 8:35 – 9:20 a.m.
- Leveraging Security Policies and Procedures for Electronic Evidence Discovery - John R. Christiansen, Christiansen IT Law
- Policies, procedures and technology solutions for the creation, retention, production and admissibility of electronic records and data can and will be an added burden for information technology-driven organizations, but may also be integrated into existing information security and data governance programs. An integrated approach to both sets of issues allows organizations to leverage existing programs – or, where existing programs are considered inadequate, to leverage the need to address electronic evidence issues to develop more effective data governance.
- 9:20 – 10:05 a.m.
- Digital Forensics and Records Management: What We Can Learn from the Discipline of Archiving - Barbara Endicott-Popovsky, University of Washington, Kirsten Ferguson-Boucher, Aberystwyth University
- Organizational network forensic readiness has emerged as a discipline to support efficiently collecting digital evidence from networks using suggested checklists, procedures and tools. This talk will discuss a documented life cycle methodology for "operationalizing" organizational network forensic readiness by integrating best practices from records management, an archival discipline that has much to offer the field of digital forensics, including a conceptual framework for making decisions about how to identify and manage the increasing quantities of evidence collected on networks.
- 10:05 – 10:20
- Break
- 10:20 – 11:05 a.m.
- Antiforensics - Joel Scambray, Consciere
- The hacker’s focus has shifted from developing destructive payloads to circumventing detection. Now, for every tool investigators rely upon to prosecute electronic crimes, criminals have a corresponding tool to baffle the investigation. This talk will cover recent developments in the shadowy world of antiforensics, and the even newer field of anti-antiforensics. We’ll discuss the possible liability and regulatory impact of facing datasets that may (or may not) have been altered by hackers who leave no fingerprints, as well as technological and policy-level countermeasures that may help organizations protect themselves.
- 11:05 – 12:05 p.m.
- Authentication and Admissibility of Digital Evidence - Ivan Orton, King County Prosecutor’s Office, Hoyt Kesterson
- Today most of the data generated to record the actions of a company never appears on paper. It is created digitally, viewed digitally, modified digitally, and archived digitally. Only in response to litigation would that data be snapshotted and printed to produce boxes of Bates-numbered pages. Now there is an increasing demand to deliver that data in native form, i.e. the form in which it is used in the business. This demand for electronically stored information (ESI) in native format creates some challenges. For example, metadata may reveal more than realized; questions may arise about the provenance of the ESI: is the process that created it accurate? How was it protected from the time of its creation until it was presented in court? Led by the author of two seminal books on eDiscovery and on digital evidence, the speakers will discuss how the processes by which a company creates its ESI can affect that ESI’s admissibility and the weight it is given once admitted as evidence.
- 12:05 – 12:30 p.m.
- Moderated Electronic Evidence Discussion - Kirk Bailey, University of Washington
- 12:30 – 2:00 p.m.
- Lunch
- Keynote - Jeffrey Ritter, Water's Edge Consulting, LLC
- Breakout Sessions
- Attendees will break into two separate sessions for facilitated discussion and analysis of the proceedings, and development of recommendations for strategies, policies and procedures for the effective, efficient integration of electronic evidence response requirements into data governance programs. The conference will then reconvene as a whole to review the findings and recommendations of the breakout sessions, and provide recommendations for publication in a Report of Proceedings of the conference.
- 2:30 – 4:00 p.m. (15 minute break included)
- Integrating Electronic Evidence and Data Governance: Recommendations from the IT Professionals - Discussion Leader: Michael Simon, Creation Logic, Reporter: Student volunteer
- Integrating Electronic Evidence and Data Governance: Recommendations from the Lawyers - Discussion Leader: Jane Winn, University of Washington, Reporter: Student volunteer
- 4:00 – 5:00 p.m.
- Breakout Session Reports and Discussion - Discussion Leader: John R. Christiansen, Christiansen IT Law, Reporter: Student volunteer