May 13th, 2021, Member Meeting CCM 4.0 Mapping part two a technical dive into unified compliance strategy

Please register for CCM 4.0 mapping, Part Two: A technical dive into unified compliance strategy on May 13, 2021 7:00 PM PDT at:
https://attendee.gotowebinar.com/register/4980569285837634829
After registering, you will receive a confirmation email containing information about joining the webinar.

Members of the ISC2 East Bay and ISACA Silicon Valley community on April 29th had an opportunity to review reasons to quickly adopt the newly released Cloud Security Alliance Cloud Controls Matrix v4.0 (CCM), a cybersecurity control framework (cloudsecurityalliance.org). As part one of a two-part discussion, that evening covered some of the common pitfalls that plague our efforts as a community, and as promised, this May 13th, 2-hour event offers a chance to continue with a deeper technical dive.

Outline

  • What major regulations changed completely over the last 24 months?
  • Why update everything now? What is the domino effect of waiting?
  • Which are the key new requirements, such as cryptographic controls and new legal considerations for IoT?
  • How are DevOps and SecOps better represented in the new standards (NIST/CCM)?
  • Who and where are the working groups we can interact with to accomplish new mapping?
  • What are the common pitfalls in the notation for ISO and NIST standards, and how can these be overcome?

Here are the Part One slides: CSA CCM 4 Robin Basham ISACA SV April 28 2021

This discussion covers the following:

Major cloud providers expect to use the Cloud Security Alliance CCM 4.0 as the backbone supporting their security program policies, programs, and audits.

Leveraging existing AICPA SOC 2, HITRUST, PCI DSS v3.2.1, FedRAMP, DFARS/CMMC, and ISO/IEC 27001 plus the privacy, processing, and cloud extensions requires a detailed understanding of these frameworks, i.e., experience completing engagements against them.*

Creating a usable cyber-framework mapping is an exercise that drives a common language across all policies and programs and is necessary for meaningful resilience and compliance. Volunteers generally cannot do it, and it is increasingly required (for example, by CMMC).

The available mappings offered by AICPA, NIST, HITRUST, and CSA have proven to be of limited use. As a community, it is up to us to restore consumer confidence in using CCM 4.0 as a mapped framework. We also seek to support NIST's expanded efforts for SP 800-53 r5, SP 800-53B, SP 800-171 r2, and SP 800-172.

So, what’s in the new standard and why is mapping so hard?

How can we effectively map this -> to that?

HITRUST CSF v9.3.1 © 2019 HITRUST
ISO/IEC 27001:2013 © Information security management systems — Requirements
ISO/IEC 27002:2013 © Code of practice for information security controls
ISO/IEC 27017:2015 © Code of practice for information security controls based on ISO/IEC 27002 for cloud services
ISO/IEC 27701:2019 © Extension to ISO/IEC 27001 and ISO/IEC 27002 for privacy information management — Requirements and guidelines
ISO/IEC 27018:2019 © Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors
NIST SP 800-171 r2 Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations
NIST SP 800-172 Enhanced Security Requirements for Protecting Controlled Unclassified Information
NIST SP 800-53 r5 Security and Privacy Controls for Information Systems and Organizations
PCI DSS v3.2.1 © 2018 PCI Security Standards Council, LLC
2017 Trust Services Criteria © 2017 AICPA

Audit and Assurance (A&A): Audit and Assurance Policy and Procedures; Independent Assessments; Risk-Based Planning Assessment; Requirements Compliance; Audit Management Process; Remediation
Application and Interface Security (AIS): Application and Interface Security Policy and Procedures; Application Security Baseline Requirements; Application Security Metrics; Secure Application Design and Development; Automated Application Security Testing; Automated Secure Application Deployment; Application Vulnerability Remediation
Business Continuity Management and Operational Resilience (BCR): Business Continuity Management Policy and Procedures; Risk Assessment and Impact Analysis; Business Continuity Strategy; Business Continuity Planning; Documentation; Business Continuity Exercises; Communication; Backup; Disaster Response Plan; Response Plan Exercise; Equipment Redundancy
Change Control and Configuration Management (CCC): Change Management Policy and Procedures; Quality Testing; Change Management Technology; Unauthorized Change Protection; Change Agreements; Change Management Baseline; Detection of Baseline Deviation; Exception Management; Change Restoration
Cryptography, Encryption and Key Management (CEK): Encryption and Key Management Policy and Procedures; CEK Roles and Responsibilities; Data Encryption; Encryption Algorithm; Encryption Change Management; Encryption Change Cost Benefit Analysis; Encryption Risk Management; CSC Key Management Capability; Encryption and Key Management Audit; Key Generation; Key Purpose; Key Rotation; Key Revocation; Key Destruction; Key Activation; Key Suspension; Key Deactivation; Key Archival; Key Compromise; Key Recovery; Key Inventory Management
Datacenter Security (DCS): Off-Site Equipment Disposal Policy and Procedures; Off-Site Transfer Authorization Policy and Procedures; Secure Area Policy and Procedures; Secure Media Transportation Policy and Procedures; Assets Classification; Assets Cataloguing and Tracking; Controlled Access Points; Equipment Identification; Secure Area Authorization; Surveillance System; Unauthorized Access Response Training; Cabling Security; Environmental Systems; Secure Utilities; Equipment Location
Data Security and Privacy Lifecycle Management (DSP): Security and Privacy Policy and Procedures; Secure Disposal; Data Inventory; Data Classification; Data Flow Documentation; Data Ownership and Stewardship; Data Protection by Design and Default; Data Privacy by Design and Default; Data Protection Impact Assessment; Sensitive Data Transfer; Personal Data Access, Reversal, Rectification and Deletion; Limitation of Purpose in Personal Data Processing; Personal Data Sub-processing; Disclosure of Data Sub-processors; Limitation of Production Data Use; Data Retention and Deletion; Sensitive Data Protection; Disclosure Notification; Data Location
Governance, Risk and Compliance (GRC): Governance Program Policy and Procedures; Risk Management Program; Organizational Policy Reviews; Policy Exception Process; Information Security Program; Governance Responsibility Model; Information System Regulatory Mapping; Special Interest Groups
Human Resources (HRS): Background Screening Policy and Procedures; Acceptable Use of Technology Policy and Procedures; Clean Desk Policy and Procedures; Remote and Home Working Policy and Procedures; Asset Returns; Employment Termination; Employment Agreement Process; Employment Agreement Content; Personnel Roles and Responsibilities; Non-Disclosure Agreements; Security Awareness Training; Personal and Sensitive Data Awareness and Training; Compliance User Responsibility
Identity and Access Management (IAM): Identity and Access Management Policy and Procedures; Strong Password Policy and Procedures; Identity Inventory; Separation of Duties; Least Privilege; User Access Provisioning; User Access Changes and Revocation; User Access Review; Segregation of Privileged Access Roles; Management of Privileged Access Roles; CSCs Approval for Agreed Privileged Access Roles; Safeguard Logs Integrity; Uniquely Identifiable Users; Strong Authentication; Passwords Management; Authorization Mechanisms
Interoperability and Portability (IPY): Interoperability and Portability Policy and Procedures; Application Interface Availability; Secure Interoperability and Portability Management; Data Portability Contractual Obligations
Infrastructure and Virtualization Security (IVS): Infrastructure and Virtualization Security Policy and Procedures; Capacity and Resource Planning; Network Security; OS Hardening and Base Controls; Production and Non-Production Environments; Segmentation and Segregation; Migration to Cloud Environments; Network Architecture Documentation; Network Defense
Logging and Monitoring (LOG): Logging and Monitoring Policy and Procedures; Audit Logs Protection; Security Monitoring and Alerting; Audit Logs Access and Accountability; Audit Logs Monitoring and Response; Clock Synchronization; Logging Scope; Log Records; Log Protection; Encryption Monitoring and Reporting; Transaction/Activity Logging; Access Control Logs; Failures and Anomalies Reporting
Security Incident Management, E-Discovery, and Cloud Forensics (SEF): Security Incident Management Policy and Procedures; Service Management Policy and Procedures; Incident Response Plans; Incident Response Testing; Incident Response Metrics; Event Triage Processes; Security Breach Notification; Points of Contact Maintenance
Supply Chain Management, Transparency, and Accountability (STA): SSRM Policy and Procedures; SSRM Supply Chain; SSRM Guidance; SSRM Control Ownership; SSRM Documentation Review; SSRM Control Implementation; Supply Chain Inventory; Supply Chain Risk Management; Primary Service and Contractual Agreement; Supply Chain Agreement Review; Internal Compliance Testing; Supply Chain Service Agreement Compliance; Supply Chain Governance Review; Supply Chain Data Security Assessment
Threat and Vulnerability Management (TVM): Threat and Vulnerability Management Policy and Procedures; Malware Protection Policy and Procedures; Vulnerability Remediation Schedule; Detection Updates; External Library Vulnerabilities; Penetration Testing; Vulnerability Identification; Vulnerability Prioritization; Vulnerability Management Reporting; Vulnerability Management Metrics
Universal Endpoint Management (UEM): Endpoint Devices Policy and Procedures; Application and Service Approval; Compatibility; Endpoint Inventory; Endpoint Management; Automatic Lock Screen; Operating Systems; Storage Encryption; Anti-Malware Detection and Prevention; Software Firewall; Data Loss Prevention; Remote Locate; Remote Wipe; Third-Party Endpoint Security Posture
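The two reasons crosswalks become "un-useful" in practice are gaps (CCM controls that map to nothing) and notation slips (the same NIST control written three different ways, or a row pointing at a CCM ID that does not exist). The script below, added here as an illustration and not CSA, NIST or EnterpriseGRC tooling, builds a CCM v4 control inventory from the domain listing above (CCM numbers controls sequentially within a domain, so the sixth IAM control is IAM-06), canonicalises SP 800-53 identifiers, and reports the gaps. Only the first six controls of two domains are transcribed, and the crosswalk rows are constructed for the example, not an official mapping.

```python
"""Check a CCM v4 crosswalk for the gaps and notation slips that make mappings
unusable.  Added illustration; not CSA, NIST or EnterpriseGRC tooling.  The
crosswalk entries are constructed for the example, not an official mapping."""
import re
from collections import defaultdict

# Control names in the order the CCM v4 listing gives them.  CCM numbers
# controls sequentially within a domain (A&A-01, A&A-02, ...).  Only the
# first six controls of two domains are transcribed here.
CCM_DOMAINS = {
    "A&A": ["Audit and Assurance Policy and Procedures", "Independent Assessments",
            "Risk-Based Planning Assessment", "Requirements Compliance",
            "Audit Management Process", "Remediation"],
    "IAM": ["Identity and Access Management Policy and Procedures",
            "Strong Password Policy and Procedures", "Identity Inventory",
            "Separation of Duties", "Least Privilege", "User Access Provisioning"],
}

# Constructed crosswalk to NIST SP 800-53 r5, written the way spreadsheets
# usually arrive: inconsistent zero padding, spaces before enhancements, and
# one row that points at a CCM ID that does not exist.
CROSSWALK = {
    "A&A-01": ["ca-01"],
    "A&A-02": ["CA-2", "CA-2 (1)"],
    "IAM-01": ["AC-1"],
    "IAM-04": ["AC-5"],
    "IAM-05": ["AC-06"],
    "IAM-06": ["AC-2"],
    "IAM-99": ["AC-2"],   # typo for a real control; must be flagged, not silently kept
}

_NIST_ID = re.compile(r"^([A-Z]{2})-0*(\d+)(?:\(0*(\d+)\))?$")


def build_inventory(domains):
    """Return {control_id: (domain, name)} using CCM-style sequential IDs."""
    inventory = {}
    for code, names in domains.items():
        for n, name in enumerate(names, start=1):
            inventory[f"{code}-{n:02d}"] = (code, name)
    return inventory


def normalize_id(raw):
    """Canonicalise 800-53 IDs: 'ac-06' -> 'AC-6', 'CA-2 (1)' -> 'CA-2(1)'.
    Anything that does not look like an 800-53 ID is returned upper-cased."""
    s = raw.strip().upper().replace(" ", "")
    m = _NIST_ID.match(s)
    if not m:
        return s
    family, num, enh = m.groups()
    return f"{family}-{int(num)}" + (f"({int(enh)})" if enh else "")


def coverage_report(inventory, crosswalk):
    """Unmapped CCM controls, dangling crosswalk rows, and a reverse index
    (canonical target ID -> CCM controls that cite it)."""
    dangling = sorted(k for k in crosswalk if k not in inventory)
    unmapped = sorted(k for k in inventory if k not in crosswalk)
    reverse = defaultdict(list)
    for ccm_id, targets in crosswalk.items():
        if ccm_id not in inventory:
            continue
        for t in targets:
            reverse[normalize_id(t)].append(ccm_id)
    return {"unmapped": unmapped, "dangling": dangling, "reverse": dict(reverse)}


if __name__ == "__main__":
    report = coverage_report(build_inventory(CCM_DOMAINS), CROSSWALK)
    print("CCM controls with no mapping  :", report["unmapped"])
    print("crosswalk rows with bad CCM ID:", report["dangling"])
    for target, sources in sorted(report["reverse"].items()):
        print(f"{target:10s} <- {', '.join(sources)}")
```

The reverse index is the artifact auditors actually want: it answers "which CCM controls do I satisfy when I test AC-2?" and only works once every spelling of AC-2 collapses to one key.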

Your speaker tonight is ISC2 East Bay's own Robin Basham, Owner of EnterpriseGRC Solutions, President of ISC2 East Bay, Certified Information Systems Security Professional (CISSP), Certified Information Systems Auditor (CISA), Certified in the Governance of Enterprise IT (CGEIT), Certified in Risk and Information Systems Control (CRISC), and GRC expert. Robin recently contributed a mapping refresh for NIST SP 800-171/172 to Dr. Ron Ross's FISMA team and is currently contributing to the CCM mapping for version 4.0. She is also a past board member of the ISACA SV Chapter.

April 8th, 2021, Member Meeting Zero Trust Data Protection

Thursday, April 8th, 7:00 – 9:00 PM

The Slides! Zero Trust Data Protection

For those who missed the event, here’s the playback link.

https://attendee.gotowebinar.com/recording/7443606173304303885

Zero Trust Data Protection
A new approach to protecting data is being adopted across organizations that have a remote workforce accessing cloud applications (and data) outside of their network. The essentials of Zero Trust Data Protection are simple and powerful:

  • Never trust, always verify – continuously
  • Identity: Conditional access to web, apps, app instances is based on user, device, application risk
  • Applications: Contextual activity controls are given within each and every app based on these risk levels
  • Data: Advanced cloud data protection policy actions are enforced, with user coaching, to protect sensitive data, across documents, images, screenshots, etc.

Attend this session to learn about the fundamentals of zero trust data protection along with a live demo (powered by Netskope) of real-world use cases.

Bob is the Vice President and Chief Evangelist at Netskope, a market-leading cloud security firm. Bob is a prolific speaker and product demonstrator, reaching live audiences in more than 45 countries over the past decade. Bob also has a passion for teaching: he is the Program Director for the cybersecurity program at ESADE's International Business School and has been a guest lecturer at the University of San Francisco's MBA class each spring for the last five years. His career spans more than 25 years in Silicon Valley, where he has held leadership roles in product management and product marketing at various technology companies.
Before Netskope, Bob was the Chief Evangelist at Riverbed and was a member of the pioneering product team that grew Riverbed from a small start-up of fewer than ten employees to a market leader with more than 3,000 employees and $1B in annual revenue. Bob was first introduced to the world of cybersecurity as a teenager in the 80s when he hosted a popular bulletin board system (BBS) and had to develop security software to prevent hackers from infiltrating his site, hosted from his parents' home.

March 11th, 2021 Member Meeting SAP Data Custodian for Cloud Data Security

Topic: SAP Data Custodian for Cloud Data Security

March 11th 7 PM to 9 PM Playback Link

Learn more about SAP Data Custodian

Data is the most precious commodity for companies, and it needs to be protected at all costs. It is an increasing challenge for our customers to protect and retain control of their data as they move from an on-premises world into cloud and SaaS environments. Customers further face a wide range of stringent data protection regulations in various regions and countries as they move into a globally connected cloud. These regulations demand strict data storage controls in terms of geo-location and contextual data access controls based on user attributes, for example geo-location, citizenship, job contract type, department, etc. These data protection regulations impose heavy penalties on data breaches: a single data breach can be critically detrimental to a company.
One of the most common requests from cloud customers is around geo-location: “Where is my data? How can I see where my data is and who is accessing it?”
This presentation will outline industry approaches (or lack thereof) to address the following topics:

  • full stack transparency
  • data residency controls
  • contextual application access control
  • data discovery
  • anomaly detection
  • customer-controlled encryption keys
  • and finally, “where is my data going?”

Further, the presentation will suggest how SAP Data Custodian offers a wide range of powerful data security features to help our customers protect their data in the cloud and to get full control of their data in the cloud. These features include full-stack transparency, data residency controls, contextual application access control, data discovery, anomaly detection, and customer-controlled encryption keys. These features help our customers meet their data protection regulations, data sovereignty and business compliance requirements.
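Both the Zero Trust Data Protection session above and this one describe the same mechanism from different angles: a per-request decision that combines identity and device risk (who, on what), application context (which app, which instance of it), and data attributes (classification, where the record is stored, who may see it). The evaluator below is an added illustration, not Netskope or SAP code; every attribute name, rule and request record is an assumption constructed for the example. It returns three outcomes because blocking is not the only action: a risky-but-permitted action gets a coaching prompt, which is the "user coaching" the first session lists.

```python
"""Attribute-based, per-request policy evaluation of the kind both sessions
describe.  Added illustration; not Netskope or SAP code.  Attribute names,
rules and requests are constructed for the example."""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Request:
    user: str
    user_country: str       # where the request comes from (ISO country code)
    department: str
    device_managed: bool
    device_risk: str        # "low" | "medium" | "high"
    app: str
    app_instance: str       # "corporate" | "personal"
    action: str             # "view" | "download" | "upload"
    data_class: str         # "public" | "internal" | "restricted"
    data_region: str        # region where the record is stored


# Residency rule (constructed): restricted data must stay in the EU and may
# only be read from inside the EU.  Country -> region lookup is also constructed.
RESIDENCY = {"restricted": {"EU"}}
REGION_OF = {"DE": "EU", "FR": "EU", "US": "US", "IN": "APAC"}
# Purpose limitation (constructed): only these departments may see restricted data.
ENTITLED_TO_RESTRICTED = {"finance"}


def evaluate(req):
    """Return (decision, reason).  Decisions: 'block', 'coach', 'allow'.
    Runs on every request, so a changed attribute changes the answer."""
    # Identity and device layer
    if req.device_risk == "high":
        return "block", "high-risk device"
    if not req.device_managed and req.data_class != "public":
        return "block", "unmanaged device cannot touch non-public data"
    # Application layer: the instance matters, not just the app's hostname
    if req.app_instance == "personal" and req.action == "upload" and req.data_class != "public":
        return "block", "upload of company data to a personal app instance"
    # Data layer: residency of the record and location of the requester
    allowed = RESIDENCY.get(req.data_class)
    if allowed is not None:
        if req.data_region not in allowed:
            return "block", f"{req.data_class} data stored outside {sorted(allowed)}"
        if REGION_OF.get(req.user_country) not in allowed:
            return "block", f"{req.data_class} data accessed from outside {sorted(allowed)}"
    if req.data_class == "restricted" and req.department not in ENTITLED_TO_RESTRICTED:
        return "block", "purpose limitation: department not entitled to restricted data"
    # Permitted but risky: let the user proceed after a coaching prompt
    if req.device_risk == "medium" and req.action == "download":
        return "coach", "download from a medium-risk device"
    return "allow", "all checks passed"


def scenarios():
    """Constructed requests: the same user on the same record, re-evaluated as
    one attribute at a time changes.  Returns {scenario: decision}."""
    base = Request(user="alice", user_country="DE", department="finance",
                   device_managed=True, device_risk="low", app="erp",
                   app_instance="corporate", action="view",
                   data_class="restricted", data_region="EU")
    cases = {
        "baseline": base,
        "device_becomes_high_risk": replace(base, device_risk="high"),
        "user_travels_to_US": replace(base, user_country="US"),
        "record_replicated_to_US": replace(base, data_region="US"),
        "user_moves_to_sales": replace(base, department="sales"),
        "download_from_medium_risk_device": replace(base, device_risk="medium", action="download"),
        "upload_to_personal_instance": replace(base, app_instance="personal",
                                               action="upload", data_class="internal"),
        "public_data_from_byod": replace(base, device_managed=False,
                                         data_class="public", data_region="US"),
    }
    return {name: evaluate(req)[0] for name, req in cases.items()}


if __name__ == "__main__":
    for name, decision in scenarios().items():
        print(f"{name:36s} {decision}")
```

The order of the checks is deliberate: the cheap, high-confidence signals (device posture) are evaluated first, and residency is checked on both the record's storage region and the requester's location, since "where is my data?" has two answers once a record can be replicated.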

Dr. Wasif Gilani is Vice President / Head Product & Solution Management in SAP Multi-Cloud organization, leading strategic cloud data security and data protection solutions. Wasif is also the Chief Product Owner of the SAP Data Custodian solution, an initiative that he started in 2017, and which won the prestigious International Association of Privacy Professionals (IAPP) innovation award in 2019. Wasif has been working with SAP for 14 years and has worked extensively in the areas of Cloud Computing, Data Security, Data Protection, Business Intelligence, Business Process Management, and System Engineering.

February 11th, 2021 Member Meeting How to Achieve Least Privilege at Cloud Scale

Title: How to Achieve Least Privilege at Cloud Scale

February 11, 2021, 7 PM – 9 PM. Playback link coming soon.

Presentation

Three steps to achieving true cloud security with Cloud Infrastructure Entitlements Management (CIEM)

Achieving security in the cloud is an ever-moving target, making it challenging for security and cloud infrastructure teams to keep up with current risks, much less learn about new approaches. Over the past few years, too many global enterprises have fallen victim to hacks, attacks, and breaches, in many cases attributable to poor implementation of security policies and to the rise of human and non-human identities with excessive high-risk cloud permissions.

Current approaches, such as traditional, assumption-based role-based access control (RBAC) and other labor-intensive manual processes, were early attempts to stay one step ahead of breaches caused by accidental misuse and malicious exploitation of permissions. But they simply don't work in the cloud!

In this webinar, we’ll take a look at Gartner’s newly defined category called Cloud Infrastructure Entitlements Management (CIEM).  CIEM defines the next generation of solutions for managing access to permissions and enforcing least privilege in the cloud.

CloudKnox Security, the leader in the CIEM space, will take you through a quick-start path to achieving CIEM by leveraging a three-phased lifecycle approach.  You will learn how to:

  • Discover who (identities) is doing what, where (resources) and when across your cloud infrastructure
  • Manage risk by giving identities just-enough and just-in-time permissions to perform their daily tasks and nothing more
  • Monitor identity activity changes and prioritize alerts based on the risk level associated with anomalous behavior

Join CloudKnox to explore the key steps to managing cloud permissions with CIEM and see how quickly you and your organization can reduce your attack surface by getting ahead of the #1 unmanaged risk to cloud infrastructure: identities with excessive high-risk permissions.
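The discover/manage/monitor loop above reduces to one computation: the difference between what an identity is granted and what it has actually done in a lookback window. The script below is an added illustration, not CloudKnox's platform; the policy patterns, action catalogue and activity log are constructed (AWS-style action names are used only as a familiar shape, the catalogue is a small subset, and no real account is involved). It expands wildcard grants, computes the unused set and flags the high-risk part of it, emits a right-sized policy containing only observed actions, and then treats any newer action outside that baseline as an anomaly.

```python
"""Granted-versus-used permission gap for one cloud identity: the
discover / manage / monitor loop in code.  Added illustration; not CloudKnox
code.  Catalogue, grants and activity log are constructed for the example."""
import fnmatch
from collections import Counter
from datetime import datetime, timedelta

# Actions a grant can expand to.  Constructed subset, not a real catalogue.
ACTION_CATALOGUE = [
    "s3:GetObject", "s3:PutObject", "s3:DeleteObject", "s3:ListBucket",
    "iam:CreateUser", "iam:AttachUserPolicy", "iam:PassRole",
    "ec2:DescribeInstances", "ec2:TerminateInstances",
]
# Actions whose misuse is destructive or enables privilege escalation (constructed).
HIGH_RISK = {"iam:CreateUser", "iam:AttachUserPolicy", "iam:PassRole",
             "ec2:TerminateInstances", "s3:DeleteObject"}

NOW = datetime(2021, 2, 11, 19, 0)   # constructed "current time"
ACTIVITY_LOG = [                       # constructed audit-trail events
    {"time": datetime(2020, 10, 1, 9, 0),  "identity": "ci-deployer", "action": "iam:PassRole"},
    {"time": datetime(2020, 12, 1, 9, 0),  "identity": "ci-deployer", "action": "s3:GetObject"},
    {"time": datetime(2021, 1, 15, 9, 0),  "identity": "ci-deployer", "action": "s3:PutObject"},
    {"time": datetime(2021, 1, 15, 9, 5),  "identity": "ci-deployer", "action": "s3:ListBucket"},
    {"time": datetime(2021, 2, 1, 9, 0),   "identity": "ci-deployer", "action": "ec2:DescribeInstances"},
    {"time": datetime(2021, 2, 10, 12, 0), "identity": "alice",       "action": "s3:GetObject"},
    {"time": datetime(2021, 2, 11, 10, 0), "identity": "ci-deployer", "action": "ec2:TerminateInstances"},
]
# Constructed grant for a non-human identity: wildcards are where creep hides.
GRANTED_PATTERNS = {"ci-deployer": ["s3:*", "iam:PassRole", "ec2:*"]}


def expand(patterns):
    """Expand IAM-style wildcards ('s3:*', 'iam:*User*') against the catalogue."""
    return {a for a in ACTION_CATALOGUE for p in patterns if fnmatch.fnmatchcase(a, p)}


def activity_window(log, identity, now, days):
    """Actions `identity` performed in [now - days, now], with counts."""
    cutoff = now - timedelta(days=days)
    return Counter(e["action"] for e in log
                   if e["identity"] == identity and cutoff <= e["time"] <= now)


def permission_gap(granted, used):
    """Discover: what was granted but never exercised, and how much of it is dangerous."""
    unused = granted - set(used)
    return {
        "used": sorted(used),
        "unused": sorted(unused),
        "unused_high_risk": sorted(unused & HIGH_RISK),
        "creep_index": round(len(unused) / len(granted), 2) if granted else 0.0,
    }


def right_sized_policy(used):
    """Manage: a policy granting only what was observed (just-enough permissions)."""
    return {"Effect": "Allow", "Action": sorted(used)}


def anomalies(log, identity, baseline, now):
    """Monitor: actions in the last 24 hours that fall outside the baseline."""
    recent = activity_window(log, identity, now, days=1)
    return sorted(a for a in recent if a not in baseline)


def assess(identity, now=NOW, lookback_days=90):
    """Full loop for one identity.  The baseline is built from activity up to
    yesterday so that today's events are judged against it, not folded into it."""
    granted = expand(GRANTED_PATTERNS[identity])
    baseline = activity_window(ACTIVITY_LOG, identity, now - timedelta(days=1), lookback_days)
    return {
        "gap": permission_gap(granted, baseline),
        "policy": right_sized_policy(baseline),
        "anomalies": anomalies(ACTIVITY_LOG, identity, baseline, now),
    }


if __name__ == "__main__":
    result = assess("ci-deployer")
    print("unused (high risk):", result["gap"]["unused_high_risk"])
    print("creep index       :", result["gap"]["creep_index"])
    print("right-sized policy:", result["policy"])
    print("anomalies today   :", result["anomalies"])
```

Two details matter in practice. The `iam:PassRole` event from October falls outside the 90-day window, so the right-sized policy drops it; a shorter window makes policies tighter but noisier, which is why the talk frames this as a lifecycle rather than a one-off. And the `ec2:TerminateInstances` call is both unused-high-risk in the gap report and an anomaly in monitoring: the first finding says it should never have been grantable, the second says it just happened.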

Speaker:
Maya Neelakandhan: Head of Customer Success at CloudKnox Security
Maya Neelakandhan is the Head of Customer Success and Support at CloudKnox Security. As one of the founding engineers at CloudKnox, she was involved in building the patented CloudKnox activity-based authorization platform which helps enterprises manage entitlements in VMware vSphere, AWS, Azure, and GCP cloud infrastructure. Her background includes 20+ years of hands-on technical expertise in Enterprise and Cloud deployments, Identity and Access Management, SSO, Identity Federation. Prior to CloudKnox, Maya was part of the engineering team at Oracle in the Identity Cloud services team, Oblix and multiple other startups. Maya holds an engineering degree from the Indian Institute of Technology, Mumbai (India).
Topics: Hybrid Cloud Security, Multi-Cloud Security, Private Cloud Security, Public Cloud Security, Identity and Access Management, Insider Threat Prevention, Identity Privilege Management, Privileged Access Management, Infrastructure Authorization Administration, Activity-Based Access Controls, and Access Management

More about our Meeting Sponsor: CloudKnox Security

CloudKnox delivers a single platform for managing the entire identity privilege lifecycle across hybrid cloud using an Activity-based Authorization model. This approach offers a non-intrusive way to manage identity privileges and protect organizations' critical infrastructure from malicious and accidental credential abuse.


January 14th Annual Election and Member Meeting – Interactive Application Security Testing (IAST)

What is Interactive Application Security Testing (IAST) and How companies use it to improve the security of their applications

REGISTRATION LINK

Please register for Annual Election and Member meeting – Interactive application security testing (IAST) on Jan 14, 2021, 7:00 PM PST at: https://attendee.gotowebinar.com/register/649459940188431886

Interactive Application Security Testing (IAST) is a relatively new technology that complements existing application security testing technologies.
In this presentation, we will be discussing a wide range of topics:

  • History and current state of IAST,
  • Typical challenges of building security in DevOps,
  • State of adoption of IAST,
  • IAST relationship to SAST, DAST, SCA and RASP, IAST and threat modeling,
  • IAST applicability,
  • IAST and the cloud,
  • Instrumentation overview,
  • Data flow analysis,
  • How to instrument an application,
  • How to triage results,
  • Sensitive data tracking,
  • IAST pros and cons,
  • Live demo of an IAST solution
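The instrumentation and data-flow items in that list are easier to see than to describe. An IAST agent runs inside the application process, marks data arriving from request sources as tainted, follows it through string operations, and raises a finding when it reaches a sink (a SQL executor, a file path, an OS command) without passing through a sanitizer; because it observes the real call stack, the finding includes the exact application frame, which is what makes triage cheaper than with DAST. The miniature below is an added illustration, not Seeker or Contrast Security code; the source, sink, sanitizer and the two toy handlers are constructed, and the hostile request value is a made-up input.

```python
"""A miniature of what an IAST agent does from inside the process: taint data
from request sources, propagate the taint through string operations, and
report when tainted data reaches a sink without passing a sanitizer.
Added illustration; not Seeker or Contrast code.  Sources, sinks, sanitizer
and the toy handlers are constructed for the example."""
import functools
import inspect

FINDINGS = []   # what an agent would ship to its server


class Tainted(str):
    """A str that remembers where it came from.  The operations a real agent
    hooks are far more numerous; concatenation, replace and upper suffice here."""
    def __new__(cls, value, source):
        obj = super().__new__(cls, value)
        obj.source = source
        return obj

    def __add__(self, other):
        if not isinstance(other, str):
            return NotImplemented
        return Tainted(str.__add__(self, other), self.source)

    def __radd__(self, other):
        if not isinstance(other, str):
            return NotImplemented
        return Tainted(str.__add__(other, self), self.source)

    def replace(self, old, new, count=-1):
        return Tainted(str.replace(self, old, new, count), self.source)

    def upper(self):
        return Tainted(str.upper(self), self.source)


def source(name):
    """Instrument a function whose return value comes from outside the trust boundary."""
    def deco(fn):
        @functools.wraps(fn)
        def wrapper(*a, **kw):
            return Tainted(fn(*a, **kw), name)
        return wrapper
    return deco


def sanitizer(fn):
    """Instrument a function whose output is safe for its sink: strip the taint."""
    @functools.wraps(fn)
    def wrapper(*a, **kw):
        return str(fn(*a, **kw))      # str() of a subclass yields a plain str
    return wrapper


def sink(name):
    """Instrument a dangerous operation: record any tainted argument and the
    application frame that called us (the data-flow shown in an IAST finding)."""
    def deco(fn):
        @functools.wraps(fn)
        def wrapper(*a, **kw):
            for arg in list(a) + list(kw.values()):
                if isinstance(arg, Tainted):
                    caller = inspect.stack()[1]
                    FINDINGS.append({"sink": name, "source": arg.source,
                                     "location": f"{caller.function}:{caller.lineno}",
                                     "data": str(arg)})
            return fn(*a, **kw)
        return wrapper
    return deco


# --- the "application" under test (constructed) -----------------------------
@source("http.request.param")
def get_param(request, key):
    return request[key]


@sanitizer
def sql_literal(value):
    return "'" + value.replace("'", "''") + "'"


@sink("sql.execute")
def db_execute(query):
    return query                      # a real sink would run the query


def find_user_unsafe(request):
    return db_execute("SELECT * FROM users WHERE name = '" + get_param(request, "name") + "'")


def find_user_safe(request):
    return db_execute("SELECT * FROM users WHERE name = " + sql_literal(get_param(request, "name")))


def run_demo():
    """Exercise both handlers with a hostile input and return what the agent saw."""
    FINDINGS.clear()
    request = {"name": "bob' OR '1'='1"}          # constructed hostile input
    unsafe_query = find_user_unsafe(request)
    safe_query = find_user_safe(request)
    return {"unsafe_query": unsafe_query, "safe_query": safe_query, "findings": list(FINDINGS)}


if __name__ == "__main__":
    for f in run_demo()["findings"]:
        print(f"{f['source']} -> {f['sink']} at {f['location']}: {f['data']}")
```

The agent reports exactly one flow, from the request parameter into the SQL sink inside `find_user_unsafe`, and stays silent for the sanitized path even though the two queries differ by only a few characters. Note the deliberate choice to propagate taint through `replace`: if the agent did not hook it, the quoting step would silently launder the taint and the sanitizer would get credit it did not earn.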

Eugene Pakhomov, CISSP

For the last few years, Eugene Pakhomov's main focus has been introducing Interactive Application Security Testing (IAST) technology to multiple customers in the Bay Area and throughout the country. Having worked at both Synopsys and Contrast Security, Eugene has unique experience bringing leading IAST technologies to market and helping customers incorporate IAST into their programs.

Asma Zubair, Product Manager, Sr. Staff at Synopsys Inc

Asma Zubair is a seasoned product leader with extensive experience managing and launching products and services in the application security and application protection space. At Synopsys, Asma manages Seeker, the industry’s first IAST solution with active verification and sensitive-data tracking for web-based applications. Prior to Synopsys, Asma led teams at WhiteHat Security, The Find (Facebook), and Yahoo!. Asma holds a degree in electrical engineering from IIT in India and an MBA from UC Berkeley’s Haas School of Business.

Sponsored by Synopsys

https://players.brightcove.net/5748441669001/rka4xWwYG_default/index.html?videoId=6197669498001


8:30 PM – The 2021 Annual Meeting of ISC2 East Bay Chapter Members

The 2021 Annual Meeting of Members will be held as part of our January Member event and is open to all members, providing an electronic vote to elect Directors and Officers of the Chapter to serve for stated terms or until their successors are duly qualified and elected.

This meeting also serves to ratify our unchanged amendments to the Chapter Bylaws, which have been adopted by the Board of Directors since the 2020 Annual Meeting of Members. Summaries of the amendments are found at: https://isc2-eastbay-chapter.org/wp-content/uploads/2021/01/By-LawsTheISC2EastBayChapter.pdf.

The ballot for the Board of Directors is open until January 14th, 2021. Anyone wishing to nominate a member or themselves for any position should email their intention to secretary@isc2-eastbay-chapter.org, indicate the position for which they would like to serve, and include a very short bio and their ISC2 ID. Our Bylaws provide rules for specific roles; however, we welcome new members and hope anyone wishing to participate sees a role for themselves. People are also welcome to reach out to any member of the existing board and to collaborate on ways to be a leader in this community.

Annually the East Bay Chapter has nominations and an election of Executive Officers (Board) for the upcoming year.

Members must be registered with the Chapter and in attendance to vote. Board positions are 2-year terms. In light of the pandemic, several Board members have agreed to serve for additional time. Candidates must have been an active Chapter member for at least one year, except for the role of President. The presidential candidate must be a member in good standing for at least two years and have previous experience as a member of the board.

Send nominations to secretary@isc2-eastbay-chapter.org.

This year's ballot of held and open positions is:

Position: President
Duties: Presides over the business meetings, ensures that all rules and regulations are observed, appoints and serves as a member of all committees, decides tie votes, and ensures that all officers faithfully perform their duties. Must have an (ISC)2 credential in good standing.
Candidate: Robin Basham (current). Write-in: ____________

Position: Vice President
Duties: Co-assists in operations and general administration of the Chapter and assumes the responsibilities of President and Secretary when they are unavailable. Must have an (ISC)2 credential in good standing.
Candidate: Istvan Berko (current). Write-in: ____________

Position: Treasurer
Duties: Keeps an accurate and complete record of all chapter receipts and expenditures, develops detailed accounting reports, and files any financial applications or forms required by (ISC)2 or applicable laws. Must have an (ISC)2 credential in good standing.
Candidate: Gary Dylina (current). Write-in: ____________

Position: Secretary
Duties: Conducts meetings, records proceedings of the chapter, assists in the election process, writes correspondence, prepares reports to (ISC)2, and assists in general operations as needed. Must have an (ISC)2 credential in good standing.
Candidate: Carmen Parrish (current). Write-in: ____________

Position: Director, Programs
Duties: Organizes and hosts events, seminars, and other functions of the Chapter; liaises with the Director, Marketing and the Director, Operations; assists in content development for the Chapter website; and assists in the general operations of the Chapter as needed. Should always work in the interest of the East Bay Chapter.
Candidate: Denise Bonds (current). Write-in: ____________

Position: Director, Education
Duties: Assists Chapter members with their continuing education (CE) efforts, provides information about CE opportunities, and assists in the general operations of the Chapter as needed.
Candidate: Maura Jones (current). Write-in: ____________

Position: Director, Membership
Duties: Promotes the membership growth of the Chapter, ensures smooth entry for new members, and maintains accurate membership records. Must have an (ISC)2 credential in good standing.
Candidate: Kerry Bryan (current). Write-in: ____________

Position: Director, Communications & Marketing
Duties: Markets the events and seminars of the Chapter, liaises with the President and the Director, Programs, and assists in the general operations of the Chapter as needed.
Candidate: Krishnan Thiruvengadam (current). Write-in: ____________

Position: Director, Cybersecurity Awareness
Duties: Raises cybersecurity awareness in the community by educating kids, seniors, parents, etc., about internet safety, cyberbullying, etc., based on "Safe and Secure Online" or similar programs, and assists in general operations as needed.
Candidate: (open). Write-in: ____________

Position: Director, Sponsorship
Duties: Reaches out to industry and businesses to seek donations and sponsorship for the Chapter and Chapter events, and assists in general operations as needed. This role reports to the President and Treasurer.
Candidate: (open). Write-in: ____________

Position: Director, Career Development
Duties: Assists, guides, and mentors Chapter members with career development, gathers and updates the jobs page for the chapter website, and assists in general operations as needed.
Candidate: (open). Write-in: ____________

Position: Conferences Committee (no election required)
Duties: Members are welcome to participate in conference committee planning, offering a chance to bring speakers, plan events, coach presenters, and coordinate the physical day of our one-day theme-based training.
Write-in: ____________

Position: Technology and Web Design (no election required)
Duties: Our chapter welcomes anyone with an eye toward website maintenance, a flair for digital records management, and the desire to help in building our community relationships. Just let us know who you are so we can include you in the appropriate team meetings.
Write-in: ____________
Sample Ballot

People are welcome to reach out to any existing member to learn more about their role.

president@isc2-eastbay-chapter.org Robin Basham
vicepresident@isc2-eastbay-chapter.org Istvan Berko
treasurer@isc2-eastbay-chapter.org Gary Dylina
secretary@isc2-eastbay-chapter.org Carmen Parrish
membership@isc2-eastbay-chapter.org Kerry Bryan
programs@isc2-eastbay-chapter.org Denise Bonds
marketing@isc2-eastbay-chapter.org Krishnan Thiruvengadam
education@isc2-eastbay-chapter.org Maura Jones
conferencedirector@isc2-eastbay-chapter.org Robin Basham

December 10th, 2020 – the gift of experience

The Gift of Experience

The (ISC)2 East Bay Board has some new and familiar faces, each with real-life experiences that we’d like to share.

So wonderful to see you. Thanks for attending. Here’s the slide deck.

During the most demanding and tragic of years, we've decided to share an experience regarding a cybersecurity topic of interest, and a call to action. In the spirit of giving, each Board member will take a turn sharing 10 to 15 minutes on a topic that in some way made this last year better.

7:00 PM (ISC)2 East Bay Chapter President Robin Basham

Sponsorship & Speakers, The Year In Review

  • Financial Data in the Cloud, Donald E. Hester  (January 9th)
  • Cyber-laundering, Faranak Firozan (February 13th)
  • WINTER CONFERENCE – Cancelled by Covid-19
  • IT Assurance Across System Boundaries, David Trepp (May 14th)
  • Data-Centric Security in an entirely Remote World, Daniel H. Gallancy, CEO, Atakama  (June 11th) Seminar Playback
  • The Road to Zero-Trust: Past, Present, and Future, Abhishek Singh, CEO, Araali Networks (July 9th)
  • Life Sciences & Health Care, Medical Device Manufacturing and Cybersecurity, A Strategy, Robin Basham, CEO EnterpriseGRC Solutions, (August 13th) LSHC Webinar Replay
  • "Get Hired" Cyber Security event, @CodeRedPartners, Tom Alcock, Bruce Pendrey (September 10th)
  • Vulnerability Prioritization: Are You Getting It Right? John Timberlake, Dima Gorbonos, Senior Sales Engineer at WhiteSource (October 8th) Webinar Playback
  • Data-Driven Decision Making in Cyber Security, Dr. Marty Trevino, Joan Ross, Chief Intelligence Officer (November 12th)
  • The Gift of Experience: Lessons Learned and The Road Ahead, (ISC)2 East Bay Board of Directors Sharing Insights and Ideas (December 10th)

7:15 PM to 9:00 PM Lightning Rounds with the (ISC)2 East Bay Board of Directors.

Each topic follows the same format: something that mattered in the past year, why it is important, what impact it has on the field of cybersecurity, and why it should matter to members of our chapter.

7:15 PM Director Programs Denise Bonds

Denise Bonds Topic: Maturing The SOC

Detect Patterns | Improve Security Coverage | Enhance Response

7:30 PM Director of Education & Career Development Maura Jones

Maura Jones Topic: Quantum Computing

7:45 PM Director Marketing & Communication Krishnan Thiruvengadam

Krishnan Thiruvengadam Topic: Securing IoT is a big challenge

8:00 PM Vice President  Istvan Berko

Istvan Berko Topic: Maturing Cloud controls using validation and deception 

8:15 PM Director Membership  Kerry Bryan

Kerry Bryan Topic: Data Owners v. Data Stewards

8:30 PM Chapter Secretary Carmen Parrish

Carmen Parrish Topic: Business Resiliency

8:45 PM Treasurer and Finance Director Gary Dylina

Gary Dylina Topic: Mentorship



EnterpriseGRC
President Robin Basham
Vice President  Istvan Berko
Treasurer and Finance Director Gary Dylina
Chapter Secretary Carmen Parrish
Director Membership  Kerry Bryan
Director Programs Denise Bonds
Directors Operations Dan Green, Rizwan Ashraf
Director Technical Steven Lai
Director Marketing & Communication Krishnan Thiruvengadam
Director Cybersecurity Awareness Maura Jones
Director of Education & Career Development Maura Jones
Conference Director Robin Basham

November 12th 2020 Member Meeting – The Science of Changing Behavior

Topic: Data-Driven Decision Making in Cyber Security

Presented by Dr. Marty Trevino, Chief Scientist for the Insight Cyber Group

What is Decision Support Science?

  • Random Forests and Linear Regressions
  • Neuroscience and Cognitive Behavior
  • What do bad actors understand about our thalamus and visual cortex?
  • What are intractable equations that enforce what we believe at a rate of 6 to 1 over the new information that must be understood?
  • What’s the importance of Peer Review and Cohesion?
  • What indicators tell us quite clearly if a group is likely to protect us or do harm?
  • Do I like my job? Do I like my coworkers? Am I committed to my company? Do people listen to me? Do people respect my opinion?
  • What if these same questions apply to the entire social platform and the state of our digital citizens?

About Marty:

Dr. Marty Trevino is the Chief Scientist for the Insight Cyber Group (https://www.insightcybergroup.com) and serves as a Strategic Advisor to numerous other firms. Dr. Trevino is a nationally known Data / Decision Scientist and thought leader with a focus on building advanced Analytics and Artificial Intelligence Systems. Dr. Trevino has conceptualized, developed, and deployed multiple next-generation Visual Analytic systems in the US Intelligence Community and the cybersecurity industry in Silicon Valley. Dr. Trevino’s passion is improving higher-order decision-making through a deep understanding of the Neuroscience, Cognitive, and Behavioral Psychology of decision-making with Visual Analytics. Dr. Trevino has led global and diverse technical teams and is a frequent writer and speaker.

Dr. Trevino is the senior technical advisor to the Inter-American Defense Board in Washington DC advising both the governments and military organizations of 27 nations of the Americas on advanced concepts in Cyber Security and Analytics.  Dr. Trevino is also a visiting professor at the National Defense University in Washington DC and is frequently a speaker at the Inter-American Defense College.  Dr. Trevino holds a Bachelor’s, two Master’s degrees, and a Doctoral degree in addition to various certifications.

MONITORING AND INCIDENT RESPONSE FOR THE IoT – Better analytics.

Insight Cyber Group provides a portfolio of services that deliver continuous, real-time cyber risk management and improved operational efficiencies of industrial IoT assets. Our services combine advanced visibility and expert analytics with proprietary automated tools. Insight Cyber supports the entire lifecycle of risk monitoring and incident response capabilities required by today’s industrial enterprises, filling three crucial IoT cybersecurity gaps:

1 – The Analytics Gap – Analytics for IoT are not detailed or granular enough.

2 – The Context Gap – IoT events lack context for interpretation.

3 – The Skills & Knowledge Gap – There is a severe shortage of skilled IoT cyber resources.

Insight Cyber’s expert service-based approach delivers immediate value to your organization. We combine superior production data and state-of-the-art analytics with expert human intelligence. Our positive outcomes include measurable cyber risk monitoring, proactive defense of your IoT production environment and improved operational process efficiencies.

  • We protect your investments with advanced data collection tools that provide deeply granular views of process and SCADA data; advanced visibility that detects security and production issues; and dynamic, NIST-based risk scoring of IoT assets.
  • We extend your knowledge base by augmenting your existing team with dynamic reports and expert analysis.

Website
http://www.insightcybergroup.com

Joan Ross, Chief Intelligence Officer

Curtis Blount, CISO


October 8th Member Meeting – Vulnerability Prioritization

Vulnerability Prioritization: Are You Getting It Right?

Thank you to all who attended our October 8th event. Please enjoy this free playback.

The following materials have been shared with our entire membership. Thank you, John and Dima!

the-state-of-open-source-vulnerabilities-2020

WS-Presentation-ISC-Oct-08-V11

WhiteSource-DevSecOps-Insights


Dima Gorbonos, Senior Sales Engineer at WhiteSource

Dima is a key technical advisor and solution advocate, responsible for planning and delivering solution demonstrations to large enterprises. His role is to respond to the functional and technical elements of RFIs/RFPs, so he is an outstanding choice to guide our questions related to our own Vulnerability Prioritization and program requirements.

Dima will be assisted by John Timberlake, a self-appointed “techie” who enjoys the luxury of working with enterprise clients who are embracing DevOps and Cloud Technologies to transform the way they build software and run their business. John leads the Seattle-based North American DevOps Group.
John has graciously agreed to provide attendees with some spectacular resources.

<<the-state-of-open-source-vulnerabilities-2020>>

Their conversation and demo are supported by the work of David Habusha, WhiteSource Product Executive

Here’s a recent article sample:

Developers must find a way to zero in on the security vulnerabilities that present the most risk and quickly address them without slowing down the pace of development.

The past few years have seen an exponential rise in the volume of reported security vulnerabilities. Combined with the increase in headline-grabbing security breaches, it’s no surprise that organizations are upping their application-security game. This includes a heightened focus on the detection and remediation of security vulnerabilities as early as possible in their DevOps pipeline — leaving developers with the added task of handling an increasingly high number of security alerts.

But they can’t remediate everything. This is why they must find a way to zero in on the security vulnerabilities that present the most risk and quickly address them without slowing down the pace of development.

The prioritization of vulnerabilities has become a burning issue for software development outfits that want to stay ahead of security while not falling behind on AppSec release dates. Unfortunately, there is currently no set standard or practice for how to prioritize them. Different teams prioritize security alerts based on a variety of parameters and considerations — not necessarily the most effective ones, either. As a result, they are spending a lot of valuable time figuring out what to tackle first, to varying degrees of success.

To understand which prioritization methods are currently most common, we surveyed 300 of our customers and asked them how they prioritize vulnerability alerts. The top five considerations that arose were vulnerability severity, application type, the popularity of the vulnerable open source component, vulnerability disclosure date, and ease of remediation.

To learn more, we added a new perspective: the hacker community. We took the 100 most common open source vulnerabilities reported in 2019 based on the WhiteSource vulnerabilities database and compared characteristics, such as popularity, disclosure date, and severity score, to the level of discussion in the hacker community based on data from CYR3CON, which predicts cyberattacks based on artificial intelligence gathered from hacker communities.

In doing so, we were able to gain insight into how effective the common prioritization methods are and how they measure up against the hacker community’s preferences.

Vulnerability Severity
Many organizations consider the Common Vulnerability Scoring System (CVSS) vulnerability score first when prioritizing remediation since it’s so easily accessible and seemingly straightforward. Unfortunately, this parameter does little to shorten the long list of security vulnerabilities that teams need to address since data shows over 55% of the top open-source security vulnerabilities were rated as high or critical.

<Enjoy the full article here>

About WhiteSource

WhiteSource helps businesses all over the world to develop better software by harnessing the power of open source. Open source components, a significant and important part of commercial software today, are often substantially under-managed. WhiteSource fully automates the entire process of open source components selection, approval, tracking and management, including real-time alerts on vulnerable and problematic open source components, customized reports, enforcing policies automatically and more. An integral part of your software development environment, WhiteSource guarantees the continuity and integrity of open source management and reduces respective risks. WhiteSource provides a complete solution that supports all programming languages. The solution seamlessly plugs into all popular build tools. WhiteSource is a venture-backed company with offices in NY, Boston and Tel-Aviv.

Website
http://www.whitesourcesoftware.com/


September 10th Member Meeting – Get Hired

Please register for the Thursday, September 10, 7 PM – 9 PM “Get Hired” Cyber Security event (2 CPE). Free and open to nonmembers.

Head of Permanent Security Recruitment and Co-Founder at Code Red Partners – Cybersecurity Careers Thriving During the Pandemic


Code Red specializes in cybersecurity staffing. We recruit exclusively in the security space, giving us an in-depth understanding of the needs of both the job seekers and employers that we partner with. We pride ourselves on our extensive network within the Financial Services industry, including FinTech, Banking, and Blockchain.

Website http://coderedpartners.com

JOBS HAPPENING RIGHT NOW, and how you get one.

Bruce Pendrey – Head of Security Recruitment – Permanent
Tom Alcock – Co-Founder at Code Red Partners | Cybersecurity Staffing and Consulting

August 13th 2020 Member Meeting

Life Sciences & Health Care, Medical Device Manufacturing and Cybersecurity, A Strategy

<<LSHC Webinar Replay>>

LSHC Centric Common Control Approach-short version

EnterpriseGRC

As the Pandemic moves into its sixth month, we see a shift not only in our prioritization of health issues but in how we practice medicine, and the implications for cybersecurity across a proliferating attack surface that ranges from medical devices to home computing.

  • Life Science and Health Care (LSHC) – Market, Players, Opportunities
  • Two key documents for learning – BSI Cybersecurity of Medical Devices; MDIC Medical Device Cybersecurity Report
  • Cyber Related Standards
  • Frameworks, Standards & Tools, How CISOs Address MDM Cybersecurity
  • List of resources and Laws
  • IoT and CCPA
  • Mapping and Tagging – Unification within GRC and Cybersecurity Risk Management
  • Integration Progress – Facilitated Compliance Management
  • Investment in Licenses and Partners

Robin Basham is the owner of EnterpriseGRC Solutions, President of ISC2 East Bay, Certified Information Systems Security Professional (CISSP), Audit (CISA), Governance (CGEIT) and Risk (CRISC), an ICT GRC expert and early adopter in both certifying and offering certification programs for Cloud Security and Virtualization, with industry experience in the management of systems, controls and data for SaaS (IaaS and PaaS), Finance, Healthcare, Banking, Education, Defense, and High Tech. Positions held include Technology Officer at State Street Bank, leading Process Engineering for a major New England CLEC, Sr. Director Enterprise Technology for multiple advisory firms, founding, engineering the product for and running two governance software companies, and most recently Director Enterprise Compliance for a major player in the mortgage industry, Ellie Mae. Having served as Cisco, Unified Compliance, and ISMS Program Manager for a multi-year GRC project, Robin currently leads the EnterpriseGRC Solutions LSHC initiative in support of three MDM clients. Robin may also be recognized for donating substantial time to supporting social platform security to further social democracy. Robin is also a past board member of the ISACA SV chapter.

Standard, Law or Framework | Web Link to Source
California Consumer Privacy Act of 2018 | California Consumer Privacy Act (CCPA)
Eudralex Volume 4 Annex 11 – Computerized Systems | Eudralex Volume 4 Annex 11 – Computerized Systems
GAMP® 5 Guide: A Risk-Based Approach to Compliant GxP Computerized Systems | GAMP® 5
HIPAA – HITECH Title 45 C.F.R. § 164 | HIPAA – HITECH Title 45 C.F.R. § 164
ISO/IEC 27001:2013 € Information technology — Security techniques — Information security management systems — Requirements | ISO/IEC 27001:2013 €
ISO 27799:2016 Health informatics — Information security management in health using ISO/IEC 27002 | ISO 27799:2016
ISO/IEC 27002:2013 € Information technology — Security techniques — Code of practice for information security controls | ISO/IEC 27002:2013 €
ISO/IEC 27017:2015 € 27002 for cloud services | ISO/IEC 27017:2015 € 27002 for cloud services
ISO 13485:2016 – Medical Devices – A Practical Guide | ISO 13485:2016 – Medical Devices – A Practical Guide
ISO/IEC 30111:2019 Information technology — Security techniques — Vulnerability handling processes | ISO/IEC 30111:2019
ISO 14971:2019 Medical devices — Application of risk management to medical devices | ISO 14971:2019 Medical devices — Application of risk management to medical devices
HITRUST CSF v9.3 | HITRUST ALLIANCE
Medical Device Cybersecurity Regional Incident Preparedness and Response Playbook (MITRE) | Medical Device Cybersecurity Regional Incident Preparedness and Response Playbook
Premarket Management of Cybersecurity in Medical Devices | Premarket Management of Cybersecurity in Medical Devices
Postmarket Management of Cybersecurity in Medical Devices | Postmarket Management of Cybersecurity in Medical Devices
Title 21 CFR Part 11 | CFR – Code of Federal Regulations Title 21, Chapter I – Food and Drug Administration, Part 11 Electronic Records; Electronic Signatures
Title 21 CFR Part 820 QMS Requirements | 21 CFR Part 820 QMS Requirements
*An overview of the medical device industry – MedPAC | An overview of the medical device industry – MedPAC
*Cybersecurity of medical devices – Addressing patient safety and the security of patient health information | Cybersecurity of medical devices

IoT and California Consumer Privacy Act, CCPA

TITLE 1.81.26. Security of Connected Devices, a new law, was designed to protect the security of IoT devices and the information those devices hold.

  • The law can be enforced only by the attorney general, a city attorney, a county counsel, or a district attorney, and does not provide for any right of private action.
  • The law does not apply to connected devices already subject to federal security standards.

The CCPA became effective on January 1, 2020

  • Officially called AB-375, CCPA is a bill that enhances privacy rights and consumer protection for residents of California. Signed into Law June 28, 2018, CCPA amends Part 4 of Division 3 of the California Civil Code.

July 9th 2020 Member Meeting

Please register for The Road to Zero-Trust: Past, Present, and Future: What is Zero Trust on Jul 9, 2020, 7:00 PM PDT at:
After registering, you will receive a confirmation email containing information about joining the webinar.

The Road to Zero-Trust: Past, Present, and Future: What is Zero Trust <Araali_ Deck for (ISC)2>

Organizations measure their Application teams on deployment velocity, feature release velocity, and performance of their apps. In today’s cloud-native world, app teams are building and iterating at lightning speed, churning out multiple features and releases a day. Often application teams feel dragged down by their security counterparts, and application security gets left behind. The disconnect between app and sec drives companies to focus more on Detect and Respond, which is more manual and expensive than automated Prevention. Even though teams spend more on security, breaches abound.

Over the last couple of decades, analysts and the security community, focused on Preventive Security, concentrated on users and hardware devices (e.g., software-defined perimeter (SDP), Zero-Trust, and Privileged Access Management). These technologies deliver least-privilege access for users and their devices, but the apps running in the data centers and hybrid cloud were never covered. One of the key reasons is that users and devices are independent entities, and they have identities and second factors (2FA) such as a fingerprint, SMS, etc. Apps don’t have 2FA.

Different companies took different paths to deliver zero-trust for apps through Big Data, ML, Network processors, FPGAs, etc. However, the promised land of Application Zero-Trust remained elusive. Even though enterprises know the least permissive privilege/zero trust is the right way to go, they struggle to adapt. The conflict is mainly centered around three key pillars – operation complexity, business disruption, and operational cost.

In this talk, Abhishek will cover some of these ideas and unpack the concepts in an easy-to-understand fashion. He will also share some key ideas you should keep in mind when thinking about protecting your custom apps running in your public and private clouds.

Abhishek Singh, CEO, Araali Networks

Abhishek was previously the Co-Founder/VP of Engineering at Tetration Analytics where he led the initial team to build and scale a datacenter-scale platform to enable micro-segmentation and security in a Virtual Machine environment. Prior to Tetration, he held engineering leadership positions at Aruba, Cisco and Ericsson.

Abhishek has a Bachelor of Technology degree from the Indian Institute of Technology Kanpur and a Master’s degree from Johns Hopkins University (both in Computer Science).

June 11th 2020 Member Meeting

Registration for the event:

Registration for Atakama June 11 – REQUIRED

Thu, Jun 11, 2020 7:00 PM – 9:00 PM PDT

In case you missed it or want to re-watch the video, you can find an exclusive recording of the webinar at the link below:

Watch The Video Here

Topic: Data-Centric Security in an entirely Remote World

Atakama protects files using advanced threshold cryptography and by inextricably linking files stored in one location to more than one physical device.

This session introduces the founders speaking on the problems they found and solved. Attendees can get a free trial license and experience the Atakama approach to file level security as required on any type of device and under any permutation of requirements for rights management.

Learn more at Atakama’s recent press release

Meet Daniel H. Gallancy and Dimitri Nemirovsky from Atakama

Daniel H. Gallancy

CEO, Atakama, LinkedIn

200 Park Ave, 17th Floor, New York, NY 10166 – +1-212-273-9580

About Daniel:

Daniel H. Gallancy is the CEO and a founding member of Atakama, a NYC-based information security software company (see About Atakama below).

Mr. Gallancy has provided bitcoin and blockchain-related advisory services for private corporations, investment management firms, post-trade processing companies, central counterparties, and US State and Federal regulators.

Prior to founding Atakama, Mr. Gallancy spent ten years in the asset management industry. Mr. Gallancy was an investment professional at Beaconlight Capital and, before that, at Alson Capital Management. Mr. Gallancy’s areas of focus included semiconductor capital equipment, IT hardware, software, and telecommunications. Mr. Gallancy was responsible for corporate diligence, financial analysis, and investment decision-making.

Daniel is one of the co-founders of SolidX Management LLC, a company that has filed a registration statement with the Securities and Exchange Commission relating to the proposed launch of the VanEck SolidX Bitcoin Trust, which will seek to provide shareholders with exposure to the daily change in the U.S. dollar price of bitcoin. Bitcoin to be held by the VanEck SolidX Bitcoin Trust will carry insurance against theft, loss, and other adverse operational events.

Daniel was raised in Queens where he attended public school. He taught himself to program in C at age 10. Daniel graduated from Stuyvesant High School before attending the University of Pennsylvania where he earned a BA in Physics and a BSE in Electrical Engineering. During college, Daniel built a wireless, laser-based network communication link (back in the days before WiFi). He earned an MBA from Columbia University and is a CFA Charterholder.

How it Works – The Graphic (howitworks_infographic_03)

Dimitri Nemirovsky

Co-founder & COO, Atakama, LinkedIn


About Dimitri: Dimitri is the Co-founder and COO of Atakama. Dimitri took his first coding classes in 8th grade. He holds BBA and MBA degrees from Baruch College and earned his JD from Brooklyn Law School. Prior to co-founding Atakama, Dimitri practiced regulatory and enforcement law at an international law firm, where he focused on the various technology, digital archive, and e-discovery regulations that developed during the 2000s.

About Atakama

Atakama Inc. is an information security software company that provides unparalleled data protection for businesses. By employing a file-by-file encryption design, Atakama eliminates the ability for attackers to directly profit off of confidential data and substantially mitigates the damage of unpreventable attacks. Atakama’s encryption solution helps companies adhere to mandatory compliance regulations and, in the process, provides best-in-class protection for sensitive and non-public information. Atakama’s distributed key management protocols can be customized based on company or department needs, seamlessly integrate with existing cybersecurity stacks, and can be deployed within hours. Undeniably, a vast improvement over the status quo.

If you want to improve your security and better protect your data, we’re here to help you.

To learn more or to do business with Atakama please contact us:
https://calendly.com/atakama-dimitri/15min
https://www.atakama.com/
Specialties: encryption, cloud security, cybersecurity

Atakama will be offering a free user version of their software to attendees and will be showcasing a live demo of their revolutionary file encryption product, which is designed to protect companies from today’s emerging threats such as Maze ransomware attacks.


(ISC)2 East Bay Chapter