7 PM Jennifer Cohn – Election Integrity, followed by 8 PM Sherri Douville, How to Be an Ambassador of Trust: Putting Risk Management To Work Combating the Threat of Misinformation

Session One: Election System Integrity, JENNIFER COHN, JOURNALIST AND ELECTION INTEGRITY ADVOCATE

Ms. Cohn’s talk will provide an overview of election system vulnerabilities, the impact of the Big Lie on election-security advocacy, and suggestions for improving the system in 2022.

Jennifer Cohn is an election integrity advocate, writer, and journalist. She graduated from the University of California, Los Angeles in 1989 and Hastings College of the Law in 1993. Since the 2016 election, she has focused her professional efforts exclusively on investigating and exposing our country’s insecure computerized elections. She was a law partner at Nielsen Haley & Abbott in Marin County for many years, where she specialized in insurance coverage and civil appeals. Before that, she specialized in criminal appellate law.

We can view her published work in @WhoWhatWhy @nybooks @Salon #HandMarkedPaperBallots#RobustManualAudits#BackupPaperPollBooks link.medium.com/qxbJDJMZ8db

Some Published content by the speaker:

• How New Voting Machines Could Hack Our Democracy | by Jennifer Cohn | The New York Review of Books (nybooks.com)
• Voting Machines: What Could Possibly Go Wrong? | by Jennifer Cohn | The New York Review of Books (nybooks.com)

8 PM Session Two: How to Be an Ambassador of Trust: Putting Risk Management To Work Combating the Threat of Misinformation, Presented by Sherri Douville, CEO, Medigram, Inc.

• The Integrity of Information and Our Role in The “Information Supply Chain”
• The Hard Road Traveled: Why trust is important to you, your career, and your teams, even your families.
• How to think of the role that bias plays in misinformation
• Methods of fact checking
• Compassion & Leadership for the human vulnerabilities that lead to susceptibility to misinformation.
• Evidence based techniques to combat misinformation while preserving relationships
• How the Mobile Medicine Book, the #1 new release in medical technology and medical informatics on Amazon can help you to combat technology misinformation. https://www.amazon.com/Mobile-Medicine-Overcoming-Culture-Governance/dp/0367651505/ref=sr_1_2?dchild=1&keywords=mobile+medicine&qid=1631669698&sr=8-2

Sherri Douville Biography

Sherri Douville is CEO & Board Member at Medigram and is a sought-after speaker and author in mobile medical technology, other healthcare-related industries, leadership, risk management, mobile security, and governance. Ms. Douville is honored to strategically build, grow, and lead multi-disciplinary, multi-industry teams at Medigram and in the market to solve the leading cause of preventable death –a delay in information. Ms. Douville is co-chair of the technical trust and identity standard subgroup for the healthcare industry for clinical IoT through an IEEE and UL joint venture and has been published and quoted in both mainstream and industry media such as CIO.com, the San Jose Mercury News, NBC, Becker’s Hospital Review, ThisWeekinHealthIT, and HITInfrastructure.com. Other industry leadership has included serving on the board of the NorCal HIMSS and teaching continuing education credit in mobile security for CISSP, the information security certification. She is the co-author for a number of technical articles and papers, a forthcoming Springer book chapter on Trust in Clinical IoT, and is the lead author and editor for Mobile Medicine: Overcoming People, Culture, and Governance (Taylor & Francis). Ms. Douville led the development of this industry guide to mobile computing in medicine and built the international, multi-industry, multi-disciplinary team behind it. Prior to her current work in the mobile medicine, privacy, security, health IT, and AI industries, Sherri worked in the medical device space consulting in the areas of physician acceptance and economic feasibility for medical devices. Previously, she worked for over a decade with products addressing over a dozen disease states at Johnson & Johnson and was recognized for industry thought leadership there by McGraw-Hill and won a number of awards. Ms. Douville has a Bachelor of Combined Science degree from Santa Clara University and has completed certificates in electrical engineering, computer science, AI and ML through MIT. She advises and serves startups, boards, and organizations including as a member of the Board of Fellows for Santa Clara University and an advisor to the Santa Clara University Leavey School of Business Corporate Board Education initiatives, the Black Corporate Board Readiness, and Women’s Corporate Board Readiness programs.

While we have your attention…

Dear Colleague,
The fourth annual event is around the corner. This year is the best yet – tried and proven innovations of 2021 will be shared by local governments and small businesses, along with resources. We need to and can build back better and more securely in crises. Register today. 

Never waste a crisis.  Never reinvent the wheel. #SecureSafetyNet2021

Contacts        

Program and Sponsorship: Lan Jenson, Lan@CybertrustAmerica.org
Expo and Job Fair: Kenny Yuen Kenny @CybertrustAmerica.org

Register today for our upcoming events and your chance to lead an RSAC 2022 Sandbox session.           Here’s a lineup of October events sure to pique your interest. Don’t miss out on our two webcasts on the topic of Cloud Security & Virtualization. Plus, find out how you can lead a session in the RSAC Sandbox.   Lead a Sandbox Session at RSAC 2022       We’re offering another opportunity to showcase your expertise at RSAC. Submit to lead a session in the RSAC Sandbox—a hub for innovation. We will be accepting submissions until October 8. Learn more.             UPCOMING RSAC EVENTS               Post-Exploitation of Cloud Service Providers       October 7 | 1 PM ET | 10 AM PT       Get a demo of ”barq,“ the AWS post-exploitation tool that helps penetration testers better assess risks and identify weaknesses. Register now.       Confidential Computing in Cloud and Edge       October 26 | 1 PM ET | 10 AM PT       Learn how confidential computing can help provide your trusted execution environment greater security and privacy. Register now.       GIAC and (ISC)2 members can earn CPE credits for attending webcasts live.   © 2021 RSA Security LLC or its affiliates. All rights reserved. RSA Conference logo, RSA, and other trademarks are trademarks of RSA Security LLC or its affiliates. Other trademarks may be trademarks of their respective owners. Legal Notices | Privacy Statement RSA, 174 Middlesex Turnpike, Bedford, MA 01730 For questions about your email preferences, contact us at information@rsaconference.com.

Please join (ISC)2 East Bay Chapter on August 12th, 7 PM – 9 PM, for Two CPE hours attending “SHARING SENSITIVE INFORMATION SECURELY – Privacy-Preserving Analytics and Secure Multiparty Computation

Speaker Ulf Mattsson | Chief Security Strategist

Sharing Sensitive Information Securely
Different industries are taking advantage of secure data-sharing techniques. New privacy-preserving computing approaches are needed to meet legal requirements and provide privacy for data sharing.
Tonight’s speaker and topic shares:

Meet Ulf Mattsson, Chief Security Strategist at Protegrity

Ulf Mattsson | Chief Security Strategist

+ 1 203 570 6919

+ 1 860 969 7883

www.protegrity.com

About Protegrity

Protegrity protects the world’s most sensitive data wherever it resides. Our industry-leading solutions allow businesses to finally tap into the value of their data and accelerate digital transformation timelines – without jeopardizing individuals’ fundamental right to privacy. For more than 20 years, Protegrity has delivered innovative, data-centric protection for the most sensitive data of the largest brands on the planet. We free businesses from the constraints associated with accessing and leveraging data to create better customer experiences, make intelligence-supported decisions, and fuel innovation. Data knows no boundaries and Protegrity’s technology is built for data ubiquity. Protegrity is headquartered in Salt Lake City, Utah.

Please enjoy this free playback link. https://register.gotowebinar.com/register/6492462645812148493

7:00 PM Session One: Internet of Things, IoT, Reducing Vulnerability and Unauthorized Endpoints by Implementing Least Privilege

Abstract: IT security organizations big and small are concerned about threats from applications, endpoints, especially unmanaged endpoints, and IoT devices. They want to reduce the number of unknown endpoints/IoT devices and are concerned about unauthorized endpoints in the network.

They are concerned about the vulnerability of these endpoints and are wondering how to detect IoT device compromise. Protecting IoT devices, to segment them with least privileged access is a real challenge.
Further, the organization must make sure sensitive data sent by these devices is protected while at rest and in motion.
Finally, they must address privacy concerns on the data stored, and data processing throughout the product lifecycle.
With all these challenges, where does the organization start? As security professionals, how do we onboard and secure these IoT devices?
This discussion provides approaches that help to identify, gather context, understand behavior, and implement necessary segmentation of IoT devices.

Speaker Krishnan Thiruvengadam, Sr. Technical Marketing Engineer at Cisco, Director Communications, ISC2 East Bay Chapter

Sr. Technical Marketing Engineer, Drives product technical direction for Endpoint Analytics and newer innovations towards the Trusted workplace. Providing deployment solutions to customers and integration with customer eco-systems, Krishnan is an expert in Cisco ISE, its performance, integrations, and use cases. He evangelizes and presents the solution with experts in a variety of forums. Krishnan Develops the TDM, Solution deployment documentation, white papers, videos, demos. Work with customer/partner in adoption/POV etc.

Learn more from Krishnan about End Point Analytics

8:00 PM to 9:00 PM Session Two: The Failure of Security to Protect

Jacques Remi Francoeur (MBA, M.A.Sc., B.A.Sc.) Presents Security and Assurance Working Group, Digital Currency Global Initiative

The Failure of Security to Protect
The total global economy in 2018 was estimated to be $86 Trillion. It is estimated that there are 4,5B people connected to the Internet, as of June 2019, based on a population of 7,7B, a 58.8% Internet penetration. The Global Risks Report 2019 outlines the greatest risks facing the world, cyber threats are the 4th most significant societal risk that is by no means under control. As the world accelerates into the 4th Industrial Revolution, according to the ITU Global Cybersecurity Index 2018, 73% of the Internet connected world today is unprotected while the remaining 27%, who think they are protected, spend 80% of the global security spending estimated to be $300B by 2023.
Is Protection just for the Rich?
Today, people extending themselves into the digital world are highly exposed to potential significant harm and have no way to detect or prevent the threat.
Should Digital Protection be a Human Right!
Security Inclusion Now! is a call-to-action to urgently drive global action to prevent an eventual untenable global situation that threatens the promises of the 4th industrial revolution – the increasing digital protection divide, the gap between the demand for protection and the available supply.
The asymmetry of the problem is ironic. When we look at a rapidly morphing, well-funded and increasingly sophisticated and difficult to attribute threat, in relation to our current industry capability, there are significant limitations that if not addresses will inherently prevent society from achieving the required “one protection for all” with enough assurance at a reasonable cost.
In a highly interconnected world, no one is protected unless everyone is.
The presenter will explore a new way forward to transition from notional to precision security and from security information in a world of friction to security knowledge in a frictionless world. This will enable those less expert to participate in the protection of their organizations.

Security Control Expressions (SCE) Store Security Knowledge

Everyday security professionals spend countless hours searching for information that is highly distributed and fragmented. This highly subjective and non-interoperable information must be interpreted, synthesized, and communicated to stakeholders.

All matters security can be described uniquely & unambiguously by a simple “expression” model between 6 actors engaged in 5 relationships. The model is published by the ITU, Study Group 17: Security as Technical Report Unified Security Model.

• Genesis Cybersecurity Program is the practitioner training program on the SCE Model innovation. The program involves the transfer & institutionalization of the capability to different centers of expertise for the development of a sustainable & growing security training & knowledge capture capability.
• SINOW Security Validation Platform is a software tool that emulates the SCE model. A nested and iterative process stores security knowledge which is then available frictionlessly to all other dependent practitioners for knowledge verification or their specialized dependent knowledge contribution. It transforms Security & Compliance information in a world of friction to Security & Compliance knowledge in a frictionless world. By enabling instant and frictionless navigation & visualization of any security control, its state, relationships, and dependencies, the security practitioner is free to focus on security and not finding information.

About our speaker: Jacques Remi Francoeur (MBA, M.A.Sc., B.A.Sc.)

Jacques is the founder and Chief Scientist of Security Inclusion Now – the USA, a California-based consulting, training, and software organization innovating in security tool development. Jacques is also a member of the World Economic Forum Expert Network recognized as a Blockchain security expert and the Team Lead of the Security & Assurance Working Group of the Digital Currency Global Initiative, a joint program of the International Telecommunications Union (ITU) & Stanford University.

Jacques has an MBA with honors from Concordia University, Montreal; M.A.Sc from the University of Toronto, Institute for Aerospace Studies and a B.A.Sc. in Engineering Science, Aerospace Engineering from the University of Toronto.

Jacques has over 30+ years of experience in high technology beginning his career as an Aerospace Engineer with the Canadian Space Agency, next moving to Silicon Valley in 1999, beginning his privacy and security consulting advisory career with KPMG, followed by SAIC and E&Y. Jacques is a 2018/19/20 US Delegate to the U.S. Department of State to ITU, Standardization Study Group 17: Security. He was also Vice-Chair of the ITU Focus Group on Digital Fiat Currency and co-chair of the Security Working Group. Finally, Jacques is also a US Marine Corp Cyber Auxiliary.

Jacques Remi Francoeur M.A.Sc, B.A.Sc, MBA

Chief Scientist & Founder
Security Inclusion Now, USA

SecurityInclusionNow.org
jacques@securityinclusionnow.org

https://www.linkedin.com/in/innoonewetrust/

Team Lead: Security & Assurance Working Group
Digital Currency Global Initiative,
International Telecommunications Union

USA Delegate (2018 to present) Security Expert & Contributor
ITU, Standardization, Study Group 17: SecurityExpert Network Member
World Economic Forum, Security

THIS EVENT IS SPONSORED BY ISC2 SILICON VALLEY (ISC)² Silicon Valley Chapter – 2021-06-08 virtual meeting (google.com)

Speaker: Robin Basham on “NIST SP-800-53 r5 – The Control Reference Layer: Taming the Beast”

Abstract: NIST SP-800-53 r5 was a long labor with a few false starts. FedRamp dependencies still include r4, however, 75 new control, enhancement or attribute elements of r5 exist in the SSP – NIST SP-800-53B.

• NIST 800-53 is a common reference layer used in mapping nearly all other Cybersecurity Frameworks –> compounding issues in failed updates to mapping
• NIST Addendum to Mapping ISO/IEC 27001 missing Cloud, Privacy, Processing
• Examining common pitfalls in notation for ISO and NIST Standards? How can these be overcome?
• Exploring data elements necessary to mapping – a walk through the schema elements (reminder to look at Schema.Org)
• NIST 800-53 r5 v. r4
• NIST 800 171 r2
• NIST 800 172 Enhanced Security Requirements for Protecting Controlled Unclassified Information; A Supplement to NIST Special Publication 800-171
• ISO/IEC 27001:2013 €, as implemented with
• ISO/IEC 27002:2013 €, including certification for Cloud, Privacy, and PII Processors
• ISO/IEC 27017:2015 € 27002 for cloud services
• ISO/IEC 27018:2019 € Information technology — Security techniques — Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors
• ISO/IEC 27701:2019 € Security techniques — Extension to ISO/IEC 27001 and ISO/IEC 27002 for privacy information management — Requirements and guidelines
• Case Study: Mapping NIST 800-53r5 to configuration rules such as those used in CIS Benchmarks

About the speaker: Owner EnterpriseGRC Solutions, President, ISC2 East Bay, Certified Information Systems Security (CISSP), Audit (CISA), Governance (CGEIT) and Risk (CRISC), ICT GRC expert and early adopter in both certifying and offering certification programs for Cloud Security and Virtualization, with industry experience in the management of systems, controls and data for SaaS (IaaS and PaaS), Finance, Healthcare, Banking, Education, Defense, and High Tech. Positions held include Technology Officer at State Street Bank, Leading Process Engineering for a major New England CLEC, Sr. Director Enterprise Technology for multiple advisory firms, founding, engineering product and running two governance software companies, and most recently Director Enterprise Compliance for a major player in the mortgage industry, Ellie Mae. Recently full time at Cisco, Unified Compliance and ISMS Program Manager, Robin currently leads LSHC in support of three MDM clients as well as donating substantial time to supporting social platform security to further social democracy. Robin recently contributed a mapping refresh for NIST 171/172 to Dr. Ron Ross FISMA team and is currently contributing to the CCM Mapping for version 4.0. She is also a past board member to the ISACA SV Chapter.

Pre-registration required

Where: online Zoom webinar

When: Tuesday, June 8, 2021 at 06:00 PM Pacific Time

Pre-registration: https://zoom.us/webinar/register/WN_ugctymxqRXmeEc52pDXUAg

Calendar: iCal download, Google Calendar or scan QR code image

Pre-registration is required. Registration ends automatically at the scheduled start time.

After registering, you will receive a confirmation email containing information about joining the meeting.

In order to process CPEs (Continuing Professional Education points) for members, please double check your (ISC)² member number is entered correctly.

• We will use Zoom’s webinar attendance report to compute attendees’ CPEs. To get the full 2 CPEs for the meeting requires attendance from the scheduled start time to the end of the meeting. Late arrivals and/or early departures will receive CPEs based on minutes attended, rounded down to 0.25 CPE increments.
• If you need to self-submit your CPEs for any reason (such as not entering an (ISC)² member number), use 1 CPE per hour in 0.25 CPE increments for the portion of the 2 hours you attended. If the meeting ends before 2 hours, full attendance still counts for 2 CPEs.

We hope you enjoyed CCM 4.0 mapping, Part Two: A technical dive into unified compliance strategy on May 13, 2021, 7:00 PM PDT at:
https://attendee.gotowebinar.com/register/4980569285837634829
After registering, the pre-meeting, presentation, and post-meeting are all on playback. We apologize for the glitch in editing. The session starts at minute 30. You are welcome to enjoy the presentation but please forward to minute 30 and feel free to stop viewing at minute 2:35:00.

We had an extra session with Eric Heitzman Director of Business Development. Eric helps Security Compass’s largest customers (in finance, technology, health, oil & gas) address Security, Privacy, and Compliance for software applications at scale. Eric is a career application security expert (security consulting, static analysis, and dynamic analysis).

Members of the ISC2 East Bay and ISACA Silicon Valley Community on April 29th had an opportunity to review reasons to quickly adopt the newly released Cloud Security Alliance, Cloud Controls Matrix V4.0 Cloud Controls Matrix (CCM), a Cybersecurity Control Framework (cloudsecurityalliance.org). As part one of a two-part discussion, that evening covered some of the common pitfalls that plague our efforts as a community, and as promised, this May 13th, 2-hour event offers a chance to continue with a deeper technical dive.

Outline

What Major Regulations Completely Changed over the last 24 months? Why update everything now? (What’s the domino effect of waiting?) Which are the key new requirements, such as Cryptographic Controls and new legal considerations for IoT? How are DevOps and SecOps better represented in the new standards? (NIST/CCM) Who and where are the working groups we can interact with to accomplish new mapping? What are the common pitfalls in the notation for ISO and NIST Standards? How can these be overcome?

Here’s are the Part One Slides: CSA CCM 4 Robin Basham ISACA SV April 28 2021

This Discussion covers that:

Major Cloud Providers expect to use ©Cloud Security Alliance, CCM 4.0 as the backbone supporting their Security Programs Policies, Programs, Audits

Leveraging existing AICPA SOC 2, HITRUST, PCI DSS V3.2.1, FedRamp, DFARS CMMC, ISO/IEC 27001 plus Privacy, Processing and Cloud requires a detailed understanding of these frameworks – i.e., experience completing engagements to do this work.*

Creating useable cyber framework mapping is an exercise that drives common language across all Policies and Programs and is necessary to meaningful resilience and compliance. Volunteers generally can’t do it. Is increasingly necessary (CMMC)

The available mappings offered by AICPA, NIST, HITRUST, and CSA have proven un-useful. As a community, it’s up to us to restore consumer confidence in using CCM 4.0 as a mapped framework. We also seek to support NIST expanded efforts for SP-800-53 r5, SP-800-53B, NIST SP-800-171r2, SP-800-172 Cybersecurity

So, what’s in the new standard and why is mapping so hard?

How can we effectively map this -> to that?

HITRUST CSF v9.3.1 © 2019 HITRUST
ISO/IEC 27001:2013 € Information security management systems — PIMS Requirements
ISO/IEC 27002:2013 € Information security management systems — Requirements
ISO/IEC 27017:2015 € 27002 for cloud services
ISO/IEC 27701:2019 € privacy information management — Requirements and guidelines
ISO/IEC 27018:2019 € (PII) in public clouds acting as PII processors
NIST 800-171 r2 Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations
NIST 800-172 Enhanced Security Requirements for Protecting Controlled Unclassified Information
NIST 800-53 r5 Security and Privacy Controls for Information Systems and Organizations
PCI DSS V3.2.1 Copyright © 2018 VISA
2017 Trust Services Criteria © 2017 AICPA

Your speaker tonight is ISC2 East Bay’s own, Robin Basham, Owner EnterpriseGRC Solutions, President, ISC2 East Bay, Certified Information Systems Security (CISSP), Audit (CISA), Governance (CGEIT) and Risk (CRISC), and GRC expert. Robin recently contributed a mapping refresh for NIST 171/172 to Dr. Ron Ross FISMA team and is currently contributing to the CCM Mapping for version 4.0. She is also a past board member of the ISACA SV Chapter.

Thursday, April 8th, 7:00 – 9:00 PM

The Slides! Zero Trust Data Protection

For those who missed the event, here’s the playback link.

https://attendee.gotowebinar.com/recording/7443606173304303885

Zero Trust Data Protection
A new approach to protecting data is being adopted across organizations that have a remote workforce accessing cloud applications (and data) outside of their network. The essentials of Zero Trust Data Protection are simple and powerful:

• Never trust, always verify – continuously
• Identity: Conditional access to web, apps, app instances is based on user, device, application risk
• Applications: Contextual activity controls are given within each and every app based on these risk levels
• Data: Advanced cloud data protection policy actions are enforced, with user coaching, to protect sensitive data, across documents, images, screenshots, etc.

Attend this session to learn about the fundamentals of zero trust data protection along with a live demo (powered by Netskope) of real-world use cases.

Title: How to Achieve Least Privilege at Cloud Scale

2.11.2021 7 PM – 9 PM Coming Soon, Playback Link.

Presentation

Three steps to achieving true cloud security with Cloud Infrastructure Entitlements Management (CIEM)

Achieving security in the cloud is an ever-moving target, making it challenging for security and cloud infrastructure teams to keep up with current risks, much less learn about new approaches. Over the past few years, too many global enterprises have fallen victim to hacks, attacks, and breaches, in many cases attributable to poor implementation of security policies and to the rise of human and non-human identities with excessive high-risk cloud permissions.

Current approaches, such as traditional assumption based Role-based Access Controls (RBAC) and other labor-intensive manual processes were early attempts to stay one step ahead of breaches due to accidental misuse and malicious exploitation of permissions. But they simply don’t work in the cloud! 

In this webinar, we’ll take a look at Gartner’s newly defined category called Cloud Infrastructure Entitlements Management (CIEM).  CIEM defines the next generation of solutions for managing access to permissions and enforcing least privilege in the cloud.

CloudKnox Security, the leader in the CIEM space, will take you through a quick-start path to achieving CIEM by leveraging a three-phased lifecycle approach.  You will learn how to:

·       Discover who (identities) is doing what, where (resources) and when across your cloud infrastructure

·       Manage risk by giving identities just-enough and just-in-time permissions to perform their daily tasks and nothing more

·       Monitor identity activity changes and prioritize alerts based on risk level associated with anomalous behavior

Join CloudKnox to explore the key steps to managing cloud permissions with CIEM and see how quickly you – and your organization – can reduce your attack surface by getting ahead of the #1 unmanaged risk to cloud infrastructure – identities with excessive high-risk permissions

More about our Meeting Sponsor: CloudKnox Security

CloudKnox delivers a single platform for managing the entire identity privilege lifecycle across hybrid cloud utilizing a revolutionary Activity-based Authorization model. This groundbreaking approach offers a non-intrusive way to manage identity privileges and protect organizations’​ critical infrastructure from malicious and accidental credential abuse.