Jan 13th Member Meeting: NIST 171, DFARS and CMMC 2.0 – Our Resources and Roles

Thursday, January 13th, online from 7:00 PM to 9:00 PM

Presenter: Robin Basham, Chapter President, CEO EnterpriseGRC Solutions.

Management Discussion: We do not have a quorum of candidates to move forward with our new board. Istvan Berko will engage with our voting chapter members to gain consensus on how we cost-effectively stay alive with a 100% remote model.

In the absence of in person conferences and meetings, Robin has not been able to coordinate conferences, which has been our sole source of revenue for the last five years.

Some board members with more than five years in our roles will explain what it means for us to step away with dignity, knowing what it takes to support the next generation of leaders. With revenue and support, many in our community can do this, but we have to change the way things are done.

Establishing a vision to move forward – Istvan Berko
NIST 171 assessment is really seven NIST documents, an array of CMMC requirements and an array of DFARS requirements

Why the topic update: People are seeing the words DFARS and CMMC thrown into webinar topics. Our board wants to ensure that our membership gets qualified and accurate training. Since Robin is recently engaged on this topic…

Topic: NIST 171 Compliance: The NIST Special Publication 171 series, Defense Federal Acquisition Regulation Supplement (DFARS) 7012, and Cybersecurity Maturity Model Certification – Regulating Protected Controlled Unclassified Information

Suppose you are a nonfederal service provider whose offering might involve handling Controlled Unclassified Information (CUI). Until now, it might not have been an issue. Then suddenly either your Government Contract Management Officer or an upstream distributor for one of your products informs you that your contracts and work orders will not move forward until your offering is listed in the DoD Supplier Performance Risk System as having passed NIST 171. Now what? This paper explains what you need to know about the NIST SP 800-171 Assessment Methodology and its use in demonstrating adequate security, as detailed in the recently updated DFARS clause 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting.

In short, DFARS Rule 2019-D041 means that US Federal Agencies cannot award your contract unless you have been assessed against National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171 using the DoD Assessment Methodology and have validated that assessment either by a self-reported Supplier Performance Risk System (SPRS) score or by certification from a DoD-accredited third-party assessor using the prescribed Cybersecurity Maturity Model Certification (CMMC) Framework.

Based On Who You Are – What You Need To Know

Domains of Knowledge -> | NIST Frameworks (The SP-800 series) | DFARS Guidance | Certified Assessor Requirement Level
User or Actor | NIST 171, 171A-Low, 171A-Medium, 171A-High, 172, DoD NIST 171 Assessment Methodology, NIST.HB.162 Assessors Handbook | DFARS 2019-D041, DFARS 252.204-7012, DFARS 252.204-7019, DFARS provision 252.204-7008, *CMMC Rule | CMMC L1, L2, L3, CMMC L1 Scoping Guide, CMMC L2 Scoping Guide, SPRS-Basic, SPRS-Derived, DoD NIST 171 Assessment Methodology, NIST.HB.162 Assessors Handbook
Compliance Professionals – Basic Assessment | NIST 171, 171A-Low, NIST.HB.162 Assessors Handbook (for low) | DFARS 252.204-7012 | SPRS, DoD Assessment Methodology, NIST.HB.162 Assessors Handbook
Compliance Professionals – Medium Assessment | NIST 171, 171A-Medium, NIST.HB.162 Assessors Handbook | DFARS 252.204-7012 | SPRS, DoD Assessment Methodology, NIST.HB.162 Assessors Handbook, CMMC L2, CMMC Level 2 Scoping Guide
Compliance Professionals – High Assessment | NIST 171, 171A-High, 172, NIST.HB.162 Assessors Handbook | DFARS 252.204-7012, DFARS 252.204-7019, *CMMC Rule | CMMC L1, L2, L3 (content is the same as NIST 172), NIST.HB.162 Assessors Handbook
Assessors – externally accredited, DoD certified | NIST 171, 171A-all, 172, NIST.HB.162 Assessors Handbook | DFARS 2019-D041, DFARS 252.204-7012, DFARS 252.204-7019, *CMMC Rule | CMMC L1, L2, L3, SPRS-Basic and Derived, NIST.HB.162 Assessors Handbook
Executives / Legal | NIST 171 (Chapter 3) | DFARS 2019-D041, DFARS 252.204-7012 | N/A
DCMA (Contract Administrator) | DoD NIST 171 Assessment Methodology | DFARS 2019-D041, DFARS 252.204-7012, DFARS 252.204-7019 | SPRS – Review system results as provided by an assessor

Robin Basham, current (ISC)2 East Bay Chapter President and Conferences Director, covering for the Director of Programs… Leader of the Cloud Security Alliance CCM NIST WG

About the speaker: Robin Basham recently led the Cloud Security Alliance CCM 4 to NIST 800-53 R5 Working Group. This effort began as a proposed commitment in April, involving the collaboration of some of our biggest and most respected East Bay enterprises. Leveraging the talent of 20 volunteers and mappings as designed in three major companies, the CCM WG produced a refined mapping that will be released in JSON format and hopefully brings much-needed clarity to the Cloud Security and Compliance community.

Owner, EnterpriseGRC Solutions; President, ISC2 East Bay; Certified Information Systems Security (CISSP), Audit (CISA), Governance (CGEIT) and Risk (CRISC-IA); ICT GRC expert and early adopter in both certifying and offering certification programs for Cloud Security and Virtualization, with industry experience in the management of systems, controls and data for SaaS (IaaS and PaaS), Finance, Healthcare, Banking, Education, Defense, and High Tech. Positions held include Technology Officer at State Street Bank, leading Process Engineering for a major New England CLEC, Sr. Director Enterprise Technology for multiple advisory firms, founding, engineering products for and running two governance software companies, and most recently Director Enterprise Compliance for a major player in the mortgage industry, Ellie Mae. Recently full time at Cisco as Unified Compliance and ISMS Program Manager, Robin currently leads LSHC in support of three MDM clients, as well as donating substantial time to supporting social platform security to further social democracy. Robin recently contributed a mapping refresh for NIST 171/172 to Dr. Ron Ross's FISMA team and is currently contributing to the CCM Mapping for version 4.0. She is also a past board member of the ISACA SV Chapter.

February Topic is BotSentinel CEO Christopher Bouzy.

Dec 9th, 2021 Member Meeting: CCM 4 to NIST SP 800-53 R5 Working Group Results

Thursday, 7 PM to 9 PM Webinar – Registration Link

Cloud Security Alliance Working Group CCM 4.1 to NIST SP 800-53 r5 Mapping Insights and Outcomes
Follow up to “Aligning the Cloud Controls Matrix CCM 4.1 to NIST SP 800-53 r5 – The Control Reference Layer”

Presentation prepared for the Cloud Security Alliance CSA CCM 4.1 to NIST SP 800-53 rev 5 Working Group by Robin Basham, CEO EnterpriseGRC Solutions, CISSP, CISA, CGEIT, CRISC, CRP, VRP, and President, ISC2 East Bay Chapter, with collaboration from 20 CCM WG team members


Side note: A friend of the Chapter, Bill Klaben, sends an invitation to join Omdia and CybeReady experts (Dec 14th, 8 am PST / 11 am EST) for "Measuring Effectiveness in Security Awareness Training". This webinar is one of the products in the Informa Tech Cybersecurity portfolio, which includes the market-leading brands Black Hat, Dark Reading, and OMDIA. Key topics for discussion include:
  • How training effectiveness can be measured
  • Click rate in phishing simulations: is lower always better?
  • How to translate the measurements into the language of the boardroom
Register via this link – https://event.on24.com/wcc/r/3503879/82F96812AC621BE31030EA09ABFB8161?partnerref=CybeReadySales

CPE Summary 2021

(September – private board event: 2 CPE)

CCSK Training, Istvan Berko, reported by individual: up to 8 CPE

Our board met 12 times in 2021 and provided support to other chapters and organizations as mentors and collaborators. We take pride in being a supporting member of many other California organizations and look forward to our continued partnerships.

From all of us at (ISC)2 East Bay Chapter, We Wish You All
The Happiest of SAFE Holidays
and a Joyous New Year

Nov 11th, 2021 Member Meeting: Session 1 – Who's Accountable Anyway; Session 2 – Managed Security

Meeting from 7:00 PM to 9:00 PM – 2 CPE for full attendance. Registration is required.

Session One: Who’s Accountable Anyway? Sarah Clarke, Data protection and security governance, risk, and compliance

No one can (or perhaps should) be accountable for something they either cannot influence or don’t understand. This talk will highlight ways to create that connective communications tissue, to build buy-in for pragmatic security and data protection.

It is the foundation from which we build consensus and tackle another challenge at the core of prospering as a security function: the GRC paradox. Workload invariably exceeds available hours in staff days. Having the means to triage is grounded in understanding prevailing risks. In order to understand risk, we need skilled personnel and time. In order to justify the budget for personnel and time, we need to understand risk.

This session will also discuss how to break that deadlock by moving triage left in the development lifecycle and keeping things simple enough to involve the rest of the organization in that process.

After a start in IT and network security, she too often saw colleagues burnt out, frequently because they did not have the data and sponsorship to describe challenges and drive change. This led to a ground-up redesign of various processes, including vendor security governance and sustainable triage, working mainly in financial services.

She speaks and writes about related topics, in between advising companies via her own firm, Infospectives Ltd. She also volunteers with the not-for-profit For Humanity, designing independent AI audit solutions, which resulted in her election to their board as Director earlier this year. She is also a guest lecturer on vendor security governance for University of Manchester IT Governance Masters students.

Session Two: Where is Managed Security Services going and where do we stand today?

In the past 18-24 months there has been a lot of change in managed security services. Analysts have been measuring and driving it through the Gartner MSS Magic Quadrant and the Forrester Wave. The change is in part due to the way clients consume security services, but it is also driven by investors and private venture partners pushing service organizations to fit into a SaaS model to drive their valuation. The effect has been a shift from a services focus to a platform focus, with a twist of consulting to support the holistic engagement.

Istvan will start by defining the current changes in the market and what is meant by MSS, MSSP, MDR, XDR, SOCaaS, etc., then discuss some of the value these services have brought to companies, but also what gaps the new approach may introduce.

Istvan Berko
Istvan Berko, (ISC)2 East Bay Chapter Vice President, New Role to be Announced Soon.

I drive new business by providing excellent customer engagement and establishing strategic partnerships with stakeholders and executives to increase revenue. I have been able to guide the technical strategy and direction of the security practice and advise strategic clients on the role of new security technology and innovations. I have had outstanding success in building and maintaining relationships with key decision makers, establishing major accounts while ensuring client retention and loyalty. I am well-organized with a track record that demonstrates leadership, self-motivation, perseverance, and creativity. I have extensive executive face-to-face interaction while focusing on client relationships and closing on new projects to provide customers with exceptional results.

October 14th: 1 – Election Systems Audit, 2 – Covid-19 Disinformation, stripping the politics out of cybersecurity

7 PM Jennifer Cohn – Election Integrity, followed by 8 PM Sherri Douville, How to Be an Ambassador of Trust: Putting Risk Management To Work Combating the Threat of Misinformation
Ms. Cohn’s talk will provide an overview of election system vulnerabilities, the impact of the Big Lie on election-security advocacy, and suggestions for improving the system in 2022.

Jennifer Cohn is an election integrity advocate, writer, and journalist. She graduated from the University of California, Los Angeles in 1989 and Hastings College of the Law in 1993. Since the 2016 election, she has focused her professional efforts exclusively on investigating and exposing our country’s insecure computerized elections. She was a law partner at Nielsen Haley & Abbott in Marin County for many years, where she specialized in insurance coverage and civil appeals. Before that, she specialized in criminal appellate law.

You can view her published work at @WhoWhatWhy, @nybooks and @Salon, and under #HandMarkedPaperBallots, #RobustManualAudits and #BackupPaperPollBooks: link.medium.com/qxbJDJMZ8db

Some Published content by the speaker:

8 PM Session Two: How to Be an Ambassador of Trust: Putting Risk Management To Work Combating the Threat of Misinformation, Presented by Sherri Douville, CEO, Medigram, Inc.

  • The Integrity of Information and Our Role in The “Information Supply Chain”
  • The Hard Road Traveled: Why trust is important to you, your career, and your teams, even your families.
  • How to think of the role that bias plays in misinformation
  • Methods of fact checking
  • Compassion & Leadership for the human vulnerabilities that lead to susceptibility to misinformation.
  • Evidence based techniques to combat misinformation while preserving relationships
  • How the Mobile Medicine Book, the #1 new release in medical technology and medical informatics on Amazon can help you to combat technology misinformation. https://www.amazon.com/Mobile-Medicine-Overcoming-Culture-Governance/dp/0367651505/ref=sr_1_2?dchild=1&keywords=mobile+medicine&qid=1631669698&sr=8-2
Sherri Douville is CEO & Board Member at Medigram, Inc.
Editor & Coauthor of the best seller (New Releases in Medical Technology) Mobile Medicine: Overcoming People, Culture, & Governance, Routledge, Taylor & Francis Group

Sherri Douville Biography

Sherri Douville is CEO & Board Member at Medigram and is a sought-after speaker and author in mobile medical technology, other healthcare-related industries, leadership, risk management, mobile security, and governance. Ms. Douville is honored to strategically build, grow, and lead multi-disciplinary, multi-industry teams at Medigram and in the market to solve the leading cause of preventable death – a delay in information. Ms. Douville is co-chair of the technical trust and identity standard subgroup for the healthcare industry for clinical IoT through an IEEE and UL joint venture and has been published and quoted in both mainstream and industry media such as CIO.com, the San Jose Mercury News, NBC, Becker's Hospital Review, ThisWeekinHealthIT, and HITInfrastructure.com. Other industry leadership has included serving on the board of the NorCal HIMSS and teaching continuing education credit in mobile security for CISSP, the information security certification. She is the co-author of a number of technical articles and papers and a forthcoming Springer book chapter on Trust in Clinical IoT, and is the lead author and editor of Mobile Medicine: Overcoming People, Culture, and Governance (Taylor & Francis). Ms. Douville led the development of this industry guide to mobile computing in medicine and built the international, multi-industry, multi-disciplinary team behind it. Prior to her current work in the mobile medicine, privacy, security, health IT, and AI industries, Sherri worked in the medical device space consulting in the areas of physician acceptance and economic feasibility for medical devices. Previously, she worked for over a decade with products addressing over a dozen disease states at Johnson & Johnson, was recognized for industry thought leadership there by McGraw-Hill, and won a number of awards. Ms. Douville has a Bachelor of Combined Science degree from Santa Clara University and has completed certificates in electrical engineering, computer science, AI and ML through MIT. She advises and serves startups, boards, and organizations, including as a member of the Board of Fellows for Santa Clara University and an advisor to the Santa Clara University Leavey School of Business Corporate Board Education initiatives, the Black Corporate Board Readiness, and Women's Corporate Board Readiness programs.

While we have your attention…

Dear Colleague,
The fourth annual event is around the corner. This year is the best yet – tried and proven innovations of 2021 will be shared by local governments and small businesses, along with resources. We need to, and can, build back better and more securely in crises. Register today.

Never waste a crisis.  Never reinvent the wheel. #SecureSafetyNet2021

Register Your Free Ticket
View the Agenda – Key Takeaways:
  • Useful experience, not a sales pitch, to protect your organization and you from cyber risks (bring your children too)
  • Easier and safer digital transformation, and connections with people in your shoes
  • Safer smart cities and communities for our future together
  • Innovations and resources you can be part of to move the needle in cybersecurity – trends and opportunities
Register Now


Program and Sponsorship: Lan Jenson, Lan@CybertrustAmerica.org
Expo and Job Fair: Kenny Yuen, Kenny@CybertrustAmerica.org

Register today for our upcoming events and your chance to lead an RSAC 2022 Sandbox session.
Here's a lineup of October events sure to pique your interest. Don't miss out on our two webcasts on the topic of Cloud Security & Virtualization. Plus, find out how you can lead a session in the RSAC Sandbox.

Lead a Sandbox Session at RSAC 2022: We're offering another opportunity to showcase your expertise at RSAC. Submit to lead a session in the RSAC Sandbox, a hub for innovation. We will be accepting submissions until October 8. Learn more.

Upcoming Webcasts
  • Post-Exploitation of Cloud Service Providers – October 7 | 1 PM ET | 10 AM PT. Get a demo of "barq," the AWS post-exploitation tool that helps penetration testers better assess risks and identify weaknesses. Register now.
  • Confidential Computing in Cloud and Edge – October 26 | 1 PM ET | 10 AM PT. Learn how confidential computing can help provide your trusted execution environment greater security and privacy. Register now.
GIAC and (ISC)2 members can earn CPE credits for attending webcasts live.

August 12th, 2021 Member Meeting, Protegrity Presentation: Sharing Sensitive Information Securely

Please join (ISC)2 East Bay Chapter on August 12th, 7 PM – 9 PM, for two CPE hours attending "Sharing Sensitive Information Securely – Privacy-Preserving Analytics and Secure Multiparty Computation".

Speaker Ulf Mattsson | Chief Security Strategist

Sharing Sensitive Information Securely
Different industries are taking advantage of secure data-sharing techniques. New privacy-preserving computing approaches are needed to meet legal requirements and provide privacy for data sharing.

Meet Ulf Mattsson, Chief Security Strategist at Protegrity

Ulf is the Chief Security Strategist at Protegrity, previously Head of Innovation at TokenEx, Chief Technology Officer at Atlantic BT, and earlier CTO at Compliance Engineering. Ulf was the CTO and a founder of Protegrity Technology. He invented Protegrity Vaultless Tokenization and created the initial architecture of Protegrity's security technology.
At Protegrity he serves as a catalyst for innovation with an active role in shaping the product roadmap and strategy. Ulf works in industry standards bodies, has an active role in forming strategic partnerships and alliances across the industry, and represents Protegrity at C-level meetings with customers and prospects. Prior to Protegrity, Ulf worked 20 years at IBM software development and research in the areas of IT Architecture and Security.
He is the inventor of more than 70 awarded/issued US patents and worked in joint software development projects with research and development teams at IBM, Microsoft, Hewlett-Packard, Oracle, Sybase, Informix, Teradata, and RSA Security. Ulf also worked as a leader in companies providing Data Discovery Services, Cloud Application Security Brokers, Web Application Firewalls, Managed Security Services, Security Operation Centers, and Cybersecurity consulting.
Leading journals and professional magazines, including IEEE Xplore, ISACA Journal, ISSA Journal, and IBM Journals, have published more than 100 of his in-depth professional articles and papers. Ulf frequently gives presentations at leading security and database conferences in the US, Europe, and Asia.
Ulf received a master's degree in physics in engineering from the Chalmers University of Technology.

Ulf Mattsson | Chief Security Strategist
+1 203 570 6919 | +1 860 969 7883


About Protegrity

Protegrity protects the world’s most sensitive data wherever it resides. Our industry-leading solutions allow businesses to finally tap into the value of their data and accelerate digital transformation timelines – without jeopardizing individuals’ fundamental right to privacy. For more than 20 years, Protegrity has delivered innovative, data-centric protection for the most sensitive data of the largest brands on the planet. We free businesses from the constraints associated with accessing and leveraging data to create better customer experiences, make intelligence-supported decisions, and fuel innovation. Data knows no boundaries and Protegrity’s technology is built for data ubiquity. Protegrity is headquartered in Salt Lake City, Utah.

July 8th, 2021 Member Meeting: Vulnerability Validation; Risks & Threats with 5G, IoT, IIoT, OT

Sorry we missed you, but please enjoy the playback: https://register.gotowebinar.com/recording/recordingView?webinarKey=7663730602062283020&registrantEmail=robin%40enterprisegrc.com

How Vulnerability Validation Saves DevSecOps Teams Significant Time

Rezilion Prioritize identifies vulnerabilities that are actually exploitable, helping to avoid remediation of those that are never loaded into memory and are therefore not real threats. Vulnerability validation will:

  • Reduce vulnerability patching efforts by up to 70% 
  • Provide CISOs with the actual attack surface vs. a perceived attack surface, allowing them to better allocate resources
  • Find more time to patch without slowing down business operations by providing compensating controls for production vulnerabilities through autonomous mitigation 

Presenting: Curtis Barker, VP of Solution Architecture at Rezilion, AWS security architect, certified Scrum product owner trained in agile development, and certified Cisco network professional.

Originally from London, UK, Curtis holds a Master's Degree in Electronic Communications Engineering with Business Mgt (MEng) from the University of Sussex. He started out in telecommunications as a network engineer, which included laying cables between sunken warships between England and France. He moved to South East in 2008 where, as a network designer, he experienced the explosion of communications infrastructure in the region. As business went mobile, Curtis moved to mobile communications in 2011 to lead solution sales focused on mobile security. He joined Symantec in 2014 to manage their emerging mobile security products and went on to lead the Symantec product portfolio in the Asia Pacific region. Curtis transferred to Symantec headquarters in Mountain View, California in 2016 to manage the introduction of emerging cloud security products. He helped Symantec bring new products to market and led product integrations to strategic partner marketplaces.

In his spare time, Curtis enjoys cycling and traveling with friends and family.


Curtis Barker | VP Solution & Product Architecture
P: +1.650.495.5287 | E: curtisb@rezilion.com | W: www.rezilion.com

Session Two: Next-Generation Cellular and Broad-spectrum IoT cybersecurity

What are the risks and threats associated with 5G, IoT, IIoT, and OT, and what should you be concerned about?

As enterprises embrace IoT to help drive efficiencies and compete in the new online world, customers are faced with the challenge of having to balance best practices with time to market. With 80% of IoT deployments now wireless, wireless has become the new network and the new attack surface, creating a massive invisible blind spot – the invisible espionage threat to the business.
In this discussion, learn from a wireless industry veteran who understands the new visibility that’s required in order to detect, assess and prevent risk from backdoor data exfiltration.

Garry Drummond, CEO and Founder LOCH Technologies, www.lock.io

Mr. Drummond is an experienced Go-To-Market Executive with a career that spans over 20 years across numerous leadership roles in Sales, Business Development and Product Marketing within the Technology Industry. Mr. Drummond is a Certified Information Systems Security Professional (CISSP), as well as a Certified Wireless and Network Security Professional (CWNA/CWSP), and has helped many of his clients implement a best practice approach to risk management.

From his humble beginnings in Scotland, Mr. Drummond arrived in the Bay Area in 1998.
Mr. Drummond went to business school in Scotland, where he studied International Business. With a passion for self-learning, Mr. Drummond has become an expert in the field of wireless security technologies and has received several patents for his work.
Mr. Drummond was instrumental in the go-to-market fit for two Silicon Valley security start-ups before moving into entrepreneurship in July 2014, when he started LOCH Technologies (formerly 802 Secure) from his garage in Pleasanton, CA.

Along with a small team of industry experts, he conceptualized, designed, and delivered wireless cybersecurity products for the company by developing next-generation signal intelligence technologies for securing the Internet of Things (IoT) by combining software-defined radio (SDR) with big data analytics. The patented solutions created by LOCH have been deployed across many industries including Critical Infrastructure, Government, Transportation, Healthcare, and Enterprises around the world.

With 80% of new IoT deployments wireless, wireless has fast become the new network and new attack surface.

LOCH Technologies was awarded Silicon Valley Start-up of the Year in April 2015 and Silicon Valley Company of the Year in May 2016.

In 2017, Mr. Drummond was awarded Most Innovative CEO of the Year. LOCH Technologies was recognized as a Gartner Cool Vendor 2021 for Edge Computing. The company's products are sold today through partnerships with AT&T, Dell Technologies, Optiv Security, and Herjavec Group in the US, and through international partners Rikei Corporation (Japan) and Oxygen (Dubai).

About LOCH Technologies
LOCH is a global leader in next-generation wireless threat monitoring. The company provides actionable threat intelligence across cellular 4G/5G networks as well as broad-spectrum IoT networks such as CBRS or Private LTE.
With 80% of new IoT deployments wireless, wireless has fast become the new network and new attack surface. Therefore, every wireless device needs to be discovered, identified and tagged along with its risk profile in order to secure this new multi-access edge, regardless of what type of device it is, what protocol it uses, and who owns it.
LOCH aims to secure the new world of wireless innovation that will drive digital transformation.
Learn more: www.LOCH.io

June 10th, 2021 Member Meeting: IoT Endpoint Security – Failure of Security to Protect

Please enjoy this free playback link. https://register.gotowebinar.com/register/6492462645812148493

7:00 PM Session One: Internet of Things, IoT, Reducing Vulnerability and Unauthorized Endpoints by Implementing Least Privilege

Abstract: IT security organizations big and small are concerned about threats from applications, endpoints, especially unmanaged endpoints, and IoT devices. They want to reduce the number of unknown endpoints/IoT devices and are concerned about unauthorized endpoints in the network.

They are concerned about the vulnerability of these endpoints and are wondering how to detect IoT device compromise. Protecting IoT devices by segmenting them with least-privilege access is a real challenge.
Further, the organization must make sure sensitive data sent by these devices is protected while at rest and in motion.
Finally, they must address privacy concerns on the data stored, and data processing throughout the product lifecycle.
With all these challenges, where does the organization start? As security professionals, how do we onboard and secure these IoT devices?
This discussion provides approaches that help to identify, gather context, understand behavior, and implement necessary segmentation of IoT devices.

Speaker Krishnan Thiruvengadam, Sr. Technical Marketing Engineer at Cisco, Director Communications, ISC2 East Bay Chapter

As Sr. Technical Marketing Engineer, Krishnan drives product technical direction for Endpoint Analytics and newer innovations toward the trusted workplace. Providing deployment solutions to customers and integration with customer ecosystems, Krishnan is an expert in Cisco ISE, its performance, integrations, and use cases. He evangelizes and presents the solution with experts in a variety of forums. Krishnan develops the TDM, solution deployment documentation, white papers, videos and demos, and works with customers and partners on adoption, proofs of value, and similar engagements.

Learn more from Krishnan about End Point Analytics

8:00 PM to 9:00 PM Session Two: The Failure of Security to Protect

Jacques Remi Francoeur (MBA, M.A.Sc., B.A.Sc.) Presents Security and Assurance Working Group, Digital Currency Global Initiative

The Failure of Security to Protect
The total global economy in 2018 was estimated to be $86 trillion. As of June 2019, an estimated 4.5B people were connected to the Internet, based on a population of 7.7B, a 58.8% Internet penetration. The Global Risks Report 2019 outlines the greatest risks facing the world; cyber threats are the 4th most significant societal risk and are by no means under control. As the world accelerates into the 4th Industrial Revolution, according to the ITU Global Cybersecurity Index 2018, 73% of the Internet-connected world today is unprotected, while the remaining 27%, who think they are protected, account for 80% of global security spending, estimated to reach $300B by 2023.
Is Protection just for the Rich?
Today, people extending themselves into the digital world are highly exposed to potential significant harm and have no way to detect or prevent the threat.
Should Digital Protection be a Human Right?
Security Inclusion Now! is a call-to-action to urgently drive global action to prevent an eventual untenable global situation that threatens the promises of the 4th industrial revolution – the increasing digital protection divide, the gap between the demand for protection and the available supply.
The asymmetry of the problem is ironic. When we look at a rapidly morphing, well-funded, increasingly sophisticated and difficult-to-attribute threat in relation to our current industry capability, there are significant limitations that, if not addressed, will inherently prevent society from achieving the required “one protection for all” with enough assurance at a reasonable cost.
In a highly interconnected world, no one is protected unless everyone is.
The presenter will explore a new way forward to transition from notional to precision security and from security information in a world of friction to security knowledge in a frictionless world. This will enable those less expert to participate in the protection of their organizations.

Security Control Expressions (SCE) Store Security Knowledge

Every day, security professionals spend countless hours searching for information that is highly distributed and fragmented. This highly subjective and non-interoperable information must be interpreted, synthesized, and communicated to stakeholders.

All matters security can be described uniquely & unambiguously by a simple “expression” model between 6 actors engaged in 5 relationships. The model is published by the ITU, Study Group 17: Security as Technical Report Unified Security Model.

  • Genesis Cybersecurity Program is the practitioner training program on the SCE Model innovation. The program involves the transfer & institutionalization of the capability to different centers of expertise for the development of a sustainable & growing security training & knowledge capture capability.
  • SINOW Security Validation Platform is a software tool that emulates the SCE model. A nested and iterative process stores security knowledge which is then available frictionlessly to all other dependent practitioners for knowledge verification or their specialized dependent knowledge contribution. It transforms Security & Compliance information in a world of friction to Security & Compliance knowledge in a frictionless world. By enabling instant and frictionless navigation & visualization of any security control, its state, relationships, and dependencies, the security practitioner is free to focus on security and not finding information.

About our speaker: Jacques Remi Francoeur (MBA, M.A.Sc., B.A.Sc.)

Jacques is the founder and Chief Scientist of Security Inclusion Now – the USA, a California-based consulting, training, and software organization innovating in security tool development. Jacques is also a member of the World Economic Forum Expert Network recognized as a Blockchain security expert and the Team Lead of the Security & Assurance Working Group of the Digital Currency Global Initiative, a joint program of the International Telecommunications Union (ITU) & Stanford University.

Jacques has an MBA with honors from Concordia University, Montreal; M.A.Sc from the University of Toronto, Institute for Aerospace Studies and a B.A.Sc. in Engineering Science, Aerospace Engineering from the University of Toronto.

Jacques has over 30 years of experience in high technology, beginning his career as an Aerospace Engineer with the Canadian Space Agency, then moving to Silicon Valley in 1999 and beginning his privacy and security consulting advisory career with KPMG, followed by SAIC and E&Y. Jacques is a 2018/19/20 US Delegate from the U.S. Department of State to ITU Standardization Study Group 17: Security. He was also Vice-Chair of the ITU Focus Group on Digital Fiat Currency and co-chair of its Security Working Group. Finally, Jacques is also a member of the US Marine Corps Cyber Auxiliary.

Jacques Remi Francoeur, M.A.Sc, B.A.Sc, MBA

Chief Scientist & Founder
Security Inclusion Now, USA

Team Lead: Security & Assurance Working Group
Digital Currency Global Initiative,
International Telecommunications Union

USA Delegate (2018 to present), Security Expert & Contributor
ITU, Standardization, Study Group 17: Security

Expert Network Member, Security
World Economic Forum

June 9 2021 Member opportunity Virtual Cyber Security Summit Featuring NSA & The FBI

Subject: Complimentary Admission to Region’s Official Virtual Cyber Security Summit Featuring NSA & The FBI – June 9

ISC2 East Bay is proud to partner with the Official Cyber Security Summit this year for the Virtual 4th Annual Silicon Valley Cyber Security Summit on Wednesday, June 9.

Admission is normally $95 but we have secured Exclusive FREE Admission!

To secure your pass, register with code ISC2EB at https://CyberSecuritySummit.com/Summit/SiliconValley21/

Earn up to 8 Continuing Education Credits by attending the day in full.

Join us virtually and learn about the latest cybersecurity threats facing your company, best cyber hygiene practices, solutions to protect against a cyber-attack, and much more – all from the comfort and safety of your home/office.

The Director of Operations of the NSA Red Team will be leading a Security Keynote – “Looking Through the Eyes of the Cyber Attacker” – exclusively at the Cyber Security Summit!

Additional thought leaders include the Asst. Special Agent in charge, FBI San Francisco Cyber Branch and other SMEs from Cybercrime Support Network, Center for Internet Security, Darktrace, ExtraHop, Intel and many more.

You are welcome to share this invitation with your IT Security Team and other Senior Level colleagues who would benefit from attending this event.

Please note: Admission is for C-Suite/Senior Level Executives, Directors, Managers, and other IT/Cyber Professionals and Business Leaders. Those in Sales / Marketing and Students are not permitted.

We encourage you to attend this invitation-only event, rated Top 50 InfoSec Conference to Attend Worldwide!

For event details, visit https://CyberSecuritySummit.com/Summit/SiliconValley21/

If you would like to exhibit and/or speak at the Cyber Security Summit, contact Megan Hutton at MHutton@CyberSummitUSA.com.

June 8 Partner Chapter Member ISC2 SV Event NIST SP-800-53 r5 – The Control Reference Layer: Taming the Beast

This event is sponsored by the (ISC)² Silicon Valley Chapter – 2021-06-08 virtual meeting

Speaker: Robin Basham on “NIST SP-800-53 r5 – The Control Reference Layer: Taming the Beast”

Abstract: NIST SP-800-53 r5 was a long labor with a few false starts. FedRAMP dependencies still include r4; however, 75 new control, enhancement, or attribute elements of r5 exist in the SSP – NIST SP-800-53B.

  • NIST 800-53 is a common reference layer used in mapping nearly all other cybersecurity frameworks -> compounding issues in failed updates to mapping
  • NIST Addendum to Mapping ISO/IEC 27001 missing Cloud, Privacy, Processing
  • Examining common pitfalls in notation for ISO and NIST standards: how can these be overcome?
  • Exploring data elements necessary to mapping – a walk through the schema elements (reminder to look at Schema.Org)
  • NIST 800-53 r5 v. r4
  • NIST 800-171 r2
  • NIST 800-172 Enhanced Security Requirements for Protecting Controlled Unclassified Information; A Supplement to NIST Special Publication 800-171
  • ISO/IEC 27001:2013 – as implemented with
  • ISO/IEC 27002:2013 – including certification for Cloud, Privacy, and PII Processors
  • ISO/IEC 27017:2015 – 27002 for cloud services
  • ISO/IEC 27018:2019 – Information technology — Security techniques — Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors
  • ISO/IEC 27701:2019 – Security techniques — Extension to ISO/IEC 27001 and ISO/IEC 27002 for privacy information management — Requirements and guidelines
  • Case Study: Mapping NIST 800-53r5 to configuration rules such as those used in CIS Benchmarks

About the speaker: Owner EnterpriseGRC Solutions, President, ISC2 East Bay, Certified Information Systems Security (CISSP), Audit (CISA), Governance (CGEIT) and Risk (CRISC), ICT GRC expert and early adopter in both certifying and offering certification programs for Cloud Security and Virtualization, with industry experience in the management of systems, controls and data for SaaS (IaaS and PaaS), Finance, Healthcare, Banking, Education, Defense, and High Tech. Positions held include Technology Officer at State Street Bank, Leading Process Engineering for a major New England CLEC, Sr. Director Enterprise Technology for multiple advisory firms, founding, engineering product and running two governance software companies, and most recently Director Enterprise Compliance for a major player in the mortgage industry, Ellie Mae. Recently full time at Cisco, Unified Compliance and ISMS Program Manager, Robin currently leads LSHC in support of three MDM clients as well as donating substantial time to supporting social platform security to further social democracy. Robin recently contributed a mapping refresh for NIST 171/172 to Dr. Ron Ross FISMA team and is currently contributing to the CCM Mapping for version 4.0. She is also a past board member to the ISACA SV Chapter.

Pre-registration required

Where: online Zoom webinar

When: Tuesday, June 8, 2021 at 06:00 PM Pacific Time

Pre-registration: https://zoom.us/webinar/register/WN_ugctymxqRXmeEc52pDXUAg

Calendar: iCal download, Google Calendar or scan QR code image

Pre-registration is required. Registration ends automatically at the scheduled start time.

After registering, you will receive a confirmation email containing information about joining the meeting.

In order to process CPEs (Continuing Professional Education points) for members, please double check your (ISC)² member number is entered correctly.

  • We will use Zoom’s webinar attendance report to compute attendees’ CPEs. To get the full 2 CPEs for the meeting requires attendance from the scheduled start time to the end of the meeting. Late arrivals and/or early departures will receive CPEs based on minutes attended, rounded down to 0.25 CPE increments.
  • If you need to self-submit your CPEs for any reason (such as not entering an (ISC)² member number), use 1 CPE per hour in 0.25 CPE increments for the portion of the 2 hours you attended. If the meeting ends before 2 hours, full attendance still counts for 2 CPEs.

May 13th, 2021, Member Meeting CCM 4.0 Mapping part two a technical dive into unified compliance strategy

We hope you enjoyed CCM 4.0 Mapping, Part Two: A technical dive into unified compliance strategy, on May 13, 2021, at 7:00 PM PDT.
After registering, the pre-meeting, presentation, and post-meeting are all available on playback. We apologize for the glitch in editing: the session starts at minute 30. You are welcome to enjoy the presentation, but please forward to minute 30 and feel free to stop viewing at 2:35:00.

We had an extra session with Eric Heitzman Director of Business Development. Eric helps Security Compass’s largest customers (in finance, technology, health, oil & gas) address Security, Privacy, and Compliance for software applications at scale. Eric is a career application security expert (security consulting, static analysis, and dynamic analysis).

Members of the ISC2 East Bay and ISACA Silicon Valley Community on April 29th had an opportunity to review reasons to quickly adopt the newly released Cloud Security Alliance, Cloud Controls Matrix V4.0 Cloud Controls Matrix (CCM), a Cybersecurity Control Framework (cloudsecurityalliance.org). As part one of a two-part discussion, that evening covered some of the common pitfalls that plague our efforts as a community, and as promised, this May 13th, 2-hour event offers a chance to continue with a deeper technical dive.

  • What major regulations completely changed over the last 24 months? Why update everything now? (What’s the domino effect of waiting?)
  • Which are the key new requirements, such as Cryptographic Controls and new legal considerations for IoT?
  • How are DevOps and SecOps better represented in the new standards? (NIST/CCM)
  • Who and where are the working groups we can interact with to accomplish new mapping?
  • What are the common pitfalls in the notation for ISO and NIST standards? How can these be overcome?

Here are the Part One slides: CSA CCM 4 Robin Basham ISACA SV April 28 2021

This discussion covers the following:

Major cloud providers expect to use the Cloud Security Alliance’s CCM 4.0 as the backbone supporting their security program policies, programs, and audits.

Leveraging existing AICPA SOC 2, HITRUST, PCI DSS V3.2.1, FedRamp, DFARS CMMC, ISO/IEC 27001 plus Privacy, Processing and Cloud requires a detailed understanding of these frameworks – i.e., experience completing engagements to do this work.*

Creating usable cyber framework mapping is an exercise that drives common language across all policies and programs and is necessary for meaningful resilience and compliance. Volunteers generally can’t do it, and it is increasingly necessary (CMMC).

The available mappings offered by AICPA, NIST, HITRUST, and CSA have proven unhelpful. As a community, it’s up to us to restore consumer confidence in using CCM 4.0 as a mapped framework. We also seek to support NIST’s expanded efforts for SP-800-53 r5, SP-800-53B, NIST SP-800-171r2, SP-800-172 Cybersecurity

So, what’s in the new standard and why is mapping so hard?

How can we effectively map this -> to that?

ISO/IEC 27001:2013 – Information security management systems — PIMS Requirements
ISO/IEC 27002:2013 – Information security management systems — Requirements
ISO/IEC 27017:2015 – 27002 for cloud services
ISO/IEC 27701:2019 – privacy information management — Requirements and guidelines
ISO/IEC 27018:2019 – (PII) in public clouds acting as PII processors
NIST 800-171 r2 Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations
NIST 800-172 Enhanced Security Requirements for Protecting Controlled Unclassified Information
NIST 800-53 r5 Security and Privacy Controls for Information Systems and Organizations
PCI DSS V3.2.1 Copyright © 2018 VISA
2017 Trust Services Criteria © 2017 AICPA

Audit and Assurance – A&A: Audit and Assurance Policy and Procedures; Independent Assessments; Risk-Based Planning Assessment; Requirements Compliance; Audit Management Process; Remediation
Application and Interface Security – AIS: Application and Interface Security Policy and Procedures; Application Security Baseline Requirements; Application Security Metrics; Secure Application Design and Development; Automated Application Security Testing; Automated Secure Application Deployment; Application Vulnerability Remediation
Business Continuity Management and Operational Resilience – BCR: Business Continuity Management Policy and Procedures; Risk Assessment and Impact Analysis; Business Continuity Strategy; Business Continuity Planning; Documentation; Business Continuity Exercises; Communication; Backup; Disaster Response Plan; Response Plan Exercise; Equipment Redundancy
Change Control and Configuration Management – CCC: Change Management Policy and Procedures; Quality Testing; Change Management Technology; Unauthorized Change Protection; Change Agreements; Change Management Baseline; Detection of Baseline Deviation; Exception Management; Change Restoration
Cryptography, Encryption and Key Management – CEK: Encryption and Key Management Policy and Procedures; CEK Roles and Responsibilities; Data Encryption; Encryption Algorithm; Encryption Change Management; Encryption Change Cost Benefit Analysis; Encryption Risk Management; CSC Key Management Capability; Encryption and Key Management Audit; Key Generation; Key Purpose; Key Rotation; Key Revocation; Key Destruction; Key Activation; Key Suspension; Key Deactivation; Key Archival; Key Compromise; Key Recovery; Key Inventory Management
Datacenter Security – DCS: Off-Site Equipment Disposal Policy and Procedures; Off-Site Transfer Authorization Policy and Procedures; Secure Area Policy and Procedures; Secure Media Transportation Policy and Procedures; Assets Classification; Assets Cataloguing and Tracking; Controlled Access Points; Equipment Identification; Secure Area Authorization; Surveillance System; Unauthorized Access Response Training; Cabling Security; Environmental Systems; Secure Utilities; Equipment Location
Data Security and Privacy Lifecycle Management – DSP: Security and Privacy Policy and Procedures; Secure Disposal; Data Inventory; Data Classification; Data Flow Documentation; Data Ownership and Stewardship; Data Protection by Design and Default; Data Privacy by Design and Default; Data Protection Impact Assessment; Sensitive Data Transfer; Personal Data Access, Reversal, Rectification and Deletion; Limitation of Purpose in Personal Data Processing; Personal Data Sub-processing; Disclosure of Data Sub-processors; Limitation of Production Data Use; Data Retention and Deletion; Sensitive Data Protection; Disclosure Notification; Data Location
Governance, Risk and Compliance – GRC: Governance Program Policy and Procedures; Risk Management Program; Organizational Policy Reviews; Policy Exception Process; Information Security Program; Governance Responsibility Model; Information System Regulatory Mapping; Special Interest Groups
Human Resources – HRS: Background Screening Policy and Procedures; Acceptable Use of Technology Policy and Procedures; Clean Desk Policy and Procedures; Remote and Home Working Policy and Procedures; Asset Returns; Employment Termination; Employment Agreement Process; Employment Agreement Content; Personnel Roles and Responsibilities; Non-Disclosure Agreements; Security Awareness Training; Personal and Sensitive Data Awareness and Training; Compliance User Responsibility
Identity and Access Management – IAM: Identity and Access Management Policy and Procedures; Strong Password Policy and Procedures; Identity Inventory; Separation of Duties; Least Privilege; User Access Provisioning; User Access Changes and Revocation; User Access Review; Segregation of Privileged Access Roles; Management of Privileged Access Roles; CSCs Approval for Agreed Privileged Access Roles; Safeguard Logs Integrity; Uniquely Identifiable Users; Strong Authentication; Passwords Management; Authorization Mechanisms
Interoperability and Portability – IPY: Interoperability and Portability Policy and Procedures; Application Interface Availability; Secure Interoperability and Portability Management; Data Portability Contractual Obligations
Infrastructure and Virtualization Security – IVS: Infrastructure and Virtualization Security Policy and Procedures; Capacity and Resource Planning; Network Security; OS Hardening and Base Controls; Production and Non-Production Environments; Segmentation and Segregation; Migration to Cloud Environments; Network Architecture Documentation; Network Defense
Logging and Monitoring – LOG: Logging and Monitoring Policy and Procedures; Audit Logs Protection; Security Monitoring and Alerting; Audit Logs Access and Accountability; Audit Logs Monitoring and Response; Clock Synchronization; Logging Scope; Log Records; Log Protection; Encryption Monitoring and Reporting; Transaction/Activity Logging; Access Control Logs; Failures and Anomalies Reporting
Security Incident Management, E-Discovery, and Cloud Forensics – SEF: Security Incident Management Policy and Procedures; Service Management Policy and Procedures; Incident Response Plans; Incident Response Testing; Incident Response Metrics; Event Triage Processes; Security Breach Notification; Points of Contact Maintenance
Supply Chain Management, Transparency, and Accountability – STA: SSRM Policy and Procedures; SSRM Supply Chain; SSRM Guidance; SSRM Control Ownership; SSRM Documentation Review; SSRM Control Implementation; Supply Chain Inventory; Supply Chain Risk Management; Primary Service and Contractual Agreement; Supply Chain Agreement Review; Internal Compliance Testing; Supply Chain Service Agreement Compliance; Supply Chain Governance Review; Supply Chain Data Security Assessment
Threat and Vulnerability Management – TVM: Threat and Vulnerability Management Policy and Procedures; Malware Protection Policy and Procedures; Vulnerability Remediation Schedule; Detection Updates; External Library Vulnerabilities; Penetration Testing; Vulnerability Identification; Vulnerability Prioritization; Vulnerability Management Reporting; Vulnerability Management Metrics
Universal Endpoint Management – UEM: Endpoint Devices Policy and Procedures; Application and Service Approval; Compatibility; Endpoint Inventory; Endpoint Management; Automatic Lock Screen; Operating Systems; Storage Encryption; Anti-Malware Detection and Prevention; Software Firewall; Data Loss Prevention; Remote Locate; Remote Wipe; Third-Party Endpoint Security Posture

Your speaker tonight is ISC2 East Bay’s own, Robin Basham, Owner EnterpriseGRC Solutions, President, ISC2 East Bay, Certified Information Systems Security (CISSP), Audit (CISA), Governance (CGEIT) and Risk (CRISC), and GRC expert. Robin recently contributed a mapping refresh for NIST 171/172 to Dr. Ron Ross FISMA team and is currently contributing to the CCM Mapping for version 4.0. She is also a past board member of the ISACA SV Chapter.

April 8th, 2021, Member Meeting Zero Trust Data Protection

Thursday, April 8th, 7:00 – 9:00 PM

The Slides! Zero Trust Data Protection

For those who missed the event, here’s the playback link.


Zero Trust Data Protection
A new approach to protecting data is being adopted across organizations that have a remote workforce accessing cloud applications (and data) outside of their network. The essentials of Zero Trust Data Protection are simple and powerful:

  • Never trust, always verify – continuously
  • Identity: Conditional access to web, apps, app instances is based on user, device, application risk
  • Applications: Contextual activity controls are given within each and every app based on these risk levels
  • Data: Advanced cloud data protection policy actions are enforced, with user coaching, to protect sensitive data, across documents, images, screenshots, etc.

Attend this session to learn about the fundamentals of zero trust data protection along with a live demo (powered by Netskope) of real-world use cases.

Bob is the Vice President and Chief Evangelist at Netskope, a market-leading cloud security firm. Bob is a prolific speaker and product demonstrator, reaching live audiences in more than 45 countries over the past decade. Bob also has a passion for teaching: he is the Program Director for the cybersecurity program at ESADE’s International Business School and has been a guest lecturer at the University of San Francisco’s MBA class each spring for the last five years. His career spans more than 25 years in Silicon Valley, where he has held leadership roles in product management and product marketing at various technology companies.
Before Netskope, Bob was the Chief Evangelist at Riverbed and was a member of the pioneering product team that grew Riverbed from a small start-up of fewer than ten employees to a market leader with more than 3,000 employees and $1B in annual revenue. Bob was first introduced to the world of cybersecurity as a teenager in the 80s, when he hosted a popular bulletin board system (BBS) and had to develop security software to prevent hackers from infiltrating the site he hosted from his parents’ home.

March 11TH, 2021 MEMBER MEETING SAP Data Custodian for Cloud Data Security

Topic: SAP Data Custodian for Cloud Data Security

March 11th 7 PM to 9 PM Playback Link

Learn more about SAP Data Custodian

Data is the most precious commodity for companies, and it needs to be protected at all costs. It is an increasing challenge for our customers to protect and retain control of their data as they move from an on-premises world into cloud and SaaS environments. Customers further face a wide range of stringent data protection regulations in various regions and countries as they move into a globally connected cloud. These regulations demand strict data storage controls in terms of geo-location and contextual data access controls based on user attributes such as geo-location, citizenship, job contract type, and department. These data protection regulations impose heavy penalties for data breaches: a single data breach can be critically detrimental to a company.
One of the most common requests from cloud customers is around geo-location: “Where is my data? How can I see where my data is and who is accessing it?”
This presentation will outline industry approaches (or lack thereof) to address the following topics:

  • full stack transparency
  • data residency controls
  • contextual application access control
  • data discovery
  • anomaly detection
  • customer-controlled encryption keys
  • and finally, “where is my data going?”

Further, the presentation will suggest how SAP Data Custodian offers a wide range of powerful data security features to help our customers protect their data in the cloud and to get full control of their data in the cloud. These features include full-stack transparency, data residency controls, contextual application access control, data discovery, anomaly detection, and customer-controlled encryption keys. These features help our customers meet their data protection regulations, data sovereignty and business compliance requirements.

Dr. Wasif Gilani is Vice President / Head Product & Solution Management in SAP Multi-Cloud organization, leading strategic cloud data security and data protection solutions. Wasif is also the Chief Product Owner of the SAP Data Custodian solution, an initiative that he started in 2017, and which won the prestigious International Association of Privacy Professionals (IAPP) innovation award in 2019. Wasif has been working with SAP for 14 years and has worked extensively in the areas of Cloud Computing, Data Security, Data Protection, Business Intelligence, Business Process Management, and System Engineering.

(ISC)2 East Bay Chapter