
Welcome to COSAC's first event in Asia-Pacific, hosting the inaugural SABSA APAC Congress. 

Our agenda has been selected by previous COSAC participants to ensure sessions are unique, timely, cater for the participative COSAC ethos and deliver value for experienced security practitioners. 

Tuesday 5th December 2017

09:30 - 10:00 Delegate Registration & Coffee

Plenary Session

10:00 1P: Premium Value: Exceptional Trust Speaker(s): David Lynas

David Lynas

Chairman, COSAC (Northern Ireland)

David Lynas is currently enjoying his thirty-fifth year of experience in Information Security, during which he has been invited to provide strategic advice to governments and industry clients on every continent. A globally renowned Enterprise Security Architect, Security Strategist, and Thought-Leader, he is the co-author of SABSA (the world’s leading free-use, open-source Security Architecture Methodology), CEO of the SABSA Institute and CEO of David Lynas Consulting.

Welcome to a unique and special event that is destined to become APAC’s premium annual forum for elite professionals.

This brief introductory session sets expectations for the week: it describes the COSAC ethos and trust culture, and sets the tone through interaction and participation. 

We will also discuss the rules and conventions for sessions and discussions held under Chatham House Rule or subject to full Non-Disclosure.

10:40 - 11:00 Morning Coffee

11:00 2A: Banking Under a Tree: Architecting for Mobility Speaker(s): MZ Omarjee

MZ Omarjee

Enterprise Security Architect, Standard Bank (South Africa)

Muhammed Zubair (Mz) Omarjee is an Enterprise Security Architect within the Group IT Plan function of Standard Bank Group South Africa. He is instrumental in defining the security technology strategy and plays a pivotal role in shaping the information security practice as a transformative, business-driven and risk-oriented discipline.

In an effort to create new business revenue models as well as extend banking services to growing business segments, this session will demonstrate how a strategic security solution approach can enable the business to adapt its strategy to support a Channel Convenience strategy, allowing customers to bank anywhere, from any device and at any time, leveraging innovative technologies offered through emerging mobility platforms.

In addition, the session will aim to:

- Provide an understanding of the mobile business problem domain and its related complexities at a major bank
- Show how to analyse business strategy to define business security requirements and key business attributes
- Illustrate how the business problem can be solved through the design, creation and population of SABSA-styled domain maps and entities
- Indicate the various emerging security mechanisms, through associated product components and service management capabilities, that solve the business problem of mobility
- Address in-house organizational challenges:
  - Comparison of tactical “build” versus “buy” decisions on security solutions, and their associated trade-offs

11:00 2B: Visualising Organisational Threat & Risk Speaker(s): Jason Kobes, William Schultz

Jason Kobes

Principal Cyber Architect, Northrop Grumman (USA)

Jason Kobes works as a Principal Cyber Architect & Research Scientist in Washington, DC for Northrop Grumman Corporation. Jason has over 20 years of experience concentrated in information systems design analytics, business/mission security architecture, enterprise risk management, information assurance research, and business consulting. Jason has a Master of Science in Information Assurance (MSIA) and a Bachelor of Science in Computer Science from Iowa State University.

William Schultz

Principal Security Architect, Vanderbilt University Medical Centre (USA)

Bill Schultz is a security architect who has worked in the Information Technology field for over 14 years, with a focus on Enterprise Architecture, Security Architecture, Risk Management & Compliance. Bill has built security programs and risk management programs, and has developed strategic architectures and technical system architectures. Bill has led risk management & security architecture initiatives to build secure systems that comply with Federal, Healthcare, or PCI Standards.

Risk managers often find it difficult to communicate threats and risk (and the difference between them) to those who must understand what is at stake in the context of the organization's mission. Identifying ways to model and visualize risk is key to helping stakeholders determine which mission objectives or organizational assets are at risk, and where risk treatments are needed. To add to the complexity, many risk managers have to give assessments on the fly, or at short notice. There are many effective methods that can be used to model risk and address these challenges, and this workshop aims to explore different risk and threat modeling methods and practices. In this highly interactive session we will work in groups to visually model risk on the fly in a 15-20 minute activity based on a challenging mission scenario. We will then share, brainstorm, and discuss the advantages and disadvantages of these risk models.

12:20 3A: How to Implement SABSA in a Major Enterprise Speaker(s): Shane Tully

Shane Tully

Global Enterprise Security Architect, CBA (Australia)

Shane is an enterprise security architect with experience in Australian state government agencies, transport and financial services industries. His interest is in the security of international businesses. Shane was the founder of the Oneworld® airline alliance IT Security Forum; a founding member of the board of management of the global security thought leadership group, The Jericho Forum and an invited SCADA representative to the Australian Government IT Security Expert Advisory Group (ITSEAG).

This session is a real-life case study based on personal experience of updating an existing Enterprise Security Architecture using the SABSA framework in a major enterprise. The presentation covers the security challenges along the way, understanding what you can solve, avoiding scope issues, the evolution of security controls, mapping responsibility between different security teams, aligning the architecture with the operational security lifecycle, and ends with some of the important lessons learnt along the way.

12:20 3B: The Behavioural Economics of Cyber Security Speaker(s): Craig Templeton

Craig Templeton

CISO, REA Group (Australia)

Hailing from Northern Ireland, Craig Templeton brings over 22 years' experience to the security field, having worked for a variety of blue-chip organisations globally. With his no-nonsense approach, Craig is widely known for not conforming to traditional approaches to solving security problems. Over the last 5 years Craig has focused on the behavioural aspects of security, winning Security Professional of the Year at the AISA National Conference in 2015.

If the focus of cybersecurity programs continues to be on designing better technologies to combat the growing menace of cyberattacks, we’ll continue to neglect the most important aspect of security — the human in the middle.

Put simply, there's a language problem in Security. Some say that we need a war on cyber-crime. Craig says we need a war on security bullshit.

Insights from behavioural economics and psychology show that human judgment is often biased in predictably problematic ways - where decision makers use flawed mental models to help them determine where and how much investment is necessary.

For example, they may think about cyber defence as a fortification process — if you build strong perimeters with well-manned turrets, you’ll be able to see the attacker from a mile away. Or they may assume that complying rigidly with a security framework or standard is sufficient. They may also fail to consider the counter-factual thinking, "We didn’t have a breach this year, so we don’t need to ramp up investment" — when in reality they probably either got lucky this year or are unaware that a bad actor is already lurking in their system.

The problem with these mental models is that they treat cybersecurity as a finite problem that can be solved, rather than as the ongoing process that it is. That’s why cybersecurity efforts have to focus on building security aware cultures.  Because people beat technology.  Leading research shows that attitudes to security are a stronger indicator of resilience to cyber-attack than compliance.

In his presentation, Craig will describe his strategy at REA Group and how he is building a ‘values led’ security culture, and importantly, why this matters.

13:30 - 14:30 Lunch

14:30 4A: Using SABSA to Architect Zero Trust Networks Speaker(s): Chris Blunt

Chris Blunt

Director, Consulting Partner, Axenic (New Zealand)

Chris is a Consulting Partner at Axenic Ltd, a specialist independent information security and privacy consultancy he co-founded in 2009. He has over 22 years of experience in the ICT industry, specialising in security and privacy for the last 11 years. He is an exponent of business-driven security and is passionate about delivering pragmatic advice that enables his clients to achieve their business goals and objectives. He is also a committee member for BSides Wellington.

In 2014, Google threw away its traditional approach to securing its services and reimagined what security should look like to be truly effective in today's world of distributed teams, systems, and applications.

They developed BeyondCorp, a perimeterless architecture that does away with the idea of trusted networks and treats all applications as if they are Internet connected, thereby creating an environment that is zero-trust by default. Every request is authenticated and authorised in real-time based on a set of dynamic conditions that considers changes in user status and device state.

This interactive session will explore how to apply SABSA to architect a zero-trust network through the layers of the SABSA matrix. This will be supported by a sanitised case study to highlight and discuss the real-world challenges, and how they were overcome, when architecting a zero-trust network for a New Zealand organisation.

14:30 4B: Defending the Modern Castle Speaker(s): John O'Leary

John O'Leary

President, O'Leary Management Education (USA)

John O'Leary, CISSP, is President of O’Leary Management Education. His background spans four decades as an active practitioner in information systems, IT Security and contingency planning. He has designed, implemented and managed security and recovery for networks ranging from single site to multinational. John has trained tens of thousands of practitioners, and conducted on-site programs at major corporations and government facilities worldwide. John was the recipient of the 2004 COSAC award.

Warfare and the arts of intrusion have advanced considerably since the days of King Arthur and the Knights of the Table Round, but in many ways the principles of fortification we use in 2017 remain the same as those used in 1017. The great castles of antiquity were ingeniously designed with multiple layers of physical security to protect their inhabitants from persistent, even advanced enemy threats. Towers and moats and archery slits and murder holes and a trained castle army provided effective physical security for the castle dwellers (and maybe the local peasantry). Their carefully planned and creative defensive measures provide rich metaphors, both positive and negative, for ourselves as today’s cyber guardians. 

On the other hand, clever, daring, sometimes brilliant offensive strategies and tactics have historically breached battlements thought to be unassailable. New and better defenses were almost always defeated by newer and better offensive strategies or machines, which, in turn spurred newer defensive weapons and tactics. Still, most of the castles we see today are ruins. And not always merely because of age. We’ll examine defensive and offensive strategies and identify lessons that can be applied to securing our own sophisticated digital fortresses. 

15:40 - 16:00 Afternoon Coffee

16:00 5A: The Playground of Risk Speaker(s): Allen Baranov

Allen Baranov

Principal Consultant, Elucidate Solutions (Australia)

Allen Baranov has more than 20 years of Information Security experience and almost 5 as a SABSA® practitioner. He has worked in South Africa and Australia across large, small and tiny organisations as everything from Firewall Administrator to head of Information Security. As a speaker he presents topics from interesting angles and was the People’s Choice at IT Web Security Conference, South Africa’s largest conference. 

First presented at a SABSA World Event in Melbourne to great acclaim, this session will explore an unexpected avenue to risk & risk management. 

An eye-catching Standard listed on the Australian Standards website defines “risk” in the most interesting way possible. This happens to be AS-4685 and it is the Australian Standard for playground equipment. “Wait…What?”. 

Yes, the Australian Standard for playground equipment defines “risk” in a better way than anything in the 27000 (and possibly 31000) range of Standards. 

This playground equipment analogy is perfect for discussing how Information Security should view risk and how architectures should be designed. The extended analogy becomes very useful as it is designed around risk (injury) vs reward (fun).

The value of this approach lies in an “out of the box” way to think about designing safe environments balancing (no pun intended) the risk aspect. It builds on the SABSA theory that architecture should take into account the opportunity cost of restricting business aims. Security professionals tend to take our views to be sacrosanct and this session will provide a fresh view on the topic, along with clear guidance on the roles in Risk Management.

16:00 5B: Commit - Plan - Deliver: 21 Years in the Middle Speaker(s): Michael Hirschfeld

Michael Hirschfeld

First Assistant Secretary, Department of Finance (Australia)

Michael is acting Chief Information Officer and First Assistant Secretary, IT and Workplace Division in the Australian Commonwealth Department of Finance and has executive responsibility for ICT as well as physical security within that agency. He has previously held senior roles with a number of Australian government agencies, including as Assistant Secretary for ICT Planning and Governance at the Australian Department of Foreign Affairs and Trade.

I have held middle management and senior executive roles in Security, ICT Security, and ICT in general in various Australian Government Agencies over the past 23 years.

I have learnt a lot about managing the delivery and leading the strategic improvement of these fields. I also have much, much more to learn.

Many believe that great leaders are born and not made – this may be true - but good leaders and great managers are, more often than not, made through the dedication to personal development of individuals.

There are innumerable capabilities and skills that take us from being technical experts to being good managers and then good leaders. In this presentation, I will share some of my experiences and tools that can be used to help you manage your deliverables and career.

There are a number of topics to cover - this session will focus on three fundamentals: committing to action, planning and delivery. Understanding the nature of commitment to action, and whether your team has committed to what you are committed to. How do you successfully plan tasks for teams and projects, and then, how do you make sure you and your team deliver successfully?

17:20 6A: How to Herd White Cats in a Snowstorm Speaker(s): David Lynas

David Lynas

Chairman, COSAC (Northern Ireland)

David Lynas is currently enjoying his thirty-fifth year of experience in Information Security, during which he has been invited to provide strategic advice to governments and industry clients on every continent. A globally renowned Enterprise Security Architect, Security Strategist, and Thought-Leader, he is the co-author of SABSA (the world’s leading free-use, open-source Security Architecture Methodology), CEO of the SABSA Institute and CEO of David Lynas Consulting.

Transforming the Conversation on Governance, Policy & Risk Ownership

“It is curious how often you humans manage to obtain that which you do not want.”

Spock (Star Trek)

The issue has been swept under the carpet and we like to pretend that we have not noticed, so whisper it softly...

...The Emperor has no clothes. He opened a can of worms only to find a horrible ball of spaghetti, and as a result made an unholy mess of a horse’s ass.

We follow the defined practices for Governance, Policy & Risk like sheep. But while we as professionals love the subject of ‘rules’, the reality is that we as humans resist policy, hate being told what to do, and often enjoy the thrill of taking risk.

“It is difficult to get a man to understand something when his salary depends on not understanding it”

Upton Sinclair (I, Candidate for Governor: and How I Got Licked)

The psychology and ethos we have employed to create Governance, Policy & Risk structures in our organisations is historically deeply flawed and inverted. It is completely unworkable to force a group of human beings to do something they do not want to do and it is totally unsustainable to prevent human beings from doing something they do want to do.

“Humans have a unique ability to listen to one story and understand another”

Pandora Poikilos (Excuse Me, My Brains Have Stepped Out)

Traditionally, we sell fear, uncertainty and doubt to stakeholders who really want enablement, excellence and value. The experts tell us that we should use an holistic framework to provide value and to separate Governance from Management but what they don’t tell us is how to achieve that.

This session will examine why the universe of Governance, Policy & Risk is broken and, more importantly, how to use SABSA Architectural structures to transform the conversation, repair the problem, and create proactive, clear, instinctive, business-enabling, positive and motivating Governance, Policy & Risk models.

17:20 6B: Going Bust: The CISO's Perspective Speaker(s): Michael Wallmannsberger

Michael Wallmannsberger

Consultant, Wallmansberger Ltd (New Zealand)

Michael Wallmannsberger is an independent security consultant and Chair of New Zealand's CERT Establishment Advisory Board. He was the Chief Information Security Officer at Wynyard Group, a NZX-listed New Zealand software company, and a consultant and lead security architect at ASB Bank. His governance experience includes serving as a member of the board of New Zealand's national standards body, Standards NZ, and New Zealand's ccTLD manager, InternetNZ.

Being the CISO of a multinational software and cloud vendor that becomes insolvent is a unique learning opportunity. However, it is not one to seek out or wish for. This case study shares the lessons and insights from the speaker’s experience managing information security during a company’s statutory administration.

Large firms sometimes evaluate a vendor’s financial stability during procurement. However, a previously sound supplier becoming insolvent seems to be a mostly neglected risk. What happens to a company’s management of its security controls and obligations during bankruptcy or administration?

This case highlights new issues arising in a world where handing data over to investor-funded (i.e. unprofitable) public cloud providers is the new normal. It examines the implications for security practitioners, including how we might better prepare for the possibility that our business, or a supplier’s business, fails.

If your cloud provider becomes insolvent, who secures your information? Can you get the data out? What happens to as-a-service cloud infrastructure when you stop paying the monthly bill? Managing IT and information security through statutory administration had many challenges, some obvious but also many that were unexpected.

If selected, this talk will be presented first at COSAC & SABSA APAC 2017.

About the company:

Wynyard Group listed on the New Zealand Stock Exchange in 2013, raising $65 million, and subsequently raised a further $110 million from the market before its fortunes declined and its board decided to put the company into voluntary administration in October 2016.

Networking & Dinner

18:45 Drinks Reception
19:30 Dinner

Wednesday 6th December 2017

09:00 - 09:30 Delegate Registration & Coffee

Plenary Session

09:30 7P: Immutable Deadline: Maximum Outage Redefined Speaker(s): Tim Evans

Tim Evans

Assistant Secretary Commemorations, Dept of Veterans Affairs (Australia)

Tim Evans has been Assistant Secretary Commemorations at the Department of Veterans’ Affairs since 2009.  In this role he is responsible for programs to acknowledge and commemorate veterans’ service and sacrifice and promote an increased community awareness of Australia’s wartime and service heritage and veterans’ experiences. Tim has played a key role in the planning, coordination and delivery of national and international programs to mark the Anzac Centenary and the Century of Service.

We are all familiar with the Business Continuity Planning concept of ‘maximum allowable outage’.  But what if the tolerance for outage from every perspective (including process, management, social and political) is in fact truly zero?  What if the deadline is truly immutable?  What if ‘never-fail’ really means never…and you get only one shot to get it right?

This session explains and draws lessons from both federal elections and the Anzac Day centenary commemorations at Gallipoli in 2015: events with precise and immutable schedules and locations, come hell or high water – literally.

This session will provide valuable tactical and operational lessons and strategic concepts not just for mass public event organisers but for Business Management in general, BCP & Business Process practitioners, and the Security and Risk professions as a whole.

10:30 - 10:50 Morning Coffee

10:50 8A: Practical Implementation of SABSA Traceability Speaker(s): Andreas Dannert

Andreas Dannert

Enterprise Security Architect, Deloitte (Australia)

Andreas is an Enterprise Security Architect in Deloitte’s Cyber Risk Advisory Services line with over 25 years of experience in IT and security consulting. He has worked on defining the security architectures and models for various global organisations across various industries and global locations. In addition to his work at Deloitte Andreas is a long standing member of the ISACA Melbourne Chapter board where he held various positions as director and president.

While some organisations understand and can articulate their information security requirements, the less mature ones just ask for compliance with some of the major security control frameworks like ISO27001/2, NIST, PCI and any locally applicable policy and/or standard. As Security Architects we need to deal with these organisations as with any other client, i.e. turn the request around into a meaningful solution.

The problem here is not to design and implement a solution in line with these control frameworks, but to consolidate them and define a security architecture that can be actively managed as the organisation matures and its requirements change, as they most likely will. This requires a well-structured approach to integrating the control frameworks, which often just refer to each other, and turning them into meaningful designs without losing sight of risks and opportunities as part of the greater plan.

This session is based on a governmental agency that wants to do the right thing by its citizens, but also politically needs to justify what it is doing, i.e. provide traceability from requirements to implementation.

At the end of this session participants should have an idea of how they can tackle the issue of “security framework overload” by applying some simple techniques of security controls management and security architecture design documentation management.

The key takeaway from this session will be that applying some thinking of how to manage requirements, how to document and how to provide traceability can set the foundation of a more manageable security architecture design.

In the spirit of COSAC, this session is designed to be interactive and allows participants to share what their experiences were in similar scenarios before we will look at what happened in the real world case study this presentation is based on. This session will provide attendees with an insight into some issues that were encountered when developing a solution security architecture with the intention of providing a more structured approach of delivering security architecture.

10:50 8B: The Journey to Artificial Intelligence, and its Continuum Speaker(s): MZ Omarjee

MZ Omarjee

Enterprise Security Architect, Standard Bank (South Africa)

Muhammed Zubair (Mz) Omarjee is an Enterprise Security Architect within the Group IT Plan function of Standard Bank Group South Africa. He is instrumental in defining the security technology strategy and plays a pivotal role in shaping the information security practice as a transformative, business-driven and risk-oriented discipline.

Advances in technology have now made artificial intelligence (AI) a reality. This session will provide a cursory overview of Artificial Intelligence, explaining what Artificial Intelligence is through its various dimensions, its types and its categories of applications. The session will briefly cover some use cases as well as some considerations in selecting the relevant AI solution approach.

12:00 9A: SABSA in Law Enforcement & Border Protection Speaker(s): Paul Blowers

Paul Blowers

CISO & Director, New Zealand Police & Hi-Spec Security (New Zealand)

Paul Blowers has more than 30 years' experience in the Intelligence, Law Enforcement, Defence and Border Security environments and almost 10 as a SABSA® practitioner. He has spent the last 14 years in New Zealand, having previously worked in the USA, the UK and mainland Europe. Currently head of security for New Zealand Police, he also runs his own small company, Hi-Spec Security Limited, providing high-end consultation services.

On the 6th November 2014, Phillip John Smith left New Zealand on an aircraft bound for Santiago in South America. He had a ticket for onward travel to Rio de Janeiro in Brazil. 

Mr. Smith passed unimpeded through immigration and security checks at Auckland International Airport. He carried a New Zealand passport that had been issued 16 months earlier in his birth name.

Phillip John Smith-Traynor, as he has since become notoriously known, is a convicted prisoner, sex offender and murderer. He evaded authorities by exploiting loopholes in the NZ identity management legislation, the justice sector and ineffective border protection agency practices.

My presentation will demonstrate how I approached my Masters thesis to develop a solution that incorporates most aspects of the SABSA® matrix including the Operational Security Architecture.

It highlights the challenges faced by the Justice Sector and Border Protection Agencies, multi-government sector collaboration, legislative changes, individual business identity management programmes, strategy direction, policy changes and the potential for identity management technology transformation.

As part of my presentation I will present a prototype web-based application that has been developed in support of my Masters thesis and adapted to enable the semi-automation of the SABSA® Risk Assessment Method. 

12:00 9B: Making SABSA Stick: Business Analysis & Stakeholder Engagement Speaker(s): Victoria Czaplewski

Victoria Czaplewski

Change Management Consultant, David Lynas Consulting (USA)

Victoria Czaplewski, principal of Kalixity, LLC & Change Management Consultant for DLC, combines expertise in Organizational Change Management and Enterprise Business Analysis to assess and navigate the impacts of change and address consequences to culture, policy, processes, operations and organizational structures. She recognizes change as a prime opportunity to engage stakeholders in meaningful dialogue about the future state and to assess alignment to vision & mission. 

How Business Analysis and Stakeholder Engagement can help embed SABSA into the organizational culture.

Successful adoption of a business-driven enterprise security architecture doesn’t just happen. Embedding a sustainable security approach depends on an organizational mindset that’s sold on the business value of the SABSA methodology –  and willing, ready and able to embrace the cultural change required to make it happen. Achieving the right balance of business, technical and behavioral readiness requires an interdisciplinary strategy that starts with the guerilla infusion of Business Attributes Profiling capability into the organization.

This session proposes that Security professionals drive Business Attributes Profiling techniques into the hands – and minds – of the Business Analyst community within their organizations.

As our shoulder-to-shoulder allies, Business Analysts already share our interest in forging business solutions. They join us on the front line in requirements engineering and in interaction with our stakeholders. The benefits of adopting Business Attributes Profiling are proven in the context of enterprise security and become evident in application to any project or strategy in focus for Business Analysis.

The challenge lies in the change.

In addition to convincing our BA colleagues of the benefits of Business Attributes Profiling, we must also equip them to take it into the organization as a standard practice. Shifting away from “the way things have always been done around here” requires:

- Aligning SABSA methods to standard Business Analysis practices
- Identifying and engaging relevant stakeholders
- Analyzing the impacts of change
- Assessing organizational change readiness
- Developing effective messaging

Through demonstration and discussion, we’ll explore how to engage our Business Analysis stakeholders as partners in establishing SABSA as a way of life.

13:00 - 14:00 Lunch

14:00 10A: Selecting, Aligning & Effectively Using Compliance & Control Frameworks Speaker(s): Jason Kobes, William Schultz

Jason Kobes

Principal Cyber Architect, Northrop Grumman (USA)

Jason Kobes works as a Principal Cyber Architect & Research Scientist in Washington, DC for Northrop Grumman Corporation. Jason has over 20 years of experience concentrated in information systems design analytics, business/mission security architecture, enterprise risk management, information assurance research, and business consulting. Jason has a Master of Science in Information Assurance (MSIA) and a Bachelor of Science in Computer Science from Iowa State University.

William Schultz

Principal Security Architect, Vanderbilt University Medical Centre (USA)

Bill Schultz is a security architect who has worked in the Information Technology field for over 14 years, with a focus on Enterprise Architecture, Security Architecture, Risk Management & Compliance. Bill has built security programs and risk management programs, and has developed strategic architectures and technical system architectures. Bill has led risk management & security architecture initiatives to build secure systems that comply with Federal, Healthcare, or PCI Standards.

Security Programs are constantly challenged to adapt flexibly to organizational change and maintain compliance with regulatory requirements, while actively defending against an ever-changing array of IT threats. Leveraging existing frameworks or methodologies such as NIST or HITRUST allows organizations to take advantage of work already done to address common security concerns, but these need to be integrated in a way that allows the organization to effectively customize information security frameworks to its risk appetite. It can be challenging to identify which frameworks are most appropriate and where and when to apply them; however, this is a key component of a security architect's role.

This session will look at an organization that is leveraging SABSA architecture to do this and how it is addressing compliance requirements applicable to healthcare organizations (HIPAA, FISMA, and PCI). It will review some common security control frameworks, models, and methodologies that are being leveraged (NIST, HITRUST), and look at the risk management frameworks (SABSA, NIST, FAIR) that can be leveraged to efficiently address compliance challenges. We will explore how these frameworks, models, and methodologies overlap and complement each other, and how they can be practically integrated. Since there is a drastic difference between understanding a model and applying it, we will present several use cases and practical examples explaining how we have used these models, the lessons we have learned, and the challenges that remain.

14:00 10B: Attribute Function Deployment - Structuring Business Attribute Deployment Speaker(s): John Czaplewski

John Czaplewski

Director, David Lynas Consulting (USA)

John Czaplewski is a Director at David Lynas Consulting and the lead SABSA Instructor for North America. John has over 15 years' experience in providing security program, risk management and security assessment services to international enterprises and US Federal Agencies, and currently leads David Lynas Consulting's consulting practice. John also sits on the SABSA Institute's Board of Trustees.

Structuring Business Attribute Development and Deployment with AFD – Attribute Function Deployment

The SABSA Methodology transforms enterprise requirements, goals, and objectives into Business Attributes that form the deep core of an enterprise security architecture. AFD – Attribute Function Deployment – is a proposed method for the structured development of Business Attributes and their deployment into the enterprise security architecture. It is based on Quality Function Deployment (QFD), an established method for product planning and development that supports systematically translating customer wants and needs into products or services that satisfy them.

AFD adapts QFD to support the use of SABSA’s Business Attributes through all phases of the SABSA Life Cycle by integrating matrix-driven models and quality control techniques into a structured process for traceably translating and transforming enterprise requirements into business drivers for security, business attributes, logical security services, physical security mechanisms, and security service management activities.

In addition, AFD provides practical support for:

- Structuring captured information to enable analysis
- Analyzing information
- Prioritizing analysis inputs and outputs
- Correlating inter-element analysis to identify positive and negative associations
- Identifying and resolving conflicts
- Documenting, organizing, and using the results of analysis
- Communicating with stakeholders
- Developing consensus

AFD can be extended to integrate its core workflow stages with supporting and supported SABSA processes and models:

- Risk Assessment
- Risk Enablement
- Control and Enablement Objectives
- Multi-tiered Control Strategy
- Governance Model
- Extended RACI

The session will demonstrate AFD in action to deliver key SABSA Foundation Course IBFS Business Case-driven workshop objectives.

15:10 11A: Show Me the Controls! Speaker(s): Peter Nikitser

Peter Nikitser

Director, ALC Cyber Security (Australia)

Peter Nikitser is in his 30th year of IT, most of which has been spent in information security. He is a co-founding member of both AusCERT and SL-CERT. When he is not travelling teaching students or consulting, Peter spends time renovating his acreage, and can tell you all about lantana.

What happens when Cuba Gooding Jr meets a SABSA/TOGAF alignment consultancy?

As security professionals, we have most likely experienced client engagements where we have had to manage both scope and expectations. Whilst working for one of the big four consulting firms, we responded to an open tender asking for help with designing a security architecture framework based on SABSA for a Queensland state government agency, the duration of which was not to exceed six weeks.

Fair enough, sounds reasonable and straightforward, and we were more than happy to help them spend their end-of-year budget.

The response was sent to the client outlining the approach, highlighting any constraints and assumptions in our response and expectations of the client in arranging timely meetings with key stakeholders.

During the first week of the engagement, I asked for access to key stakeholders or their delegates, and was told that was not possible. It soon became apparent that I had stumbled across a long-standing cultural and political issue, and that I was not going to get an audience with key stakeholders or their delegates. Furthermore, the intent of the engagement started off with a desire to apply SABSA to the entire organisation, yet I uncovered they had already made an investment in TOGAF, which they neglected to mention in their RFP.

Where this engagement led to next, and the approach I had to take in order to manage their expectations, is what you will have to hear for yourself.

The presentation will demonstrate examples of the artefacts I produced, the adjustments that had to be made in order to accommodate the scope creep, and how I turned the engagement around to deliver a top-down meets bottom-up approach. And yes, I showed them some controls too …

15:10 11B: Critical Infrastructure (ICS/SCADA) – Keeping the Lights On Using SABSA Speaker(s): Christopher Beggs

Christopher Beggs

Managing Director, Security Infrastructure Solutions (Australia)

Dr Christopher Beggs is the Managing Director and ICS security program leader for Security Infrastructure Solutions (SIS). SIS specialises in Industrial Control System (ICS) security, safeguarding owners and operators of critical infrastructure within the Middle East and Asia Pacific regions. Christopher holds a PhD in Cyber-terrorism and SCADA security awarded by Monash University and is a Certified CSSA, SABSA and SANS-GIAC Security Professional.

Industrial control systems (ICS), such as supervisory control and data acquisition (SCADA) systems and distributed control systems (DCS), are used to operate, monitor and control electricity generation, transmission and distribution, oil and gas pipelines and refineries, water treatment plants, chemical factories, manufacturing, and transport infrastructure. Such systems, once isolated from corporate systems, are now becoming increasingly interconnected, exposing them to significantly more internal and external threats. Coupled with the ability to cause devastating impact, attacks on such utility companies have made them high-value targets.

This presentation will demonstrate how the application of the SABSA development process can serve to ensure that our infrastructure assets of national significance are resilient to cyber threats. Key artefacts from each architectural layer will be discussed, providing real-world working samples from the design and build of security architecture for ICS facilities, focusing on risk mitigation. The presentation will also show the integration of other ICS security standards, such as ISA/IEC 62443, with SABSA, extending the methodology from the corporate environment to incorporate industrial networks. Benefit from learning exactly how to develop a target-state security architecture and achieve controlled integration with corporate systems.

16:10 - 16:30 Afternoon Coffee

16:30 12A: How to Write a Great SABSA Advanced Exam Answer Speaker(s): Chris Blunt

Chris Blunt

Director, Consulting Partner, Axenic (New Zealand)

Chris is a Consulting Partner at Axenic Ltd, a specialist independent information security and privacy consultancy he co-founded in 2009. He has over 22 years of experience in the ICT industry, specialising in security and privacy for the last 11 years. He is an exponent of business-driven security and is passionate about delivering pragmatic advice that enables his clients to achieve their business goals and objectives. He is also a committee member for BSides Wellington.

Are you planning to sit a SABSA Advanced course? Or have you recently attended a course but haven’t yet written and submitted your exam answers? Then this is a session you can’t afford to miss!

During this interactive session we will explore and discuss a range of strategies for writing a great SABSA Advanced exam answer using model exam questions to show how to:

- evaluate the question to ensure you know what is being asked of you;
- use a hypothetical or real-world case study to frame your answer;
- plan and structure your answer to ensure that you cover each area of the question;
- assess the competency verbs in the question to ensure that you understand them and can meet them; and
- effectively present the application of your chosen combination of SABSA methodologies, techniques and approaches.

The presenter has scored 91%+ in their Advanced exams, and is a SABSA Chartered Architect Master (SCM) and a marker of Advanced exam papers.

The goal of the session is to provide the participants with a set of tools they can use to write great answers for their SABSA Advanced exams!

16:30 12B: Kick Starting SABSA in your Organization Speaker(s): Jason Kobes, William Schultz

Jason Kobes

Principal Cyber Architect, Northrop Grumman (USA)

Jason Kobes works as a Principal Cyber Architect & Research Scientist in Washington, DC for Northrop Grumman Corporation. Jason has over 20 years of experience concentrated in information systems design analytics, business/mission security architecture, enterprise risk management, information assurance research, and business consulting. Jason has a Master of Science in Information Assurance (MSIA) and a Bachelor of Science in Computer Science from Iowa State University.

William Schultz

Principal Security Architect, Vanderbilt University Medical Centre (USA)

Bill Schultz is a security architect who has worked in the Information Technology field for over 14 years, with a focus on Enterprise Architecture, Security Architecture, Risk Management & Compliance. Bill has built security programs, risk management programs, and developed strategic architectures and technical system architectures. Bill has led risk management & security architecture initiatives to build secure systems that comply with Federal, Healthcare, or PCI Standards.

Implementing SABSA in an organization can be a daunting task. Many architects face challenges getting started, such as dealing with culture, knowing where to start, and validating that they are on the right track, especially when they face organizational roadblocks. SABSA practitioners come out of self-study or SABSA training armed with new skills and ideas, but struggle to apply them in the complex situations of their organization.

In this session, we will use real-life examples of implementing SABSA in an organization to address some of the common pitfalls and hardships practitioners face when trying to introduce change in an organization, and some of the strategies that led to success. Some of the important concepts we will address include transition planning, understanding the time frame of change, enabling others (and championing their success) and adopting a mission assurance approach. We will also cover building a support team/network both within your organization and in the wider community.

Plenary Session

17:40 13P: COSAC Rump Session Speaker(s): David Lynas

David Lynas

Chairman, COSAC (Northern Ireland)

David Lynas is currently enjoying his thirty-fifth year of experience in Information Security, during which he has been invited to provide strategic advice to governments and industry clients on every continent. A globally renowned Enterprise Security Architect, Security Strategist, and Thought-Leader, he is the co-author of SABSA (the world’s leading free-use, open-source Security Architecture Methodology), CEO of the SABSA Institute and CEO of David Lynas Consulting.

The COSAC "rump" has for many years been a hugely popular closing session at COSAC and the SABSA World Congress. Now making its debut in APAC, it is an informal rapid-fire session in which participants give very short presentations on recent results, work in progress, and any other topic of interest to the COSAC community.

Presentations may be purely technical, entirely management oriented in nature, or of any combination of approaches or perspectives. Those wishing to give a talk at the rump session must submit a short abstract, no more than one page long, according to one of the following procedures:

- Electronic submission: Send email to the rump session chair David Lynas at [email protected] before 10AM Friday, December 1.
- Hardcopy submission at conference: Hand the submission to David Lynas at the conference before noon on Wednesday 6 December.

Submissions should include a requested amount of time for the presentation. An anticipated absolute maximum of four minutes will be allocated for each presentation.

Dinner & Networking

18:45 Drinks Reception
19:30 Dinner

Thursday 7th December 2017

09:30 - 10:00 Delegate Registration & Coffee

11:40 Morning Coffee
16:10 Afternoon Coffee

Workshop W1

10:00 Incident Handling Tabletop Workshop Speaker(s): Ahmed ElAshmawy, Chris Blunt

Ahmed ElAshmawy

Senior Information Security Consultant, Axenic (New Zealand)

Ahmed is a Senior Consultant at Axenic Ltd. He has significant experience as a trainer, as well as being a hands-on practitioner. He is a CERT-Certified Computer Security Incident Handler (CSIH) and an SEI-Authorised Instructor. He was previously a member of the technical team of Q-CERT, Qatar’s national Computer Emergency Response Team.

Chris Blunt

Director, Consulting Partner, Axenic (New Zealand)

Chris is a Consulting Partner at Axenic Ltd, a specialist independent information security and privacy consultancy he co-founded in 2009. He has over 22 years of experience in the ICT industry, specialising in security and privacy for the last 11 years. He is an exponent of business-driven security and is passionate about delivering pragmatic advice that enables his clients to achieve their business goals and objectives. He is also a committee member for BSides Wellington.

The incident handling tabletop workshop is a paper-based exercise that allows participants to detect and respond to real-life incidents, and provides them with hands-on incident handling experience.

Participants will be provided with a brief introduction that sets the context for the incident, including the technical environment, a generic incident handling process and an incident report template. In addition, they will be provided with a set of artefacts that include real-world indicators of compromise, which they must analyse to identify and respond to a set of incidents.

Participants must analyse the information provided to filter the “noise” from meaningful/useful information following the process provided. They will be expected to perform incident handling activities including detection, triage, analysis, containment, eradication and recovery, while communicating and escalating issues to management and relevant stakeholders (represented by the workshop facilitators).

The workshop has been developed to ensure that participants will go through all incident handling steps and will not get stuck in the incident detection phase. The timeline of the workshop is designed to provide participants with hints to ensure they detect the incidents before the allocated time expires. The workshop is supported by two facilitators to ensure timely response to participants’ inquiries.

Workshop W2

10:00 Wonderful, Terrible, Inevitable: Big Data, Analytics & IoT Speaker(s): John O'Leary

John O'Leary

President, O'Leary Management Education (USA)

John O'Leary, CISSP, is President of O’Leary Management Education. His background spans four decades as an active practitioner in information systems, IT Security and contingency planning. He has designed, implemented and managed security and recovery for networks ranging from single site to multinational. John has trained tens of thousands of practitioners, and conducted on-site programs at major corporations and government facilities worldwide. John was the recipient of the 2004 COSAC award.

Big Data and the Internet of Things are revolutionizing virtually every industry. We’re told of pinpoint accurate medical records and diagnostics, all-encompassing analytics, mastery of industrial processes, effortless control of our static and moving environments and complete connectivity and communication with anything and everything we might ever imagine being useful. Wonderful!

But COSAC delegates have an internal red flag that goes up upon hearing “It’s gonna be great!” Then those euphoria-deflating security questions start multiplying and running through our somewhat addled brains. Where is all this Big Data coming from? Where will it reside? Who controls it? Who grants access? On what basis? How do we know it’s accurate, relevant? Is it complete enough for life and death medical decisions? What about analytics system administration; data monitoring and correction procedures; incompatible security architectures? Oh yeah, and privacy?

What kind of security is built into all these Internet-connected devices? How easy is it to control access? Is the data they trade and store encrypted? Who’s liable if they fail or give erroneous signals?

Big Data and IoT are neither fads nor merely trends, they constitute a revolution. There’s no going back. Join us as we look from a security perspective at both the bright and dark sides.

13:30 - 14:30 Lunch

Forum F1

14:30 SABSA Open Forum Speaker(s): David Lynas

David Lynas

Chairman, COSAC (Northern Ireland)

David Lynas is currently enjoying his thirty-fifth year of experience in Information Security, during which he has been invited to provide strategic advice to governments and industry clients on every continent. A globally renowned Enterprise Security Architect, Security Strategist, and Thought-Leader, he is the co-author of SABSA (the world’s leading free-use, open-source Security Architecture Methodology), CEO of the SABSA Institute and CEO of David Lynas Consulting.

This Open Forum provides the first ever opportunity for the SABSA community in APAC to ‘rugby tackle’ the powers that be, pin them down, and get the answers and information they need. Members of the Board of Trustees of The SABSA Institute, work programme participants, and the SABSA community in general will join together to report, discuss and plan:

- What progress has been made by TSI’s Board of Trustees?
- What activities, developments and programmes are in progress?
- What needs to be done next to serve the needs of the SABSA community?

As an Open Forum, plenty of opportunity will be provided to raise your own specific questions and obtain answers.

Forum F2

14:30 1st APAC Roundtable Security Forum Speaker(s): John O'Leary

John O'Leary

President, O'Leary Management Education (USA)

John O'Leary, CISSP, is President of O’Leary Management Education. His background spans four decades as an active practitioner in information systems, IT Security and contingency planning. He has designed, implemented and managed security and recovery for networks ranging from single site to multinational. John has trained tens of thousands of practitioners, and conducted on-site programs at major corporations and government facilities worldwide. John was the recipient of the 2004 COSAC award.

For 17 years the International Roundtable Forum (run under NDA) has been for many participants the very embodiment of the COSAC ethos. Now for the first time John O’Leary brings his world-leading facilitation skills to run a half-day version at COSAC APAC.

The approach is straightforward: we fill a room with international information security veterans and present them with scenarios that have happened recently or probably will happen soon. The assembled delegates use the wisdom accrued in each of their 15+ years of solid IT security experience to examine the given scenarios from business, technical, political and any other viewpoints that might reflect on that situation or similar situations they have faced or analyzed. This puts immediate emphasis on one of COSAC’s most characteristic and valuable features: interactivity.

COSAC speakers (or moderators) realize that someone, maybe several people in the room, know more about the subject in dispute than the exalted session leader. Here is where COSAC consistently shows itself as the single best Information Security conference anywhere. COSAC session leaders draw out the room’s expertise and thus enrich the learning environment for everyone. In past forums, this moderator has learned much more from the delegates than any of them have from him.

In describing some recent event, the moderator poses a question or two about what the involved people did, whether it was appropriate, what other directions could have been taken, what alternative consequences might still be in play. Not surprisingly, there is often disagreement, occasional discord, but so far no duels. Appropriate solutions tend to be industry-based or public/private sector-based or organizational culture-based. The spirited discussions emanating from these very real differences augment learning for all.

We also predict the future for Information Security. 50 billion IoT devices by 2020! And no universally accepted security standards for them. How do we get our arms around that? Will legal systems ever catch up with technology? Where should we spend our security dollars?

Come help solve the problems of the world with a half-day immersion into the COSAC way.

Dinner & Networking

18:15 Drinks Reception
19:00 Dinner