COSAC APAC: Melbourne, 27-29 February 2024
For 30 years COSAC has delivered a trusted environment in which to deliver information security value from shared experience and intensive, productive, participative debate and development. #COSAC2024 Delegate Registration is now open with early-bird pricing available until 17 November 2023.
09:00 - 09:30 Delegate Registration & Coffee
09:30
11A: SABSA by Sea - Smooth Seas Do Not A Good Architect Make
Speaker(s):
Robert Laurie, Deputy CISO / Enterprise Security Architect, David Lynas Consulting (Australia). Rob is an Enterprise Security Architect with 17+ years' experience in the IT, application and security industries and holds several security designations within the sector. He is a committee member for the Australian Information Security Association (AISA) and is a member of the GIAC Advisory Board.
In this session, we demonstrate how risk floats exactly like bricks don't. Sailors will tell you that you want to sail as close to the wind as possible to maximise your speed, and this risk concept, while oft misused by the non-nautical, is a great analogy for maximising your performance in a risky environment. The often-tragic events in humanity's conquest of the great oceans demonstrate the severity of negative outcomes in a sea of ever-changing risks. In this SABSA presentation we take a deep dive into managing risk with SABSA, demonstrating clearly, using maritime successes and disasters, how doing business means taking risk. We ask how much risk is enough and how much risk is too much. We will get our feet wet answering the question: in the deep blue, do we always want to operate in the green? We will plumb the depths of SABSA attribute performance targets and suggest a raft of extensions to buoy our ability to manage risk within appetite, helping us sail closer to the wind to rapidly meet our goals. Attendees will take away new findings regarding SABSA performance targets, for both positive and negative risk and for systemic risk interactions, helping them and their organisations plot a course through the uncertain business risk environment. This session is recommended for anyone interested in measuring risk and would serve as a shipload of ideas for a SABSA Masters' thesis, telescoping suggested extensions to the framework to provide additional guidance to captains of change.
09:30
11B: The Risk Boomstick
Speaker(s):
Harley Aw, CISO, Phoenix HSL (Australia). Harley is an Information Security and IT industry veteran based in Sydney, Australia, with nearly 25 years in the retail, tertiary education, hospitality, sport and gaming, financial, government and resources sectors. He is a certified digital forensic examiner, cybersecurity incident handler, a member of the GIAC Advisory Board, a Founding Member of the SABSA Institute and a director of the SABSA Founders Bursary. He is currently the CISO of the international Phoenix Group.
"Alright, you primitive screwheads, listen up! You see this? This... is my BOOMSTICK!!!" – Ash Williams, Evil Dead 4. Ahhhhhhhhhhhhhhhhhh, Risk: no other topic bears as sweet a perfume, as intoxicating a character, as entrancing an allure... ... Nor, for some reason, as predisposing an invitation to an uninvited critique from those around you (including, I might add, from yours truly). That we all do this to each other is a good sign that the way we think about Risk is full of complexity, character and a seemingly bottomless well of nuance from which any amount of pithy insight can be drawn. 'That's all well and good, but you should model your opportunities.' 'I can see your inherent risks, but where are your cascading risks?' 'That's a discrete risk, what about the aggregate risk?' 'There's too much detail here, roll it up.' 'This is too abstract, break it down.' 'That's not a risk.' Yet amidst the hoity-toity brouhaha of the Risk enthusiast lies the rock-solid, time-worn lesson: suck at Risk and you suck at your job. That's why, shoppers, you need the RISK BOOMSTICK™! 25 years of not sucking at Risk is distilled down into an eensy weensy power-packed (like me) 1 hour presentation for your enjoyment, pleasure and 100% money-back-guaranteed satisfaction*. Chock-full of nuanced techniques, revitalised ideas and all-weather analysis ammo to get you out of any situation, this baby will eat up ANYTHING you feed it and never fail to deliver whatever is in your sights and on le plat du jour! That's right. Shop smart! Shop S-MART! * 100% money-back guarantee not included
10:20
12A: Business Trust Model using SABSA
Speaker(s):
Sarit Kannanoor, Consulting CISO, Digital Frontier Partners (Australia). Sarit is a highly accomplished security leader with experience in enterprise security architecture, security governance and security management. Sarit comes from an engineering, governance and technology background and looks at security from an "enterprise security as a system" view, not just from an Information Security, IT Security or Cyber Security viewpoint. Sarit has also consciously gained experience in all IT functions and a number of business functions (Governance, Risk, Compliance and...
Trust is an integral part of human nature and society. However, 'Zero Trust' is a hot topic among security professionals, vendors, regulators, assurers and business stakeholders. The immediate impression one gains from 'zero trust' is 'no trust', though the concepts and principles described by zero trust are about the maintenance and provision of continuous trust. The presentation uses SABSA frameworks and methodologies to argue the case for a holistic 'Business Trust Model' that can be architected to assist the business and its stakeholders in making informed decisions on the business trust strategy they could implement. The 'Business Trust Model' explores: the entities that play a part in providing business trust and their interactions; the definition of business trust as attributes of value to the business; the risks (opportunities and threats) associated with business trust; the use of attributes of business trust to map the capabilities of tools and processes related to business trust, and the means for justifying the capabilities required; the type of governance and assurance processes that are required for business trust to be immutable; the use and interplay of logical and physical domains in business trust; and the time dependencies related to trust.
10:20
12B: Chaos Comes to Threat Modeling
Speaker(s):
Jason Kobes, Tech Fellow, Northrop Grumman (USA). Jason Kobes works as a Tech Fellow for Northrop Grumman Corporation. Jason has over 20 years of experience concentrated in security digital transformation, systems engineering, information systems design analytics, business/mission security architecture, enterprise risk management, information assurance research, and using AI for automation. Jason has a Master of Science in Information Assurance (MSIA) and a Bachelor of Science in Computer Science from Iowa State University. Jason holds a...
William Schultz, Senior Director, Enterprise Cybersecurity, Vanderbilt University Medical Centre (USA). Bill Schultz is a practicing security architect who has worked in the Information Technology field for over 16 years, with the past 12 focused on Enterprise Architecture, Security Architecture, Risk Management and Compliance. Bill has built security programs and risk management programs, and has developed strategic organizational architectures and technical system architectures. Bill has led multiple risk management and security architecture initiatives.
Do we truly think like an adversary when we build threat models? Are we constrained by our own box of rational thought and outcomes, unable to understand the "irrational actor's" motives, tactics or outcomes? Is our "rational" understanding one of the key reasons we often fail to model the next obvious vulnerability in our systems? We will explore the blind side of how we approach threat modeling and discuss methods we could use to uncover and explore the methods of our adversary.
In this session we will leverage the work from the 2022/2023 working sessions at both COSACs. We will then build on these ideas with our combined experience, discuss what mechanisms and processes exist to help us unfold this difficult topic, and see if we can create a method to address these threats.
11:05 - 11:25 Morning Coffee
11:25
13A: The Grammar of Attributes, Requirements and ESA
Speaker(s):
Kirk Nicholls, Consulting Lead, No Duff Security (Australia). Kirk is a security advisor with a focus on disaster and incident response exercises. He develops and manages exercise programs through the discipline of serious games, using research-based practice. Through the lens of serious games, simulation and a military background he enables clients to gracefully handle the unexpected.
'Words mean things', as my Drill Sergeant once enthusiastically bellowed at me after I failed to communicate effectively. I came to understand this was because of the lethal consequences of the profession he was training me for. When undertaking any work as a risk professional, it behooves us to proceed with caution and choose our words wisely. Business Drivers, Attributes and the careful crafting of their definitions for the Enterprise to which they belong are foundational to the ESA toolbox. With our work, we hope to capture complexity within plain-language expressions while remaining flexible and removing ambiguity. This session is for those who feel that creating meaning from words is both a powerful and dangerous undertaking. These brave persons will want to better harness language for their work. It is also for anyone who enjoys a cheeky bit of wordplay. Attendees will be exposed to principles and tools from game design, systems engineering and linguistics. These concepts will be connected back to Security Attribute writing and demonstrate their utility for ESA. By the end of the session you will be equipped to define Requirements and Attributes with the decisiveness of James Murray heading the Oxford Scriptorium.
11:25
13B: Threat Modeling for Virtual Power Plants
Speaker(s):
Luke Lynch, Principal Technical Advisor, Trustwave (Australia). Luke is a Senior Technical Advisor at Trustwave specialising in security architecture services for critical infrastructure owners and operators. Luke is experienced in designing, implementing and managing a broad spectrum of cyber capabilities, and is equally conversant with cloud, enterprise and industrial control system contexts. Luke has deep knowledge of best-practice standards such as the ACSC Essential Eight, NIST Cyber Security Framework, MITRE D3FEND and the Cloud Controls Matrix, and...
As Australia continues to adopt renewable energy resources, virtual power plants (VPPs) are becoming an increasingly popular solution for integrating renewable energy sources into the grid. A VPP is a cyber-physical system that coordinates the operation of distributed energy resources (DERs) such as solar panels, wind turbines and energy storage devices. While VPPs offer numerous benefits, such as improved grid stability and flexibility, they also introduce new attack surfaces and opportunities for exploitation. This talk will review recent developments in VPP technologies and their security ramifications, and present a consolidated VPP threat model. As a class of emerging technologies where adoption tends to outpace security practice, threat modeling and security by design are imperative for VPPs. Architectural characteristics of VPPs can vary significantly depending on the deployment and operating model. However, a number of key features tend to recur and are worth noting from a security perspective:
Each of the above components possesses specific attack surfaces, each of which merits threat modeling in its own right. For example, compromise of developer access to the central VPP management platform, or compromise of its software supply chain, may allow an adversary to tamper with energy resource operations at scale or to penetrate further into the environments where DER devices are deployed. Such tampering may be pursued by direct modification of configuration parameters (e.g., setpoints) in the devices themselves, or through abuse of the rules that govern the VPP's energy management logic. In the onsite context, the inherently distributed nature of DER equipment may permit adversaries fairly liberal physical access to such devices, which represent an attractive foothold from which to probe the broader VPP architecture for vulnerabilities. The services supply chain for installation and commissioning of DER equipment, in which multiple sets of general contractors, subcontractors, installers and other third parties may have custody of a VPP-enrolled device throughout its lifecycle, is a common factor in VPP deployments that significantly extends the attack surface of the overall VPP. To correct the typical tendency for security to follow in the path of decisions already made, it is emphasised that critical infrastructure owners and operators who seek to benefit from VPP technologies should understand their threat model and use it to guide better security decisions for such projects. The resulting consolidated VPP threat model (aligned to the MITRE ATT&CK framework) presented in this talk is offered as a template for the community of critical infrastructure asset owners and operators to utilise as they see fit.
12:15
14A: Is Not a Thing of Beauty Bare? A Simple Graph Can Powerfully Communicate Thousands of Words
Speaker(s):
Duncan Hall, Strategy & Planning Manager, Ministry of Foreign Affairs and Trade | Manatū Aorere Aotearoa (New Zealand). I'm a member of The SABSA Institute (G001093) and a SABSA Chartered Security Architect (SCF13071903).
Over many years I have contributed in pro bono voluntary capacities to numerous not-for-profit civil society organisations and professional societies, and to authoring and reviewing good practice guidelines for software engineering. My ResearchGate site provides further information.
It can be difficult to explain SABSA's value to folk who have not actively become enmeshed in planning for, implementing or operating information security controls. I will present a simple (perhaps simplistic?) framework using graphical constructs of Linear Programming (LP) to convey, from a top-down holistic perspective, the value in business terms of adopting the SABSA framework to inform information security architecture development. By holistic, I mean that not all of SABSA's value can be easily communicated, even to a technologically erudite audience, using reductionist perspectives in which the value propositions are explained in terms of itemised lists of specific components and sub-models. In contrast, from a business and technology senior leadership perspective, key messages are best communicated verbally and visually in a 'BLUF' manner: Bottom Line Up Front.
To expand on the graphical LP construct, further details are best presented in subsidiary artefacts which can then be pored over by éminence grise functionaries.
12:15
14B: Major Incident Management for Small Teams
Speaker(s):
Jack Sussmilch, CISO & FSCS Champion, 460degrees (Australia). Jack Sussmilch has over 25 years' experience in the definition and enablement of both strategic and operational cybersecurity domains. He has a proven track record in working with business and IT leadership to mitigate cyber security risks in a measurable, scalable, repeatable and sustainable way across a broad range of technologies, compliance and cultural environments, in the context of historical, current and emerging threats.
Major incidents can be described as a form of organised chaos. As the duration of the incident response extends, the risks to your personnel can become extreme. These risks can, and often do, compromise the efficacy of the incident response. Jack has seen people physically collapse or even suffer heart attacks exacerbated by the evil nexus of exhaustion and stress. For smaller organisations and teams, fatigue management often becomes an afterthought during their first major incident, usually after someone "loses their shit". By preparing in advance, you can mitigate the adverse effects on your personnel and help to ensure a more rapid and effective response for the harder incidents that run into days, weeks and even months. In this session, Jack will describe the key artefacts that your Incident Response Plans, Disaster Response Plans and Business Continuity Plans should all leverage. These artefacts, and the forethought required to create them, will maximise the focus your key personnel can bring to bear on the incident at hand, help to ensure your response is not inhibited by the mistakes tired people make, and help to minimise the impact on your most important asset: your people.
13:00 - 14:00 Lunch
14:00
15A: Attributes of the Metaverse
Speaker(s):
MZ Omarjee, Head: Client Security and Moonshots, Standard Bank Group (South Africa). Muhammed Zubair (Mz) Omarjee is a former Enterprise Security Architect providing advisory to leading banking institutions in South Africa and abroad. He is instrumental in crafting technology strategies as they relate to digital transformation, mobile banking and cyber security. He plays a pivotal role in shaping information technology practices as a transformative, business-driven and risk-oriented discipline.
The session will illustrate how two key attributes can shape the discussion of the Metaverse: what it is in a business context, what it means from an end-user perspective, the types of metaverses, and a sequenced approach to shaping its delivery strategy. This session will share insights, as a case study, on how to introduce the concept to the organisation, through to creating awareness and balancing compliance and security requirements.
14:00
15B: Using Markov Chains to Estimate Security Risks in Descriptive System Models
Speaker(s):
David Keene, Sr Staff Cyber Architect, Northrop Grumman (USA). David is a Cyber Architect for Northrop Grumman, based in San Antonio, Texas. He holds both INCOSE Expert Systems Engineering Professional (ESEP) and (ISC)2 Certified Information Systems Security Professional (CISSP) certifications, and in his 40-year career (most of it at Northrop Grumman) he has worked in a variety of roles in software, systems and cybersecurity engineering. Recently, he has been working with NG's Digital Transformation initiative to help define new approaches to engineering...
The Markov chain is a well-known mathematical tool for evaluating the probability of a series of interdependent events. Risk-based domains such as reliability and security can make use of this state-based process model to better assess the likelihood of a given fault scenario, but such analyses typically take place in a fashion that is not integrated with the architectural/design model of the system of interest. As systems grow in complexity, our ability to fully understand the holistic nature of risks and how to manage them is increasingly challenged by the absence of established methods that can associate risk evaluations with those systems' authoritative architecture and design models, especially as the pace of engineering development processes quickens. This talk explores a method for modeling and analyzing system security risk using adaptations of the Risk Analysis and Assessment Modeling Language (RAAML). It provides the means to accurately express Markov processes in the same foundational language used for Model-Based Systems Engineering, thereby inherently improving the integration of security analyses and engineering development processes. This enhanced integration of processes can yield results that are both more timely and of better quality, thus increasing our confidence in the engineered system's security.
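As an added illustration of the Markov-chain idea in this abstract (this is example code written for this page, not the RAAML/MBSE method the talk presents, and the state names and transition probabilities are constructed rather than drawn from any real system), the following Python models an attack path as an absorbing Markov chain. It solves the standard fundamental-matrix equations to get the probability that the attacker reaches the objective before being detected, the expected number of steps before the scenario ends either way, and the change in compromise probability when a detective control is added at one stage:

```python
"""Absorbing Markov chain for an attack-path likelihood estimate.

Added example for this page; not the RAAML/MBSE method from the talk.
State names and transition probabilities are constructed for illustration.
"""
from typing import Dict, List, Tuple

# Transient states describe attacker progress; absorbing states end the scenario.
TRANSIENT = ["initial_access", "foothold", "privilege_escalation"]
ABSORBING = ["objective_reached", "detected_and_evicted"]

# P[from][to]: per-step transition probabilities (each row sums to 1).
# A self-loop is the attacker retrying without yet succeeding or being caught.
P: Dict[str, Dict[str, float]] = {
    "initial_access":       {"initial_access": 0.6, "foothold": 0.3, "detected_and_evicted": 0.1},
    "foothold":             {"foothold": 0.4, "privilege_escalation": 0.4, "detected_and_evicted": 0.2},
    "privilege_escalation": {"privilege_escalation": 0.3, "objective_reached": 0.5, "detected_and_evicted": 0.2},
}


def validate(p: Dict[str, Dict[str, float]]) -> None:
    """Reject chains whose rows do not sum to 1 or that reference unknown states."""
    for state, row in p.items():
        if abs(sum(row.values()) - 1.0) > 1e-9:
            raise ValueError(f"row {state!r} does not sum to 1")
        for target in row:
            if target not in TRANSIENT and target not in ABSORBING:
                raise ValueError(f"unknown state {target!r}")


def _solve(a: List[List[float]], b: List[List[float]]) -> List[List[float]]:
    """Solve A X = B (B may have several columns) by Gauss-Jordan elimination."""
    n, k = len(a), len(b[0])
    m = [row[:] + rhs[:] for row, rhs in zip(a, b)]
    for col in range(n):
        piv = max(range(col, n), key=lambda r: abs(m[r][col]))
        m[col], m[piv] = m[piv], m[col]
        if abs(m[col][col]) < 1e-12:
            raise ValueError("singular system: a transient state can never be absorbed")
        f = m[col][col]
        m[col] = [x / f for x in m[col]]
        for r in range(n):
            if r != col and m[r][col] != 0.0:
                g = m[r][col]
                m[r] = [x - g * y for x, y in zip(m[r], m[col])]
    return [row[n:] for row in m]


def absorption_analysis(p: Dict[str, Dict[str, float]]) -> Tuple[Dict[str, Dict[str, float]], Dict[str, float]]:
    """Return (B, t) for the chain.

    B[s][a] is the probability of ending in absorbing state a when starting from
    transient state s; t[s] is the expected number of steps before absorption.
    Both come from the fundamental matrix N = (I - Q)^-1: B = N R and t = N 1,
    computed here as one linear solve of (I - Q) X = [R | 1].
    """
    validate(p)
    i_minus_q = [[(1.0 if i == j else 0.0) - p[si].get(sj, 0.0)
                  for j, sj in enumerate(TRANSIENT)] for i, si in enumerate(TRANSIENT)]
    rhs = [[p[si].get(a, 0.0) for a in ABSORBING] + [1.0] for si in TRANSIENT]
    x = _solve(i_minus_q, rhs)
    b = {si: {a: x[i][j] for j, a in enumerate(ABSORBING)} for i, si in enumerate(TRANSIENT)}
    t = {si: x[i][len(ABSORBING)] for i, si in enumerate(TRANSIENT)}
    return b, t


def compromise_probability(p: Dict[str, Dict[str, float]], start: str = "initial_access") -> float:
    """Probability the attacker reaches the objective before being evicted."""
    b, _ = absorption_analysis(p)
    return b[start]["objective_reached"]


def improved_detection(p: Dict[str, Dict[str, float]], state: str, shift: float) -> Dict[str, Dict[str, float]]:
    """Model a detective control at `state`: move `shift` probability mass from the
    attacker's retry self-loop into the detected/evicted outcome (rows still sum to 1)."""
    q = {s: dict(row) for s, row in p.items()}
    row = q[state]
    if row.get(state, 0.0) < shift:
        raise ValueError("not enough self-loop mass at that state to shift")
    row[state] -= shift
    row["detected_and_evicted"] = row.get("detected_and_evicted", 0.0) + shift
    return q


if __name__ == "__main__":
    b, t = absorption_analysis(P)
    for s in TRANSIENT:
        print(f"{s:22s} P(objective)={b[s]['objective_reached']:.3f}  E[steps]={t[s]:.2f}")
    print("with detection at foothold:", round(compromise_probability(improved_detection(P, "foothold", 0.2)), 3))
```

The solve-once-for-both-quantities trick (appending a column of ones to R) is what makes the analysis cheap enough to re-run for every candidate control; comparing compromise_probability before and after improved_detection is the kind of question an integrated model lets an architect answer at design time rather than after deployment.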
14:50
16A: Increase Resilience, Decrease Risk: Embedded Dependency Models in SABSA
Speaker(s):
David Lynas, Chairman, COSAC (Northern Ireland). David Lynas is currently enjoying his 41st year of experience in Information Security, during which he has been invited to provide strategic advice to governments and industry clients on every continent. A globally renowned Enterprise Security Architect, Security Strategist and Thought-Leader, he is the co-author of SABSA (the world's leading free-use, open-source Security Architecture Methodology), CEO of the SABSA Institute and CEO of David Lynas Consulting.
The ability of an Enterprise to collect diverse but inter-connected Risk information, integrate it, align it, view it and consider it holistically may be the difference between success and failure. "This capability is what separated the banks that survived the financial crisis from those that failed. The failed companies had relegated risk management to a compliance function." (Harvard Business Review, 2012)
A complex system such as today's modern enterprise is composed of many constituent parts which interact and are inter-dependent, with conflicted and systemic relationships. It is an eco-system, changing organically because of the innovations and behaviours of its parts, each of which has its own objectives, success factors, methods, risks and opportunities. The Enterprise and/or its parts also interact with the ever-changing environment in which it exists. A complex Enterprise cannot be defined by reference to its constituent parts alone, because no part is completely independent of the behaviour of the other parts. And yet an Enterprise can spend huge resources and finances on checklist-based, compliance-driven, highly subjective, non-normalised, isolated, siloed risk assessments and treatment plans. "Insanity is doing the same thing over and over again but expecting different results." (Albert Einstein)
The traditional approach to Risk is fundamentally flawed. We know it is broken and not fit for purpose in real-world complexity, but we continue to blindly do things the way they have always been done simply because they have always been done that way. When viewing the Enterprise as a complex system, failure to understand the complex nature of risk is itself the greatest risk of all. We cannot predict all failures and cannot model all successes. Pull one end of the spaghetti and all sorts of interesting things start to unravel and fall off the plate. What is good news for one authority may represent horribly bad news for another.
But the question is: how do we approach this challenging subject to achieve the systemic understanding that the Harvard Business Review suggests? Just as a system depends upon subsystems and processes depend upon subprocesses, so each perspective of SABSA (What, Why, How, Who, Where and When) can be modelled as a layer-independent dependency chain in which each dependent element sets the requirements for each dependency, and each dependency meets the needs of each dependent element. At the same time, we can understand the inter-relationships between the perspectives that often present real-world risk tensions or conflicts. By using this technique, we can more clearly identify complex relationships to articulate clear risk context, empower accurate, meaningful control and enablement decisions strategically, tactically and operationally, and identify true risk owners and decision-making authorities.
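As an added worked example of the dependency-chain idea (illustrative code written for this page, not SABSA's own method or any artefact from the talk; the element names, attributes and targets are constructed), the following Python represents each "dependent sets a requirement on its dependency" relationship as a directed, attribute-labelled edge and answers three questions the abstract raises: what unravels when one dependency fails, what a dependent element transitively relies on, and where different dependents place differing requirements on the same dependency, which is where the real-world risk tensions live and a named risk owner has to decide:

```python
"""Dependency-chain analysis over a small, constructed enterprise model.

Added example for this page; not SABSA's own method or any artefact from the
talk.  Element names, attributes and targets are invented for illustration.
"""
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# Each edge reads: DEPENDENT requires ATTRIBUTE of DEPENDENCY to meet TARGET.
# The dependent sets the requirement; the dependency is expected to satisfy it.
Edge = Tuple[str, str, str, str]
EDGES: List[Edge] = [
    ("online_sales",      "payment_service",   "available",    "99.95%"),
    ("online_sales",      "customer_db",       "confidential", "PCI DSS"),
    ("fraud_analytics",   "customer_db",       "available",    "99.0%"),
    ("fraud_analytics",   "customer_db",       "retained",     "7y"),
    ("privacy_programme", "customer_db",       "retained",     "2y"),   # pulls the other way
    ("payment_service",   "hsm_cluster",       "available",    "99.99%"),
    ("payment_service",   "identity_provider", "available",    "99.99%"),
    ("customer_db",       "identity_provider", "available",    "99.5%"),
    ("identity_provider", "dns",               "available",    "99.99%"),
]


def _graphs(edges: List[Edge]):
    """Forward map (dependent -> dependencies) and reverse map (dependency -> dependents)."""
    fwd: Dict[str, Set[str]] = defaultdict(set)
    rev: Dict[str, Set[str]] = defaultdict(set)
    for dependent, dependency, _, _ in edges:
        fwd[dependent].add(dependency)
        rev[dependency].add(dependent)
    return fwd, rev


def _reach(start: str, adj: Dict[str, Set[str]]) -> Set[str]:
    """All nodes reachable from `start` (excluding `start` itself unless on a cycle)."""
    seen: Set[str] = set()
    stack = [start]
    while stack:
        node = stack.pop()
        for nxt in adj.get(node, ()):
            if nxt not in seen:
                seen.add(nxt)
                stack.append(nxt)
    return seen


def impacted_by(failed: str, edges: List[Edge] = EDGES) -> Set[str]:
    """Everything that transitively depends on `failed`: the spaghetti that unravels."""
    _, rev = _graphs(edges)
    return _reach(failed, rev)


def requires(element: str, edges: List[Edge] = EDGES) -> Set[str]:
    """Everything `element` transitively depends on: what must hold for it to succeed."""
    fwd, _ = _graphs(edges)
    return _reach(element, fwd)


def requirement_tensions(edges: List[Edge] = EDGES) -> Dict[Tuple[str, str], Dict[str, Set[str]]]:
    """(dependency, attribute) pairs on which different dependents set different targets.

    Whether the strictest target satisfies everyone (availability) or the targets
    genuinely conflict (retention periods) is a decision for the named risk owner;
    this function only makes the tension visible.
    """
    targets: Dict[Tuple[str, str], Dict[str, Set[str]]] = defaultdict(lambda: defaultdict(set))
    for dependent, dependency, attribute, target in edges:
        targets[(dependency, attribute)][target].add(dependent)
    return {key: {t: set(who) for t, who in by_target.items()}
            for key, by_target in targets.items() if len(by_target) > 1}


def has_cycle(edges: List[Edge] = EDGES) -> bool:
    """A dependency chain must be acyclic; a cycle means no requirement is grounded."""
    fwd, _ = _graphs(edges)
    WHITE, GREY, BLACK = 0, 1, 2
    colour: Dict[str, int] = defaultdict(int)

    def visit(node: str) -> bool:
        colour[node] = GREY
        for nxt in fwd.get(node, ()):
            if colour[nxt] == GREY or (colour[nxt] == WHITE and visit(nxt)):
                return True
        colour[node] = BLACK
        return False

    return any(colour[n] == WHITE and visit(n) for n in list(fwd))


if __name__ == "__main__":
    print("acyclic:", not has_cycle())
    print("if dns fails, impacted:", sorted(impacted_by("dns")))
    print("online_sales requires:", sorted(requires("online_sales")))
    for (dep, attr), by_target in requirement_tensions().items():
        print(f"tension on {dep}.{attr}:", {t: sorted(w) for t, w in by_target.items()})
```

Running it shows that a dns failure reaches every business process in the model through the identity provider, and that customer_db carries two retention requirements (7y from fraud analytics, 2y from the privacy programme) that cannot both be met, which is exactly the kind of cross-perspective conflict the abstract says needs a true risk owner and a decision-making authority rather than another siloed assessment.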
14:50
16B: Threat Driven Cyber Investment Strategies
Speaker(s):
Chathura Abedyeera, Director – Cyber Security, KPMG (Australia). Chathura is a Director in the Cyber Security and Forensic practice of KPMG Australia and leads the Cyber Attack and Response services. He is a highly technical cyber security practitioner with over 20 years' experience in offensive cyber security and incident response. He is a CREST Certified Tester and an examination assessor for CREST International. He is also an advisory board member of CREST Australasia. He has delivered complex technical cyber security assessment programs and...
Andreas Dannert, Principal Enterprise Security Architect, Standard Chartered (Singapore). Andreas is a Principal Enterprise Security Architect at Standard Chartered Bank in Singapore. At SCB he is responsible for a core Security Architecture team that delivers the organisation's Security Architecture Framework, Strategy and relevant Security Capabilities. Before this he was a Principal Enterprise Security Architect at Australia's national broadband network (nbn), a government-owned enterprise providing critical infrastructure services to millions of Australians.
In today's landscape of increasingly sophisticated and persistent cyber threats, it is crucial for organisations to leverage Cyber Threat Intelligence (CTI) and to effectively integrate CTI into other business units (downstream consumers) such as risk functions, internal audit, architecture, engineering, sec-ops, security testing and the SOC, to enhance the collective decision-making capabilities of the organisation. This presentation emphasises the importance of leveraging CTI more directly and efficiently in decision-making processes within an organisation to achieve the desired business outcomes. Attendees will gain valuable insights into the practical steps and best practices required to strengthen their organisation's defences by integrating CTI within their existing security infrastructure. The following topics will be explored in the presentation:
15:35 - 15:55 Afternoon Coffee
15:55
17A: Modelling Uncertainty & Building Cyber Resilience
Speaker(s):
Dimitrios Delivasilis, Director - Cyber Risk & Resilience, David Lynas Consulting (UK). Strong technology executive, specialising in business-driven security strategy, architecture and operational resilience. Dimitrios has more than 22 years of extensive experience in leadership roles, predominantly within financial services (Head of Enterprise Security Architecture at Visa and Global Head of Information Risk Strategy at HSBC). He has built a success record of simplifying security decisions, delivering future-proof information security strategies and helping organisations implement...
The ever-increasing reliance on technology has drastically shifted how organisations function. The interconnectedness and convergence of digital solutions, together with the business opportunities they bring, increase the number of critical failure points. The latter explains why regulators across the globe have been particularly active on this topic, and consequently resilience has become the latest global hot topic in many sectors. A key premise of building cyber resilience is to develop an in-depth understanding of 'what is materially important' for the business. Analysing the important business services into their processes, technology and people defines the quantitative and qualitative characteristics of those assets which need to be preserved even during a successful cyber attack. This presentation will demonstrate how the SABSA methodology can be leveraged to capture the business context, and how the business context in turn becomes a strong foundation on which to build robust cyber resilience. Instead of addressing the challenge from a theoretical point of view, real-life use cases will be presented from the financial services and energy sectors. Emphasis will be given to the operationalisation of the SABSA methodology to capture the idiosyncrasy of the organisation, demonstrate the relevance of the security services, model the security posture, and become the conduit that brings together the risk management framework, threat scenarios, control library and operational controls.
15:55
17B: GRC Modernisation ≠ Automation
Speaker(s):
Ahmed El Ashmawy, Consulting Practice Lead, Axenic Limited (New Zealand). Ahmed is a Senior Consultant at Axenic Ltd. He has significant experience as a trainer as well as being a hands-on practitioner. He is a CERT-Certified Computer Security Incident Handler (CSIH) and an SEI-Authorised Instructor. He was previously a member of the technical team of Q-CERT, Qatar's national Computer Emergency Response Team.
Over the last two years, Axenic has embarked on a journey to modernise aspects of its Governance, Risk and Compliance (GRC) offerings. Almost one million dollars later, coupled with numerous scars, Axenic became the first Archer IRM customer to multi-tenant a single instance of the platform for small and medium customers. This is not the end of the journey; it is the tip of the iceberg. This session is an automation vs modernisation discussion exploring what to automate (or not to automate), and how to modernise GRC. Axenic will share successes, failures and expensive lessons learnt throughout the process. Whether you represent an organisation that is trying to automate its GRC tasks and consolidate its governance, risk, assurance and compliance data, or a provider trying to offer modern services, this session should help save you time and money. Even if you are at an advanced stage of your GRC modernisation journey, the discussion could enrich your experience, or you may have some lessons to share.
16:45
18A: Ask A Master Q&A with a SABSA Masters Panel
Speaker(s):
William Schultz, Senior Director, Enterprise Cybersecurity, Vanderbilt University Medical Centre (USA). Bill Schultz is a practicing security architect who has worked in the Information Technology field for over 16 years, with the past 12 focused on Enterprise Architecture, Security Architecture, Risk Management and Compliance. Bill has built security programs and risk management programs, and has developed strategic organizational architectures and technical system architectures. Bill has led multiple risk management and security architecture initiatives.
Maurice Smit, Principal Security Architect, David Lynas Consulting (Netherlands). Maurice is a Principal Security Consultant and SABSA Instructor at David Lynas Consulting, with over 15 years of experience in IT security operations, management, governance and architecture in a variety of industries including finance, healthcare and pharmaceuticals. Maurice delivers accredited SABSA training in Europe, India, Africa and the Middle East and is a founding member of the SABSA Institute Board of Trustees.
In your security architecture quest, have you come across a question about how to use SABSA that seems to have no answer, or a challenge that seems insurmountable? Welcome to the club! Many good practical questions have an answer that ultimately resolves to the response "it depends". This is because most of the time it is true: the answer to your question or problem depends on your situation and what you are trying to achieve. However, there are often simple answers to complex questions that can be reached by simply following the methodology. The challenge is often in knowing which part of the methodology to use, and where to start from the situation you are in. In this session attendees will be able to pose questions and challenges to a panel of people who have spent a significant amount of time and energy learning, teaching and applying the SABSA methodology. Any SABSA Masters in attendance at COSAC will be welcome and encouraged to participate as they are available. Input from attendees will essentially build the agenda for the conversation, and we will attempt to cover as many topics and questions as possible. Of course, in the "COSAC way" there will be plenty of group debate and interaction, and no shortage of experts in the room. While we may not solve every problem, perhaps as a group we can find ways to overcome some of the challenges and questions that we face, and possibly begin to look at some of the new challenges heading our way.
16:45
18B: That's No Moon, It's A Space Station. Mapping the Scale, Maturity, and Compliance Value of the Victorian Protective Data Security Framework
Speaker(s):
Bethany Sinclair-Giardini, Principal Consultant, Votar Partners (Australia). Hurtling towards the end of her third decade in the profession, Bethany is a time-served information governance professional, passionate and energetic about assisting organisations to better manage their information security risks by championing effective information governance. Bethany is a Principal Consultant at Votar Partners, a small boutique information governance consultancy in Melbourne, specialising in assisting firms with their information security and governance challenges, with a...
The Victorian Protective Data Security Framework (VPDSF) is a beast. It's not just a simple moon, it's a fully operational space station with all the bells and whistles. All Victorian public sector organisations must report to our Information Commissioner, every two years, on their compliance and maturity against the VPDSF. Across its 12 standards and 95 elements, it really provides a window into an organisation's internal operating environment and demonstrates clearly how seriously (or otherwise) organisations are taking information security. It's like a tractor beam, pulling in several disciplines, and there's literally nowhere to hide. As I audit these firms, I walk a fine line between a Darth Vader compliance approach and a Yoda-like helpfulness in really unpacking how they need to approach the VPDSF, to understand what it could do for them. This paper will demonstrate how, by taking the VPDSF seriously, organisations can chart a course that protects them from being abandoned on the outer rim of information security governance, and instead could take them to the stratosphere in terms of compliance and maturity.
Plenary Session
17:40
19P: COSAC Rump Session
Speaker(s):
David Lynas, Chairman, COSAC (Northern Ireland). David Lynas is currently enjoying his 41st year of experience in Information Security, during which he has been invited to provide strategic advice to governments and industry clients on every continent. A globally renowned Enterprise Security Architect, Security Strategist and Thought-Leader, he is the co-author of SABSA (the world's leading free-use, open-source Security Architecture Methodology), CEO of the SABSA Institute and CEO of David Lynas Consulting.
The COSAC "rump" has for many years been a hugely popular closing session of COSAC. Now returning to APAC, it is an informal rapid-fire session in which participants give very short presentations on recent results, work in progress, and any other topic of interest to the COSAC community. Presentations may be purely technical, entirely management-oriented in nature, or any combination of approaches or perspectives. Those wishing to give a talk at the rump session must submit a short abstract, no more than one page long, according to one of the following procedures:
Submissions should include a requested amount of time for the presentation. An anticipated absolute maximum of four minutes will be allocated to each presentation.
Dinner & Networking
18:45 Drinks Reception
19:15 Dinner