
Welcome to COSAC's second annual event in Asia-Pacific, hosting the SABSA APAC Congress. For 2018, COSAC will be held in Sydney for the first time. 

Our agenda has been selected by previous COSAC participants to ensure sessions are unique, timely, cater for the participative COSAC ethos and deliver value for experienced security practitioners. 

Wednesday 6th December 2017

09:00 - 09:30 Delegate Registration & Coffee

Plenary Session

09:30 7P: Immutable Deadline: Maximum Outage Redefined Speaker(s): Tim Evans

Tim Evans

Assistant Secretary Commemorations, Dept of Veterans Affairs (Australia)

Tim Evans has been Assistant Secretary Commemorations at the Department of Veterans’ Affairs since 2009.  In this role he is responsible for programs to acknowledge and commemorate veterans’ service and sacrifice and promote an increased community awareness of Australia’s wartime and service heritage and veterans’ experiences. Tim has played a key role in the planning, coordination and delivery of national and international programs to mark the Anzac Centenary and the Century of Service.

We are all familiar with the Business Continuity Planning concept of ‘maximum allowable outage’.  But what if the tolerance for outage from every perspective (including process, management, social and political) is in fact truly zero?  What if the deadline is truly immutable?  What if ‘never-fail’ really means never…and you get only one shot to get it right?

This session explains and draws lessons from both federal elections and the Anzac Day centenary commemorations at Gallipoli in 2015: events with precise and immutable schedules and locations, come hell or high water – literally.

This session will provide valuable tactical and operational lessons and strategic concepts not just for mass public event organisers but for Business Management in general, BCP & Business Process practitioners, and the Security and Risk professions as a whole.

10:30 - 10:50 Morning Coffee

10:50 8A: Practical Implementation of SABSA Traceability Speaker(s): Andreas Dannert

Andreas Dannert

Enterprise Security Architect, Deloitte (Australia)

Andreas is an Enterprise Security Architect in Deloitte’s Cyber Risk Advisory Services line with over 25 years of experience in IT and security consulting. He has worked on defining the security architectures and models for global organisations across a range of industries and locations. In addition to his work at Deloitte, Andreas is a long-standing member of the ISACA Melbourne Chapter board, where he has held various positions including director and president.

While some organisations understand and can articulate their information security requirements, the less mature ones simply ask for compliance with one or more of the major security control frameworks, such as ISO 27001/27002, NIST, PCI and any locally applicable policy or standard. As security architects we need to deal with these organisations as with any other client, i.e. turn that request into a meaningful solution.

The problem here is not to design and implement a solution in line with these control frameworks, but to consolidate them and define a security architecture that can be actively managed as the organisation matures and its requirements change. This requires a well-structured approach to integrating control frameworks that often just refer to each other, and turning them into meaningful designs without losing sight of risks and opportunities as part of the greater plan.

This session is based on a government agency that wants to do the right thing by its citizens, but also needs to justify politically what it is doing, i.e. provide traceability from requirements to implementation.

At the end of this session participants should have an idea of how they can tackle the issue of “security framework overload” by applying some simple techniques of security controls management and security architecture design documentation management.

The key takeaway from this session will be that applying some thinking of how to manage requirements, how to document and how to provide traceability can set the foundation of a more manageable security architecture design.

In the spirit of COSAC, this session is designed to be interactive and allows participants to share their experiences in similar scenarios before we look at what happened in the real-world case study on which this presentation is based. The session will give attendees an insight into some of the issues encountered when developing a solution security architecture, with the intention of providing a more structured approach to delivering security architecture.

10:50 8B: The Journey to Artificial Intelligence, and its Continuum Speaker(s): MZ Omarjee

MZ Omarjee

Enterprise Security Architect, Standard Bank (South Africa)

Muhammed Zubair (Mz) Omarjee is an Enterprise Security Architect within the Group IT Plan function of Standard Bank Group South Africa. He is instrumental in defining the security technology strategy and plays a pivotal role in shaping the information security practice as a transformative, business-driven and risk-oriented discipline.

Advances in technology have made artificial intelligence (AI) a reality. This session will provide a cursory overview of AI, explaining what it is through its various dimensions, its types and its categories of application. The session will briefly cover some use cases as well as some considerations in selecting the relevant AI solution approach.

12:00 9A: SABSA in Law Enforcement & Border Protection Speaker(s): Paul Blowers

Paul Blowers

CISO & Director, New Zealand Police & Hi-Spec Security (New Zealand)

Paul Blowers has more than 30 years' experience in the intelligence, law enforcement, defence and border security environments, and approaching 10 as a SABSA® practitioner. He has spent the last 14 years in New Zealand, having previously worked in the USA, the UK and mainland Europe. Currently head of security for New Zealand Police, he also runs his own small company, Hi-Spec Security Limited, providing high-end consultation services.

On the 6th November 2014, Phillip John Smith left New Zealand on an aircraft bound for Santiago in South America. He had a ticket for onward travel to Rio de Janeiro in Brazil. 

Mr. Smith passed unimpeded through immigration and security checks at Auckland International Airport. He carried a New Zealand passport that had been issued 16 months earlier in his birth name.

Phillip John Smith-Traynor as he has since become notoriously known is a convicted prisoner, sex offender and murderer. He evaded authorities by exploiting loopholes in the NZ identity management legislation, justice sector and ineffective border protection agency practices.

My presentation will demonstrate how I approached my Master's thesis to develop a solution that incorporates most aspects of the SABSA® matrix, including the Operational Security Architecture.

It highlights the challenges faced by the Justice Sector and Border Protection Agencies, multi-government sector collaboration, legislative changes, individual business identity management programmes, strategy direction, policy changes and the potential for identity management technology transformation.

As part of my presentation I will present a prototype web-based application that has been developed in support of my Master's thesis and adapted to enable the semi-automation of the SABSA® Risk Assessment Method.

12:00 9B: Making SABSA Stick: Business Analysis & Stakeholder Engagement Speaker(s): Victoria Czaplewski

Victoria Czaplewski

Change Management Consultant, David Lynas Consulting (USA)

Victoria Czaplewski, principal of Kalixity, LLC & Change Management Consultant for DLC, combines expertise in Organizational Change Management and Enterprise Business Analysis to assess and navigate the impacts of change and address consequences to culture, policy, processes, operations and organizational structures. She recognizes change as a prime opportunity to engage stakeholders in meaningful dialogue about the future state and to assess alignment to vision & mission. 

How Business Analysis and Stakeholder Engagement can help embed SABSA into the organizational culture.

Successful adoption of a business-driven enterprise security architecture doesn’t just happen. Embedding a sustainable security approach depends on an organizational mindset that’s sold on the business value of the SABSA methodology, and willing, ready and able to embrace the cultural change required to make it happen. Achieving the right balance of business, technical and behavioral readiness requires an interdisciplinary strategy that starts with the guerrilla infusion of Business Attributes Profiling capability into the organization.

This session proposes that Security professionals drive Business Attributes Profiling techniques into the hands – and minds – of the Business Analyst community within their organizations.

As our shoulder-to-shoulder allies, Business Analysts already share our interest in forging business solutions. They join us on the front line in requirements engineering and in interaction with our stakeholders. The benefits of adopting Business Attributes Profiling are proven in the context of enterprise security and become evident in application to any project or strategy in focus for Business Analysis.

The challenge lies in the change.

In addition to convincing our BA colleagues of the benefits of Business Attributes Profiling, we must also equip them to take it into the organization as a standard practice. Shifting away from “the way things have always been done around here” requires:

-Aligning SABSA methods to standard Business Analysis practices

-Identifying and engaging relevant stakeholders

-Analyzing the impacts of change

-Assessing organizational change readiness 

-Developing effective messaging

Through demonstration and discussion, we’ll explore how to engage our Business Analysis stakeholders as partners in establishing SABSA as a way of life.

13:00 - 14:00 Lunch

14:00 10A: Selecting, Aligning & Effectively Using Compliance & Control Frameworks Speaker(s): Jason Kobes, William Schultz

Jason Kobes

Principal Cyber Architect, Northrop Grumman (USA)

Jason Kobes works as a Principal Cyber Architect & Research Scientist in Washington, DC for Northrop Grumman Corporation. Jason has over 20 years of experience concentrated in information systems design analytics, business/mission security architecture, enterprise risk management, information assurance research, and business consulting. Jason has a Master's of Science in Information Assurance (MSIA) and a Bachelor's of Science in Computer Science from Iowa State University. 

William Schultz

Principal Security Architect, Vanderbilt University Medical Centre (USA)

Bill Schultz is a security architect who has worked in the information technology field for over 14 years, with a focus on enterprise architecture, security architecture, risk management and compliance. Bill has built security programs and risk management programs, and has developed strategic architectures and technical system architectures. He has led risk management and security architecture initiatives to build secure systems that comply with Federal, healthcare and PCI standards.

Security programs are constantly challenged to adapt flexibly to organizational change and maintain compliance with regulatory requirements, while actively defending against an ever-changing array of IT threats. Leveraging existing frameworks or methodologies such as NIST or HITRUST allows organizations to take advantage of work already done to address common security concerns, but these frameworks need to be integrated in a way that lets the organization tailor them to its own risk appetite. It can be challenging to identify which frameworks are most appropriate and where and when to apply them; doing so, however, is a key component of a security architect's role.

This session will look at an organization that is using SABSA architecture to do exactly this. We will show how it addresses the compliance requirements applicable to healthcare organizations (HIPAA, FISMA and PCI), review some of the common security control frameworks, models and methodologies being leveraged (NIST, HITRUST), and look at the risk management frameworks (SABSA, NIST, FAIR) that can be used to address compliance challenges efficiently. We will explore how these frameworks, models and methodologies overlap and complement each other, and how they can be practically integrated. Since there is a drastic difference between understanding a model and applying it, we will present several use cases and practical examples explaining how we have used these models, the lessons we have learned, and the challenges that remain.

14:00 10B: Attribute Function Deployment - Structuring Business Attribute Deployment Speaker(s): John Czaplewski

John Czaplewski

Director, David Lynas Consulting (USA)

John Czaplewski is a Director at David Lynas Consulting and the lead SABSA Instructor for North America. John has over 15 years' experience in providing security program, risk management and security assessment services to international enterprises and US Federal agencies, and currently leads David Lynas Consulting's consulting practice. John also sits on the SABSA Institute's Board of Trustees.

Structuring Business Attribute Development and Deployment with AFD – Attribute Function Deployment

The SABSA Methodology transforms enterprise requirements, goals, and objectives into Business Attributes that form the deep core of an enterprise security architecture. AFD – Attribute Function Deployment – is a proposed method for structured development of Business Attributes and their deployment into the enterprise security architecture, based on Quality Function Deployment (QFD), an established method for product planning and development that supports systematically translating customer wants and needs into products or services that satisfy.

AFD adapts QFD to support the use of SABSA’s Business Attributes through all phases of the SABSA Life Cycle by integrating matrix-driven models and quality control techniques into a structured process for traceably translating and transforming enterprise requirements into business drivers for security, business attributes, logical security services, physical security mechanisms, and security service management activities.

In addition, AFD provides practical support for:

-Structuring captured information to enable analysis

-Analyzing information

-Prioritizing analysis inputs and outputs

-Correlating inter-element analysis to identify positive and negative associations

-Identifying and resolving conflicts

-Documenting, organizing, and using the results of analysis

-Communicating with stakeholders

-Developing consensus

AFD can be extended to integrate its core workflow stages with supporting and supported SABSA processes and models:

-Risk Assessment

-Risk Enablement

-Control and Enablement Objectives

-Multi-tiered Control Strategy

-Governance Model

-Extended RACI

The session will demonstrate AFD in action to deliver key SABSA Foundation Course IBFS Business Case-driven workshop objectives.

15:10 11A: Show Me the Controls! Speaker(s): Peter Nikitser

Peter Nikitser

Director, ALC Cyber Security (Australia)

Peter Nikitser is in his 30th year of IT, most of which has been spent in information security. He is a co-founding member of both AusCERT and SL-CERT. When he is not travelling teaching students or consulting, Peter spends time renovating his acreage, and can tell you all about lantana.

What happens when Cuba Gooding Jr meets a SABSA/TOGAF alignment consultancy?

As security professionals, we have most likely experienced client engagements where we have had to manage both scope and expectations. Whilst working for one of the big four consulting firms, we responded to an open tender asking for help with designing a security architecture framework based on SABSA for a Queensland state government agency, the duration of which was not to exceed six weeks.

Fair enough, sounds reasonable and straight-forward, and we were more than happy to help them spend their end-of-year budget.

The response was sent to the client outlining the approach, highlighting any constraints and assumptions in our response and expectations of the client in arranging timely meetings with key stakeholders.

During the first week of the engagement, I asked for access to key stakeholders or their delegates, and was told that was not possible. It soon became apparent that I had stumbled across a long-standing cultural and political issue, and that I was not going to get an audience with key stakeholders or their delegates. Furthermore, the intent of the engagement started off with a desire to apply SABSA to the entire organisation, yet I uncovered they had already made an investment in TOGAF, which they neglected to mention in their RFP.

Where this engagement led to next, and the approach I had to take in order to manage their expectations, is what you will have to hear for yourself.

The presentation will demonstrate examples of the artefacts I produced, the adjustments that had to be made in order to accommodate the scope creep, and how I turned the engagement around to deliver a top-down meets bottom-up approach. And yes, I showed them some controls too …

15:10 11B: Critical Infrastructure (ICS/SCADA) – Keeping the Lights On Using SABSA Speaker(s): Christopher Beggs

Christopher Beggs

Managing Director, Security Infrastructure Solutions (Australia)

Dr Christopher Beggs is the Managing Director and ICS security program leader for Security Infrastructure Solutions (SIS). SIS specialises in Industrial Control System Security (ICS) safeguarding owners and operators of critical infrastructure within the Middle East and Asia Pacific regions.  Christopher holds a PhD in Cyber-terrorism and SCADA security awarded by Monash University and is a Certified CSSA, SABSA and SANS-GIAC Security Professional. 

Industrial control systems (ICS), such as supervisory control and data acquisition (SCADA) systems and distributed control systems (DCS), are used to operate, monitor and control electricity generation, transmission and distribution, oil and gas pipelines and refineries, water treatment plants, chemical factories, manufacturing, and transport infrastructure. Such systems, which were once isolated from corporate systems, are now becoming increasingly interconnected, exposing them to significantly more internal and external threats. Coupled with the ability to cause devastating impact, this has made attacks on utility companies high-value targets for adversaries.

This presentation will demonstrate how the application of the SABSA development process can serve to ensure that our infrastructure assets of national significance are resilient to cyber threats. Key artefacts from each architectural layer will be discussed, providing real-world working samples from the design and build of security architecture for ICS facilities, focusing on risk mitigation. The presentation will also show the integration of other ICS security standards, such as ISA/IEC 62443, with SABSA, extending the methodology from the corporate environment to incorporate industrial networks. Attendees will learn how to develop a target-state security architecture and how to achieve controlled integration with corporate systems.

16:10 - 16:30 Afternoon Coffee

16:30 12A: How to Write a Great SABSA Advanced Exam Answer Speaker(s): Chris Blunt

Chris Blunt

Director, Consulting Partner, Axenic (New Zealand)

Chris is a Consulting Partner at Axenic Ltd, a specialist independent information security and privacy consultancy he co-founded in 2009. He has over 22 years of experience in the ICT industry, specialising in security and privacy for the last 11 years. He is an exponent of business-driven security and is passionate about delivering pragmatic advice that enables his clients to achieve their business goals and objectives. He is also a committee member for BSides Wellington.

Are you planning to sit a SABSA Advanced course? Or have you recently attended a course but haven’t yet written and submitted your exam answers? Then this is a session you can’t afford to miss!

During this interactive session we will explore and discuss a range of strategies for writing a great SABSA Advanced exam answer using model exam questions to show how to:

-evaluate the question to ensure you know what is being asked of you;

-use a hypothetical or real-world case study to frame your answer;

-plan and structure your answer to ensure that you cover each area of the question;

-assess the competency verbs in the question to ensure that you understand them and can meet them; and

-effectively present the application of your chosen combination of SABSA methodologies, techniques and approaches.

The presenter has scored 91%+ in their Advanced exams, is a SABSA Chartered Architect Master (SCM), and is a marker of Advanced exam papers.

The goal of the session is to provide the participants with a set of tools they can use to write great answers for their SABSA Advanced exams!

16:30 12B: Kick Starting SABSA in your Organization Speaker(s): Jason Kobes, William Schultz

Jason Kobes

Principal Cyber Architect, Northrop Grumman (USA)

Jason Kobes works as a Principal Cyber Architect & Research Scientist in Washington, DC for Northrop Grumman Corporation. Jason has over 20 years of experience concentrated in information systems design analytics, business/mission security architecture, enterprise risk management, information assurance research, and business consulting. Jason has a Master's of Science in Information Assurance (MSIA) and a Bachelor's of Science in Computer Science from Iowa State University. 

William Schultz

Principal Security Architect, Vanderbilt University Medical Centre (USA)

Bill Schultz is a security architect who has worked in the information technology field for over 14 years, with a focus on enterprise architecture, security architecture, risk management and compliance. Bill has built security programs and risk management programs, and has developed strategic architectures and technical system architectures. He has led risk management and security architecture initiatives to build secure systems that comply with Federal, healthcare and PCI standards.

Implementing SABSA in an organization can be a daunting task. Many architects face challenges getting started, such as dealing with culture, knowing where to start, and validating that they are on the right track, especially when they run into organizational roadblocks. SABSA practitioners come out of self-study or SABSA training armed with new skills and ideas, but struggle to apply them in the complex situations of their own organization.

In this session we will use real-life examples of implementing SABSA in an organization to address some of the common pitfalls and hardships practitioners face when trying to introduce change, and some of the strategies that led to success. Important concepts we will address include transition planning, understanding the time frame of change, enabling others (and championing their success), and adopting a mission assurance approach. We will also cover building a support team and network, both within your organization and in the wider community.

Plenary Session

17:40 13P: COSAC Rump Session Speaker(s): David Lynas

David Lynas

Chairman, COSAC (Northern Ireland)

David Lynas is currently enjoying his thirty-fifth year of experience in information security, during which he has been invited to provide strategic advice to governments and industry clients on every continent. A globally renowned Enterprise Security Architect, Security Strategist and thought leader, he is the co-author of SABSA (the world’s leading free-use, open-source security architecture methodology), CEO of the SABSA Institute and CEO of David Lynas Consulting.

The COSAC "rump" has for many years been a hugely popular closing session at COSAC and the SABSA World Congress. Now making its debut in APAC, it is an informal rapid-fire session in which participants give very short presentations on recent results, work in progress, and any other topic of interest to the COSAC community.

Presentations may be purely technical, entirely management oriented in nature, or of any combination of approaches or perspectives. Those wishing to give a talk at the rump session must submit a short abstract, no more than one page long, according to one of the following procedures:

-Electronic submission: Send email to the rump session chair David Lynas at [email protected] before 10AM Friday, December 1.

-Hardcopy submission at conference: Hand the submission to David Lynas at the conference before noon on Wednesday 6 December.

Submissions should include a requested amount of time for the presentation. An anticipated absolute maximum of four minutes will be allocated for each presentation.

Dinner & Networking

18:45 Drinks Reception
19:30 Dinner