
Welcome to COSAC's first event in Asia-Pacific, hosting the inaugural SABSA APAC Congress. 

Our agenda has been selected by previous COSAC participants to ensure sessions are unique, timely, cater for the participative COSAC ethos and deliver value for experienced security practitioners. 

Wednesday 6th December 2017

09:00 - 09:30 Delegate Registration & Coffee

Plenary Session

09:30 7P: Immutable Deadline: Maximum Outage Redefined Speaker(s): Tim Evans

Tim Evans

Assistant Secretary Commemorations, Dept of Veterans Affairs (Australia)

Tim Evans has been Assistant Secretary Commemorations at the Department of Veterans’ Affairs since 2009.  In this role he is responsible for programs to acknowledge and commemorate veterans’ service and sacrifice and promote an increased community awareness of Australia’s wartime and service heritage and veterans’ experiences. Tim has played a key role in the planning, coordination and delivery of national and international programs to mark the Anzac Centenary and the Century of Service.

We are all familiar with the Business Continuity Planning concept of ‘maximum allowable outage’.  But what if the tolerance for outage from every perspective (including process, management, social and political) is in fact truly zero?  What if the deadline is truly immutable?  What if ‘never-fail’ really means never…and you get only one shot to get it right?

This session explains and draws lessons from both federal elections and the Anzac Day centenary commemorations at Gallipoli in 2015: events with precise and immutable schedules and locations, come hell or high water – literally.

This session will provide valuable tactical and operational lessons and strategic concepts not just for mass public event organisers but for Business Management in general, BCP & Business Process practitioners, and the Security and Risk professions as a whole.

10:30 - 10:50 Morning Coffee

10:50 8A: Practical Implementation of SABSA Traceability Speaker(s): Andreas Dannert

Andreas Dannert

Enterprise Security Architect, Deloitte (Australia)

Andreas is an Enterprise Security Architect in Deloitte’s Cyber Risk Advisory Services line with over 25 years of experience in IT and security consulting. He has worked on defining the security architectures and models for various global organisations across industries and locations. In addition to his work at Deloitte, Andreas is a long-standing member of the ISACA Melbourne Chapter board, where he has held various positions as director and president.

While some organisations understand and can articulate their information security requirements, the less mature ones just ask for compliance with some of the major security control frameworks like ISO27001/2, NIST, PCI and any locally applicable policy and/or standard. As security architects we need to deal with these organisations as with any other client, i.e. turn that request into a meaningful solution.

The problem here is not to design and implement a solution in line with these control frameworks, but to consolidate them and define a security architecture that can be actively managed as the organisation matures and requirements, most likely, change. This requires a well-structured approach to integrating control frameworks that often just refer to each other, and to turning them into meaningful designs without losing sight of risks and opportunities as part of the greater plan.

This session is based on a governmental agency that wants to do the right thing by its citizens, but also politically needs to justify what it is doing, i.e. provide traceability from requirements to implementation.

At the end of this session participants should have an idea of how they can tackle the issue of “security framework overload” by applying some simple techniques of security controls management and security architecture design documentation management.

The key takeaway from this session will be that applying some thinking of how to manage requirements, how to document and how to provide traceability can set the foundation of a more manageable security architecture design.

In the spirit of COSAC, this session is designed to be interactive and allows participants to share what their experiences were in similar scenarios before we will look at what happened in the real world case study this presentation is based on. This session will provide attendees with an insight into some issues that were encountered when developing a solution security architecture with the intention of providing a more structured approach of delivering security architecture.

10:50 8B: The Journey to Artificial Intelligence, and its Continuum Speaker(s): MZ Omarjee

MZ Omarjee

Enterprise Security Architect, Standard Bank (South Africa)

Muhammed Zubair (Mz) Omarjee is an Enterprise Security Architect within the Group IT Plan function of Standard Bank Group South Africa. He is instrumental in defining the security technology strategy and plays a pivotal role in shaping the information security practice as a transformative, business-driven and risk-oriented discipline.

Advances in technology have made artificial intelligence (AI) a reality. This session will provide a cursory overview of artificial intelligence, explaining what AI is through its various dimensions, its types and the categories of its applications. The session will briefly cover some use cases as well as some considerations in selecting the relevant AI solution approach.

12:00 9A: SABSA in Law Enforcement & Border Protection Speaker(s): Paul Blowers

Paul Blowers

CISO & Director, New Zealand Police & Hi-Spec Security (New Zealand)

Paul Blowers has more than 30 years’ experience in the Intelligence, Law Enforcement, Defence and Border Security environments and almost 10 as a SABSA® practitioner. He has spent the last 14 years in New Zealand, having previously worked in the USA, the UK and mainland Europe. Currently head of security for New Zealand Police, he also runs his own small company, Hi-Spec Security Limited, providing high-end consultation services.

On the 6th November 2014, Phillip John Smith left New Zealand on an aircraft bound for Santiago in South America. He had a ticket for onward travel to Rio de Janeiro in Brazil. 

Mr. Smith passed unimpeded through immigration and security checks at Auckland International Airport. He carried a New Zealand passport that had been issued 16 months earlier in his birth name.

Phillip John Smith-Traynor as he has since become notoriously known is a convicted prisoner, sex offender and murderer. He evaded authorities by exploiting loopholes in the NZ identity management legislation, justice sector and ineffective border protection agency practices.

My presentation will demonstrate how I approached my Masters thesis to develop a solution that incorporates most aspects of the SABSA® matrix including the Operational Security Architecture.

It highlights the challenges faced by the Justice Sector and Border Protection Agencies, multi-government sector collaboration, legislative changes, individual business identity management programmes, strategy direction, policy changes and the potential for identity management technology transformation.

As part of my presentation I will present a prototype web-based application that has been developed in support of my Masters thesis and adapted to enable the semi-automation of the SABSA® Risk Assessment Method. 

12:00 9B: Making SABSA Stick: Business Analysis & Stakeholder Engagement Speaker(s): Victoria Czaplewski

Victoria Czaplewski

Change Management Consultant, David Lynas Consulting (USA)

Victoria Czaplewski, principal of Kalixity, LLC & Change Management Consultant for DLC, combines expertise in Organizational Change Management and Enterprise Business Analysis to assess and navigate the impacts of change and address consequences to culture, policy, processes, operations and organizational structures. She recognizes change as a prime opportunity to engage stakeholders in meaningful dialogue about the future state and to assess alignment to vision & mission. 

How Business Analysis and Stakeholder Engagement can help embed SABSA into the organizational culture.

Successful adoption of a business-driven enterprise security architecture doesn’t just happen. Embedding a sustainable security approach depends on an organizational mindset that’s sold on the business value of the SABSA methodology – and willing, ready and able to embrace the cultural change required to make it happen. Achieving the right balance of business, technical and behavioral readiness requires an interdisciplinary strategy that starts with the guerrilla infusion of Business Attributes Profiling capability into the organization.

This session proposes that Security professionals drive Business Attributes Profiling techniques into the hands – and minds – of the Business Analyst community within their organizations.

As our shoulder-to-shoulder allies, Business Analysts already share our interest in forging business solutions. They join us on the front line in requirements engineering and in interaction with our stakeholders. The benefits of adopting Business Attributes Profiling are proven in the context of enterprise security and become evident in application to any project or strategy in focus for Business Analysis.

The challenge lies in the change.

In addition to convincing our BA colleagues of the benefits of Business Attributes Profiling, we must also equip them to take it into the organization as a standard practice. Shifting away from “the way things have always been done around here” requires:

-Aligning SABSA methods to standard Business Analysis practices

-Identifying and engaging relevant stakeholders

-Analyzing the impacts of change

-Assessing organizational change readiness 

-Developing effective messaging

Through demonstration and discussion, we’ll explore how to engage our Business Analysis stakeholders as partners in establishing SABSA as a way of life.

13:00 - 14:00 Lunch

14:00 10A: Selecting, Aligning & Effectively Using Compliance & Control Frameworks Speaker(s): Jason Kobes, William Schultz

Jason Kobes

Principal Cyber Architect, Northrop Grumman (USA)

Jason Kobes works as a Principal Cyber Architect & Research Scientist in Washington, DC for Northrop Grumman Corporation. Jason has over 20 years of experience concentrated in information systems design analytics, business/mission security architecture, enterprise risk management, information assurance research, and business consulting. Jason has a Master's of Science in Information Assurance (MSIA) and a Bachelor's of Science in Computer Science from Iowa State University. 

William Schultz

Principal Security Architect, Vanderbilt University Medical Centre (USA)

Bill Schultz is a security architect who has worked in the Information Technology field for over 14 years, with a focus on Enterprise Architecture, Security Architecture, Risk Management & Compliance. Bill has built security programs and risk management programs, and developed strategic architectures and technical system architectures. Bill has led risk management & security architecture initiatives to build secure systems that comply with Federal, Healthcare, or PCI Standards.

Security programs are constantly challenged to adapt flexibly to organizational change and maintain compliance with regulatory requirements, while actively defending against an ever-changing array of IT threats. Leveraging existing frameworks or methodologies such as NIST or HITRUST allows organizations to take advantage of work already done to address common security concerns, but these need to be integrated in a way that allows the organization to customize information security frameworks to its risk appetite. It can be challenging to identify which frameworks are most appropriate and where and when to apply them; however, this is a key component of a security architect’s role.

This session will look at an organization that is leveraging SABSA architecture to do this and how it is addressing compliance requirements applicable to healthcare organizations (HIPAA, FISMA and PCI), will review some common security control frameworks, models and methodologies that are being leveraged (NIST, HITRUST), and look at the risk management frameworks (SABSA, NIST, FAIR) that can be leveraged to efficiently address compliance challenges. We will explore how these frameworks, models and methodologies overlap and complement each other, and how they can be practically integrated. Since there is a drastic difference between understanding a model and applying it, we will present several use cases and practical examples explaining how we have used these models, the lessons we have learned, and the challenges that remain.
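Sessions 8A and 10A both turn on the same mechanic: internally owned controls that cross-reference several external frameworks, trace upward to the requirements that justify them and downward to the mechanisms that implement them. The following is an added worked example in Python, not material from the COSAC page or from either speaker. The requirements, controls, framework clause identifiers and mechanisms are constructed placeholders for illustration, not verified quotations from ISO 27001, NIST SP 800-53 or PCI DSS.

```python
"""Requirement-to-control traceability across overlapping control frameworks.

Added example, not from the COSAC page or any speaker's material. All
identifiers, clause numbers and mechanisms below are constructed.
"""
from dataclasses import dataclass, field


@dataclass
class Control:
    """One internally owned control; refs cross-reference the external frameworks it satisfies."""
    cid: str
    statement: str
    refs: dict = field(default_factory=dict)        # framework name -> clause/control id (placeholders)
    mechanisms: list = field(default_factory=list)  # physical mechanisms implementing it


@dataclass
class Requirement:
    """A business or security requirement traced to the internal controls that satisfy it."""
    rid: str
    text: str
    controls: list = field(default_factory=list)    # control ids


# Constructed sample data: one internal control can carry references to several frameworks,
# which is what lets a single design answer ISO, PCI and NIST questions at once.
CONTROLS = {
    "C-ACC-01": Control("C-ACC-01", "Unique user IDs; shared accounts prohibited",
                        {"ISO27001": "A.9.2.1", "PCI-DSS": "8.1", "NIST-800-53": "IA-2"},
                        ["IdP user provisioning workflow"]),
    "C-ACC-02": Control("C-ACC-02", "MFA for all remote administrative access",
                        {"PCI-DSS": "8.3", "NIST-800-53": "IA-2(1)"},
                        ["VPN gateway MFA policy"]),
    "C-LOG-01": Control("C-LOG-01", "Security events centrally logged and retained 12 months",
                        {"ISO27001": "A.12.4.1", "PCI-DSS": "10.7"},
                        []),                                   # designed, not yet implemented
    "C-CRY-01": Control("C-CRY-01", "Citizen data encrypted at rest",
                        {"ISO27001": "A.10.1.1"},
                        ["Database TDE", "Encrypted object storage"]),
    "C-NET-01": Control("C-NET-01", "Network segmentation between zones",
                        {"PCI-DSS": "1.3"},
                        ["Firewall zone policy"]),             # no requirement asks for this
}

REQUIREMENTS = [
    Requirement("R-01", "Only identified individuals may act on citizen records", ["C-ACC-01", "C-ACC-02"]),
    Requirement("R-02", "Administrative actions must be attributable after the fact", ["C-ACC-01", "C-LOG-01"]),
    Requirement("R-03", "Citizen data must be unreadable if storage media is lost", ["C-CRY-01"]),
    Requirement("R-04", "Third-party access must be time-bounded", []),   # no control yet
]


def trace(rid, requirements=REQUIREMENTS, controls=CONTROLS):
    """Walk one requirement down to framework references and implementing mechanisms."""
    req = next(r for r in requirements if r.rid == rid)
    return {
        "requirement": req.text,
        "controls": {
            cid: {"refs": controls[cid].refs, "mechanisms": controls[cid].mechanisms}
            for cid in req.controls
        },
    }


def gaps(requirements=REQUIREMENTS, controls=CONTROLS):
    """The three breaks in the chain that both auditors and architects ask about."""
    used = {cid for r in requirements for cid in r.controls}
    findings = []
    for r in requirements:
        if not r.controls:
            findings.append(("UNSATISFIED_REQUIREMENT", r.rid))
    for c in controls.values():
        if not c.mechanisms:
            findings.append(("UNIMPLEMENTED_CONTROL", c.cid))
        if c.cid not in used:
            findings.append(("ORPHAN_CONTROL", c.cid))       # cost with no business justification
    return findings


def framework_coverage(controls=CONTROLS):
    """Invert the mapping: framework clause -> internal controls, so a framework question
    resolves to the one internal design rather than to a per-framework duplicate."""
    coverage = {}
    for c in controls.values():
        for framework, clause in c.refs.items():
            coverage.setdefault(f"{framework} {clause}", []).append(c.cid)
    return coverage


if __name__ == "__main__":
    for finding in gaps():
        print(*finding)
    print(trace("R-03"))
    print(framework_coverage())
```

Running gaps() on the constructed data reports R-04 as a requirement with no control, C-LOG-01 as designed but unimplemented, and C-NET-01 as an orphan that no requirement justifies; framework_coverage() is the view to hand to whoever asks "where is PCI DSS 8.1", and trace() is the justification chain from requirement to mechanism.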

14:00 10B: Attribute Function Deployment - Structuring Business Attribute Deployment Speaker(s): John Czaplewski

John Czaplewski

Director, David Lynas Consulting (USA)

John Czaplewski is a Director at David Lynas Consulting and the lead SABSA Instructor for North America. John has over 15 years’ experience in providing security program, risk management and security assessment services to international enterprises and US Federal Agencies, and currently leads David Lynas Consulting’s consulting practice. John also sits on the SABSA Institute’s Board of Trustees.

Structuring Business Attribute Development and Deployment with AFD – Attribute Function Deployment

The SABSA Methodology transforms enterprise requirements, goals, and objectives into Business Attributes that form the deep core of an enterprise security architecture. AFD – Attribute Function Deployment – is a proposed method for structured development of Business Attributes and their deployment into the enterprise security architecture, based on Quality Function Deployment (QFD), an established method for product planning and development that supports systematically translating customer wants and needs into products or services that satisfy.

AFD adapts QFD to support the use of SABSA’s Business Attributes through all phases of the SABSA Life Cycle by integrating matrix-driven models and quality control techniques into a structured process for traceably translating and transforming enterprise requirements into business drivers for security, business attributes, logical security services, physical security mechanisms, and security service management activities.

In addition, AFD provides practical support for:

-Structuring captured information to enable analysis

-Analyzing information

-Prioritizing analysis inputs and outputs

-Correlating inter-element analysis to identify positive and negative associations

-Identifying and resolving conflicts

-Documenting, organizing, and using the results of analysis

-Communicating with stakeholders

-Developing consensus

AFD can be extended to integrate its core workflow stages with supporting and supported SABSA processes and models:

-Risk Assessment

-Risk Enablement

-Control and Enablement Objectives

-Multi-tiered Control Strategy

-Governance Model

-Extended RACI

The session will demonstrate AFD in action to deliver key SABSA Foundation Course IBFS Business Case-driven workshop objectives.
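The AFD abstract above describes matrix-driven prioritisation and correlation of Business Attributes against the security services that realise them. The following is an added worked example in Python, not material from the COSAC page or from the speaker’s AFD method; it applies the standard QFD “house of quality” arithmetic (the conventional 9/3/1 relationship scale, importance-weighted column totals and a correlation “roof”) to constructed SABSA-style inputs. The attribute names, importance weights, relationship scores and correlations are illustrative assumptions.

```python
"""QFD-style prioritisation of logical security services from weighted Business Attributes.

Added example, not from the COSAC page or the speaker's AFD material. Attributes,
weights, relationship strengths and correlations are constructed for illustration.
"""

STRONG, MEDIUM, WEAK = 9, 3, 1   # conventional QFD relationship scale; 0 = no relationship

# Business Attributes (rows) with stakeholder-assigned importance on a 1-5 scale. Constructed.
ATTRIBUTES = {
    "Confidential": 5,
    "Available": 4,
    "Auditable": 3,
    "Usable": 4,
}

# Candidate logical security services (columns). Constructed.
SERVICES = ["Strong Authentication", "Encryption at Rest", "Central Logging", "Self-Service Access"]

# Relationship matrix: how strongly each service contributes to each attribute. Constructed.
RELATIONS = {
    "Confidential": {"Strong Authentication": STRONG, "Encryption at Rest": STRONG, "Central Logging": WEAK},
    "Available":    {"Strong Authentication": WEAK, "Self-Service Access": MEDIUM},
    "Auditable":    {"Strong Authentication": MEDIUM, "Central Logging": STRONG, "Self-Service Access": WEAK},
    "Usable":       {"Self-Service Access": STRONG},
}

# The 'roof': pairwise correlation between services, +1 reinforcing, -1 in tension. Constructed.
CORRELATIONS = {
    frozenset({"Strong Authentication", "Self-Service Access"}): -1,
    frozenset({"Strong Authentication", "Central Logging"}): +1,
}


def service_priorities(attributes=ATTRIBUTES, relations=RELATIONS, services=SERVICES):
    """Absolute priority of each service = sum over attributes of importance x relationship;
    relative priority = share of the grand total, rounded to 3 places."""
    absolute = {
        s: sum(attributes[a] * relations[a].get(s, 0) for a in attributes)
        for s in services
    }
    total = sum(absolute.values())
    relative = {s: round(v / total, 3) for s, v in absolute.items()}
    return absolute, relative


def ranked(priorities):
    """Services ordered from highest to lowest absolute priority."""
    absolute, _ = priorities
    return sorted(absolute, key=absolute.get, reverse=True)


def conflicts(priorities, correlations=CORRELATIONS, min_share=0.1):
    """Pairs that are both material (share >= min_share) and negatively correlated:
    the matrix cannot resolve these, a design decision has to."""
    _, relative = priorities
    found = []
    for pair, sign in correlations.items():
        if sign < 0 and all(relative[s] >= min_share for s in pair):
            found.append(tuple(sorted(pair)))
    return sorted(found)


if __name__ == "__main__":
    prio = service_priorities()
    for service in ranked(prio):
        print(f"{service:22s} {prio[0][service]:4d} {prio[1][service]:.3f}")
    print("conflicts:", conflicts(prio))
```

With the constructed inputs, Strong Authentication ranks first (58 of 186 points) and Self-Service Access second (51), and the roof flags that pair as negatively correlated: both matter to stakeholders, so the architecture has to reconcile them (for instance by risk-based step-up authentication) rather than silently trading one off against the other.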

15:10 11A: Show Me the Controls! Speaker(s): Peter Nikitser

Peter Nikitser

Director, ALC Cyber Security (Australia)

Peter Nikitser is in his 30th year of IT, most of which has been spent in information security. He is a co-founding member of both AusCERT and SL-CERT. When he is not travelling teaching students or consulting, Peter spends time renovating his acreage, and can tell you all about lantana.

What happens when Cuba Gooding Jr meets a SABSA/TOGAF alignment consultancy?

As security professionals, we have most likely experienced client engagements where we have had to manage both scope and expectations. Whilst working for one of the big four consulting firms, we responded to an open tender asking for help with designing a security architecture framework based on SABSA for a Queensland state government agency, the duration of which was not to exceed six weeks.

Fair enough, sounds reasonable and straight-forward, and we were more than happy to help them spend their end-of-year budget.

The response was sent to the client outlining the approach, highlighting any constraints and assumptions in our response and expectations of the client in arranging timely meetings with key stakeholders.

During the first week of the engagement, I asked for access to key stakeholders or their delegates, and was told that was not possible. It soon became apparent that I had stumbled across a long-standing cultural and political issue, and that I was not going to get an audience with key stakeholders or their delegates. Furthermore, the intent of the engagement started off with a desire to apply SABSA to the entire organisation, yet I uncovered they had already made an investment in TOGAF, which they neglected to mention in their RFP.

Where this engagement led to next, and the approach I had to take in order to manage their expectations, is what you will have to hear for yourself.

The presentation will demonstrate examples of the artefacts I produced, the adjustments that had to be made in order to accommodate the scope creep, and how I turned the engagement around to deliver a top-down meets bottom-up approach. And yes, I showed them some controls too …

15:10 11B: Securing Agile the SABSA Way Speaker(s): Malcolm Shore

Malcolm Shore

Cyber Security Officer, Huawei (Australia)

Dr Shore completed a BSc in Computer Science at the University of London before emigrating to New Zealand, where he held positions with the RNZAF and the Government Communications Security Bureau before completing his PhD at Otago University. He has held Head of Security positions in both Telecom New Zealand and NBN Co, where he was responsible for satisfying compliance with the Australian Protective Security Policy Framework. Malcolm was also the Technical Director for BAE Systems Australia.

The analysis, design and delivery of software has changed fundamentally in the last few years, with flowcharts and specification documents giving way to user stories and post-it notes. This seems fundamentally opposed to the more structured architected waterfall approach that typified early software efforts. However, experience with agile has shown it can deliver results early and produce software that fits closely to user needs, outcomes that were becoming increasingly difficult to achieve with the waterfall approach to software development.

There are two agile methodologies currently in play: Scrum and Kanban. These are quite different approaches to making software development agile and many development shops deploy a combination of both – Scrum providing the sprint culture and Kanban the post-it notes. A culture of Extreme Programming – XP – is also often woven into agile deployments.

Agile development is a cultural approach to software delivery which has a number of fundamental implications for security. As a business solution delivery approach which is designed to “fail fast, fix quickly”, it relies upon user identification of functional mismatches. There is little chance that the same approach will identify anything other than very large security holes – the subtle ones will likely go unnoticed. Security has also developed in a strong waterfall manner, with assurance testing and accreditation against recognised standards being a common approach to delivering security assurance. This approach does not work in an agile shop.

This presentation addresses the new paradigm of agile security, in which the approach to security assurance aligns with the cadence of agile delivery. Concepts such as continuous security integration and testing can be effective alternatives to waterfall security, and security guard rails provide the cultural alignment necessary to remove security blocks and ensure security is an effective partner in agile delivery. SABSA provides the agile architectural approach which brings these and other tactics together into a strategic solution for building an agile security program.
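The abstract above names continuous security integration and testing and security guard rails as the tactics that keep security inside the cadence of agile delivery. The following is an added worked example in Python, not material from the COSAC page or from the speaker; it shows what a guard rail looks like as code: a handful of fast, unambiguous checks that run on every commit and fail the pipeline only on the findings the team has agreed are non-negotiable, leaving subtler issues to the security partner. The sample repository snapshot, the rules and their severities are constructed assumptions; the key-ID pattern is the well-known AKIA prefix plus 16 characters, and the sample value is AWS’s published example key, not a real credential.

```python
"""Security guard rails as a CI gate.

Added example, not from the COSAC page or the speaker's material. The repository
snapshot, rules and severities are constructed for illustration.
"""
import re
import sys

BLOCK, WARN = "block", "warn"   # block fails the pipeline; warn is reported and tracked

# Constructed snapshot of a repository: path -> file contents.
SAMPLE_REPO = {
    "Dockerfile": (
        "FROM python:3.12-slim\n"
        "COPY . /app\n"
        "RUN pip install -r /app/requirements.txt\n"
        'CMD ["python", "/app/main.py"]\n'          # no USER instruction: runs as root
    ),
    "settings.py": "DEBUG = True\nAWS_ACCESS_KEY_ID = 'AKIAIOSFODNN7EXAMPLE'\n",  # AWS doc example key
    "app/main.py": "print('hello')\n",
}

AWS_KEY_ID = re.compile(r"\bAKIA[0-9A-Z]{16}\b")   # shape of an AWS access key ID


def check_dockerfile(path, text):
    """Block containers that never drop root: the last USER instruction must be a non-root user."""
    if not path.endswith("Dockerfile"):
        return []
    users = []
    for line in text.splitlines():
        parts = line.split()
        if parts and parts[0].upper() == "USER" and len(parts) > 1:
            users.append(parts[1])
    if not users or users[-1] in ("root", "0"):
        return [(BLOCK, path, "container runs as root: add a non-root USER instruction")]
    return []


def check_secrets(path, text):
    """Block committed AWS access key IDs; report the line so the author can fix it quickly."""
    return [(BLOCK, path, f"AWS access key ID committed at line {n}")
            for n, line in enumerate(text.splitlines(), 1) if AWS_KEY_ID.search(line)]


def check_debug(path, text):
    """Warn on a debug flag left on; not blocking, because production config may override it."""
    if re.search(r"^\s*DEBUG\s*=\s*True\b", text, re.M):
        return [(WARN, path, "DEBUG = True; confirm production configuration overrides it")]
    return []


RULES = [check_dockerfile, check_secrets, check_debug]


def run_guard_rails(repo):
    """Apply every rule to every file; returns (severity, path, message) tuples."""
    findings = []
    for path, text in repo.items():
        for rule in RULES:
            findings.extend(rule(path, text))
    return findings


def gate(findings):
    """Pipeline exit status: 1 if any blocking finding, else 0."""
    return 1 if any(sev == BLOCK for sev, _, _ in findings) else 0


if __name__ == "__main__":
    results = run_guard_rails(SAMPLE_REPO)
    for sev, path, msg in results:
        print(f"[{sev}] {path}: {msg}")
    sys.exit(gate(results))
```

Against the constructed snapshot the gate fails on two blocking findings (root container, committed key) and records one warning; add a USER instruction and remove the key and the same checks pass, which is the point of a guard rail: the feedback arrives in the sprint, in the developer’s own tooling, rather than at an accreditation review months later.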

16:10 - 16:30 Afternoon Coffee

16:30 12A: How to Write a Great SABSA Advanced Exam Answer Speaker(s): Chris Blunt

Chris Blunt

Director, Consulting Partner, Axenic (New Zealand)

Chris is a Consulting Partner at Axenic Ltd, a specialist independent information security and privacy consultancy he co-founded in 2009. He has over 22 years of experience in the ICT industry, specialising in security and privacy for the last 11 years. He is an exponent of business-driven security and is passionate about delivering pragmatic advice that enables his clients to achieve their business goals and objectives. He is also a committee member for BSides Wellington.

Are you planning to sit a SABSA Advanced course? Or have you recently attended a course but haven’t yet written and submitted your exam answers? Then this is a session you can’t afford to miss!

During this interactive session we will explore and discuss a range of strategies for writing a great SABSA Advanced exam answer using model exam questions to show how to:

-evaluate the question to ensure you know what is being asked of you;

-use a hypothetical or real-world case study to frame your answer;

-plan and structure your answer to ensure that you cover each area of the question;

-assess the competency verbs in the question to ensure that you understand them and can meet them; and

-effectively present the application of your chosen combination of SABSA methodologies, techniques and approaches.

The presenter has scored 91%+ in their Advanced exams, and is a SABSA Chartered Architect Master (SCM) and a marker of Advanced exam papers.

The goal of the session is to provide the participants with a set of tools they can use to write great answers for their SABSA Advanced exams!

16:30 12B: Smart Transport Security Speaker(s): Malcolm Shore

Malcolm Shore

Cyber Security Officer, Huawei (Australia)

Dr Shore completed a BSc in Computer Science at the University of London before emigrating to New Zealand, where he held positions with the RNZAF and the Government Communications Security Bureau before completing his PhD at Otago University. He has held Head of Security positions in both Telecom New Zealand and NBN Co, where he was responsible for satisfying compliance with the Australian Protective Security Policy Framework. Malcolm was also the Technical Director for BAE Systems Australia.

The impact of the internet on society to date has been substantial, and with the ubiquitous connectivity of the Internet of Things, the impact will be even more significant. Two of the key areas of risk in this area are security and privacy. Early IoT architectures are giving way to innovative technologies such as network edge, or fog, and cloud based IoT core management and applications are being promoted. However, the security required to support these technologies is typically missing from the proposed solutions. This presentation looks at the architecture of smart transport security, with a particular focus on digital rail solutions. The business goals of interconnected digital rail systems are explored, and the conceptual architecture is developed. This is then mapped onto a typical LTE wireless digital rail solution and, taking contemporary cybersecurity threats into account, a cybersecure digital rail architecture is proposed for application in the modern smart transport sector.

Plenary Session

17:40 13P: COSAC Rump Session Speaker(s): David Lynas

David Lynas

Chairman, COSAC (Northern Ireland)

David Lynas is currently enjoying his thirty-fifth year of experience in Information Security, during which he has been invited to provide strategic advice to governments and industry clients on every continent. A globally renowned Enterprise Security Architect, Security Strategist and Thought-Leader, he is the co-author of SABSA (the world’s leading free-use, open-source Security Architecture Methodology), CEO of the SABSA Institute and CEO of David Lynas Consulting.

The COSAC "rump" has for many years been a hugely popular closing session to COSAC and the SABSA World Congress. Now making its debut in APAC, it is an informal rapid-fire session in which participants give very short presentations on recent results, work in progress, and any other topic of interest to the COSAC community.

Presentations may be purely technical, entirely management oriented in nature, or of any combination of approaches or perspectives. Those wishing to give a talk at the rump session must submit a short abstract, no more than one page long, according to one of the following procedures:

-Electronic submission: Send email to the rump session chair David Lynas at [email protected] before 10AM Friday, December 1.

-Hardcopy submission at conference: Hand the submission to David Lynas at the conference before noon on Wednesday 6 December.

Submissions should include a requested amount of time for the presentation. An anticipated absolute maximum of four minutes will be allocated for each presentation.

Dinner & Networking

18:45 Drinks Reception
19:30 Dinner