ISSA-Sacramento

NISS 2005


2005 NorCal Information Systems
Security Symposium

Abstracts & Speaker Bios

Day 1: 07:30 AM - 08:15 AM
Registration & Continental Breakfast

Presentation Abstract:
Breakfast will be provided in the Union Hall lobby.

Speaker Bio:
TBA


Day 1: 08:15 AM - 08:30 AM
Symposium Introduction
Dean Hipwell, President - ISSA Sacramento

Presentation Abstract:
Welcome and overview of the day's events.

Speaker Bio:
President, ISSA Sacramento Valley Chapter.


Day 1: 08:30 AM - 09:15 AM
True Intrusion Prevention - Protecting Against Threats From All Vectors, At All Times
Martin Roesch, CTO & Founder of Sourcefire and Author of Snort - Sourcefire

Presentation Abstract:
First-generation Intrusion Prevention Systems (IPS) have failed to solve today’s threat problem - breaches are occurring at an ever-increasing rate, damaging organizations’ reputations and costing revenue. Standalone IPS only protect against intrusions coming from the perimeter, and only during the time of the attack. Today’s blended threats require blended security systems that have more remediative options. Martin Roesch will discuss how the combination of endpoint, threat and network intelligence provides true intrusion prevention by defending networks against all threats from all vectors, all the time - before, during and after an attack.

Speaker Bio:
Martin Roesch founded Sourcefire in 2001 and serves as CTO. A respected authority on intrusion prevention & detection technology and forensics, he is responsible for the technical direction and product development efforts. Martin, who has 14 years’ industry experience in network security and embedded systems engineering, is also the author and lead developer of the Snort® Intrusion Protection and Detection System that forms the foundation for the Sourcefire product suite.

For more about Sourcefire, please visit www.sourcefire.com


Day 1: 09:30 AM - 10:45 AM
Competing for Dollars... Making the Case for Security Investments
Jack Orlove, Cyber Communication - and Steve Ruhnau, Hubbert Consulting

Presentation Abstract:
As a result of their collaboration, Jack and Steve present strategies, methods, and tools that allow Security Management Professionals to translate security needs into a currency that executive leadership and financial controllers can understand and believe. This approach elevates the credibility of security management professionals to effectively compete for an organization's limited budgets. This approach also results in the implementation of security safeguards that have been stranded for years... finally providing essential protection of key information assets.

Speaker Bio:
Jack is VP of Professional Services for CyberCommunication.com, providing industry expertise in the disciplines of Cyber Security, Business Continuity, Disaster Recovery Planning, Project Management, Web Development, IT Consulting, Telecom, Systems Integration, Communications and Network Consolidation. He is currently the HIPAA Security Project Manager for the State of California Dept. of Human Services (CDHS) Office of HIPAA Compliance (OHC).

Jack Orlove is the VP of Cyber Communication Inc. in Sacramento, California. Jack joined Cyber Communication in October of 2002 and through his 27 years of experience in Networking, Computers and Business brings a well-rounded view of Security and Business Continuity to the company. He has nine years working for such OEMs as Digital Equipment and Fore Systems. Jack has also supported the major American military commands in Europe, Central America, the Middle East and in the US. Rounding out Jack’s experience is 14 years with Verizon as a technical engineer, sales engineer and as a manager. Jack Orlove was 1993 class valedictorian for his MBA at Nova University and holds a CISSP, CISM, CBCP, CERT and various vendor certifications. He is a former president of ASAP (the Association of Sacramento Area Planners) and a director of ISSA-Sacramento.

Steve Ruhnau is Principal Consultant and Practice Director for Hubbert Systems Consulting, a local firm focused on the business of health care.

Steve has developed a career of experiences that are wide ranging... both in business functions (e.g., Product & Systems Development, Business Development, Sales, Project & Program Management) and organizations (e.g., Fortune 100 companies, international collaborations, a broad range of public sector organizations and programs). Steve has recently combined these abilities with his experiences in risk management to create a Health Care Security Management Practice in collaboration with domain experts such as Jack Orlove and Cyber Communication.


Day 1: 09:30 AM - 10:45 AM
Using Identity to Overcome the Access Control Problem
Marco Murgia - Caymas Systems

Presentation Abstract:
The issue of authorizing secure and appropriate levels of access for all users -- remote, internal, employee and third party -- is being addressed, in part, by the Network Access Control initiatives that have been launched on many fronts. However, once network access has been granted, most organizations still cannot answer the following questions: Who is the user? Where can he go? What did he do? Is he behaving? That’s because today’s corporate networks are designed to protect sensitive resources, rather than to connect the right user to the right resource. To gain control over what authorized users can and can’t do, companies need to begin leveraging particular user, application, device and web service profiles, based on identity. Policy tied to the identity of users is mobile, with all behavior traceable back to the user rather than an IP or network address. It is the same regardless of device or location. This information is extremely important not only for security, but for creating an audit trail for liability purposes.

1. When you leave my session you will have learned about several specific security issues commonly caused by authorized constituents within your company’s ecosystem.

2. When you leave my session you will understand how new techniques are being applied to address the access control problem.

3. When you leave my session you will have a better understanding of how to develop a comprehensive access control strategy for internal, external and remote users.

Speaker Bio:
Marco Murgia, Chief Technical Resource
Caymas Systems

Marco Murgia was most recently Senior Director of Engineering and Architecture for Silvan Networks, responsible for overall product architecture, design and implementation. Silvan developed and delivered a Peer to Peer Content Networking platform using distributed routing protocols. Prior to Silvan, he was Director of New Technology for Fibercycle Networks (FCN), a pioneering company in Internet Content Acceleration servers, and was the Systems Architect for the Systems and Deployment Engineering Group at Webvan, having overall responsibility for the design of the network and systems architecture used to run the 10-city Webvan service. Mr. Murgia spent over 12 years of his professional career at Hewlett-Packard Corporation, starting as a software engineer in HP’s Unix networking group. His last position was as Architect for the Internet Infrastructure Division. Mr. Murgia has a BSEE from MIT and an MS in Engineering.


Day 1: 09:30 AM - 10:45 AM
Identity Theft - Nationally and within California.
Joanne McNabb - Chief of the California Office of Privacy Protection

Presentation Abstract:
This session covers California’s ID theft laws and the 2003 FACTA amendments to FCRA, and compares them with new legislation: SB 27 Information-Sharing Disclosure, AB 68 Online Privacy, and SB 1 Financial Information Privacy.

Speaker Bio:
Joanne McNabb heads the only state agency in the nation with a mission to protect consumer privacy. A resource and advocate on identity theft and other privacy issues, the Office provides information for consumers and issues privacy practice recommendations for organizations. McNabb is co-chair of the International Association of Privacy Professionals’ Government Working Group and a member of the Privacy Advisory Committee to the U.S. Department of Homeland Security. California is the first state to have an agency dedicated to promoting and protecting the privacy rights of consumers. Created by legislation enacted in 2000, the Office of Privacy Protection opened in 2001. The Office of Privacy Protection:

1. Assists individuals with identity theft and other privacy-related concerns.
2. Provides consumer education and information on privacy issues.
3. Coordinates with local, state and federal law enforcement on identity theft investigations.
4. Recommends policies and practices that protect individual privacy rights.


Day 1: 09:30 AM - 10:45 AM
The New Challenges of Business Continuity: From Malicious Code to the Pandemic
Cole Emerson - Director, KPMG LLC

Presentation Abstract:
The New Challenges of Business Continuity: From Malicious Code to the Pandemic

Speaker Bio:
Cole Emerson is a Director with KPMG’s Risk Advisory Practice. He is Western Region BCM Practice Leader. Cole has over 30 years’ experience in Business Continuity Management and holds the MBCP certification from DRII.


Day 1: 09:30 AM - 10:45 AM
Managing Network Security Assets
Lydell Wall - Sacramento Valley Hi-Tech Crimes Task Force

Presentation Abstract:
This presentation provides an overview of network security trends, including the technology and software developments available to network managers to keep their networks a safe and productive environment. We will address the growing concerns of internal access and how to prevent employee misuse while at the same time minimizing the vulnerability, exposure and liability of our network resources.

Speaker Bio:
Lydell Wall is a detective with the Stanislaus County Sheriff’s Department and is assigned to the High-Tech Crimes Task Force. Lydell is a computer analyst who specializes in network security and has been involved in the development of network application software to protect corporate interests.

For more about the Sacramento Valley Hi-Tech Crimes Task Force, please visit www.sachitechcops.org


Day 1: 09:30 AM - 10:45 AM
Digital Security Scenario Planning
Constance Beutel, Ed.D - University of San Francisco

Presentation Abstract:
This session provides security professionals with a deeper understanding of the strategic use of scenario planning for their organizations and enterprises, and presents some macro/Big Picture driving forces anticipated in the next five years that may be useful in the dynamic environment of information security.

  • Brief history and overview of Scenario Planning
  • The value of Scenario planning and thinking for security professionals
  • How Scenario Planning works - The Eight Step Scenario planning process
  • Emerging Driving Forces that will affect the world of Digital and Information Security

Speaker Bio:
Constance Beutel, Ed.D, Professor and Consultant
University of San Francisco.

With 30 years’ corporate service in telecommunications, Constance began her career in her hometown, St. Paul, Minnesota. She served five years active and three years reserve duty in the US Air Force and holds the Bronze Star and Meritorious Service Medal among other awards. Passionately committed to the education of colleagues and working professionals, she initiated higher education programs on Pacific Bell premises which graduated thousands of women and men with Bachelors and Masters degrees. Upon leaving the corporate sphere, she now works in higher education and continues to expand her contributions to the areas of teaching, higher education assessment and distance education/Internet and video delivery. She served as an Associate Professor and Associate Dean in Golden Gate University’s School of Technology. In these positions she developed and helped lead the development of many graduate programs in Digital Security, Enterprise and Network Systems. She continues to teach as an adjunct faculty member. She holds a BA from the University of Minnesota, MPA and MSSNM from Golden Gate University, and an Ed.D from the University of San Francisco. She is passionately committed to the advancement of women and the preservation and restoration of the environment. To support environmental issues, she is working in video documentary and the early stages of Internet video streaming. She serves the community in many capacities, from committees and Board participation to Emergency response.


Day 1: 09:30 AM - 10:45 AM
Juniper's Enterprise Infranet Vision and Unified Access Control
Troy Herrera - Juniper Networks

Presentation Abstract:
Juniper’s vision for the enterprise, with the Enterprise Infranet providing Use, Delivery, and Threat control, will be introduced and presented with Juniper’s newly announced Unified Access Control (UAC). UAC enhances security with granular access control across the enterprise and is supported with the Infranet Controller, Infranet Agent, and Infranet Enforcers. The benefits of upgrading existing firewalls to become Infranet Enforcers and the Enterprise Infranet vision will be demonstrated.

Speaker Bio:
Troy Herrera is a Sr. Field Solutions Manager in Americas Marketing at Juniper Networks. In this role Troy works with enterprise and service provider customers to leverage Juniper’s market leading products and solutions for solving today’s critical networking problems. Mr. Herrera received a BS degree in Electrical Engineering from the University of California at Santa Barbara and an MBA from Regis University, Denver, CO.


Day 1: 11:00 AM - 12:15 PM
Introduction to Identity and Access Management
J. Tony Goulding - Computer Associates

Presentation Abstract:
This session will provide the attendee who is unfamiliar with Identity & Access Management with an understanding of the main concepts and key focus areas for customers deploying such solutions today. Security has been a critical issue for organizations large and small in many industries for years. Performing security management functions such as adding, updating and deleting user identities has primarily been a manual process. With the explosion of e-business, the number of users and applications has grown exponentially, and information technology organizations have been forced to commit additional resources to meet the rapidly increasing user administration demands. With user populations fluctuating, and user communities expanding to include business partners, suppliers and customers, the need for an efficient way to manage user identities throughout their entire life cycle has never been more pressing. The deployment of an effective identity management solution to manage a user’s identity, credentials and access rights can help an organization address these challenges.

Speaker Bio:
J. Tony Goulding, Principal Security Consultant
Computer Associates

J. Tony Goulding is the Western Regional Principal Consultant for security at Computer Associates International. In this capacity, he focuses on evangelizing CA’s eTrust™ brand of security solutions and providing technical and business strategy to the regional sales force. Mr. Goulding consults in the areas of Identity, Access, Threat, and Security Information Management with a focus on role-based identity and authorization, directory infrastructures, regulatory compliance, authentication methods, and PKI.

In addition to his individual contributor roles, Mr. Goulding’s career has included a number of senior management positions in product marketing, professional services, pre-sales consulting and customer support. He has served as Practice Director for three Silicon Valley software security companies, managing P&L for Professional Services covering both North America and Europe. In this role, he led many teams responsible for design, development and implementation of enterprise-wide security solutions for Fortune 500 clients nationally and internationally. Mr. Goulding was also co-founder of a Silicon Valley company focused on building services practices and methodologies for companies specializing in security services and security software solutions. Educated in England and Wales, U.K., Mr. Goulding holds a Bachelor of Science degree with Honors in Mathematics. He is a CISSP- and ITIL-certified security professional with over 22 years of industry experience.


Day 1: 11:00 AM - 12:15 PM
Cloaking Strong Names in .NET
David C. Rice, CISSP - President, Tantric Security, LLC

Presentation Abstract:
The .NET Framework provides cryptographically strong names for .NET executables as an element of its security system. By altering an assembly's CLI header information, strong name verification can be disabled. Additionally, no binding exists between the CLI header information, the strong name signature block, and the public key; therefore, public key information can be replaced, allowing an assembly to impersonate (or cloak) an arbitrary publisher. This is a serious flaw in the .NET Framework security mechanism.

Speaker Bio:
David C. Rice, CISSP, President, TantricSecurity, LLC


Day 1: 11:00 AM - 12:15 PM
Can I Be Sued for Privacy Violation
Cris Navarro, J.D., County Compliance Officer, County of Butte - Brandi Periera, J.D., Paralegal, Napa County Counsel

Presentation Abstract:
Current law for information privacy is divided among several codes, each with its own concepts, constructs, vocabulary, and specific requirements, which are not always consistent, compatible, easy to locate or easy to reconcile. While California has more information privacy laws than any other state, the situation is greatly compounded by federal laws such as HIPAA and its Privacy and Security regulations. Under the complex legal preemption process designed to create a floor (rather than a ceiling) for privacy of information, an entity is sometimes required to follow state law, sometimes federal law, and sometimes both. This presentation will review how the construction of these laws affects business practices in State departments, counties, and the health care industry, and its impact on patients/consumers. This session will cover some of the problems believed to exist in the laws and seek consensus on those problems, as well as solicit input from the audience on how these problems may impact them.

Speaker Bio:
Cris Navarro, J.D., County Compliance Officer, County of Butte
and Brandi Periera, J.D., Paralegal, Napa County Counsel

Cris Navarro holds a Bachelor of Arts from the University of Bridgeport (1990) and a Juris Doctorate from the University of Miami, School of Law (1995). Prior to serving as a legal advisor and appellate attorney for various municipalities in Connecticut, Cris engaged in federal appellate work concerning the United States Sentencing Guidelines. Currently, she holds the position of Compliance Officer for the County of Butte.

Brandi Periera received her Bachelor of Arts in Criminal Justice at California State University Stanislaus in 1997. She continued her education by obtaining a Juris Doctorate at Santa Barbara College of Law in 2003. She currently holds a paralegal position with the Office of County Counsel in the County of Napa. She is becoming more familiar with Privacy and Compliance and hopes to transition into a privacy position in the future.


Day 1: 11:00 AM - 12:15 PM
The Jeanette MacDonald Syndrome of Disasters
Joshua Lichterman, PhD - President, Emergency Management Group

Presentation Abstract:
The Jeanette MacDonald Syndrome of Disasters: Imagining Total Devastation Diverts Our Attention from More Likely Events.

One of the most common assumptions in the Business Continuity Planning community is that by developing plans for the worst case scenario all smaller events are automatically assumed to be covered. This presentation will explore why this is a dangerous planning belief. Many business organizations have focused their planning on the big ticket disasters such as earthquakes, wild fires, floods, hurricanes, and terrorism. Yet they have not performed the necessary risk analysis to determine their vulnerabilities to loss of particular critical equipment components, utilities, raw materials, or human resources. Additionally, by assuming that only worst case events occur they may structure their response in ways that increase the likelihood of business interruption in moderate events due to evacuation requirements that should be reserved for large events.

Speaker Bio:
Joshua D. Lichterman, Ph.D. is the owner and President of the Emergency Management Group Inc. of Grass Valley, CA. He has been a Business Continuity Planner for more than 27 years and has worked with a variety of clients in both the public and private sectors. He has performed risk assessments and vulnerability analyses, developed business continuity plans, and developed and delivered related training and exercise programs. He developed the Preferred Evacuation Plan for the Transbay Tube for the Bay Area Rapid Transit District. He taught at the California Specialized Training Institute and the UC Berkeley Extension Certificate Program in Emergency Management. He started his career as a volunteer fire fighter. He chaired the Fire Assessment Commission in the City of Berkeley following the 1991 Berkeley-Oakland Hills Wild Fire. His clients have included: Neutrogena Corp., Chevron, Berkeley Unified School District, City of Berkeley, California Department of Rehabilitation, Genentech Corp., and other clients.


Day 1: 11:00 AM - 12:15 PM
Law Enforcement Volunteerism: Leveraging Public Resources to Enhance Public Safety
Geoff Winford, Sacramento Police Department - and Sergeant Bob Erickson, Sacramento Sheriff's Department

Presentation Abstract:
On January 29, 2002, President George Bush delivered his State of the Union address to the American people. During this address President Bush called on all Americans to donate 4000 hours during their lifetime to their communities. Sheriff Lou Blanas has responded by creating the Sacramento County Sheriff’s Citizen’s Corps Council, Medical Reserve Corps and Community Service Reserve Corps. These unique programs allow citizens from all walks of life the chance to contribute to the overall organized response to emergencies and disasters of all kinds and enhance the quality of life for all members of our community. Law enforcement volunteers perform service for a department without promise, expectation, or receipt of compensation for services rendered. They include interns, chaplains, reserve officers, Explorers, and persons providing administrative support, among others. Volunteer programs are as varied and diverse as law enforcement agencies, and each program is tailored to the needs and resources of the agency and its community; there are many successful examples.

Speaker Bio:
Geoff Winford, Sacramento Police Department (SPD)
and Sergeant Bob Erickson, Sacramento Sheriff’s Department (SSD)

Officer Geoff Winford is a 28-year veteran of the Sacramento Police Department. He is assigned to the Homeland Security/VIPS (Volunteers in Police Service) division. He currently works as the volunteer coordinator, overseeing the SPD's VIPS as well as coordinating with other arms of Homeland Security and FEMA volunteer programs through the Sacramento Region Citizens Corps Council (SRCCC). He is also a national instructor for IACP (International Association of Chiefs of Police) and President of LEVOC (Law Enforcement Volunteers of Ca.), a regional training team of coordinators who train over 400 volunteers a year in Ca.

Sergeant Bob Erickson is with the Sacramento Sheriff’s Department (SSD) and is a co-trainer with Officer Winford.

For more information about volunteering in the Sacramento region, please visit the following web sites:


Day 1: 11:00 AM - 12:15 PM
Hands-on Digital Security Scenario Planning (Cont.)
Constance Beutel, Ed.D - University of San Francisco

Presentation Abstract:
Hands-on Digital Security Scenario Planning (Cont.)

Speaker Bio:
Constance Beutel, Ed.D, Professor and Consultant
University of San Francisco.


Day 1: 11:00 AM - 12:15 PM
How Strong Authentication Gives You A Competitive Advantage
Paul Ardoin - Secure Computing Corporation

Presentation Abstract:
Many organizations treat security and compliance as a nuisance. They react to each security problem with a product or a patch. This presentation will discuss how to rethink your security strategy to actually attract, gain, and keep customers.

Speaker Bio:
Paul Ardoin manages product positioning and strategy for Secure Computing’s authentication products. He has over a decade of experience in network security and communications. He has written articles and given presentations on security strategy, regulation compliance, and authentication.


Day 1: 12:30 PM - 01:30 PM
Lunch in the Food Court or on your own

Presentation Abstract:
Lunch is available in the Union Hall food court.

Speaker Bio:
TBA


Day 1: 12:30 PM - 01:30 PM
Concrete and Software: The Foundation of Civilization
David C. Rice, CISSP - President, TantricSecurity, LLC, & SANS Instructor

Presentation Abstract:
If the Romans were as frivolous with their concrete as we are with our software, the Romans would never have had a Republic - or an Empire - to speak of. Software is the aggregate of the modern world and like concrete creates infrastructure for the transport and transaction of goods and services. Ironically, more stringent regulations exist for concrete than for computer programs, yet software is connecting more and more of our critical infrastructure. This is heinous. If $50 billion in lost productivity does not warrant re-evaluation of our software purchasing habits, then what does? This keynote address will change your outlook, your concepts, and your checkbook.

Speaker Bio:
David is President of TantricSecurity, LLC, a results-oriented consultancy located in Monterey, CA. The Department of Defense commends David for providing critical configuration and policy guidance on current and emerging technologies, aiding decision makers and protecting sensitive information systems worldwide. David is a nationally recognized security expert, a SANS Institute course author, instructor and editor, has developed and authored several security configuration guides and technical publications, and is adjunct faculty for James Madison University's Information Security Graduate Curriculum.

Prior to working for private enterprise, he dedicated a decade to military service, the majority of that time working on highly sensitive national security issues. David was a Global Network Vulnerability Analyst for the National Security Agency and holds numerous professional certifications.

For more about TantricSecurity, please visit www.tantricsecurity.com


Day 1: 01:45 PM - 03:00 PM
Case Study: Starting & Sustaining an Information Security Program
Jim Reiner - County of Sacramento

Presentation Abstract:
This presentation is a case study about starting & sustaining an Information Security Program. It is based on the humorous events that occurred while training the HIPAA workforce. Your security initiative will benefit directly from the lessons learned.

Speaker Bio:
Jim Reiner, Project Manager
County of Sacramento

Jim Reiner is project manager for implementing the HIPAA Security Rule for the County of Sacramento. Jim has developed many of the policies and training material for information security practices used in Sacramento County.


Day 1: 01:45 PM - 03:00 PM
Learn About The Latest Internet Threats You Face Today
Dan Goldstein and Charles Neri - Websense

Presentation Abstract:
Explore the latest and greatest Websense technologies in web filtering, web security and endpoint security. Your attendance will provide a forum to learn about and discuss the latest internet threats that you face today and provide you with a better understanding of how to protect your organization. Learn about the latest threats you face today!

Speaker Bio:
Dan Goldstein, Field Systems Engineer,
and Charles Neri, Territory Manager, Websense.

Dan Goldstein is the former Director of Security Engineering Services for a Managed Security Provider and ISP, and is the former head of Systems Engineering for Zone Labs. Dan brings over 17 years’ experience in IT, almost entirely in the defense and information security sectors. At Websense, Dan deploys Websense at government and enterprise accounts, provides engineering certification training, and delights in presenting the Websense technical story wherever he can!

Charles Neri has been managing channels and territories in the operating system and security space for the past 8 years. After 5 years managing channels and alliances at SurfControl LLC throughout the U.S., he has moved on to Websense where he currently manages Northern California.

For more information about Websense, please visit their web site at www.websense.com


Day 1: 01:45 PM - 03:00 PM
State Law Review Project
Bobbie Holm, Chief Operations and Stephen Stuart, Senior Counsel - California Office of HIPAA Implementation

Presentation Abstract:
Are you aware that the federal government is moving rapidly to clear the path for an electronic health records (EHR) system? Did you know that this included awarding various contracts to entities to work on different aspects of this goal? Did you know that one of the contracts will be looking at HIPAA and State laws that may be considered barriers to the interoperability of EHR? This panel will discuss activities that are being conducted to ready California to effectively participate in the review process of the HIPAA provisions and State laws. You will have an opportunity to sign up to participate in the development of the documents that will be the basis for identifying problems with and solutions for State medical privacy and security laws and the resulting preemption of State laws when HIPAA is applied.

Speaker Bio:
Bobbie Holm, Chief Operations,
and Stephen Stuart, Senior Counsel,
California Office of HIPAA Implementation (CalOHI)

Bobbie Holm began state service in 1970 with the Department of Social Services where she has spent most of her career. She has a broad range of experience working in policy development for the different public assistance programs. Her policy work was concentrated with the Aid to Families with Dependent Children (AFDC) now known as CalWORKs and the Child Care Program for public assistance recipient families. She spent many holidays developing proposed welfare reform packages for the January state-of-the-state addresses.

With the new federal welfare reform program, she moved into policy development for the consolidated child care program designed to provide child care services to public assistance families when parents first begin preparing for work and working. She was involved in the development of this new program and its implementation. She has been part of the CalOHI HIPAA team since its inception in November 2001. She was the primary author of the CalOHI report to the legislature that provided the findings from the assessment of the different state government entities to determine their HIPAA status. She was primarily responsible for facilitating the State and County HIPAA Privacy Workgroup that developed and released generic, adaptable tools and templates that state and county governments are using in their implementation of the HIPAA Privacy Rule. These include the tools for complaints, business associates, access to protected health information, and those still under development for use and disclosure of information. She was involved in the issuance of the Security tools and templates developed by the HIPAA Security Workgroup. Currently, she is lead for two other staff members who are primarily responsible for the Privacy, Security, and Transactions and Code Sets portions of the HIPAA Rule. In addition, she is working with the CalOHI legal counsel reviewing the health care privacy laws that govern the provision of health care services in California.

Stephen Stuart began state service in 1999 with the Department of Health Services where he was counsel to various parts of the Medi-Cal Program. Aside from a yearlong stint at the California Secretary of State’s Office, Mr. Stuart has been part of the CalOHI HIPAA team since its inception in November 2001. At CalOHI, Mr. Stuart is responsible for all statewide HIPAA/State law preemption analyses, pursuant to Health and Safety Code section 130311.5, and was the author of CalOHI’s State Law Preemption Analyses. Mr. Stuart is also the Legislative Coordinator for CalOHI and assists in handling HIPAA-related proposed legislation. Currently, Mr. Stuart is helping to lead the statewide project to review state health care privacy laws that govern the provision of health care services in California. This review is being conducted to identify problems within the laws and HIPAA and to provide the information necessary to interact effectively with the State law reviews being conducted by the federal government to enhance the interoperability of electronic health records systems. Mr. Stuart earned his undergraduate degree at Arizona State University (1988), and his law degree at the University of the Pacific-McGeorge School of Law (1992).


Day 1: 01:45 PM - 03:00 PM
Disaster Recovery & Information Security - Oil & Water?
Jim Kotowski - Eclipse Solutions

Presentation Abstract:
Disaster Recovery and Information Security planning are both professions with the stated goal of mitigating an event that can potentially cause serious financial, operational, and regulatory impacts to an organization. Mitigation strategies for disaster recovery tend to be reactive, lessening the impact to the organization after the event has taken place. Information security mitigation strategies usually focus on preventing a security breach before it can have a disastrous impact on the organization. While disaster recovery and information security planning have similar stated goals, real-world strategies for disaster recovery are sometimes in conflict with or contrary to information security best practices. This session will provide an overview of business continuity and disaster recovery planning standards, guidelines, best practices, and trends after 9/11, and discuss the similarities, differences, and issues that are sometimes encountered during recovery exercises and actual disaster responses.

Speaker Bio:
Jim Kotowski, Director of Business Continuity & Disaster Recovery Services
Eclipse Solutions, Inc.

Mr. Kotowski is currently the Director of Business Continuity & Disaster Recovery Services with Eclipse Solutions, Inc. He is responsible for delivering a wide range of Business Continuity and Disaster Recovery consulting services and solutions to both the public and private sector. He is a Certified Business Continuity Planner (CBCP) and recently passed the MBCP exam (certification pending). He is a member of the Business Recovery Managers Association (BRMA) and the Association of Sacramento Area Planners (ASAP). He is recognized as a leader in the industry and is an experienced speaker who has consistently received excellent reviews.

Mr. Kotowski has 26 years of IT experience; the last 16 years concentrated in the business continuity and disaster recovery profession. Roles have included Consultant, Disaster Recovery Manager, Senior Business Continuity Planner, and Contingency Planner. He has been responsible for enterprise wide Business Continuity and Disaster Recovery Programs in both the public and private sector. This diversified experience covers all business continuity domains, including mitigation, incident management, emergency response, disaster recovery, and business resumption planning. He has successfully implemented solutions for the mainframe, mid-range, distributed systems, call centers, and print (to name just a few) with an emphasis on low cost scalable solutions. He has created and maintained many business continuity and disaster recovery plans. He has designed, led and participated in many exercises, ranging from technical ‘HOT’ site exercises to Table Top exercises focused on business resumption plans and the EOC. He previously directed and participated in recovery efforts during the Loma Prieta earthquake in 1989, Hurricane Floyd in 1999, and the WTC disaster in 2001.


Day 1: 01:45 PM - 03:00 PM
IP Physical Locations and Google
Michael Menz - Sacramento Valley Hi-Tech Crimes Task Force

Presentation Abstract:
Techniques to find the physical locations of IP addresses, and the lesser-known commands and techniques used with Google.com to find IP addresses, people and items. As time permits, a demo of techniques to find data stored in the Black Web that Google and other search sites don’t record.

Speaker Bio:
Michael Menz has 18 years in the law enforcement field and 12 years as a High Tech Crime Detective. He assisted in the formation of the Sacramento Valley High Tech Crime Task Force. He has also taught over 4000 officers and detectives about High Tech Crime and Computer Forensics. Michael is President of the High Tech Crime Investigation Association and is also on staff at two universities where he instructs on High Tech Crime and Computer Forensics.


Day 1: 01:45 PM - 03:00 PM
New Security Curriculum: Master of Science in Information Security and Assurance
Dr. Salman Azhar - University of San Francisco

Presentation Abstract:
University of San Francisco's New Security Curriculum: Master of Science in Information Security and Assurance (MSISA).

The vulnerability of data and information has far-reaching implications for an organization’s competitive position and long-term viability. Most corporations today are desperately searching for knowledgeable and qualified security professionals to help them protect corporate resources. The MSISA prepares professionals with in-depth knowledge of current and emerging security threats and solutions to ensure that networks and computer systems are secure. This specialization prepares technical leaders to identify, develop and implement highly secure information systems that will support organizational goals.

Speaker Bio:
Dr. Salman Azhar, Program Director, Information Security and Information Systems
and Lisa Morana, University of San Francisco

Salman Azhar, Ph.D., earned Bachelor’s degrees with Honors in Mathematics and Physics from Wake Forest University, and his Master’s degree and Ph.D. in Computer Science from Duke University. His area of research is predictive computing and its application to decision systems and security. He has published four major papers in top-notch journals. Dr. Azhar held faculty positions at Wake Forest, Duke, Santa Clara, and Rose-Hulman before joining the University of San Francisco in 2005. He serves several charitable and multicultural organizations. He has started several companies as a serial entrepreneur and continues to be involved as an executive consultant to stay current with the industry.


Day 1: 01:45 PM - 03:00 PM
Info Integrity: Global Policy and Compliance for Secure Messaging
Jeff Brainard and Jeff Lok - Mirapoint, Inc.

Presentation Abstract:
Session attendees will gain an understanding of how to secure email against internal security threats, comply with regulatory, security and business requirements, and enforce global policy management around messaging.

Speaker Bio:
Jeff Brainard, sales manager at Mirapoint, brings over 10 years’ experience in the email/messaging and security industry. Most recently at Mirapoint, Jeff held the position of director of corporate and product marketing. Prior to Mirapoint, Jeff worked at Sun Microsystems and Netscape on their messaging products, as well as AirFlash, a mobile messaging company.

Jeff Lok, principal system engineer at Mirapoint, Inc., leads the sales engineering team in the US Western region and Asia Pacific. Lok has an extensive background in designing messaging and security solutions for large corporations such as SingTel, Roche and Broadcom. Prior to Mirapoint, Jeff was with nCube, a Video-on-Demand (VOD) company, where he deployed China’s largest cable (QAM256) VOD system at China Telecom. In addition, Lok worked at Auspex Systems and Sanritz, a Toyota subsidiary. During his tenure there, Lok built a real-time vehicle image capturing and processing application for Toyota’s


Day 1: 03:15 PM - 04:30 PM
Security in Microsoft SQL Server 2005
Special Feature: Kai Axford, CISSP, MCSE-Security - Microsoft TechNet Presenter

Presentation Abstract:
Mission critical systems must be secure from the ground up. SQL Server 2005 delivers fresh new features to help you architect solutions for today’s demanding security requirements. In this session, we’ll explore new security enhancements such as the Surface Area Configuration tool, encryption, execution context controls, proxy accounts and password policy enforcement. Get set to harness Microsoft's most secure and flexible design to build true enterprise class database systems.

  • Faster Results - A new Management Studio and integration with Visual Studio 2005 and the Microsoft .NET common language runtime helps you build, debug, and operate applications faster and more efficiently.
  • Better Decisions - A comprehensive business intelligence platform for data integration, analysis, and reporting that helps you turn insight into action and make better decisions, faster.
  • Trusted Platform - The highest performance, availability and security to run your most demanding applications with native data encryption, secure default settings, and password policy enforcement.
This session will be a fast moving and energetic one, so please join us as Kai discusses these great new technologies.

Speaker Bio:
Kai Axford, CISSP, MCSE-Security
Microsoft TechNet Presenter
Microsoft Corporation

Kai Axford (CISSP, MCSE-Security) has been with Microsoft for 6+ years. His initial position was as a Support Engineer on the Windows Server Support Team where he dealt with security on a deep technical level. In July 2000, Kai began working exclusively with the IT Pro community in his new role as a TechNet Presenter. In 2003, Kai took the role of TechNet Security Lead and was asked to drive TechNet's security efforts. In October 2003, Kai was asked to present with Microsoft CEO, Steve Ballmer, at the Security Summit in Toronto. In 2004, Kai personally spoke with more than 28,000 IT Pros around information security, for which he received a Microsoft Circle of Excellence Award. Kai is a frequent speaker at security summits, TechNet events, and college campuses in the U.S. and Canada, including Tech-Ed, COMDEX, TechMentor, Microsoft Security Summits, and the Windows IT Pro Magazine Security Roadshows.

In addition, Kai is an active Technical Editor with Microsoft's Security Content Review Board, which evaluates all Microsoft security guidance and publications. Kai has reviewed several Microsoft Press security books and his name appears in the Windows Security Resource Kit (2nd Ed). In addition, Kai has authored three articles for the new TechNet magazine (Dec 2004, May 2005, October 2005). He is interested in a GIAC certification around forensics and incident response, and is currently pursuing an MBA in Information Assurance. He is a member of the Information Systems Security Association (ISSA).

Prior to Microsoft, Kai served as a Weapons Squad Leader with the U.S. Army's elite 75th Ranger Regiment and was a primary leader in several real-world security related operations.

Originally from Wisconsin, Kai is a huge Green Bay Packers fan. He is based in Dallas, Texas (where he finds the heat overwhelming). When he is not playing with his new industrial strength, cross-cut shredder, Kai is a goaltender for the Microsoft Texas ice hockey team.


Day 1: 03:15 PM - 04:30 PM
Network Vulnerability Assessment and Audits
Michael J. Wiser, CISSP, CIWSA, MCIWA - Citadel Security Software

Presentation Abstract:
Many companies conduct periodic scans of their networks, systems and applications for security vulnerabilities. While these scans provide you with a good 'point-in-time' assessment, true vulnerability management goes far beyond simple discovery and identification. To understand which vulnerabilities truly constitute risk to your systems, you have to approach the process as a lifecycle that includes asset classification, threat detection, process workflow, patch and configuration management, audit trail, compliance checking and incident response.

Speaker Bio:
Michael J Wiser, CISSP, CIWSA, MCIWA
Vice President Worldwide Product Engineering
Citadel Security Software, Inc.

Mr. Wiser is regarded as one of the industry’s foremost authorities on distributed infrastructure and security. He has advised leading Wall Street firms, Fortune 500 companies and the U.S. Government’s most classified agencies on overall security architecture and vulnerability management. He is most recognized for executing a vulnerability assessment that resulted in the identification of an international spy. Mr. Wiser is an active member of the Information Systems Security Association and the Association of Information Technology Professionals and holds several industry certifications including CISSP, CIWSA, MCIWA, MCSE, MCSA, LINUX+, CCSA NG, and I-Net+. Michael now holds the position of Executive Vice President of World Wide Sales Engineering for Citadel Security Software. Wiser is a frequent speaker, teacher and writer on security-related topics. He has been dubbed a "security evangelist" given his sermon-like real-life stories that always portray the moral of good winning over evil - even in the world of bits and bytes.


Day 1: 03:15 PM - 04:30 PM
ARC WALL - Enterprise Data Security and Compliance Solutions: Staying Ahead of Security Threats
Ashok Aggarwal and Rakesh Verma - Teamsoft Technologies

Presentation Abstract:
One major challenge faced by all enterprises is to "secure sensitive data handled by those with authorized access to it". Ensuring data availability without compromising its integrity and confidentiality has also become a formidable challenge in current IT environments. Current solutions have evolved into a complex fabric of different technologies with access control logic scattered throughout disparate databases, numerous applications and even middleware. Legislation like SOX, HIPAA and GLBA has made data security a CIO’s, and even a CEO’s, immediate concern. "ARC Technology" offers a solution that provides data security/access control and data aggregation products to protect the confidentiality of sensitive data and maintain data integrity, while improving data availability to authorized users. All this without changing your applications, your databases or your business processes. Compared to other security solutions, ARC offers a lower total cost of ownership, reduced time to implement, and less risk. It implements enterprise role-based granular (table/column or even row level) access control at the data access level, between the application and the data source.

Speaker Bio:
Ashok Aggarwal, President, Teamsoft Technologies LLC
and Rakesh Verma, Founder, Agetak Inc.

Ashok Aggarwal brings over 15 years of experience in Information Technology and an overall 25 years in management. He led a few IT start-ups successfully and is currently involved with building Teamsoft Technologies, a software consultancy firm focused on building database security and compliance solutions for medium to large enterprises. Teamsoft serves the government sector, financial institutions and the health care industry. Ashok has been instrumental in creating partnerships and tie-ups with companies in the Far East and Europe. He brings extensive sales and marketing management experience to the company. Ashok is active in computer associations, is currently a member of TIE, The Indus Entrepreneur group in Silicon Valley, and is closely associated with senior IT professionals in international forums. He holds a B.S. in Electronics and Communications and a Master's degree in Business Management from Bombay University.

Rakesh Verma, an engineering graduate from IIT Bombay, a premier institute in India, has diverse industrial experience with a proven track record of innovating and incubating disruptive technologies and successfully delivering products that were instrumental in building organizations. As a technocrat, he brings extensive experience in delivering global solutions to large corporate accounts across the globe in India, Singapore, Germany, Britain, Japan and the USA. In addition, he has managed large teams of developers on-site and off-shore, covering tasks such as requirement definition, architecture and low-level design, coding, integrated testing and field delivery of quality solutions accurately and on schedule. ARC is the technology he created to meet the demand for a comprehensive yet simple data security and access control product that addresses the needs of medium to large accounts.


Day 1: 03:15 PM - 04:30 PM
Is E-mailing Threatening Your Privacy and Identity?
Abhay Rajaram - IronPort Systems

Presentation Abstract:
While our dependence on email grows, so does the complexity of the threats. These blended threats of spam, viruses, and phishing are compromising networks, diluting employee productivity, and causing significant consumer privacy and identity issues. Fortunately, there are things that can be done to make email useful again. This presentation discusses ideas on how technology, policy and consumer best practices play a role in protecting your privacy and identity.

Speaker Bio:
Abhay Rajaram, Product Manager, IronPort Systems


Day 1: 03:15 PM - 04:30 PM
Security Auditing
Ronald Dinfotan - Deloitte & Touche

Presentation Abstract:
Many companies often have anxiety about application and infrastructure security audits. But there are several things a company can do to reap the benefits of a security audit.

This presentation will discuss the different types of security audits, the most common areas that security auditors.

Speaker Bio:
Ronald Dinfotan, Manager-Security Services Group
Deloitte & Touche, LLP

Ronald Dinfotan is a Manager with Deloitte & Touche’s Security & Privacy Group. He has over six years’ experience in network security auditing, which includes performing ethical hacks and vulnerability assessments for major financial institutions, internet hosting providers, biotech companies, healthcare organizations and software development companies.


Day 1: 03:15 PM - 04:30 PM
Case Study: Identity Theft
Eric Pahlberg - Sacramento Valley Hi-Tech Crimes Task Force

Presentation Abstract:
This presentation is a case study of a typical Identity Theft investigation.

Speaker Bio:
Detective Pahlberg has been a Sacramento County Deputy Sheriff since 1987, working in a variety of assignments, including patrol, neighborhood policing, vice, and for the past five years, Identity Theft investigations. He is a member of the California Financial Crimes Investigators Association. Detective Pahlberg is currently assigned to the Identity Theft Task Force, a team that includes members from the Sacramento District Attorney’s Office, the California Highway Patrol, the California State Controller’s Office, the U.S. Postal Inspection Service, and Sacramento Sheriff’s Department.


Day 1: 03:15 PM - 04:30 PM
ISSA in Australia and New Zealand
Guy Lupo, National Director - ISSA Australia-New Zealand

Presentation Abstract:
ISSA in Australia and New Zealand

Speaker Bio:
Guy Lupo, National Director, ISSA Australia-New Zealand


Day 1: 03:15 PM - 04:30 PM
Stopping Spyware at the Internet Gateway: Lessons from Real-World Spyware Attacks
Joshua Lin - CP Secure, Inc

Presentation Abstract:
The presentation "Stopping Spyware at the Internet Gateway: Lessons from Real-World Spyware Attacks" will examine the new and growing spyware threat from a real-world perspective in order to develop anti-spyware best practices and requirements.

Speaker Bio:
Joshua Lin, Director, Marketing and Business Development
CP Secure, Inc.

Joshua Lin is responsible for marketing and business development at CP Secure. His prior experience includes software business development, venture capital, and investment banking. Josh holds a master’s degree from Oxford University and a bachelor’s degree from Williams College.


Day 1: 05:00 PM - 06:00 PM
"Who is being who, and who is being You" - CEH Hacking Demonstration
Jon Kibler, Chief Technical Officer - Advanced Systems Engineering Technology

Presentation Abstract:
"Who is being who, and who is being You" - CEH Hacking Demonstration

What types of attacks will a real-world intruder use against you? Here's a demonstration of how simple "script kiddie" programs that any 10-year-old can download from the Internet can be used against you.

The next CEH course starts December 5th, 2005. To sign-up, please visit the New Horizons web site at Certified Ethical Hacker Course

Speaker Bio:
Jon R. Kibler is a Systems Architect and Chief Technical Officer for Advanced Systems Engineering Technology of Charleston, South Carolina. He has over 34 years’ experience in information technology and has worked in a variety of industries including aerospace, defense, systems engineering, manufacturing, general business, security, training, and consulting. Mr. Kibler has been actively involved in systems security since 1975, is actively involved in many security areas, and specializes in network and UNIX server hardening. He was the technical consultant to the South Carolina Legislature when it rewrote the State’s computer crime statutes in 2002.

Mr. Kibler also teaches several IT security courses at New Horizons Computer Learning Centers, including Certified Ethical Hacker, and various Solaris, Unix, Linux, and network security courses.


Day 2: 07:30 AM - 08:15 AM
Registration & Continental Breakfast
Registration & Continental Breakfast -

Presentation Abstract:
Breakfast will be provided in the Union Hall lobby.

Speaker Bio:
TBA


Day 2: 08:15 AM - 08:30 AM
Symposium Introduction
Dean Hipwell, President - ISSA Sacramento

Presentation Abstract:
Welcome and overview of the day's events.

Speaker Bio:
President, ISSA Sacramento Valley Chapter.


Day 2: 08:30 AM - 09:15 AM
CCISDA Best Practices
Kevin Dickey, Chief Information Security Officer - Contra Costa County

Presentation Abstract:
CCISDA Best Practices

Speaker Bio:
Kevin Dickey is the Chief Information Security Officer of Contra Costa County. The first Chairman of the California County Information Services Directors Association (CCISDA) Information Security Forum, Kevin orchestrated the establishment of "Best Practices" in information security for use statewide. His involvement with the Critical Infrastructure Assurance Office (CIAO) improved cooperation between private industry and local state and federal governments and addressed the challenge of ensuring the protection of essential services in the event of a terrorist attack or significant security breach.

For more information, and best practices, see CCISDA's Best Practices in Information Security at www.ccisda.org.


Day 2: 09:30 AM - 10:45 AM
State of the State
Debra Reiger, Information Security Officer - State of California

Presentation Abstract:
State of the State

Speaker Bio:
Debra Reiger, Information Security Officer, State of California


Day 2: 09:30 AM - 10:45 AM
With Each Mistake, There Must Surely Be Learning
Dan Kuykendall, Chief Engineer - NT OBJECTives, Inc.

Presentation Abstract:
Web Application and Services Security.
The problem of poorly-coded applications that create vulnerabilities and expose confidential data has caused a significant problem for enterprises. For the most part, the response has been a reactive strategy of identifying vulnerabilities and attempting to remediate them. Forward-thinking security teams are beginning to move beyond this by creating programs that utilize data from vulnerability assessment tools in order to learn what has gone wrong and how to correct it.

The majority of vulnerabilities can be eliminated if development teams are committed to following established best practices. Rather than simply identifying vulnerabilities, QA, security and compliance teams are far more effective when they establish a model of conformance based around previously collected data and experience. For example, they should not ask "Why didn’t the filter you constructed work properly?" Instead, they should be taught to ask, "Did you use the UserInputDateFiltered function to validate that date?" as reinforcement that developers are relying on best practices.

Enterprises need to utilize the data gained from scanning Web applications to improve how they operate, as opposed to narrowly focusing on fixing individual vulnerabilities.

This presentation is intended to:

  • Demonstrate how poorly coded applications create vulnerabilities that can expose confidential data
  • Outline the importance of developers adhering to best practices in order to protect against vulnerabilities
  • Identify the need to shift focus from the reactive process of identifying and correcting vulnerabilities to the proactive process of utilizing data and experience to prevent vulnerabilities from emerging.

Speaker Bio:
As Director of Engineering at NT OBJECTives, Dan focuses on new threats and attack automation strategies for all aspects of Web application/services security. Prior to joining NT OBJECTives, Mr. Kuykendall worked as a Web Application Software Engineer at Foundstone where he developed a web application for managing the FoundScan network scanning software. During this time Mr. Kuykendall was responsible for securing the web application against exploitation from the outside and in its communication with the scanning engine. Mr. Kuykendall previously worked at one of the top 20 European financial institutions as a Network Engineer and part of its emerging Network Security Team. As part of his duties he was responsible for managing and securing a mixed network of Novell, Microsoft and Tandem servers and mainframes, conducting setup, maintenance and security audits.


Day 2: 09:30 AM - 10:45 AM
Presenting Identity Theft to the DA
Steven G. Counelis, Deputy DA - Riverside County DA Office

Presentation Abstract:
"Presenting Identity Theft to the DA" is intended to provide corporate and law enforcement an understanding of the investigative, legal and procedural issues relevant to the District Attorney’s decision making process when reviewing cases for criminal prosecution. The presenter will provide the attendees with the specific statutory elements of identity theft per Penal Code section 530.5. The type and nature of evidence needed for court presentation will be discussed, as well as related issues of jurisdiction, enhancements, and bail.

Speaker Bio:
Steven G. Counelis, Deputy District Attorney
Riverside County District Attorney's Office
CATCH - Computer And Technology Crime High-Tech Response Team

Deputy District Attorney Steven G. Counelis is currently assigned to the Computer and Technology Crime High-Tech Response Team (CATCH). In this task force assignment he vertically prosecutes high-tech related identity theft, computer intrusion, internet auction fraud, and any other crimes connected to a computer or the Internet. He has worked for the Riverside County District Attorney’s office since January 2002. During this time he has been assigned to the Special Prosecutions Section where he has prosecuted identity theft, consumer fraud, and contractor fraud cases. He is a member of the California District Attorneys Association’s High Tech Crime Committee. The CDAA has accepted his article for publication entitled "Factual Innocence for Victims." He has drafted three identity theft bills for two Assembly members from Riverside County. DDA Counelis was an Identity Theft instructor for the National District Attorneys Association’s first course on the topic in May 2005. Over 50 prosecuting attorneys attended from throughout the United States. He assisted in constructing a POST-certified course on Identity Theft for the Riverside County Sheriff’s Training Center in October 2005. He earned his law degree from the University of San Francisco in 1992 and has been a Deputy District Attorney since 1994. He has prosecuted 80 jury trials in his career.


Day 2: 09:30 AM - 10:45 AM
Sacramento County Emergency Response Plan
Carole Hopwood - County of Sacramento

Presentation Abstract:
Carole will be speaking on the County Emergency Response Plan and Evacuation Plan, and the regional evacuation plan which encompasses other jurisdictions, counties, CHE, state OES, and CalTrans.

Speaker Bio:
Carole Hopwood, Emergency Coordinator, Sacramento County.

Carole Hopwood has been working in the field of Emergency Management for over twenty-eight years. She began her career in Emergency Management in 1977 for Orange County as a Program Coordinator and was promoted to Director of the Emergency Management Department in 1982. In 1984, Carole made a career move to Sacramento County where she was hired as the Director of the Sacramento County Emergency Operations Office, where she remains today. Carole has extensive planning and coordination experience, including hazardous materials, earthquake preparedness and nuclear power plant planning and response. Carole coordinated emergency responses for the 1983 Orange County Flood and the 1986, 1995 and 1997 floods in Sacramento County. She also coordinated mutual aid response from Sacramento County after the Loma Prieta Earthquake in 1989 and the Northridge Earthquake in Los Angeles County. Most recently, Carole has been at the helm of the coordination efforts for receiving Katrina evacuees into our County.

Carole and her team provide training for the professionals of Sacramento County who make up the large Emergency Operations Center staff during disasters. This includes training on the Standardized Emergency Management System (SEMS) now used state-wide for coordinated multidiscipline responses to emergencies and disasters. Carole is a graduate of the University of San Francisco, and holds a Bachelor of Science degree in Organizational Behavior. She also holds numerous training certificates in Emergency Preparedness and Response under the auspices of the Federal Emergency Management (FEMA) College from Golden Gate University, San Diego State University and Harvard School of Public Health.


Day 2: 09:30 AM - 10:45 AM
Dealing with Mandatory Reporting Laws and Other Legal Issues
Robert Morgester, Deputy Attorney General - Sacramento Valley Hi-Tech Crimes Task Force

Presentation Abstract:
This session provides an overview of selected mandatory reporting statutes that directly impact information security professionals followed by a plethora of other unique and relevant issues that have captured the imagination of the speaker. The speaker invites conference participants to e-mail questions or issues that they would like to see addressed to Robert.Morgester@doj.ca.gov.

Speaker Bio:
Robert Morgester is a Deputy Attorney General and in February of 2001 was assigned to the Special Crimes Unit. He specializes in complex trial litigation targeting the use of advanced technology to commit crime. This position includes providing legal support to the Sacramento Valley High Technology Crime Task Force and serving as the California point of contact on the National Association of Attorneys General computer crime point of contact list. Mr. Morgester is a state-recognized authority on high technology crime prosecutions. He has testified as an expert on high technology crime in both California’s Senate and Assembly. He has taught and lectured extensively on high technology crime issues throughout the United States. His past accomplishments include authoring Senate Bills 438 and 1734, which created a California grant program to address high technology crime, and prosecuting the first "Three Strikes" case filed in Sacramento County.


Day 2: 09:30 AM - 10:45 AM
Center of Excellence in Information Assurance
Isaac Ghansah, Professor - Sacramento State University

Presentation Abstract:
This presentation is about activities at the Center for Information Assurance and Security, which is housed within the College of Engineering and Computer Science at California State University Sacramento (CSUS). Our long-term goal is to position CSUS to apply for and successfully achieve the designation as a Center of Academic Excellence (CAE) in Information Assurance from the National Security Agency (NSA) and Department of Homeland Security (DHS).

The mission of the center is to advance knowledge of information assurance and security practices through:

  • 1) Forming collaboration with other education, research, industry, and government institutions as partners
  • 2) Education, training, and awareness programs in information assurance and security issues and practices
  • 3) Applied research in information assurance and security
  • 4) Developing interdisciplinary programs in information assurance and security
  • 5) Outreach programs to assist our community, including community colleges, K-12 schools, industry, and government in information assurance and security issues.
We will provide updates on advances made to achieve this designation including benefits, information assurance and security programs, courses offered, course mappings, collaboration efforts, and challenges.

Speaker Bio:
Isaac Ghansah is teaching and doing research in the areas of Computer Networks & Distributed Systems, Computer Security, and Computer Interfacing at California State University Sacramento (CSUS), where he is a Professor of Computer Science and Computer Engineering. His recent research interests are in the areas of high speed network protocols, reliable and secure distributed systems, Network Security, and Computer Forensics. Dr. Ghansah is also the Director of the Center for Information Assurance and Security at CSUS and is leading the effort to help CSUS become recognized by NSA (National Security Agency) and DHS (Department of Homeland Security) as one of the National Centers of Academic Excellence in Information Assurance and Security Education.


Day 2: 09:30 AM - 10:45 AM
Laws of Vulnerabilities and Vulnerability Management
Quinton Jones, CISSP - Qualys, Inc.

Presentation Abstract:
With today's corporations running many types of systems with many types of functions, in often very geographically distributed ways, corporations are increasingly relying on automated ways of managing technical system vulnerabilities and corporate policy compliance initiatives. In this discussion we'll profile the evolution of the threat in the last several years, including research Qualys has conducted on the Laws of Vulnerabilities, and discuss best practices in vulnerability management. Portions of this talk have been delivered at Black Hat, CSI, RSA, and NetSec security conferences annually for the last several years.

Qualys’ research is based on the largest real-world database of vulnerabilities across hundreds of thousands of global systems and networks. This data is not identifiable to individual users or systems. However, it provides significant statistical information for analysis.

The agenda for this presentation is:

  • Overview of trends from the industry’s most up-to-date research on security vulnerabilities:
    • Potential threats
    • Critical vulnerabilities
    • Half-life, prevalence, persistence and exploitation
  • Detailed information on vulnerability management tool evolution in the past 10 years
  • Best practices in vulnerability management as observed at MSN, T-Mobile, Kaiser Permanente, Adobe, eBay, Google and others
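The three lifecycle metrics named in the agenda (half-life, prevalence, persistence) are easy to misread unless you see how they fall out of scan data. The block below is an added example written for this page, not Qualys' code or research data: it computes the three metrics from a constructed set of weekly scan snapshots of eight hosts. The host names, vulnerability ids and dates are all invented.

```python
"""Added example: half-life, prevalence and persistence computed from
constructed weekly scan snapshots (not Qualys' code or data)."""
from datetime import date, timedelta
from typing import Dict, Optional, Set

SCAN_DATES = [date(2005, 10, 3) + timedelta(days=7 * i) for i in range(5)]
ALL_HOSTS = [f"host{i}" for i in range(1, 9)]      # 8 scanned hosts (constructed)


def _first(n: int) -> Set[str]:
    return set(ALL_HOSTS[:n])


# scan date -> vulnerability id -> hosts still vulnerable on that scan.
# VULN-A is patched steadily; VULN-B is never remediated.
FINDINGS: Dict[date, Dict[str, Set[str]]] = {
    SCAN_DATES[0]: {"VULN-A": _first(8), "VULN-B": _first(4)},
    SCAN_DATES[1]: {"VULN-A": _first(6), "VULN-B": _first(4)},
    SCAN_DATES[2]: {"VULN-A": _first(4), "VULN-B": _first(4)},
    SCAN_DATES[3]: {"VULN-A": _first(2), "VULN-B": _first(4)},
    SCAN_DATES[4]: {"VULN-A": _first(1), "VULN-B": _first(4)},
}


def _timeline(vuln: str):
    """(scan date, affected hosts) for every scan, in order."""
    return [(d, FINDINGS.get(d, {}).get(vuln, set())) for d in SCAN_DATES]


def half_life_days(vuln: str) -> Optional[int]:
    """Days from first observation until the affected population has at
    least halved. None if that never happens inside the scan window."""
    first_date, initial = None, 0
    for d, hosts in _timeline(vuln):
        if first_date is None:
            if hosts:
                first_date, initial = d, len(hosts)
            continue
        if len(hosts) * 2 <= initial:
            return (d - first_date).days
    return None


def prevalence(vuln: str) -> float:
    """Largest fraction of the scanned estate affected in any single scan."""
    return max(len(h) for _, h in _timeline(vuln)) / len(ALL_HOSTS)


def persistence(vuln: str) -> float:
    """Fraction of the originally affected hosts still vulnerable at the last scan."""
    initial = next((h for _, h in _timeline(vuln) if h), set())
    if not initial:
        return 0.0
    last = _timeline(vuln)[-1][1]
    return len(initial & last) / len(initial)


def report() -> Dict[str, dict]:
    vulns = sorted({v for per_scan in FINDINGS.values() for v in per_scan})
    return {
        v: {
            "half_life_days": half_life_days(v),
            "prevalence": prevalence(v),
            "persistence": persistence(v),
        }
        for v in vulns
    }


if __name__ == "__main__":
    for vuln, metrics in report().items():
        print(vuln, metrics)
```

Two caveats a practitioner will hit immediately: the resolution of the half-life figure is bounded by the scan cadence (weekly scans can only ever report a multiple of seven days), and a host that drops out of the scan scope looks identical to a remediated one unless the scanner reports unreachable hosts separately.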

Speaker Bio:
Quinton Jones, CISSP
Regional Sales Manager, Qualys, Inc.

Quinton Jones, CISSP, consults with Qualys' West Coast clients such as Google, Nordstrom, Warner Brothers, T-Mobile, eBay and Lucasfilm on risk management best practices and security metrics. Quinton has served on the board of the Los Angeles ISSA and on an advisory board for a consortium of Southern California colleges in curriculum development, and is a founding member of the Los Angeles InfraGard.


Day 2: 11:00 AM - 12:15 PM
Achieving Operational Efficiency in Security Management
James M. Winebrenner - SiegeWorks, Inc.

Presentation Abstract:
Change control, administrative auditing, regulatory compliance, internal SLA’s, changing technology landscape; all of these issues put pressure on day to day management of enterprise security infrastructure. How do you respond to the changing regulatory environment and integrate emerging security technologies while controlling hard and soft management costs? We will discuss these issues and look at the pitfalls of technology-only "panacea" solutions. Finally, we will evaluate some repeatable and sustainable practices which have worked for Fortune 100 companies looking to effectively manage global security infrastructures.

Speaker Bio:
James M. Winebrenner, Director of Business Development
SiegeWorks

James Winebrenner joined SiegeWorks in May of 2005 in the Director of Business Development role. Mr. Winebrenner has over ten years of industry experience in the networking and security space. Prior to joining SiegeWorks, Mr. Winebrenner spent four years with Check Point Software Technologies, focused on developing enterprise security architectures for Check Point’s largest customers and communicating technical product and roadmap information to Check Point’s business partners, analysts and the press. Mr. Winebrenner has also held several security consulting roles focused in the financial, healthcare and global logistics industries. He has led security architecture development efforts for several national on-line banking systems as well as holding the lead architecture role for several global, follow-the-sun security management infrastructures. Mr. Winebrenner has a broad software development and network programming background and holds CISSP, CCSE, and several other industry certifications.


Day 2: 11:00 AM - 12:15 PM
IPSec vs. SSL VPN for Secure Remote Access
Scott Stanton - Aventail Corporation

Presentation Abstract:
At one time, traditional Internet Protocol Security (IPSec) virtual private networks (VPNs) were the only option for secure remote access. However, because IPSec solutions were designed for site-to-site connectivity and not with a highly mobile workforce in mind, these solutions provided limited remote access and often proved both difficult and costly to maintain. In response to increasing user demands for remote access, a new kind of VPN emerged: the SSL VPN. These new VPNs, based on the Secure Sockets Layer (SSL) protocol that safeguards the world of e-commerce, quickly became the leading option for remote access. And increasingly, SSL VPNs are replacing IPSec VPNs for remote access as they offer everywhere access with complete control and security. In addition, recent advances in SSL VPN technology offer many benefits for both users and companies. When compared to IPSec VPNs, SSL VPNs are less costly to manage, eliminate the security risks of open-by-default tunnels, and offer a simpler, easier experience for employees and business partners who need access to a wide range of applications and resources from remote locations. This presentation provides an overview of the differences between SSL VPNs and IPSec VPNs, and explains why SSL VPNs are ultimately a better choice for secure remote access.

Speaker Bio:
Scott Stanton, Director, US West Operations
Aventail Corporation

Scott Stanton has worked at Aventail Corporation, headquartered in Seattle, WA, for the past eight and half years and is currently the Director of US West Operations. During his tenure he has been involved in numerous secure remote access SSL VPN implementations including deployments for a number of healthcare, banking, financial, high tech and manufacturing institutions. Prior to joining Aventail, he worked at Gartner Group and with a series of systems integrators before that.


Day 2: 11:00 AM - 12:15 PM
Demo: Common Identity Theft Attacks
Mark Kraynak - Imperva, Inc.

Presentation Abstract:
Demonstration of database and web vulnerabilities and attacks and discussion of alternative defense strategies. Includes common identity theft attacks such as: SQL injection, Script Injection, Cross-Site Scripting, Parameter Tampering and others.
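The attacks listed in the abstract are best understood with the vulnerable code next to its hardened form. The block below is an added example for this page, not material from the Imperva demonstration: an in-memory SQLite database with constructed users and a product, a login that is injectable beside a parameterised one, a comment renderer that is XSS-prone beside one that output-encodes, and a checkout that trusts a client-supplied price beside one that looks the price up server-side. Passwords are stored in plaintext only to keep the injection demo short; real systems store salted password hashes.

```python
"""Added example: SQL injection, cross-site scripting and parameter tampering,
each beside the hardened version. Schema and rows below are constructed."""
import html
import sqlite3


def make_db() -> sqlite3.Connection:
    con = sqlite3.connect(":memory:")
    con.executescript(
        """
        CREATE TABLE users(id INTEGER PRIMARY KEY, username TEXT, password TEXT, ssn TEXT);
        INSERT INTO users(username, password, ssn) VALUES
            ('alice', 's3cret',  '123-45-6789'),
            ('bob',   'hunter2', '987-65-4321');
        CREATE TABLE products(sku TEXT PRIMARY KEY, price_cents INTEGER);
        INSERT INTO products VALUES ('BOOK-1', 2500);
        """
    )
    return con


# --- SQL injection ---------------------------------------------------------
def login_vulnerable(con, username: str, password: str) -> list:
    # Deliberately vulnerable: user input is pasted into the SQL text.
    sql = (f"SELECT username FROM users WHERE username = '{username}' "
           f"AND password = '{password}'")
    return [row[0] for row in con.execute(sql)]


def login_safe(con, username: str, password: str) -> list:
    # Parameterised query: values travel separately from the SQL, so the
    # quote and comment characters in the payload are just data.
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    return [row[0] for row in con.execute(sql, (username, password))]


SQLI_USERNAME = "' OR '1'='1' --"    # closes the string, makes WHERE true, comments out the rest


# --- Cross-site scripting --------------------------------------------------
def render_comment_vulnerable(comment: str) -> str:
    return f"<p>{comment}</p>"        # attacker-supplied markup reaches the browser as-is


def render_comment_safe(comment: str) -> str:
    # Output-encode for the HTML text context; the browser shows the tag, it does not run it.
    return f"<p>{html.escape(comment, quote=True)}</p>"


XSS_COMMENT = "<script>alert(document.cookie)</script>"


# --- Parameter tampering ---------------------------------------------------
def checkout_vulnerable(form: dict) -> int:
    # Trusts the price the browser submitted (typically a hidden form field).
    return int(form["price_cents"]) * int(form["qty"])


def checkout_safe(con, form: dict) -> int:
    # Price comes from the server-side catalogue; only the quantity is taken
    # from the client, and it is range-checked.
    qty = int(form["qty"])
    if not 1 <= qty <= 100:
        raise ValueError("quantity out of range")
    row = con.execute("SELECT price_cents FROM products WHERE sku = ?",
                      (form["sku"],)).fetchone()
    if row is None:
        raise ValueError("unknown sku")
    return row[0] * qty


TAMPERED_FORM = {"sku": "BOOK-1", "qty": "1", "price_cents": "1"}   # attacker edited the price


if __name__ == "__main__":
    con = make_db()
    print("injectable login:", login_vulnerable(con, SQLI_USERNAME, "wrong"))
    print("parameterised login:", login_safe(con, SQLI_USERNAME, "wrong"))
    print(render_comment_vulnerable(XSS_COMMENT))
    print(render_comment_safe(XSS_COMMENT))
    print("client price honoured:", checkout_vulnerable(TAMPERED_FORM))
    print("server price used:", checkout_safe(con, TAMPERED_FORM))
```

The injectable login returns every user for the payload because SQLite treats `--` as a line comment, so the password clause never executes; the same payload against the parameterised version matches nothing. Note that the XSS fix is context-specific: `html.escape` is right for HTML text and attribute values, but a value placed inside a script block or a URL needs the encoding for that context instead.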

Speaker Bio:
Mark Kraynak, Director of Product Marketing, has held consulting and marketing positions at Ernst & Young's Center for Technology Enablement, Check Point, and CacheFlow. He regularly speaks on database and web security and participates in industry standards groups. He has an engineering degree from Duke University.


Day 2: 11:00 AM - 12:15 PM
Lessons Learned from State Disaster Responses
Jim Watkins - JJ Watkins Consulting

Presentation Abstract:
California has been through more than twenty federally declared disasters in the past 15 years, with numerous lesser emergencies. Many lessons can be gained from these events, lessons with applicability to both public and private sectors. This presentation will provide examples from planning, training, response, recovery, and mitigation. Please come equipped with a sense of humor.

Speaker Bio:
Jim Watkins, President and CEO
JJ Watkins Consulting

James Watkins has over 30 years experience in emergency management, ranging from radiological response training through emergency planning, response, and recovery to communications and data management. Projects include developing response plans for hazardous materials incidents, major earthquakes, and volcanic eruptions, as well as installation of California’s satellite-based emergency communications system. In emergency response, he directed State Operations for the Northridge Earthquake (‘94) and Winter Storms (‘95 and ‘96). He established protocols for and managed joint federal-state action planning meetings for Winter Storms of ‘97 and El Niño ‘98.

Mr. Watkins has retired from being Chief Information Officer for the Governor’s Office of Emergency Services, where responsibilities involved oversight of Geographic Information Systems, network management, programming and application development, and client support ("help desk"). His talk today focuses on lessons learned from his experiences in emergency management. Mr. Watkins is now President and CEO of JJ Watkins Consulting. (He also claims to be the Keeper of the Hounds, the Master of the Back Steps, the Lord High Everything Else, the Great Poo-Bah. He sees all, knows all, and tells even more.)


Day 2: 11:00 AM - 12:15 PM
"Russian Invasion" - A Hacking Case
SA LuAnna J. Harmon - Sacramento FBI InfraGard Coordinator

Presentation Abstract:
This presentation involves a real-world case study tracing events from international computer intrusions to the conviction of data thieves. Based on the cunning tactics of teen hackers and organized criminals, the presentation discusses why system prevention and vigilance are key. The case began with intrusions from Russia into several financial institutions and e-commerce sites in the Sacramento area and developed into an organized criminal extortion investigation spreading throughout the entire U.S.

Speaker Bio:
LuAnna Harmon has been an agent with the FBI for 15 years and has been assigned to the Cyber Squad, working computer intrusions and cyber terrorism, since 1999. She was employed as a computer programmer before being assigned to the Sacramento FBI division in 1990. SA Harmon initially worked violent crimes for nine years, including bank robberies, fugitives, narcotics, gang investigations and surveillance, and was a member of the FBI SWAT team. She has also recently worked on terrorist financing projects out of Headquarters in Washington D.C. and worked Russian Organized Crime investigations in Budapest, Hungary.


Day 2: 11:00 AM - 12:15 PM
Implementing Digital Signatures in Existing Environments
Gadi Aharoni, PhD - Algorithmic Research (ARX), Inc.

Presentation Abstract:
Digital Signatures offer a mechanism by which an electronic document or transaction can be sealed so that any subsequent change is detectable. In other words, they provide strong data integrity for the document and evidence of the signer's identity (given a trusted binding between the signer and the signing key). Digital signatures replace the function of the pen-and-paper wet signature in an electronic document environment. This presentation describes a Digital Signature system that is easy to use, quick to deploy and affordable by any organization. The presentation offers a number of scenarios in which Digital Signatures can streamline processes and greatly improve the efficiency of the workflow and document management system, while at the same time ensuring strong, standards-based security and integrity of the transactions.

Speaker Bio:
Dr. Aharoni has served as the CEO of Algorithmic Research (ARX) for the past 5 years. He led the MBO of ARX from Cylink Corp. (now part of SafeNet, Nasdaq: SFNT) in 2001, turning ARX into a successful and profitable privately-held company providing strong, standards-based electronic signature solutions that are easy to deploy and use. Prior to becoming ARX's CEO, Dr. Aharoni spent 3 years holding various senior management positions at Cylink's Santa Clara, CA headquarters.

In 1996, he co-founded Orcast, which developed a conditional-access system for digital-television broadcasting. Prior to that, Dr. Aharoni held a number of Engineering positions at companies in the UK and Israel. Dr. Gadi Aharoni holds an MEng degree in Computing from Imperial College of Science and Technology, UK and a Ph.D. in Computer Science from the Hebrew University of Jerusalem.


Day 2: 11:00 AM - 12:15 PM
Role of Encryption - Protecting Data at Rest
Phil Grasso - Vormetric, Inc.

Presentation Abstract:
Encryption of data-at-rest is quickly becoming a regulatory mandate, as well as an industry-standard ‘best practice’ for protecting sensitive information stored throughout the organization’s IT environment. The effective implementation of encryption, however, requires that it be used in combination with other security technologies in order to address all the vulnerabilities to stored information. This presentation looks at vulnerabilities to stored information, and the role of encryption in addressing those vulnerabilities as part of a complete solution to protect against both internal and external threats. The role of encryption as a requisite for compliance with regulatory mandates will also be reviewed, along with other influences that are driving the adoption of encryption to protect stored information.

Speaker Bio:
Phil Grasso, VP and Founder
Vormetric, Inc.

Phil Grasso is responsible for developing partner-facing strategies and programs for Vormetric. Prior to Vormetric, Grasso founded two successful technology start-ups, held sales and marketing management positions at Actix and Diamond Multimedia, and provided sales and marketing consulting for several technology companies. As the founder and CEO of Digital Engineering, Grasso led the company’s growth to over 100 employees with sales in 35 countries. He was also co-founder and VP of Marketing for Linux4 Networks. Grasso holds a BSEE degree from the University of California, Davis.


Day 2: 12:30 PM - 01:30 PM
Lunch in the Food Court or on your own.
Lunch on your own -

Presentation Abstract:
Lunch is available in the Union Hall food court.

Speaker Bio:
TBA


Day 2: 12:30 PM - 01:30 PM
The State of ISSA and Information Security
Dave Cullinane, President, ISSA - Chief Information Security Officer, Washington Mutual, Inc.

Presentation Abstract:
The State of ISSA and Information Security

Speaker Bio:
Dave Cullinane is the Chief Information Security Officer (CISO) for Washington Mutual, Inc. - one of the largest banks in the United States. He is responsible for developing and sustaining a comprehensive information security program that effectively protects the personal information of millions of Washington Mutual customers. Prior to joining Washington Mutual, Dave was a Senior Consultant for nCipher, Inc.; the Director of Information Security for Sun Life of Canada’s U.S. operations and helped create Digital Equipment Corporation’s Security Consulting Practice. He has more than 20 years of security experience and is Board Certified in Security Management by ASIS International as a Certified Protection Professional (CPP). He is also a Certified Information Systems Security Professional (CISSP) and a former Certified Business Continuity Professional (CBCP).

Dave is also the International President of the Information Systems Security Association (ISSA), the largest not-for-profit association of information security professionals in the world. Dave is a Charter Member of the Global Council of Chief Security Officers, a group of influential senior cyber-security leaders dedicated to enhancing cyber security. He also serves on ASIS International’s Information Technology Security Committee (ITSC) and is on the Editorial Advisory Board of CSO Magazine, SC Magazine and Security Technology & Design Magazine. He was nominated for Information Security Executive of the Year for 2004 and awarded SC Magazine’s Global Award as Chief Security Officer of the Year for 2005.

For more about Dave, please visit www.issa.org/board/pres.html


Day 2: 01:45 PM - 03:00 PM
IAM and Compliance Management
Sachin Nayyar, Managing Partner - Vaau Consulting

Presentation Abstract:
Identity and Access Management (IAM) is the process for managing the lifecycle of digital identities and access for people, systems and services. This includes:

  • Provisioning and De-provisioning of users is the adding and removing of users from applications and systems.
  • Access Management is the process of enforcing the appropriate system and application access privileges.
  • Audit and Reporting allows users to review access privileges and validate changes.
Regulations Require:
  • Enterprises report on 'Who has access to what'.
  • Certification of User Entitlements by BU Managers and Application Owners.
  • Continuous Monitoring - Identity Auditing for Segregation of Duty Conflicts.
  • Users have the correct access for their job.
  • Accounts are terminated in a timely manner.
  • Audit trail for all account access requests.
Recommended Solution
Case Study:
A communications company identified 30 critical applications. It took 6 people 80% of their time to perform limited entitlement certification for 8 applications. They had a very limited audit trail for access requests. Vaau implemented automated user provisioning, automated workflow, online certification processes and identity auditing for 22 applications in 4 months.
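Three of the regulatory requirements listed above (report on who has access to what, detect segregation-of-duty conflicts, terminate accounts in a timely manner) are mechanical checks once the HR feed and the entitlement export are in hand. The block below is an added example for this page, not Vaau's tooling: it runs those checks over a constructed HR feed and entitlement export. User names, applications, roles and the single SoD rule are all invented.

```python
"""Added example: identity-audit checks over constructed entitlement data:
who has access to what, segregation-of-duty conflicts, and accounts that
survived termination. Not Vaau's code; all data below is invented."""
from collections import defaultdict
from datetime import date
from typing import Dict, List, Optional, Tuple

# Constructed HR feed: user -> (status, termination date)
USERS: Dict[str, Tuple[str, Optional[date]]] = {
    "asmith": ("active", None),
    "bjones": ("active", None),
    "cdoe":   ("terminated", date(2005, 10, 1)),
    "dlee":   ("active", None),
}

# Constructed entitlement export: (user, application, role)
ENTITLEMENTS: List[Tuple[str, str, str]] = [
    ("asmith", "ERP", "AP_CREATE_VENDOR"),
    ("asmith", "ERP", "AP_APPROVE_PAYMENT"),   # together with the line above: SoD conflict
    ("bjones", "ERP", "AP_APPROVE_PAYMENT"),
    ("cdoe",   "CRM", "ADMIN"),                 # cdoe left a month ago
    ("cdoe",   "ERP", "READ_ONLY"),
    ("dlee",   "HR",  "PAYROLL_VIEW"),
    ("ghost",  "ERP", "ADMIN"),                 # not in the HR feed at all
]

# Toxic role combinations, checked across all applications a user holds.
SOD_RULES: List[Tuple[str, str]] = [
    ("AP_CREATE_VENDOR", "AP_APPROVE_PAYMENT"),   # create a vendor and then pay it
]


def access_report() -> Dict[str, List[str]]:
    """'Who has access to what', in the shape a certifying manager reviews."""
    report = defaultdict(list)
    for user, app, role in ENTITLEMENTS:
        report[user].append(f"{app}:{role}")
    return {u: sorted(r) for u, r in sorted(report.items())}


def sod_conflicts() -> List[Tuple[str, Tuple[str, str]]]:
    """Users holding every role of some SoD rule."""
    roles_by_user = defaultdict(set)
    for user, _app, role in ENTITLEMENTS:
        roles_by_user[user].add(role)
    return sorted((u, rule) for u, roles in roles_by_user.items()
                  for rule in SOD_RULES if set(rule) <= roles)


def orphaned_accounts(today: date, grace_days: int = 1) -> List[Tuple[str, str, int]]:
    """Entitlements held by users terminated more than grace_days ago, or by
    users unknown to HR (reported with -1 days so they sort first)."""
    found = []
    for user, app, role in ENTITLEMENTS:
        status, left = USERS.get(user, ("unknown", None))
        if status == "unknown":
            found.append((user, f"{app}:{role}", -1))
        elif status == "terminated" and left and (today - left).days > grace_days:
            found.append((user, f"{app}:{role}", (today - left).days))
    return sorted(found, key=lambda f: (f[2], f[0], f[1]))


if __name__ == "__main__":
    print(access_report())
    print("SoD conflicts:", sod_conflicts())
    print("orphaned:", orphaned_accounts(date(2005, 11, 1)))
```

The SoD check is intentionally application-independent: the vendor-fraud combination is just as toxic when the two roles sit in different systems, which is exactly the case a per-application review misses. Accounts absent from the HR feed are surfaced as their own class because "not terminated" is not the same as "authorised".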

Speaker Bio:
Sachin Nayyar, Managing Partner, Vaau Consulting

Sachin Nayyar is the Identity and Access Management Solution (IAM) lead for Vaau. He has led several assessments and end-to-end implementations of Provisioning, Access Control, Web Services, Directory and Password Management products.

Summary:

  • Defined the Identity Management solution, roadmap and strategy for a large entertainment company.
  • Led a team of 6 consultants to architect, design and deploy an IAM solution for a large Utility Client. The solution included Web Access Control (WAC), Provisioning, Role Based Access Control (RBAC) and Web Services Security.
  • Led a team of 4 consultants to define the Identity and Access Management Strategy, Roadmap and Architecture for a major Utility Client.
  • Led a team of 20 consultants to deploy RBAC, User Provisioning and Auditing in a very aggressive timeline for a Fortune 100 financial institution.
  • Led a team of 18 consultants to implement RBAC and User Provisioning for a Fortune 500 insurance company.
  • Managed a team of 3 consultants that implemented single sign-on and provisioning for a large health care company.

Prior to working for Vaau, Sachin worked for Ernst & Young, where he was a thought leader in the Identity Management space. He regularly speaks at events and has published several whitepapers around IAM. In addition, Sachin is very familiar with the regulatory and compliance laws around Sarbanes-Oxley, HIPAA, GLBA, the California Privacy Act, FERC / NERC, etc. as they relate to user provisioning, administration, access control and segregation of duties. Sachin has a bachelor's degree in Management Information Systems and is a CISSP.


Day 2: 01:45 PM - 03:00 PM
Risk and Compliance Management: How to Avoid Overspending
Angela Triola, GSEC - Cybertrust, Inc.

Presentation Abstract:
Risk and Compliance Management are not mutually exclusive. Properly identifying and addressing risk in the corporate environment can lead to significant savings of critical resources while also addressing compliance and regulatory needs. This presentation will challenge you to consider the way you think about and address risk and regulatory compliance in your corporate environment.

Speaker Bio:
Angela Triola, GSEC
Solutions Engineer, Cybertrust, Inc.


Day 2: 01:45 PM - 03:00 PM
Corporate Responsibility for Personal Privacy
Eduard Goodman, General Counsel - Identity Theft 911

Presentation Abstract:
The increasing emphasis on personal privacy issues in the 21st century business world is inescapable. While the United States has always practiced a more laissez-faire approach to personal privacy and data protection than other regions and countries, government regulations have finally caught up to the public’s perception that privacy in the context of commerce is an important matter to be dealt with. With the recent increase in media coverage of database compromises, the identity theft epidemic and the question of who actually controls the access and protection of people’s personal information, regulatory agencies and politicians have finally begun to address these issues. Morally and financially bankrupt companies like WorldCom and Enron have driven home the important point that executives and officers of companies have a responsibility and can now be held accountable on a personal level for the misdeeds of their companies. In fact, in the newly reshaped business climate, regulatory compliance is the primary driver behind information security practices. This presentation will address the legal and policy issues surrounding data protection laws, database compromise liability and identity theft concerns that those in information security should be most aware of.

Speaker Bio:
Eduard F. Goodman, J.D., LL.M.
General Counsel and Chief Privacy Officer
Identity Theft 911

Eduard F. Goodman, J.D., LL.M. is General Counsel and Chief Privacy Officer for Identity Theft 911, LLC in Scottsdale, Arizona. Identity Theft 911, LLC is an identity theft resolution and database compromise consulting company that services the Banking, Financial, Medical and Insurance industries as well as a number of Educational Institutions. Eduard provides consulting on a number of legal and policy related privacy issues that span the areas of International Business, Intellectual Property, and Data Protection law.

Eduard received his Bachelor of Arts from the University of California at Irvine in 1996. He went on to receive his Juris Doctor from McGeorge School of Law in Sacramento, with a dual concentration in International Law and Intellectual Property Law in 2000. From there he became the first American attorney to receive his LL.M. in International Business and Trade Law from Erasmus Universiteit Rotterdam in the Netherlands in 2001. While at Erasmus, Eduard concentrated his research and dissertation on the comparative analysis of European Union and United States Data protection law related to e-commerce.

Eduard has researched and studied at the International Court of Justice in the Hague and has written and lectured on subjects ranging from international data protection policies to wireless networking technologies to cyber-terrorism. He currently sits on the State Bar of Arizona’s Internet, E-commerce and Technology Law Section’s Executive Council as the section’s former Treasurer and current Secretary.


Day 2: 01:45 PM - 03:00 PM
Only Auditors Audit: A CSO’s Guide to Audit Preparation
Dr. Michael Kelley, CISSP, PMP, CHS-II - TKG, Inc

Presentation Abstract:
Only Auditors Audit: A CSO’s Guide to Audit Preparation Using the Risk Assessment Process.
What do you do when your customers want you to do an independent security audit, and your CEO doesn’t? What do you do when the FTC notifies you that they will be performing an audit, and you don’t want one? Like it or not, security auditing is here to stay. Dr. Michael Kelley believes that the best defense is a good offense, and shows you how to achieve audit preparation readiness using familiar risk management techniques.

Speaker Bio:
Dr. Michael Kelley, CISSP, PMP, CHS-II
TKG, Inc.

Michael Kelley, Ph.D., has worked with TKG - The Kelley Group - as a Scientific Advisor since 1996, and has been involved in security since starting with DOD in 1984. Dr. Kelley has performed security reviews within the public and private sectors throughout the US & Canada. He holds a Ph.D. in Business Administration with a major in Business and Organizational Security Management and is involved in the CxO Security Council and Presidential Business Commission. His current work with CCE is to help develop their MIS and Information Security curricula, and he is also working with CSUS to develop an Information Security "Center of Excellence".


Day 2: 01:45 PM - 03:00 PM
Incident Report
Rodney Smith, EnCE, CISSP, Senior Forensic Consultant - Guidance Software, Inc.

Presentation Abstract:
Incident Report
Incident Response

Speaker Bio:
Rodney Smith, EnCE, CISSP
Senior Forensic Consultant
Guidance Software, Inc.


Day 2: 01:45 PM - 03:00 PM
Information Systems Security Education - IT PAYS!
Jon Kibler, CEH - New Horizons Computer Learning Center

Presentation Abstract:
Security is a serious IT industry problem because most managers, users, programmers and administrators lack adequate security awareness and training. New Horizons offers IT security training for every level of user and will discuss the following courses. For network, systems and security administrators, courses such as CEH, CSA and CHFI provide hands-on experience in recognizing system compromises, hardening systems against attack and analyzing breached systems. For systems analysts and programmers, the CSP and CSAD courses provide the skills needed to design and implement applications less subject to compromise. Specialized courses, such as Linux / UNIX Security and Wireless Security are also available and will be discussed. Information Security training translates into productivity increases for your organization, and security and trust when doing business with your customers.

Speaker Bio:
Jon Kibler is Chief Technical Officer of Advanced Systems Engineering Technology and Information Systems Security instructor at New Horizons Computer Learning Center.


Day 2: 01:45 PM - 03:00 PM
Viruses and Zombies: Attacks and Defenses
Alex Hernandez - CipherTrust

Presentation Abstract:
Viruses and Zombies: Attacks and Defenses

Speaker Bio:
Alex Hernandez, Matt Sarnie, Paul Sylvestre, and Michael Ghany will be present from CipherTrust to answer your questions.


Day 2: 03:15 PM - 04:30 PM
E-Mail Security Policies
Shaun B. Coleman - ProofPoint

Presentation Abstract:
E-mail has revolutionized how businesses communicate. But e-mail also makes it easy to transport confidential information and valuable intellectual property outside the organization -- without anyone knowing until it is too late. To combat these threats, enterprises must develop clear policies for outbound e-mail (and other messaging protocol) content and should adopt technology to monitor and enforce such policies.

Content security expert Shaun Coleman will discuss the regulatory, financial and legal risks posed by outbound e-mail, especially as a conduit for leakage of proprietary and confidential information. He will also discuss a step-by-step process for designing, deploying and enforcing e-mail security policies to help mitigate these risks. Additional key "take aways" include:

  • the 10 key questions to ask when developing e-mail security policies; and
  • best practices in using technology to
    • (1) assess an organization’s current level of risk,
    • (2) create policies, and
    • (3) refine them over time.
ISSA attendees should be extremely interested in this topic. A recent survey of 332 e-mail / security decision makers in large organizations found that "ensuring that e-mail cannot be used to disseminate trade secrets or valuable intellectual property" was the top outbound e-mail concern (>85% of companies with 20,000 or more employees were "very concerned" or "concerned" about this issue).
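The "technology to monitor and enforce such policies" in the abstract is, at its core, a rule engine that classifies each outbound message and picks an action. The block below is an added example for this page, not Proofpoint's product: a small outbound policy check over constructed messages, with three illustrative rules (social security number pattern, payment card number validated with the Luhn check, confidentiality marker) and three actions. The internal domain `example.com`, the rules and the thresholds are assumptions.

```python
"""Added example: rule-driven outbound e-mail policy check over constructed
messages (not Proofpoint's product). Domain, rules and actions are illustrative."""
import re
from dataclasses import dataclass
from typing import List, Tuple

INTERNAL_DOMAIN = "example.com"                     # assumed
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,15}\b")   # 13-16 digits, optional separators
MARKER_RE = re.compile(r"\b(confidential|internal only)\b", re.IGNORECASE)


@dataclass
class Message:
    sender: str
    recipients: List[str]
    subject: str
    body: str


def luhn_valid(number: str) -> bool:
    """Luhn checksum; cuts false positives from order numbers and the like."""
    digits = [int(c) for c in number if c.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def leaves_organisation(msg: Message) -> bool:
    suffix = "@" + INTERNAL_DOMAIN
    return any(not r.lower().endswith(suffix) for r in msg.recipients)


def evaluate(msg: Message) -> Tuple[str, List[str]]:
    """Returns (action, reasons); action is 'allow', 'encrypt' or 'block'."""
    text = f"{msg.subject}\n{msg.body}"
    reasons = []
    if SSN_RE.search(text):
        reasons.append("ssn")
    if any(luhn_valid(m.group()) for m in CARD_RE.finditer(text)):
        reasons.append("payment-card")
    if MARKER_RE.search(text):
        reasons.append("confidential-marker")
    if not leaves_organisation(msg):
        return "allow", reasons            # internal traffic: record findings, deliver
    if "ssn" in reasons or "payment-card" in reasons:
        return "block", reasons            # identifiers leaving the company
    if "confidential-marker" in reasons:
        return "encrypt", reasons          # allowed out, but only protected
    return "allow", reasons


# Constructed sample traffic.
SAMPLES = [
    Message("hr@example.com", ["agent@partner.net"], "new hire",
            "Her SSN is 123-45-6789, please set up payroll."),
    Message("sales@example.com", ["buyer@customer.org"], "receipt",
            "Charged card 4111 1111 1111 1111 as agreed."),
    Message("sales@example.com", ["buyer@customer.org"], "receipt",
            "Your order ref is 1234 5678 9012 3456."),        # fails Luhn: not a card
    Message("pm@example.com", ["analyst@press.com"], "CONFIDENTIAL roadmap",
            "Attached is the Q1 plan."),
    Message("hr@example.com", ["payroll@example.com"], "new hire",
            "Her SSN is 123-45-6789."),                        # stays internal
]


def evaluate_all() -> List[Tuple[str, List[str]]]:
    return [evaluate(m) for m in SAMPLES]


if __name__ == "__main__":
    for m, (action, why) in zip(SAMPLES, evaluate_all()):
        print(f"{action:8} {m.recipients} {why}")
```

The Luhn check is what keeps the card rule usable: a bare 16-digit regex fires on order references, tracking numbers and timestamps, and a policy that blocks those gets switched off within a week. The internal-domain test is the other place deployments go wrong; it must be applied to every recipient, including Cc and Bcc, not just the first one.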

Speaker Bio:
Shaun B. Coleman, Senior Product Manager, Content Security
Proofpoint, Inc.

Shaun Coleman has spent the past 12 years in the computer security industry. He is currently senior product manager for messaging security vendor Proofpoint, in charge of the company’s outbound email content security products. Prior to joining Proofpoint, Mr. Coleman was co-founder and Director of Product Management for risk management vendor Reconnex, where he was responsible for the company’s product roadmap and product direction. Before joining Reconnex, Mr. Coleman held product management positions at Array Networks, and various management roles at RSA Data Security. Prior to RSA, Mr. Coleman was an information security officer at Lawrence Livermore National Laboratory and Sandia National Laboratories, working for the US Department of Energy.


Day 2: 03:15 PM - 04:30 PM
Anatomy of a Hack
Will Irace - Internet Security Systems

Presentation Abstract:
Worms, viruses and botnets are just the tip of the iceberg: equally serious is the threat posed by a knowledgeable, determined attacker. This presentation describes in detail the steps such a person might take in compromising a fictional online investment corporation.

Speaker Bio:
Will Irace serves as a Senior Systems Engineer for the Western region for Internet Security Systems, Inc. (ISS). With more than four years of enterprise network security design, deployment, testing and training, Irace is considered a "Trusted Advisor" to ISS customers and is responsible for providing a range of services, from needs assessment and deployment to configuration and training. Irace also assists in the development of custom reporting solutions based on customers’ unique needs. Prior to joining Internet Security Systems, Irace worked in the entertainment industry as an IT professional, where he produced a variety of online streaming media events. Irace earned a Bachelor’s degree from California State University, Northridge, Calif., and holds the CISSP (Certified Information Systems Security Professional) certification.


Day 2: 03:15 PM - 04:30 PM
CISSP Seeks CIPP - Object: Mutual Compliance
David Nelson, CISSP, CIPP/G - Privacy & Security Officer, Yolo County

Presentation Abstract:
Presented at the National HIPAA Summit and slated to be published in the ISSA Journal, this topic discusses the "Marriage" of privacy and security professionals under HIPAA.

While HIPAA has changed many things within the Health Care industry, one of the benefits of the changes is that privacy and security are wedded as never before, in a very public way. If that is the case, there are two certifications that appear to walk hand in hand to support this union. This presentation points out the overlap in the two certifications and points to the common ground that privacy and security share.

Speaker Bio:
David Nelson, CISSP, CIPP/G
Privacy & Security Officer, Yolo County

David Nelson has been the Co-Chair of the California State HIPAA Privacy & Security Workgroup for the last four years. He is also a member of the State HIPAA Steering Committee as well as a member of the County HIPAA Issues Workgroup. He has spoken about HIPAA Privacy at the California Public Health Officer Association, the County Mental Health Directors Association, the Annual Leibert Cassidy Whitmore Labor Relations Conference and the Annual County Risk Management Conference. Most recently he has been speaking on the amalgamation of Privacy and Security under the HIPAA Rules at the Partners In Learning portion of the Government Technology Conference, the National HIPAA Summit, and the California Data Managers Association. He has been published in the WEDI/SNIP Synopsis in May 2004 and the ISSA Journal November 2005. He achieved CISSP status April 2005 and CIPP/G in October 2005.


Day 2: 03:15 PM - 04:30 PM
Intel - How Intel Designs Plans with Audit in Mind
Howard Pierpont, CBM, CBCP, CRP - Intel Corporation

Presentation Abstract:
Intel reset its Corporate Business Continuity Program after 9/11. The session will review the highlights of that effort and the methods used to go from Risk Assessment to a Sustaining Model.

Speaker Bio:
Howard Pierpont, CBM, CBCP, CRP
DEG Security, Compliance and Continuity Program Office - Manager
Intel Corporation

Howard Pierpont, CBM, CBCP, CRP, has 26 years of experience in Information Technology, including IT Management, Business Continuity Planning and Auditing. He worked for a major player in the computer design and manufacturing industry supporting every phase of the process from concept design to shipment of finished product. Mr. Pierpont also spent a number of years as a Capital Acquisition Manager with responsibility for high-availability configuration of systems for the desktop and the data center. He has designed high-availability security solutions for ERP systems and designed Business Continuity programs for international multi-site companies. He specializes in taking complex Business Continuity concepts and distilling them into practical, real components. The sessions will include 2005 updates from BCI, DRII, ISACA and others. Mr. Pierpont lives and works in Hillsboro, Oregon for a major silicon designer and manufacturer and is also President of the Willamette Valley ISACA chapter.


Day 2: 03:15 PM - 04:30 PM
Investigation of Proprietary Data Theft
John C. Smith, Principal - John C. Smith Group

Presentation Abstract:
This presentation will cover how to investigate the theft of proprietary data and prepare a report that can serve as a search warrant affidavit or as an affidavit in support of a request for an injunction. The presenter will use as examples cases he investigated while with the District Attorney's office and with corporations in Silicon Valley. These will include two cases that have been appealed through the California courts, People vs. Avanti and People vs. Hawkins; the affidavits from those cases will be distributed as handouts. How to use these examples in support of network intrusion cases will also be discussed.

Best Practices: Reporting and Prevention Guidelines

Speaker Bio:
John C. Smith, Retired Chief of Police
Principal, John C. Smith Group - High Tech Investigations and Security Consulting

John C. Smith was the Sr. Criminal Investigator, High Technology / Computer Unit, Santa Clara County District Attorney's Office, specializing in industrial espionage, trade secret theft and network intrusion investigations. He has 32 years in law enforcement and 7 years in the corporate sector, where he served as the corporate security manager for Netscape and myCFO and as a Senior Investigator at 3Com. He has taught classes around the United States for organizations such as CERT, SANS, MIS, Sun Users Group, HTCIA, and ISSA and has provided training and consultation to prosecutors and law enforcement, including officials from the Netherlands, Australia, Singapore, Korea, Italy, India, the People's Republic of China, and Taiwan.

John is Membership Chair for ASIS Sacramento, a chapter of the American Society for Industrial Security.


Day 2: 03:15 PM - 04:30 PM
Using a Statistical Approach to Intrusion Detection
Ravi Verma and G. Ramon Gomez - Caetra Network Security

Presentation Abstract:
Most of us are familiar with intrusion detection using the signature-based approach. Snort is the best-known example of a signature-based tool. These tools match network traffic against a database containing signatures of known intrusion attempts; if a match is found, the tool generates an alert. Such tools have been helpful in detecting network intrusions. There are similar signature-based tools for host-based intrusion detection: Tripwire, AIDE, Samhain and Osiris are the top contenders in this category. However, signature-based tools suffer from one deficiency: they can generate alerts only for those intrusion attempts that are known beforehand and whose signature has been hand-coded into the repository the tool consults. Hence, they are unable to detect any intrusion that does not match a pattern stored in the system. The statistical approach overcomes that shortcoming. It establishes normal usage patterns (profiles) using statistical measures on system features, for example the CPU consumed and I/O done by a particular user or program, and flags significant deviations from those profiles. The speakers will present an overview of a system they have developed for Caetra Network Security using the statistical approach.

Speaker Bio:
Ravi Verma, Chief Executive Officer,
and G. Ramon Gomez, Security Engineer, Caetra Network Security

Ravi Verma is the Chief Executive Officer of Caetra Network Security. During his 20 years in the information technology field, Mr. Verma has implemented security solutions for government and the medical and manufacturing industries. He is a member of the board of the Information Systems Security Association, Sacramento Chapter. Mr. Verma is involved with the development communities of Snort, Netfilter, Openswan, Prelude, and Nessus. His technology background includes CISCO, Nortel, Sonicwall, Checkpoint and Linux security products. Mr. Verma is a graduate of the Indian Institute of Technology, Kanpur in India.

G. Ramon Gomez attended Chico State University, California as a Computer Science major and has worked in the IT industry for 12 years, with specialties in Infrastructure and Security Engineering. He has designed and implemented Vulnerability Assessment and Remediation programs both for internal use and provisioned customer services, as well as designed and implemented entire data centers on both the East and West coasts of the United States. He is actively involved in the development of the Prelude Hybrid IDS, and a contributor to the Snort IDS.

For more information about Caetra Network Security, visit their web site at www.Caetra.com


Day 2: 03:15 PM - 04:30 PM
Emerging Threats: Stop Spam, Virus, and Phishing Outbreaks through End-to-End Attack Monitoring
Adam Sicker - MailFrontier, Inc.

Presentation Abstract:
Today a typical e-mail attack is a global event. The lifecycle starts with the sender, not the e-mail, and ends with the last effect on the recipient. All e-mail attacks, whether spam, viruses, phishing, or other attack type, follow a similar lifecycle. Merely focusing on the e-mail will miss many of the identifiers of an attack and will not consider some of the broader ramifications. This presentation will discuss the global nature of e-mail threats and how to stop these threats by considering the sending server; the e-mail content; any attachments; embedded URLs and other contact points; any Web sites to which the embedded URLs link; the recipient; and the effect on the e-mail community. In addition to being global in nature, e-mail attacks often contain blended threats, attacking recipients on multiple fronts. The presentation will also show how to effectively target the various e-mail threats so that the combined protection will stop both individual and blended attacks.

Speaker Bio:
Adam Sicker, Senior Sales Engineer, MailFrontier, Inc.

With 16 years of experience in data networking and telecommunications, Adam Sicker is an expert in the field of network infrastructure and security. He has coordinated the development of numerous IEEE industry standards, and has served on national and international standardization committees for data interchange (ANSI, ISO, ITU). As a Systems Engineer for Niksun, Mr. Sicker architected and installed network monitoring and security systems for U.S. Department of Defense (DoD) and Department of Energy (DOE) installations, as well as various university and enterprise customers. He currently oversees the installation of email security solutions for MailFrontier. Mr. Sicker graduated from the University of Maryland with a bachelor of social sciences degree in behavioral psychology.


Day 2: 05:00 PM - 06:00 PM
The Future of Computer Forensics
Lydell Wall, Detective, Stanislaus County Sheriff Department - Sacramento Valley Hi-Tech Crimes Task Force

Presentation Abstract:
The Future of Computer Forensics

Speaker Bio:
Lydell Wall is a detective with the Stanislaus County Sheriff’s Department and is assigned to the High-Tech Crimes Task Force. Lydell is a computer analyst who specializes in network security and has been involved in the development of network application software to protect corporate interests.

For more about the Sacramento Valley Hi-Tech Crimes Task Force, please visit www.sachitechcops.org


Day 3: 07:30 AM - 08:15 AM
Registration & Continental Breakfast
Registration & Continental Breakfast -

Presentation Abstract:
Breakfast will be provided in the Union Hall lobby.

Speaker Bio:
TBA


Day 3: 09:15 AM - 12:00 PM
Identity and Access Management Workshop
Mick Coady - Computer Associates

Presentation Abstract:
Today, more than ever, organizations must address the complex task of managing users' identities and their access. As significant investments in business-critical applications increase, so does the need for effective identity and access management. Organizations are evolving to increase their accessibility to customers, partners, vendors, suppliers and employees. Because they were not originally structured for such access, a disjointed effort to address specific identity and access problems has resulted in a patchwork of solutions that have caused significant inefficiencies, identity silos, increased risk of identity theft, unauthorized access and failure to meet regulatory compliance. The increased focus on the need to secure the organization and protect confidential and personal data now demands a more integrated, comprehensive approach. Effective security management starts with identity and access - knowing and controlling who can do what and accounting for what they have done. Based on industry best practices, Coady will outline the "success factors" for a complete identity and access management strategy that allows provisioning, enforcement and auditing to come together within a common user interface and to share common components - helping you streamline management, allow trusted access to partners, protect your investments in existing systems, reduce costs, improve efficiency and facilitate regulatory compliance.

Speaker Bio:
Mick Coady is a Vice President with the Computer Associates Inc. Security Practice, with sixteen years of Privacy and Technology experience. During the past 12 years he has worked with two Big Five firms and led Forensics and Security investigations in both the public and private sector. Mr. Coady has worked with Computer Task Forces around the world and has developed an enterprise security methodology to help mitigate risks to companies. Mr. Coady has worked with many U.S. and European based clients implementing the European Privacy Directive in the early 1990's. He is a renowned national speaker on Privacy and Security as it relates to HIPAA, GLBA, EUPD and PIPEDA compliance. He has managed over 60 Health Insurance Portability and Accountability Act (HIPAA), EU Privacy Directive (EUPD) and Gramm-Leach-Bliley Act (GLBA) engagements nationwide for clients in the public and private sector.


Day 3: 09:15 AM - 12:00 PM
Common Wireless Vulnerabilities and Exploits
Chris Waters, CTO - Network Chemistry

Presentation Abstract:
*Hands-on* WLAN Intrusion Detection and Prevention
Hands-on workshop on wireless vulnerabilities and exploits - and how to protect a WLAN system against a variety of wireless attacks.

We will demonstrate how to set up a wireless intrusion detection and prevention system that can prevent unauthorized connections, either malicious or accidental.

Speaker Bio:
Dr. Christopher Waters, Chief Technical Officer
Network Chemistry

Chris is an entrepreneurial technical leader, initially founding Celsius Research to develop mesh networking technology for robust industrial networks. After Celsius was acquired by Ubicom, he led designs of wireless network processors and software, found in wireless products by Linksys, InFocus, NEC, and Sony. Prior to Network Chemistry, Chris co-founded Tazmen Technologies to develop the technology for personal firewall products. He holds one U.S. patent and has four pending patent applications. Chris holds a Bachelor of Engineering with First Class Honors and a PhD in Electrical and Electronic Engineering from the University of Auckland in Auckland, New Zealand.


Day 3: 09:15 AM - 12:00 PM
TBA
TBA - TBA

Presentation Abstract:
TBA

Speaker Bio:
TBA


Day 3: 09:15 AM - 12:00 PM
Auditing Well Designed Plans & Designing Auditable Plans
Howard Pierpont, CBM, CBCP, CRP - Intel Corporation

Presentation Abstract:
This is a condensed version of a two-day session that was conducted at the Willamette Valley Chapter ISACA Spring Training week in 2005. The session will cover Ready.gov, the BCI and DRI methods and the "FEMA's CAR / NFPA 1600 / BCI & DRII Professional Practices Crosswalk". A hands-on Risk and Impact Assessment exercise will be conducted to demonstrate what to look for when auditing a risk assessment and to look at steps for risk mitigation.

Speaker Bio:
Howard Pierpont, CBM, CBCP, CRP
DEG Security, Compliance and Continuity Program Office - Manager
Intel Corporation

Well, it's hard work, but somebody has to do it.


Day 3: 09:15 AM - 12:00 PM
Hands-on Training on Major Vulnerability Scanning Tools
Ravi Verma and G. Ramon Gomez - Caetra Network Security

Presentation Abstract:
The objective of vulnerability scanning is to find the holes in your network before an attacker does. It includes internal and external network scanning plus penetration testing of enterprise networks to identify weaknesses in relation to known threats. In this session, Ravi Verma and G. Ramon Gomez provide an overview of and hands-on training on major vulnerability scanning tools such as Nessus, Nmap, Ethereal, Kismet and AirSnort. The speakers will also help attendees interpret the output of the scanning tools.

Speaker Bio:
Ravi Verma, Chief Executive Officer,
and G. Ramon Gomez, Security Engineer, Caetra Network Security

Ravi Verma is the Chief Executive Officer of Caetra Network Security. During his 20 years in the information technology field, Mr. Verma has implemented security solutions for government and the medical and manufacturing industries. He is a member of the board of the Information Systems Security Association, Sacramento Chapter. Mr. Verma is involved with the development communities of Snort, Netfilter, Openswan, Prelude, and Nessus. His technology background includes CISCO, Nortel, Sonicwall, Checkpoint and Linux security products. Mr. Verma is a graduate of the Indian Institute of Technology, Kanpur in India.

G. Ramon Gomez attended Chico State University, California as a Computer Science major and has worked in the IT industry for 12 years, with specialties in Infrastructure and Security Engineering. He has designed and implemented Vulnerability Assessment and Remediation programs both for internal use and provisioned customer services, as well as designed and implemented entire data centers on both the East and West coasts of the United States. He is actively involved in the development of the Prelude Hybrid IDS, and a contributor to the Snort IDS.

For more information about Caetra Network Security, visit their web site at www.Caetra.com


Day 3: 09:15 AM - 12:00 PM
Risk Management for Systems and Networks
Tom Peltier, CISM, CISSP - President, Thomas R Peltier Associates, LLC

Presentation Abstract:
Information technology has been developed to help ensure that organizations meet their business objectives or enterprise mission. Risk management plays a critical role in protecting the enterprise’s information assets. An effective risk management process is an important component of successful information technology security architecture. The principal goal of the risk management process is to protect the ability of the enterprise to meet its missions and objectives, not just to protect information technology assets. In this session we will examine industry-accepted standards and guidelines that will allow attendees to have a better understanding of risk management and resources to implement the process.

In this session we will review the four key elements of the risk management process and how each of them maps to the system development life cycle. Once this is established we will discuss how risk management is used in business and security.

Speaker Bio:
Tom Peltier is in his fifth decade of computer technology. During that time he has shared his experiences with fellow professionals, and was awarded the 1993 Computer Security Institute's (CSI) Lifetime Achievement Award. In 1999, the Information Systems Security Association (ISSA) bestowed on him its Individual Contribution to the Profession Award, and in 2001 he was inducted into the ISSA Hall of Fame. Tom was also awarded the CSI Lifetime Emeritus Membership Award. Currently, he is President of Thomas R. Peltier Associates, LLC, an information security training firm. Prior to this, he was Director of Policies and Administration for the Netigy Corporation's Global Security Practice. Previously, Tom was the Information Security Specialist for General Motors Corporation, responsible for implementing an information security program for GM's worldwide activities. He has been the technical advisor on a number of security films from Commonwealth Films. He is the past chairman of the Computer Security Institute (CSI) Advisory Council, the chairman of the 18th Annual CSI Conference, founder and past president of the Southeast Michigan Computer Security Special Interest Group and a former member of the board of directors for (ISC)2, the security professional certification organization. He has conducted numerous seminars and workshops on various security topics and has led seminars for CSI, Crisis Management, the American Institute of Banking, the American Institute of Certified Public Accountants, the Institute of Internal Auditors, ISACA, and Sungard Planning Solutions. He was also an instructor at the graduate level for Eastern Michigan University.

For more about Tom, please visit the Peltier Associates web site at www.PeltierAssociates.com


Day 3: 09:15 AM - 12:00 PM
Open
Open -

Presentation Abstract:

Speaker Bio:


Day 3: 12:30 PM - 01:30 PM
Lunch in the Food Court or on your own.
Lunch on your own -

Presentation Abstract:
Lunch is available in the Union Hall food court.

Speaker Bio:
TBA


Day 3: 01:15 PM - 05:00 PM
Enterprise Message Management - The New Mission Critical Application
Steven Hendrix and Arshad Mea - Symantec Corp

Presentation Abstract:
It's a scenario that is increasingly all-too-familiar among public sector and education entities around the globe: The phone rings. On the other end, a frantic Executive is demanding immediate access to all his/her emails - and their attachments - that contain certain keywords and involve certain individuals for the past 12 months. "It's a matter of life and death," is the directive as the phone slams down. Or perhaps it's the VP of Human Resources requesting all emails and personal electronic files from a recently terminated, long-time employee who is threatening a lawsuit. The employee's records are scattered across the employee's laptop and hundreds or thousands of backup tapes, some of which are stored at an offsite facility while others are haphazardly organized in the back office of the data center or in a filing cabinet.

While this scenario may seem simple enough to the casual bystander or even to the Executive making the request, the reality of the task and the shortcomings of most users' information recovery processes can incite a chain of panic among even the most experienced IT departments today, and for good reason. The truth is that traditional email management and backup procedures have not improved and evolved at the pace of business. Over the past few years, email repositories (i.e., Exchange and Notes servers) have grown exponentially both in size and in strategic importance to the entire organization.

Speaker Bio:
Steven Hendrix is the Senior Partner Account Manager for Enterprise Vault in the Western Area, covering 13 states. Steven previously worked as an Enterprise Vault Sales Specialist for two years at KVS prior to its acquisition by VERITAS Software.

Arshad Mea is a Senior Systems Engineer with Symantec Corporation.


Day 3: 01:15 PM - 05:00 PM
E-mail Insecurity: New Threats Facing Global Businesses
Terry Dickson, CEO - Avinti, Inc.

Presentation Abstract:
E-mail is the new battleground for Internet security. Both small and large organizations must find cost-effective means to minimize three key threats: fast-moving e-mail attacks, isolated targeted attacks and unknown viruses.

Speaker Bio:
Terry Dickson, CEO
Avinti, Inc.


Day 3: 01:15 PM - 05:00 PM
Open
Open -

Presentation Abstract:
TBA

Speaker Bio:
TBA


Day 3: 01:15 PM - 05:00 PM

Open -

Presentation Abstract:

Speaker Bio:


Day 3: 01:15 PM - 05:00 PM
Open
Open -

Presentation Abstract:
TBA

Speaker Bio:
TBA


Day 3: 01:15 PM - 05:00 PM
The Business of Security - an Ontologist’s View of How Security Fits into Business Organization
Brian C. Lee, Organization Ontologist - ThinkMore LLC

Presentation Abstract:
This workshop offers an explanation of the business of security. The role of security in facilitating the life and health of an organization will be explored using the perspectives of enterprise architecture. It's one thing to have security at the network level or to implement security in a server; it's another to implement security for maximum benefit. Security as a business enabler must be fully integrated with the enterprise and, if done right, creates synergy across the enterprise. In short, security protects organizational capabilities by enabling and restraining access to resources.

Speaker Bio:
Mr. Lee has developed the research vehicle for investigating what works and what does not work in the area of organizational design and enterprise development. Since 1986, he has worked in or consulted with large corporations and systems all over the country to implement the "Vision to Value" concept--identify performance problems, design the changes required to meet goals, and mentor the key management personnel on effecting the changes. The positions held include program mentor, requirements analyst, executive/management coach, project architect/manager, and organizational analyst, to name a few.


Day 3: 01:15 PM - 05:00 PM
Open
Open -

Presentation Abstract:
TBA

Speaker Bio:
TBA


Day 3: 05:00 PM - 06:00 PM
360 Degrees of Security
Dean Hipwell, President - ISSA-Sacramento

Presentation Abstract:
Information security is no longer the "after-market add-on" it once was. It's now part of early planning efforts, even earlier than system design and development. Information security is part of legislative initiatives at State, Federal and Local levels. It's become a prominent feature in Enterprise Architecture plans. System and network implementers must convince customers of their knowledge, skills and abilities in information security. And the general public is becoming more and more aware, both of threats to privacy and of weaknesses in technology. As a result, information security has become one of the first topics of discussion for information technologists, project managers, auditors and planners.

Speaker Bio:
Dean is President of the Sacramento Valley Chapter of the ISSA.

Currently a consultant working through Delegata, Inc., Dean has provided information security consulting services for several State agencies. He has also consulted for the County of Sacramento, during which time he played an early role in shaping CCISDA Best Practices for counties statewide. As a member of ISSA, Dean created the Chapter's CISSP Review Seminar, leaning on skills gained as an adjunct professor of computer science at National University. As President, Dean is advising the CSU College of Continuing Education about their IT curriculum, the CSU Computer Science Department on their Information Assurance Center, the Sacramento Region Citizens Corps Council on plans for an emergency volunteer network, and the Walnut Creek Chamber of Commerce on information security for home and small businesses. He's also, temporarily, your webmaster.

