Register by 24 July 2009 and save €500

Gartner Information Security Summit 2009
Managing risk and securing information: your role, your priorities, your tactics

Thought Leader Keynote: Spencer Kelly, Technology Tourist, Presenter of the BBC’s international technology programme Click
Guru Keynote: Professor Fred Piper, Information Security Group, Royal Holloway, University of London
Summit Co-Chairs: Jay Heiser, Research VP, Gartner; Tom Scholtz, Research VP, Gartner

21 – 22 September | London
europe.gartner.com/security

Register today at europe.gartner.com/security

Introduction

CONTENTS SUMMARY
Page 4 Plenary
Page 5 Foundation Sessions and Gartner Analyst/User Roundtables
Page 6-9 Summit Program: The Tracks and Sessions
Page 10 End-User Case Studies
Page 12 Gartner Research
Page 13 Maximize Your Summit Experience
Page 14 Solution Showcase
Page 15 How to Register

Your Summit — Your Agenda!
With a wealth of sessions, it is helpful to have a tool to build your own agenda focusing on your own needs. The online Agenda Builder helps you select the relevant sessions and schedule them in your calendar, and to build networking and reflection time into your schedule. Go to ab/gartner.com/sec10i to view the full agenda and plan your on-site schedule.

Managing risk and securing information: your contribution to the success of your organization!
We are living in challenging times. Money is tight, and cyber-risks are increasing. As an information security or risk professional, you have a special contribution to make to the success of your organization. Traditional emphasis has been on effectiveness in preventing security breaches and incidents, but the focus is increasingly turning toward the efficiency with which this can be achieved. It might sound like alchemy, but you have an important duty to simultaneously improve security while reducing costs.

This year’s Gartner Information Security Summit emphasizes the role of the individual practitioner, which is becoming increasingly specialized. What should you be doing, and what are the best practices of your peers? The event will provide the information and networking opportunities to help you do your job better.

Jay Heiser, Research VP, Gartner
Tom Scholtz, Research VP, Gartner

Key Benefits that you will derive from attendance at the Gartner Information Security Summit:
• Meet business needs: protect and support critical systems and processes to ensure delivery of the organization’s overall objectives
• Make wise investments: gain the most up-to-date understanding of the vendor landscape allowing you to assess your best-fit approaches
• Sound deployment of resources: learn where to place your time, energy and budget in order to achieve quick-wins and clear results
• Make the business case: explain to c-level executives where and how your work in security has delivered value and why it is worth the investment
• Safeguard clients: both internally and externally individuals rely on you and need to have full confidence if you are to have their support at every step
• Deepen tactical knowledge: you know what your problems are... come meet the Gartner analysts and learn what the solutions look like
• Strengthen strategic vision: advantage is gained by knowing where to jump and how soon. Don’t learn to be first, learn to be the best
• Develop your most vital resource: yourself: increased expertise, broader awareness at all levels, connections within the industry, and ways to make an impact; the Gartner Summit experience is designed to make you an asset to your organization and a true knowledge worker.

Summit Timetable
Sunday 18:00 - 19:30 Networking Reception
Monday 07:30 - 20:00
Tuesday 07:30 - 17:30, 18:30 - 20:00

Customize your agenda!
To assist you in making the most of your attendance we have tagged a series of sessions to create two recommended agendas for you:
“Your How To Guides” — put knowledge into action with the practical implementation advice offered in these sessions.
“Your Technology Strategy” — a suite of sessions giving you full briefings on a core selection of security and risk technologies.

What’s New at the Gartner Information Security Summit?
• Practical, Actionable Know-How: In the present climate, your value relies not on who you are but on what you can deliver effectively. This year’s agenda features five presentations telling you the “how-to” approaches for effective programs in IAM, DLP, GRC, vulnerability management and your overall security structure.
• Rising Compliance Issues: The agenda deals directly with incoming regulatory requirements such as Solvency II, IFRS and SEPA, including cross-border issues, and gives an exclusive analysis of how you should go about preparing for other compliance challenges.
• Frameworks for the Organization: This year’s agenda features a demonstration of ITILv3 for security, a real-world case study of ISO27001/ISO27005 in action and the implementation of a risk management framework.
• Advanced Practitioner Insight and Professional Development: Take your organization and your own career to the next level… Let Gartner help you with everything from a full self-assessment workshop, our maturity benchmark session showing global organizational standards and how to advance up the chain, an advanced workshop on risk management and a Gartner guide to how you can make best use of security qualifications and accreditation for your CV.

Advisory Board
The Gartner Information Security Summit operates with the advice and support of a number of end-user representatives who help ensure that the content and direction of the Summit fits the needs of our intended audience.
Paul S. Raines, Head IT Information Security, Organization For The Prevention Of Chemical Weapons
Neville Hinchliffe, LUIM Risk & Resilience Manager, London Underground
Richard Astill, Head of IT Risk Management & Assurance, AON
Peter Tiffany, IT Security Officer, Department Of Health
Mathieu Ransijn, Global Information Security Operations Manager, Shell
Joe Dauncey, Information Security Manager, Scottish & Southern Energy

Register Now and build your agenda at europe.gartner.com/security

Plenary Sessions

Milestones and Monsters
The Web has levelled the playing field. Now, anyone can come up with a great idea, and unleash it on the world. And in an age where consumer electronics is massive business, every new invention is a potential goldmine. The best thing is, to capitalize on it, you don’t even have to have the idea yourself. You just have to know how and when it could change the world, and be ready. We start with a look at some of the technology past milestones that have given rise to the success stories of today, and a look ahead at some which have yet to happen — the ones that you may be able to make a few zeroes on. And then it’s on into the dark side — after all... innovation isn’t always for the greater good. As more and more real life and real business takes place online, there are real opportunities for organized criminals to cash in. So, who are they? How are they structured? And how are they likely to hit you? Place yourself in the hands of the perfect guide — one who has investigated cutting edge cybercrime, and demonstrated how easy it is to command an army of zombie machines to do anything you want.
Spencer Kelly, Technology Tourist, Presenter of the BBC’s international technology programme Click

Making the Real World Trade-Off: Balancing the Costs of Security and Insecurity
Information security only started maturing in the 1990s, when distributed computing and pervasive networking resulted in a dramatic increase in business dependency on IT. This coincided with a dramatic increase in risk. As best practice and theory have come into contact with the day-to-day reality within organizations, it has been demonstrated time and again that security is not an all-encompassing end goal; it is a series of evolving compromises and ongoing choices. Professor Fred Piper, internationally respected for his contributions to the advancement of information security, will explore how to balance the needs of security with the needs of a functioning organization and the people who work within it. He will argue that the role of the security professional is to demonstrate to the organization exactly what trade-offs are involved, and to govern the relationship between the policies set and their practical impacts on the people who have to work with them. Looking to the here and now, it is time to define security policies that take into account the true costs and are acceptable to the people who will have to act within their proscriptions; if you fail to strike the right balance those same people will turn out to be your key enemy and your greatest threat.
Professor Fred Piper, Information Security Group, Royal Holloway, University of London

Gartner Strategy Keynote: Your Role in Information Security
Over the past 25 years the practice of information security has made many advances but has not been an unobstructed march to victory over insecurity; in some ways, the organization is more insecure than ever. Maturation implies change. Using other examples of IT maturation, we can better understand what an information security professional will look like, starting five years from now.
• What are the key roles and responsibilities of information security practitioners today?
• How will those key roles change over the next five to seven years?
• Which direction should you set for your career in information security and risk?
Christian Byrnes, Gartner

Gartner Closing Keynote: The Future of Information Security
Infosec managers who forget the past are doomed to repeat it. We cannot understand the risk implications of continuous evolution of information media outside of the context of the last 6000 years of information security failure. Cuneiform tablets resulted in a rash of Babylonian identity frauds, Gutenberg launched a four-century debate on intellectual property protection, and cyber warriors committed man in the middle attacks in 1862. As digital technology becomes increasingly complex, and IT continues to lose control over information, the loss patterns of the past are repeating themselves at an exponentially accelerating rate. Only by understanding the lessons of the past can we prepare ourselves to thrive in a future of increasingly abstract and distributed trust mechanisms, a world of sophisticated anonymous attacks, in which the end user will inevitably become our first line of defense.
Jay Heiser, Gartner

Foundation Sessions and Gartner Analyst/User Roundtables
Begin your Summit experience with a full briefing on the latest priorities and essential updates relating to three key subjects featured within the Summit. As an experienced professional wanting a fast refresh on the Gartner perspective, or as a newcomer wanting a snapshot of what you need to know, the Foundation Sessions form a solid basis for your time on-site.
Foundation Sessions

Legacy Information Management: Control Risk, Improve Security and Save Money
Legacy data creates substantial costs for storage and maintenance despite much of it being outdated and redundant. New techniques and technologies can help with information retention management, which is the bedrock of risk mitigation, information governance and overall data security. With legal and regulatory oversight bodies, as well as the courts, expecting companies to clear up this undisciplined data growth, it’s time you start the long journey to better manage your data.
• What is the extent of the problem?
• How does it relate to governance, risk and compliance?
Debra Logan, Gartner

The IT Security Manager’s Guide to Enterprise Risk Management
According to a Gartner survey, enterprise risk management is one of the top three initiatives affecting IT security professionals in 2009. Risk comes in many forms and can have a serious impact. As corporations move to real time, so does risk. Limited data, complex interdependencies and organizational silos inhibit risk identification, measurement and management. In order to retain stakeholder trust, establish transparency while protecting privacy and to meet regulatory requirements, an integrated approach to enterprise risk management must be applied.
French Caldwell, Gartner

Articulating the Business Value of Information Security
The security management program is a big ticket budget item. As budgets begin to tighten it will become increasingly difficult to justify security expenditures. This presentation will share:
• Strategies for obtaining and maintaining executive support for security initiatives
• A practical model for communicating the business value of an information security program
• Techniques for effective cost/benefit analyses for security project investments.
Tom Scholtz, Gartner

Gartner Analyst/User Roundtables
Gartner Analyst/User Roundtables are your chance to network with a Gartner analyst and a group of your peers; to get ideas and answers from organizations experiencing similar challenges.
Your Role as CISO: 2010-2012 — Christian Byrnes, Gartner
Assessing Outsourcing and External Service Risks — Jay Heiser, Gartner
Managed Security Services Providers — Carsten Casper, Gartner
Security Information and Event Management — Mark Nicolett, Gartner
Remote Access Authentication Mashup/Meltdown — John Girard, Gartner
Contemporary Issues in IAM — Ant Allan, Gartner
Protecting the Endpoint — Peter Firstbrook, Gartner
For more information about the Foundation Sessions visit europe.gartner.com/security

Summit Program
Presented by both Gartner analysts and invited guest speakers, these sessions offer the very latest topical updates and actionable insights on the subjects most critical to your organizational development and innovation.

TRACK 1: A Secure Infrastructure is no Luxury
Today’s highly-connected environment simultaneously offers huge business advantages and significant risks. You not only have to maintain network firewalls, secure Web gateways and endpoint protection platforms, but you have to support teleworkers and partners. Virtualization and cloud security challenge your established perimeters while the bad guys keep innovating.

Protecting the Endpoint From the Malware Pandemic
The expansion of endpoint protection from traditional signature-based detection and personal firewalls, to data protection and PC life cycle tools is well underway. This session will examine what makes sense in an endpoint security package and which vendors are leading the way. We will also examine the converging roles of operations and security and list the top procedural changes that will enhance the security posture of endpoints.
• What are the advantages of security and operations integration?
• What features, configuration options and procedural enhancements will be critical for future endpoint security success?
• Which vendors are leading the way and how to negotiate effectively to get the best deal?
Peter Firstbrook, Gartner

Secure Remote Access For Non-Securable People: Access Protection in an Outsourced, Contracted, Partnered World
Contractors are less expensive on the ledger than full-time employees. Business partners must be connected to make just-in-time decisions. Companies give control of critical internal systems to users who are not under direct supervision. Relationships span political boundaries. Enforcement of data protection and SLAs are acts of faith. We take stock of the vulnerabilities caused by extranet access and recommend a survival plan.
• What are the extranet security and privacy challenges through 2014?
• How will business integrity be maintained when users may never be seen?
• Which contractual, technological and managerial practices will be most effective to maintain access control?
John Girard, Gartner

Securing the Web Gateway
The Web is simultaneously becoming more important and more dangerous to modern business. Web-based applications and services such as Skype and Salesforce.com have the ability to cut costs and improve productivity, yet few organizations have adequate solutions to effectively manage and filter Internet traffic flooding the LAN.
• What are the trends and implications of the evolving Web applications?
• What are the key features and requirements of a secure Web gateway?
• Which vendors will your organization rely on to secure the Web gateway?
Peter Firstbrook, Gartner

Trusted Portable Personalities: Case Studies To Mix Security and Portability
Every company struggles to adapt to rising demands for portable information access without increasing investments in supervision and dedicated workstations. Data loss prevention is failing under an avalanche of portable media devices and Internet portals. These demands extend far beyond the question of employee access to encompass sharing of legally sensitive data and competitive intellectual property.
• How can corporate data be productively used on noncorporate workstations?
• What are the decision factors that determine the best methods for secure, portable or remote access?
John Girard, Gartner

Planning for the Content Aware Enterprise: 2009 DLP Magic Quadrant
The content aware data loss prevention market continues to evolve. Organizations are adjusting to a strategy where they can dynamically apply policy at the time of an operation. Data loss prevention technologies are increasingly common compliance tools for many organizations. However, many struggle when it comes to selecting and deploying meaningful content-aware DLP solutions and achieving their intended compliance goals.
• What should an enterprise data loss prevention strategy look like?
• Who are the leaders in each market segment?
• What five points must organizations consider when deploying DLP solutions?
Paul Proctor, Gartner

Gartner Magic Quadrant Power Session: Getting What You Want From the Security Market Players
With cost rationalization and efficiency high on the corporate agenda for 2009-2010, learn from the Gartner analysts who are best placed to give you what you need and whether there are opportunities for you to achieve a better deal or a renegotiated arrangement in this climate. The session will cover the key technology providers in SIEM, user provisioning, content monitoring and filtering, data loss protection, personal firewalls and mobile data protection.
• What trends and product features contributed to the 2009 Magic Quadrant positioning?
• Which vendors have the sharpest vision of where the market is going?
• Where are the dangers and opportunities in the security technology market?
Gartner Analysts: Peter Firstbrook, John Girard, French Caldwell, Paul Proctor

Using Vulnerability Management to Operationalize Security
Security policies are most effective when assessment and remediation processes are implemented by network, desktop and server administration groups. The security organization needs to keep control of policy and audit while it runs projects to operationalize selected assessment and remediation functions. This presentation provides guidance on how to use operations to improve the effectiveness and efficiency of IT security.
Mark Nicolett, Gartner

TRACK 2: Protect Data and Applications to Deliver Higher Business Value
Attackers are increasingly concentrating on data and applications because “that’s where the money is.” But it’s not just a matter of protection against financial fraud. Privacy demands protection of personal data. Government regulations demand activity monitoring. Business continuity demands robust and reliable backup and recovery. Security managers must address these needs by orchestrating vulnerability management and IAM initiatives to maximize effectiveness and efficiency.

The Elements of an Effective Identity and Access Management Program
Identity and access management (IAM) can deliver real business value beyond its contributions toward efficient and effective security, risk management and compliance. However, realizing that value demands sound program management. To build an IAM infrastructure that will meet your needs, you must orchestrate a variety of different technologies.
• What are the drivers for and benefits from IAM?
• What are the key elements of an IAM program?
• What is the range of IAM technologies: which are core and which fringe, which tactical and which strategic?
Ant Allan, Gartner

User and Resource Access Monitoring to Improve Security
Today’s threat environment is dangerous because attackers are targeting your highest value data, and quiet because attackers want to capitalize on a breach for as long as possible. In many cases, the only signal that you will have of a breach is abnormal user activity or resource access. Come to this presentation to learn how user and resource access monitoring technologies (SIEM, DAM, and so on) improve security, compliance and efficiency.
Mark Nicolett, Gartner

Planning for DLP Deployments for Compliance and Intellectual Property Protection
Organizations large and small are planning to deploy DLP to better control and protect sensitive assets at the perimeter, within data stores and document management systems, and at the endpoints. As these tools become mainstream within organizations they will impact and challenge traditional views of data classification, protection and access controls.
• Exactly what is DLP and how much of it do you need and in what form?
• How and what kind of DLP should be leveraged to maximize effectiveness within organizations at the lowest cost and in minimizing the Christmas tree effect?
• What are the key deployment lessons learned from successful deployments?
Eric Ouellet, Gartner

G14: The Dawn of Content Aware IAM
Content awareness is a relatively new idea under evaluation in identity and access management (IAM) circles. Originally a capability incorporated within data loss prevention (DLP) offerings, it can deliver new capabilities within IAM suites. This presentation will look at:
• Content awareness in the context of IAM
• Initial and long term vision for content awareness integration
• How organizations should plan for the introduction of content awareness
Eric Ouellet, Gartner

Role Management Evolves: Contextual Entitlement Administration
Enterprises frequently struggle with how to control access — who has it, what level, and to what? Role life cycle management is key to many successful user provisioning and IAM governance implementations, and is itself evolving to a new form of “entitlement administration.”
• What are the key elements?
• Who are the key vendors and what do they offer to customers today?
• What’s the difference between role management and authorization management?
Ant Allan, Gartner

The Root to Happiness: Best Practices for Managing Superuser Privileges and Shared Account Passwords
Organizations are under increasing pressure to reduce the number of users having permanent full superuser privileges. In addition, there is pressure to implement better control over, and greater accountability for, use of shared accounts with like privileges.
• What are the risks of unconstrained use of superuser privileges and shared accounts?
• What are the best practices for managing superuser privileges and shared accounts in a controlled and auditable manner?
• What are the most effective tools for managing superuser privileges and shared accounts?
Ant Allan, Gartner

Securing Your Organization With Data Scrubbing Technologies
Organizations are quickly becoming aware of the risks associated with unintended embedded metadata in documents shared with clients and partners. With the potential risk exposure being very significant, organizations need to consider data scrubbing solutions.
• What is data scrubbing and why is it important?
• What type of data scrubbing offerings are currently available?
• What is the current legal impact and accepted best practice for enacting a data scrubbing program?
Eric Ouellet, Gartner

TRACK 3: Meeting Expectations for IT Risk and Compliance Management
What level of business risk is represented by partnering arrangements or dependence upon SaaS or cloud computing providers? Will outsiders properly secure your data? Can you efficiently demonstrate that your organization meets all regulatory and legal obligations in every country?
Today’s IT risk manager needs to be an enabler, helping the line of business and IT to make effective decisions about which risks to accept and which to avoid.

One Nation’s Compliance Equals Another’s Violation: E-Disclosure and Privacy Issues Heat Up
Historically, the argument has been that the European statutes on data protection and privacy have not been rigorously and consistently enforced and the disclosure of potentially relevant evidence carried no real penalty. Despite the change in U.S. administration, the courts are unlikely to become similarly friendly. IT practitioners will find themselves caught in the middle.
• What relevant laws and statutes do European headquartered companies need to be mindful of?
• What can IT do to help mitigate the problem by providing local facilities?
• Are there best practices or technological approaches that can be called upon to make the problem more tractable?
Debra Logan, Gartner

Stormy Weather: Assessing the IT Security Risks of SaaS Products and Cloud Services
You need visibility into your supplier’s processes to ensure the appropriate level of information protection. You’ll also need to assess the security features and service levels and how well they’re implemented and maintained. Proven risk assessment practices can provide a useful level of assurance that a product or service is reliable, including its capabilities to resist both accident and human manipulation.
• What types of information facilitate provider transparency, and how do you get it?
• What are the three basic ways to assess the risk associated with a supplier?
• What are the compliance concerns associated with cloud computing?
Jay Heiser, Gartner

IT GRC Management
Security organizations are not exempt from the struggle to link IT to the business. In fact this linkage is required to: evaluate risk with business context; reduce the cost of compliance reporting; and produce metrics to measure the effectiveness of security programs. Come learn how IT GRCM technology can be used to evaluate IT risks and to efficiently demonstrate that your organization meets regulatory and legal obligations.
Mark Nicolett, Gartner

Assembling a GRC Solution: Beyond Marketscopes and Magic Quadrants
Most vendors providing financial, IT operations and IT security solutions claim to have a GRC solution, and there are specialist GRC vendors too. Learn the differences in technology-enabled approaches to GRC, and how you can assemble a comprehensive GRC solution.
• How can Gartner methodologies help in architecting the GRC solution?
• What are the architectural principles that can advance GRC maturity in support of business performance?
French Caldwell, Gartner

Managing Compliance in a Pan-European Environment
New regulations such as Solvency II, IFRS or SEPA are a peculiar challenge for financial services providers which act in a pan-European environment and operate a heterogeneous IT landscape. In this presentation we will discuss root causes and consequences of such compliance activities. In addition we will discuss best practices to overcome the challenges.
• The surging wave of pan-European regulations
• Business and IT implications for financial services providers
• How to deal with the compliance challenges
Juergen Weiss, Gartner

Getting Ahead of Regulations: Why Compliance Isn’t Enough
Compliance has become quite complex: audit requirements, accounting standards, encryption laws, electronic signatures, information security standards, privacy laws, breach notifications, document retention rules and e-discovery vary from country to country. We will give an update on the regulatory landscape and analyze what these requirements mean for business and IT.
• What makes the regulatory landscape so diverse across different countries?
• What do regulations mean for IT departments?
• What are the key elements of an IT compliance program?
Carsten Casper, Gartner

Turning Risk Management Into a Competitive Weapon for Financial Services Organizations
Organizations around the world are facing many new regulations and the latest economic crisis will most likely lead to further regulation. Several IT organizations are struggling to cope with these challenges and are looking for ways to create additional business value out of these efforts, which goes beyond pure compliance. In this presentation we will introduce some practical guidelines and case studies to show how to overcome this dilemma.
• Implications of re-regulation for risk managers
• Overcoming the conflict between compliance and business value
Juergen Weiss, Gartner

TRACK 4: Leading the Security and Risk Management Team Through Turbulent Times
How do you align security and risk management with the business? How do you get staff to comply with policy? How do you articulate the business value of security? How do you balance the budget? Leading the information security or risk management function is a special responsibility, requiring a mix of technical, political and social skills.

Transforming from CISO to IT CRO
As enterprises reform their compliance efforts from reactionary to risk-oriented, chief information security officers (CISOs) and other IT risk management and security professionals will need to follow along or will find themselves deemed irrelevant to the business. However, CISOs who develop competencies in enterprise risk management (ERM) and business analysis will be able to align IT risk management with business performance — for the benefit of both.
• What are the relationships between IT security, IT risk management and enterprise risk management?
• How will business risks be better managed if IT security professionals play a direct role in enterprise risk management?
• What are the skills and process disciplines needed for IT security professionals to contribute to the enterprise risk management program?
Christian Byrnes, Gartner

Report to the Board: Five Practical Tips to Link Risk and Security to Corporate Performance
A board wants to know that the organization is appropriately protected against reasonably anticipated risk. CIOs, CISOs and RMOs struggle to link risk management efforts in security, privacy, business continuity and compliance to the value they provide at line-of-business and executive levels. A handful of companies have figured it out and these five practical tips can help you solve this challenge.
• What do boards of directors and line-of-business executives want from risk management, GRC and security?
• How do you map key risk indicators into key performance indicators to support corporate performance?
• How can you present a defensible case for the value and effectiveness of risk management to executive audiences?
French Caldwell, Gartner

Gartner Workshop Session: Security Maturity Self Assessment
Assessing the maturity of security management processes is the foundation of continuous improvement in security performance. Consistent reporting on process maturity supports increased executive awareness and support. Furthermore, process maturity can also be interpreted as an indicator of the risk posture of the organization.
• How should organizations define a security and risk process catalog?
• What are the steps for formalizing security processes?
(Audience limited to 40 - 1hr30minute session)
Christian Byrnes, Paul Proctor, Gartner

The Risk Program Maturity Benchmark: How Does Your Organization Stack Up?
Gartner has surveyed several hundred organizations, in different geographies and verticals, and of different sizes across 12 dimensions of program maturity. Come to this presentation to find out how you compare.
Paul Proctor, Gartner

Integrating Security Management Into ITIL v3 Strategies: Case Study and Best Practices
Version 3 of ITIL takes a life cycle view of IT service management, as opposed to the functional approach of previous versions. While this is a major improvement in approach, it does have major practical implications on IT security, risk and compliance strategies. This presentation will look at:
• What’s new in ITIL v3, and how it impacts security management strategies
• A case study of how a multinational organization has integrated its security and risk management program into its ITIL v3 program
• Best practices in using ITIL v3 to align security and service management strategies.
Carsten Casper, Gartner

Know IT Security? Prove It! Developing Your Career With the Right Security Qualification
In times when even venerable IT security jobs may be at risk, you need a little bit extra that makes you stand out from the crowd. Having a security certification can help, but it can also pigeonhole you in terms of your perceived skills. When just about everyone has some certificate, what can you do to make sure you have the right one?
• What are the benefits of personal certifications that exist today?
• How do training, exam, peer review and continuous education influence the value of certification?
• What skills and certifications should an employer look for when optimizing the team structure?
Tom Scholtz, Gartner

No More Dr No: A Framework for Positive Information Security Management
Security controls are inherently restrictive, and consequently the nickname of many organizations’ information risk and security management is “Dr No.” However, there are a number of governance, process, cultural and technological actions that information security leaders can implement to align their programs closer to business strategies.
• The symptoms, causes and consequences
• The governance, process, cultural and technical characteristics of a business-aligned security practice.
Tom Scholtz, Gartner

End-User Case Studies
The case studies bring practitioners’ own experiences at leading organizations from a variety of industries and countries to the event. They demonstrate the challenges, adopted solutions, chosen processes, and resulting benefits that you can apply to your own environment. Best practice examples and real-world know-how showing you what you want to do — and what to avoid.

A Practical Integration of ISO 27001 and ISO 27005 for Superior Security Management
The case study illustrates how an organization with many varying lines of business can define and link together in a practical way:
• A common mandatory guideline and baseline for information security based on ISO 27001
• A mandatory information classification model
• An information security risk assessment process based on ISO 27005.
Jan A Svensson, Director Information Security, City of Göteborg

The Gartner Best Practice Council Advanced Security Practice Workshop: Risk Management for the Advanced Information Security Practitioner
This workshop will begin with a bottom up view from within IT of the current state of IT risk management. We will move forward by taking a look at the risk landscape facing all organizations. This will highlight the gaps that are all too often present between where organizations are and where they need to be. We will go on to explore the resources readily available to organizations to enable them to close the gaps and effectively manage IT risks.
Ian Mason, Gartner Best Practices Councils EMEA

Panel Discussion: Meeting the Business Half Way
Safeguarding information in a corporate IT environment — a ‘consumer-centric’ arena of changing threats — requires an agile and responsive approach from the security team. In this interactive debate, hear how a number of leading-edge organizations have approached this essential area in terms of strategy, governance and communications.
Richard Barber, IT Security Strategy & Risk Manager, British American Tobacco
Roger Southgate, Leader, London CobiT Development Group and President, IT Governance Standards, ISACA
Casimiro Juanes, Head of IT Security, Ericsson
Paul Jervis, CISO, RWE nPower

Implementing Network Access Control for the Swiss Federal Railways
This session will highlight the common threats for large enterprise networks and how a Network Access Control (NAC) solution can help minimize the risk. The focus will be on evaluating and implementing a NAC-Solution in a large and heterogeneous IT environment:
• Key points to consider when evaluating a NAC-Solution
• Overview of the solution chosen by the Swiss Federal Railways
• Sharing our hands-on experience in

Security Essentials for the 21st Century: Security Leaders not just Managers
Your professional development objectives should ensure you learn how to move from ‘pushing’ employees toward security objectives, to leading and taking them with you.
• Becoming a true leader drawing employees toward security goals
• Securely enabling the organization in an inherently insecure environment

Instituting an IT Risk Reporting and Management Framework at Euroclear
Gaining management acceptance was positively affected by linking risk to specific processes — Euroclear created a consistent framework containing flexible reporting.
• Addressing risk and reporting at the strategic, operational and tactical levels
• Ensuring clear reporting to enhance acceptance and understanding.
implementing NAC • Moving from technology focus to ‘soft skill’ Olivier Nijland, IT Risk Manager, Euroclear Alexander Hermann, Security Project people focus Manager, Swiss Federal Railways Jim Heard, Information Security Manager, Centrica Energy Using DLP to Prevent Misuse of Conﬁdential Information Banc Sabadell Group will present their experience of selection and implementing a solution in this ﬁeld. • What to do before deploying a DLP solution • Measuring our success in help detect, monitor and prevent misuse of data • Best practices for formulating the correct process. Santiago Minguito, Information Security Manager, Banc Sabadell Group Register Now and builder your agenda at europe.gartner.com/security 11 Media and Accreditation Partners Use the Gartner Information Security Summit to advance your professional and personal development. At the 2009 Summit we are partnering with key certiﬁcation providers within this subject area to allow you to count your attendance toward your qualiﬁcations. You will also be able to meet and learn from these organizations on-site as part of your Summit experience so you can gain a better understanding of the options open to you as you seek to develop in your chosen career. ISACA, previously known as the Information Systems Audit SANS is the most trusted source for information security and Control Association, now goes by its acronym only, to training and certiﬁcation in the world. It also develops, reﬂect the broad range of IT governance professionals it maintains, and makes available at no cost, the largest serves. The Certiﬁed Information Security Manager® (CISM®) collection of research documents about various aspects certiﬁcation program launched in 2002 and developed of information security. Its programs now reach more than speciﬁcally for experienced information security managers, 165,000 security professionals. 
A wide range of individuals and those who have information security management are sharing the lessons they learn and are jointly ﬁnding responsibilities has added impetus to the growth in ISACA solutions to the challenges they face. At the heart of membership worldwide to more than 75,000 since its SANS are the many security practitioners in varied global inception in 1967. ISACA’s strong chapter network provides organizations from corporations to universities working local support and networking opportunities via more than together to help the entire information security community. 175 chapters located in over 70 countries. www.sans.org www.isaca.org.uk The International Information Systems Security Certiﬁcation The Institute of Information Security Professionals (IISP) Consortium, Inc. — (ISC)2® — is the globally recognized Gold is setting the standard for professionalism in information Standard for certifying information security professionals. security. Full Membership of the Institute is becoming Founded in 1989, (ISC)2 has certiﬁed over 60,000 information the recognized competence-based qualiﬁcation in security professionals in 135 countries. (ISC)2 issues the this ﬁeld. The addition of the UK Government Infosec Certiﬁed Information Systems Security Professional (CISSP) Training Paths & Competences (ITPC) scheme to the and related concentrations, Certiﬁcation and Accreditation Institute’s programme is a great step in providing a single Professional (CAP), and Systems Security Certiﬁed harmonized skills framework for the accreditation of Practitioner (SSCP) credentials to those meeting necessary Information Security and Assurance professionals working competency requirements. The CISSP, CISSP-ISSEP, in both public and private sectors. CISSP-ISSAP and SSCP are among the ﬁrst information technology credentials to meet the stringent requirements www.instisp.org of ANSI/ISO/IEC Standard 17024, a global benchmark for assessing and certifying personnel. 
(ISC)2 members can earn up to 16 CPEs. www.isc.org Media Partners 12 Register today at europe.gartner.com/security Gartner Research Worldwide Expertise at Your Fingertips — Your Questions on Information Security Answered Gartner analysts draw constantly from the real-life challenges and solutions experienced by more than 45,000 clients worldwide. The value of this resource, combined with our deep analysis of technology vendors, is unrivalled. Gartner for Meet the Analysts Focus Areas: User authentication, password management, IT Leaders Ant Allan user provisioning, role life cycle management Research VP Every day you’re faced with decisions that will determine success or failure Focus Areas: Risk program management that could inﬂuence your organization’s Christian Byrnes ﬁnancial results, customer retention Managing VP rates or ability to compete. Getting information is easy, but is Focus Areas: Governance, risk and compliance, knowledge it insightful and relevant? Your time French Caldwell management, regulatory developments is scarce. Spend less time searching Research VP for information and more time applying relevant insight to your IT initiatives that Focus Areas: Privacy legislation, EU and cross-border need effective solutions-right now. privacy, compliance Carsten Casper Ensure your success as an IT leader. Research Director Get the insight you need — when you need it. With instant Web access Focus Areas: Anti-virus, anti-spyware, antispam, e-mail to exclusive Gartner research that’s Peter Firstbrook security relevant, insightful and tailored for IT Research Director leaders in Applications. John Girard Focus Areas: Wireless security, mobile device management, VP Distinguished mobile data encryption, mobile user authentication Your Role. Your Event. Analyst Insightful and relevant events aligned to your role, your priorities and your Focus Areas: Trust communities, risk management, challenges. 
Jay Heiser compliance, forensics and investigation Research VP Applications Debra Logan Focus Areas: Information governance, e-discovery, Business Intelligence & VP Distinguished enterprise information management Information Management Analyst Business Process Improvement Mark Nicolett Focus Areas: Security information and event management, VP Distinguished vulnerability management, IT GRC management CIO Analyst Focus Areas: Resource and access audits, PKI/PKO Enterprise Architecture integration, IAM Eric Ouellet Research VP Infrastructure & Operations Paul Proctor Focus Areas: Security program management, audit and VP Distinguished compliance, network security, content monitoring and Program & Portfolio Management ﬁltering Analyst Security & Risk Management Focus Areas: Security strategy, security architecture, Tom Scholtz organization, outsourcing, BCP/DRP Sourcing & Vendor Relationships Research VP Juergen Weiss Focus Areas: Risk management and compliance, future Interested in our role-based events? technology trends in the insurance industry Visit gartner.com/events for further Principal Research information. Analyst 13 Maximize Your Summit Experience Depth, Discipline, Decisiveness Gartner Summits are unique in the experience that they bring to attendees. A mixture of session formats brings extended opportunities to interact with Gartner analysts, with fellow attendees and focused solution providers. Gartner Analyst One-on-One Meetings Don’t you think you deserve a little private and focused time? Meeting face-to-face with a Gartner Analyst is one of Gartner for IT Leaders: the key beneﬁts for attending this Summit. [Number tbc] Gartner analysts specializing in various aspects of Information Security will be at the Security & Risk Management Summit. Bring your issue, select the relevant Analyst, set the agenda and walk away with invaluable, tailor-made advice. 
Gartner clients have instant access to exclusive research tailored to their speciﬁc role via the Gartner for IT Leaders resource. The Gartner Gartner Analyst/User Roundtables Information Security Summit is your chance to Learn from your peers. Moderated by a Gartner analyst, these roundtables are a great forum for hearing what your industry access Gartner research and Gartner analysts peers are experiencing on issues similar to those you face. Be presenting their latest insights whilst giving you prepared to join the discussion and share best practices and practical advice. All end-user attendees at the event are invited to register for direct access to the individual experts. Gartner Analyst/User Roundtables by reserving at the at the One-on-One booking desk. In 2009 we have worked to weave the key GITL initiatives directly to the Gartner content Solution Provider Sessions with insights on all areas including: Selected technology providers will give their advice on the latest technologies and best practices. The providers, and in many cases their clients, will explore best practices, key learning’s and future trends and technologies. Identity and Access Management These sessions give you a unique opportunity to learn from the organizations Information Security Program Management that will shape the future of technology and to beneﬁt from the real-life Infrastructure Protection experiences of their clients. IT Compliance Management IT Risk Management Personalize Your Experience Your Summit — your agenda. With a wealth of sessions, it is helpful to have a tool to build your own agenda focusing on your own Reinforce your Gartner for IT Leaders’ research needs. The online Agenda Builder helps you select the relevant by attending and hearing it live and direct. sessions and schedule them in your calendar to build in networking. 
Magic Quadrants — Speed up your knowledge of competing technology providers
Who are the competing players in the major technology markets? How are they positioned to help you over the long haul? Assessing a market and its participants is a daunting task. Vendor differentiation caused by differing sizes, levels of complexity and strategies can inhibit comparisons of vendor offerings, and the market's overall direction is often murky. The Magic Quadrant Power Session will address these challenges by offering snapshots of markets and their participants, enabling you to map vendor strengths against your current and future needs.

Vendor Ratings — Track and monitor vendor performance
Manage the risk of your provider portfolio while you keep an eye on up-and-coming players and potential alternate providers. Gartner can help.

Market Share — Validate leading providers
Understand where and how you can take advantage of shifts in market share, both now and in the future.

Hype Cycles — Interpret technology hype
When new technologies make bold promises, how do you discern the hype from what's commercially viable? Gartner can help!

Solution Showcase
Meet the technology and service providers at the forefront of Information Security
The Summit helps you develop a "short list" of technology providers who can meet your particular needs. We offer you exclusive access to some of the world's leading technology and service solution providers in a variety of settings. Visit the Solution Showcase, attend the Solution Provider Sessions and join in the Networking Reception for informal relationship building.

Premier Sponsors
CA (NASDAQ: CA) is the world's leading independent IT management software company. We help organizations govern, manage and secure IT to better perform, innovate and grow their businesses. With our Enterprise IT Management (EITM) solution, organizations can unify IT and simplify the management of complex computing environments. Learn how CA, a Security Management leader for over 25 years, can help you grow your business — with less risk: visit the CA stand and listen to the CA presentation.
ca.com/security

Symantec is a global leader in providing security, storage and systems management solutions to help consumers and organizations secure and manage their information-driven world. Symantec software and services protect against more risks at more points, more completely and efficiently, enabling confidence wherever information is used or stored. Headquartered in Cupertino, Calif., Symantec has operations in more than 40 countries. More information is available at www.symantec.com.
www.symantec.com

Platinum Sponsors
Fortify® Software is the leader in the emerging category of Software Security Assurance, providing unique security solutions that protect companies and government agencies from today's greatest security risk: the software that runs their businesses. With backing from top-tier investors, Fortify has rapidly established itself as the vanguard in the application security arena.
www.fortify.com

PGP is a global leader in e-mail and data encryption software for enterprise data protection. Based on a unified key management and policy infrastructure, the PGP® Encryption Platform offers the broadest set of integrated applications for enterprise data security.
www.pgp.com

Verizon Business is one of the few security providers that can help customers secure data and identities at the device, along their network and around the world. Our professional services, managed services and technologies are delivered as our customers need them, through full outsourcing, managed and hosted services and self-service models.
www.verizonbusiness.com

Silver Sponsors
ActivIdentity Corporation (NASDAQ: ACTI) is a global leader in strong authentication and credential management, providing solutions to confidently establish a person's identity when interacting digitally.
www.actividentity.com

ArcSight (NASDAQ: ARST) is a global leader in compliance and security management, enabling enterprises and government agencies to comply with policy, safeguard assets and control business risks.
www.arcsight.com

NetIQ is a leading provider of security and compliance management solutions, reducing enterprise risk, decreasing compliance costs and increasing the security of critical information assets.
www.netiq.com

Qualys is the leading provider of on-demand IT security risk and compliance management solutions — delivered as a service.
www.qualys.com

Sourcefire®, a world leader in intrusion prevention and the creator of Snort®, is transforming the way global organizations manage and minimize network security risks in real time.
www.sourcefire.com

TippingPoint provides comprehensive network security solutions that address the security and regulatory compliance needs of complex network environments for enterprises, government agencies, service providers and academic institutions.
www.tippingpoint.com

Tripwire solutions help over 6,500 customers worldwide reduce security risk and gain control over IT configurations. Headquartered in Portland, Oregon, Tripwire has offices worldwide.
www.tripwire.com

Sponsor listing correct at 20 May 2009

Sponsorship Opportunities
If your organization is interested in sponsoring this event, please contact Darren McCormack for further details:
Tel: +44 1784 26 8624
E-mail: firstname.lastname@example.org

Registration
How to Register
Online: europe.gartner.com/security
Telephone: +44 20 8879 2430
E-mail: email@example.com

Pricing
Early Bird Price: €1,695 + 15% VAT (offer ends 24 July 2009)
Standard Conference Price: €2,195 + 15% VAT

Why Register Early?
• Save €500 on the standard conference price
• Priority Gartner Analyst One-on-One booking

Gartner Clients
A Gartner ticket covers both days of the Summit. If you are a client with queries about tickets, please contact your Account Manager or e-mail emea.firstname.lastname@example.org

Refer a Colleague
If you know of a colleague who would benefit from the Summit experience and direct access, please forward this brochure to them.

Team Discount
Bring the Team: Divide and Conquer!
Teams that attend a Gartner Summit together gain a much richer experience of the event. Not only can they divide and conquer, attending all the sessions to maximize their learning, but they also have the added benefit of inviting a Gartner analyst to a team meeting — to facilitate a discussion or advise them on strategic initiatives and key projects. For this reason, companies often take the opportunity to hold offsite team meetings and incorporate Gartner Events as part of their training programs. Gartner Events has designed an experience that will help teams of 4 to 25 maximize their Summit experience while on-site and long after the event concludes.

Team Benefits:
1) Team meeting with a Gartner analyst (end users only)
2) Optional team meeting(s) with select executives from vendor organizations
3) Advice and support on building personalized agendas for your team
4) 10+ free audio sessions from the Gartner Multimedia Events On Demand product
5) Complimentary team lounge and meeting space (based on team size)
6) Concierge service pre-event and on-site
7) Discounts on registration rates

Summit Team Discount Offers:
4 for the price of 3
6 for the price of 4
10 for the price of 7

To register a team please e-mail EMEA.TeamSend@eventreg.com or contact your Gartner Account Manager. Please note that teams must be registered at the same time, and we can only guarantee availability of team benefits if the team is registered at least 3 weeks in advance of the Event.

Return address: Gartner, PO Box 754, North Shields, NE29 1EJ, United Kingdom
Visit europe.gartner.com/security

Your Event Reminders
• Register before 24 July for the Early Bird discount!
• Build your own agenda online now
• Book a 30-minute Gartner Analyst One-on-One Meeting with your preferred analyst
• Access the documentation and presentations after the event

Gartner UK Ltd. is a company registered in England & Wales with the registration number 2266016. The registered office is Tamesis, The Glanty, Egham, Surrey, TW20 9AW, United Kingdom.