WORKSHOPS

Post-Conference Workshops

W1 Auditing a Cybersecurity Program

Monday, July 15, 2019 
9:00 AM – 5:00 PM
Full-Day, 8 CPEs
Jason Claycomb, Principal, INARMA

Auditors need to be able to assess the effectiveness of an enterprise’s cybersecurity program. They need to understand what controls are needed, where the controls should be positioned and how to perform substantive tests to assess the controls’ reasonable effectiveness specifically related to cybersecurity. During this workshop attendees will have the opportunity to conduct a mock cybersecurity program audit. By the end of the session attendees will be armed with the knowledge of how to perform an assessment of a company’s cybersecurity program and will leave with audit and self-assessment checklists along with examples of various cybersecurity program artifacts.

  • Vulnerability assessment
  • Threat analysis
  • Cybersecurity risk assessment
  • Cybersecurity program

Learning Level: Basic

W2 Understanding and Conducting Effective Digital Presence Audits

Thursday, July 18, 2019  
12:15 PM – 5:15 PM
Half-Day, 6 CPEs 
Shawna Flanders, Director of Instructional Technology and Innovations and Senior Trainer, MISTI

Marketing is continually evolving to address changing customer expectations and demands. Today’s consumers and customers base many purchase decisions on digital content, so enterprises must ensure their digital brand appeals to them.

In this half-day workshop we will describe the challenges facing enterprises today and what assurance activities are needed to assess the reasonable effectiveness of the controls that safeguard today’s digital presence.

By the end of this workshop attendees should have a better understanding of digital presence, the impacts of artificial intelligence and the role audit plays in assessing digital marketing efforts today and in the future.

In this workshop you will learn:

  • What is a digital presence: website; social media; email marketing; online advertising
  • What artificial intelligence has to do with digital marketing—what AI can predict
  • Features of common digital marketing platforms
  • What is adware and what does it do
  • How are marketing efforts influenced by current and changing privacy regulations
  • Social media risks
  • What is a part of a digital presence audit
    • Inventory of your digital presence (and your leading competitor)
    • Business model / return on investment (ROI) expectations and goals
    • Lead generation, outreach and closing deals
    • Website analytics, Google Analytics and search engine assessments
    • Paid advertising ROI
    • Content generation / marketing
    • Social media marketing
    • APIs and how they drive customers to or away from sites, i.e. “ease of use”
    • Company website security: registration, access, administration, content, encryption
    • Digital marketing cloud provider vendor assessment

Learning Level: Intermediate
Technical Level: Medium

W3 The Cycle of Cybersecurity: Integrating Cyberdefense Into Your Risk Decision-Making Process

Thursday, July 18, 2019  
12:15 PM – 5:15 PM
Half-Day, 6 CPEs
Tony Sager, SVP & Chief Evangelist, Center for Internet Security 

Cybersecurity is often described as a technology challenge, or a threat sharing problem, or perhaps even as a training and awareness problem. It’s all of these and more. At its heart, cyberdefense is a decision-making, risk-managing machine, fueled by information and designed to deal with real-life business questions. In this half-day workshop, we’ll examine the critical role of auditors and others to both validate business decisions and to verify that the machinery of defense is operational and effective as part of a broader cycle of business activities.

  • Make sense of the millions of attacks happening all the time, everywhere
  • Optimize your investment in cyberdefense, and know when you have invested enough
  • Navigate the emerging “multi-framework era” of security oversight, regulation, partnerships, and frameworks
  • Recognize whether your cyberdefense program is making real progress and maturing

Learning Level: Medium

W4 Application Security: Vetting the Security of Web and Mobile Apps

Friday, July 19, 2019
7:45 AM – 3:15 PM
One-Day, 8 CPEs
Jerod Brennen, Security Architect, One Identity

As web and mobile application usage continues to increase among both corporations and consumers, organizations are urged to deploy applications quickly to remain competitive. Unfortunately, the security of these applications is not always given the attention it deserves. This has created a large attack surface for criminals to exploit, especially when those apps handle sensitive financial information.

This one-day workshop is designed to provide the knowledge and experience you need to enable an organization to securely develop, deploy, and monitor both web and mobile applications. Attendees will gain specialized knowledge of web and mobile application security. We will cover all security integration points within the software development lifecycle (SDLC), including contract and project documentation, source code security reviews, security testing in QA, dynamic application security testing, application penetration testing, and application security monitoring.

  • Contract and Project Documentation
    • What documentation needs to be in place internally
    • What to look for in third party service provider agreements
    • Industry resources that should be reflected in this documentation
  • Source Code Security Reviews
    • The unique characteristics of a source code security review
    • What reviewers should be looking for
    • Tools and techniques to help automate these reviews
  • Security Testing in QA
    • How different development methodologies impact security testing in QA
    • Aligning QA security testing with industry best practices
    • Tools and techniques to help automate QA security testing
  • Dynamic Application Security Testing
    • Distinction between static and dynamic testing
    • How to conduct dynamic testing without impacting production
    • Tools and techniques to help automate dynamic testing
  • Application Penetration Testing
    • Understanding the difference between automated testing and penetration testing
    • Scoping and executing web and mobile application penetration tests
    • Tools, techniques, and industry resources to help improve penetration testing efforts
  • Application Security Monitoring
    • How to detect attacks against web and mobile apps
    • Exploring the relationship between apps and infrastructure (who owns what?)
    • Tools and techniques to ensure robust application security monitoring

Learning Level: Intermediate
Technical Level: Medium

W5 Simplified Vulnerability Scanning for IT Auditors

Friday, July 19, 2019
7:45 AM – 3:15 PM
One-Day, 8 CPEs
Lee Neely, Senior Cyber Analyst, Lawrence Livermore National Laboratory
Chelle Clements, Web Mistress, Online Marketing and Publishing
Vulnerability scans work by rapidly interrogating network ports and services to determine the types and versions of those services and any obvious configuration issues. This determination is accomplished by comparing the information and responses gathered against databases of known vulnerabilities. During this interactive workshop you will learn:

  • How to determine which services are running by:
    • Port scanning
    • Banner interrogation
    • On-host software validation
  • How to determine what potential risks exist for the running services
  • How to scan web servers for possible risks
  • The advantages and trade-offs of application scans versus service scans
  • What are the risks and concerns related to scanning activities
  • What are the limitations of free tools versus commercial offerings
  • Which resources are available to create a home lab to practice your skills

During this interactive workshop you will be provided with open source tools for, and will gain hands-on experience with, three types of vulnerability scanning: network scanning, credential scanning and web scanning. The workshop will cover how to perform scans, how to analyze results, pitfalls to avoid and plans for remediation.

Technical Requirements: A Mac or PC laptop with administrative permissions (iPads, tablets, etc. will not work for this workshop)
Learning Level: Intermediate
Technical Level: Medium

IMPORTANT DATES

  • May 5: Early Bird Pricing Deadline
  • July 10: Standard Pricing Deadline
  • July 15: Data Governance Summit & W1
  • July 16-18: Main Conference Program
  • July 18: Half-Day Workshops
  • July 19: Full-Day Workshops