Potomac Forum The Forum of Choice for Government & Industry Training Since 1982

The Forum of Choice for Government & Industry Training Since 1982

(Postponed due to potential government shutdown) Cybersecurity Training: Integration of NIST Risk Management with Cybersecurity Framework Workshop

Workshop for New Staff and Experienced Practitioners addressing Risk Management Issues within their Agencies and to improve their cybersecurity posture

Tuesday, May 2, 2017

***At the request of government staff, we have postponed this Workshop.  Many government employees are not permitted to register for a class after the cessation of government funds. We will reschedule the workshop in June (when agencies have an Authorization).***

 

Keynote Speaker

 

Dr. Ron Ross

NIST Fellow

Author of the NIST Risk Management Framework and numerous NIST Publications

 

 

Guest Speakers

 

Honorable Theresa M. Grafenstine

Inspector General

U.S. House of Representatives

 

Jonathan Alboum

Chief Information Officer

U.S. Department of Agriculture

 

Tuesday, May 2, 2017

Meeting Location: 
Willard InterContinental Hotel

Willard Intercontinental Hotel
1401 Pennsylvania Avenue N.W.
Washington 20004
United States

Metro Center (Red, Orange, Blue Lines). Use the exit marked “12th & F Sts” to exit onto F St., then continue straight two blocks and cross 14th St.

Overview: 

The purpose of this workshop is to provide a better understanding of the NIST Risk Management Framework (RMF) used by the federal government to mitigate risk within enterprise information systems which include conducting the activities of security categorization, security control selection and implementation, security control assessment, information system authorization and security control monitoring. Understand the risks and cybersecurity threats that managing information systems presents and how risk management is a consistent objective of all senior leaders within organizations today. Obtain information about the NIST Cybersecurity Framework (CSF) guidelines, how it can be used in conjunction with NIST RMF and what this could mean for your organization.

 

Hear from industry experts and government officials tasked with implementing robust security and risk management strategies along with learning how the NIST RMF can be effectively implemented to reduce risk. Listen to two different government discussion panels presenting information from both a security and audit prospective, led by experienced moderators that will discuss key issues that organizations are facing and the risks that are being seen today throughout the government. 

What You Will Learn: 

  • The approach used by the NIST RMF
  • The value of the integration of the NIST RMF with the NIST CSF
  • Development of agency Risk Management Strategies
  • Changes in federal information system authorization requirements and guidelines
  • Guidance into what agencies can expect from the NIST RMF and new CSF processes
  • Importance of Risk Assessments (RA), Security Control Assessments (SCA), and Security Testing & Evaluation (ST&E)
  • Security control categorization and how it is used to manage risk
  • NIST SP 800-53A, Guide for Assessing the Security Controls in Federal Information Systems and Organizations: Building Effective Security Assessment Plans; NIST SP 800-37 Rev. 1 Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach and NIST SP 800-39 Managing Information Security Risk
Why You Should Attend: 

  • Review the key steps within the NIST RMF and CSF
  • Obtain practical knowledge of how NIST RMF and CSF are incorporated into information system security
  • Gain insight into conducting and implementing NIST RMF and CSF in your organization
  • Collect information on how NIST frameworks can be leveraged to enhance the security of your organization
  • Learn how risk management and cybersecurity are essential for regulatory compliance
  • Learn from risk management, security and OIG colleagues in Federal, State and Local Governments
Who Should Attend: 

  • CIOs and Staff
  • IT security and risk management practitioners
  • IGs and Staff
  • Program Managers responsible for risk management
  • Government Employees who want to better understand organization risk management
  • Industry and Contractors who support risk management for the government
  • All government and industry members who need to better understand risk management 
Agenda: 

 

7:30AM

Registration and Continental Breakfast

8:30

Welcome
Art Chantker, President, Potomac Forum

8:45

NIST Risk Management Framework and Cyber Threat Landscape  -
Integration of NIST Risk Management with Cybersecurity Framework

Presenter: John Lainhart, Grant Thorton

  • Overview of the NIST RMF and CSF Frameworks
  • Integration of risk management into cybersecurity processes
  • Understanding of compliance-based vs. risk-based governance structure

 

9:45

Refreshment Break

10:00

Keynote Speaker:
Dr. Ron Ross, NIST Fellow, Author of the NIST Risk Management Framework and  numerous NIST Publications

11:00

Understanding NIST Risk Management Framework
Step 1: Categorize

Step 2: Select
Step 3: Implement

Presenter: Noel Nazario, Grant Thornton

  • Process for categorization information systems and data
  • Understanding of different types of security controls
  • Implementation strategies for security controls

12:00 PM

Networking Luncheon

1:00

CIO/CISO/OIG Government Panel Discussion: Operational and Compliance Challenges and Best Practices for Risk Management
Moderator – Hon. Theresa Grafenstine, Inspector General, U.S. House of Representatives
Panel - Jonathan Alboum, Chief Information Officer, USDA
Additional speakers awaiting confirmation
  • What are the differences in perspectives of Risk Management
  • How can IGs help their agencies address Risk Management
  • How have CISOs integrated Risk Management into their agency’s Enterprise Risk Management

2:00

Understanding NIST Risk Management Framework 
Step 4: Assess
Step 5: Authorize
Step 6: Monitor
Presenter - Jessica Saunders, Grant Thornton
  • Components of an information system Authority to Operate (ATO)
  • Understanding of differences between C&A and A&A practices
  • Incorporation of risk and security control assessments as part of continuous monitoring

3:00

Refreshment Break

3:15

Cyber Security Overview – Latest information on Government Cyber Security Initiatives
Presenter - Glenn Keaveny, Grant Thornton
  • Where does cyber security fit within an agency?
  • What are some cyber security common misconceptions?
  • What are the common information system security pitfalls?
 

4:00

Cyber Security Working Group Case Studies 
Presenters - Joshua McGee and Amanda Schnurr, Grant Thornton

4:45

Wrap-up and Q&A

5:00

Workshop Adjourns

5:00

Post Workshop Discussions with Instructors on Specific Individual Topics

 

 

Registration Information: 

 

*** Super Early Bird Special for Government: Register by April 15 and pay just $595. ***

Register Now!

 

 

  Early Bird Registration Fee AFTER April 21
Government Employees:
(Federal, State or Local Government Issued ID)

 $ $695 

In effect April 16-21

Special Reduced Rates in Support of Government Budget Reductions

 $ $895
Team Rate for both Government and Industry: Send a government team to learn together. Register two government employees from the same office at the same time and the third person receives $100 off the current government rate. Team rate applies to every tiered registration fee.
Industry and Contractors:
(Including contractors on-site and in direct support of government agencies).
 $ $895  $ $995

Registration Includes: Presentations, Workshop Notebook, Continental Breakfast, All Day Refreshments and Hosted Luncheon

Keynote Speaker: 

Ronald (Ron) Ross

Fellow

National Institute of Standards and Technology

Ron Ross is a Fellow at the National Institute of Standards and Technology. His focus areas include information security, systems security engineering, and risk management. Dr. Ross leads the Federal Information Security Modernization Act (FISMA) Implementation Project, which includes the development of security standards and guidelines for the federal government, contractors, and the United States critical infrastructure. His current publications include Federal Information Processing Standards (FIPS) 199 (security categorization), FIPS 200 (security requirements), and NIST Special Publication (SP) 800-39 (enterprise risk management), SP 800-53 (security and privacy controls), SP 800-53A (security assessment), SP 800-37 (Risk Management Framework), SP 800-30 (risk assessment), SP 800-160 (systems security engineering), and SP 800-171 (security requirements for nonfederal systems and organizations). Dr. Ross also leads the Joint Task Force, an interagency partnership with the Department of Defense, Office of the Director National Intelligence, U.S. Intelligence Community, and the Committee on National Security Systems, with responsibility for the development of the Unified Information Security Framework for the federal government and its contractors.

 

 

Dr. Ross previously served as the Director of the National Information Assurance Partnership, a joint activity of NIST and the National Security Agency. In addition to his responsibilities at NIST, Dr. Ross supports the U.S. State Department in the international outreach program for information security and critical infrastructure protection. He has also lectured at many universities and colleges across the country including the Massachusetts Institute of Technology, Dartmouth College, Stanford University, the George Washington University, and the Naval Postgraduate School. A graduate of the United States Military Academy at West Point, Dr. Ross served in many leadership and technical positions during his twenty-year career in the United States Army. While assigned to the National Security Agency, Dr. Ross received the Scientific Achievement Award for his work on an inter-agency national security project and was awarded the Defense Superior Service Medal upon his departure from the agency. Dr. Ross is a four-time recipient of the Federal 100 award for his leadership and technical contributions to critical information security projects affecting the federal government and is a recipient of the Presidential Rank Award. He has also received the Department of Commerce Gold and Silver Medal Awards and has been inducted into the Information Systems Security Association Hall of Fame and given its highest honor of Distinguished Fellow. In addition, Dr. Ross has been inducted into the National Cyber Security Hall of Fame.

 

 

Dr. Ross has received numerous private sector cybersecurity awards including the Partnership for Public Service Samuel J. Heyman Service to America Medal for Homeland Security and Law Enforcement, Applied Computer Security Associates Distinguished Practitioner Award, Government Computer News Government Executive of the Year Award, Vanguard Chairman’s Award, Government Technology Research Alliance Award, InformationWeek’s Government CIO 50 Award, Billington Cybersecurity Leadership Award, ISACA National Capital Area Conyers Award, ISACA Joseph J. Wasserman Award, Symantec Cyber 7 Award, SC Magazine’s Cyber Security Luminaries, (ISC)2 Inaugural Lynn F. McNulty Tribute Award, 1105 Media Gov30 Award, and three-time Top 10 Influencers in Government IT Security.

 

 

During his military career, Dr. Ross served as a White House aide and a senior technical advisor to the Department of the Army. He is a graduate of the Defense Systems Management College and holds Masters and Ph.D. degrees in Computer Science from the U.S. Naval Postgraduate School specializing in artificial intelligence and robotics.

Guest Speakers: 

Honorable Theresa M. Grafenstine

Inspector General

U.S. House of Representatives

In 2010, the Honorable Theresa M. Grafenstine was named the Inspector General of the U.S. House of Representatives (House), having been unanimously appointed by the House Speaker, Majority Leader, and Minority Leader. She has served for twenty-five years in the Inspector General community in both the legislative and executive branches of the US Government. As the Inspector General, she is responsible for planning and leading independent, non-partisan audits, advisories, and investigations of the financial and administrative functions of the House. Prior to joining the House, Grafenstine served at the U.S. Department of Defense Office of Inspector General, where she led acquisition audits of major weapon systems and was selected to respond to high-profile Congressional audit requests.

 

She is also an active volunteer in support of the information technology, governance, internal auditing, and accounting professions. Ms. Grafenstine currently serves on the board of directors of the Association of International Certified Professional Accountants (AICPA). With over 650,000 members, the AICPA is the world’s largest member association representing the accounting profession. Ms. Grafenstine is also the Vice-Chairman of the international board of directors of ISACA, a global association with over 140,000 members in the IT audit, governance, security and risk profession. She also provides financial oversight as the audit committee chairman of the Pentagon Federal Credit Union, which has over $21 billion in assets and 1.3 million members.

 

She has received numerous awards and accolades, including the Golden Gov Federal Executive of the Year and, most recently, the Greater Washington Society of CPAs “2016 Women to Watch” and “2016 Outstanding CPA in Government” awards.

 

Ms. Grafenstine is a Certified Public Accountant (CPA), a Certified Internal Auditor (CIA), Certified Government Auditing Professional (CGAP), Certified Information Systems Auditor (CISA), Certified in the Governance of Enterprise Information Technology (CGEIT), Certified in Risk and Information Systems Control (CRISC), and a Chartered Global Management Accountant (CGMA). Ms. Grafenstine received a bachelor’s degree in Accounting from Saint Joseph’s University in Philadelphia, Pennsylvania.

Jonathan Alboum

Chief Information Officer

U.S. Department of Agriculture

 

Jonathan Alboum was appointed the U.S. Department of Agriculture’s (USDA) Chief Information Officer (CIO) by Agriculture Secretary Tom Vilsack in June 2015. In this role, Alboum works with stakeholders across USDA’s 17 component agencies and throughout government to formulate Information Technology (IT) strategies and to develop policies that support IT budget formulation and execution, portfolio management, governance, IT operations and information security.

 

Prior to his appointment as CIO, Alboum held several leadership positions at the USDA and the General Services Administration (GSA). He most recently served as the Program Executive for USDA's Modernize and Innovate the Delivery of Agriculture Services (MIDAS) initiative, where he provided executive leadership for a $400+ million SAP implementation that gives farmers and ranchers the flexibility to update customer information at any Farm Service Administration (FSA) county office, enables them to more efficiently manage multiple customer records, reduces improper payments, and provides program eligibility information through a single view. Before that, Alboum served at GSA as the Associate CIO for Enterprise Governance and Planning. During his tenure at GSA, he also led the creation of GSA's consolidated IT organization and worked as the Deputy CIO for the Federal Acquisition Service. Jonathan began his Federal government career at the USDA Food and Nutrition Service (FNS), where he served as the Deputy CIO and the CIO.

 

Alboum joined government after working as a management consultant for both PricewaterhouseCoopers and Ventera Corporation. In these roles, he managed several large system implementations, gaining a depth and breadth of knowledge regarding how organizations use technology to transform their businesses and better serve their customers.

 

Jonathan earned a MS in the Management of Information Technology from the University of Virginia's McIntire School of Commerce and a BS in Systems Engineering from the University of Virginia's School of Engineering and Applied Science.

Instructors: 

Glenn Keaveny

Director, Cybersecurity

Grant Thornton

Glenn Keaveny recently joined Grant Thorton’s US Public Sector practice, serving as Director, Cybersecurity. Glenn is a CISSP and CEH with over 15 years of experience in Cybersecurity Operations, Vulnerability/Penetration Testing and Cybersecurity Management.  His application background and operations management experience in challenging environments such as defense and healthcare provides a unique basis for his cyber expertise.  Prior to joining Grant Thornton he led and managed Security Operations and Monitoring services for Deloitte.  Prior to that he was the Security Officer for the Defense Information Systems (DISA) Field Security Office (FSO).  He was responsible for security operations of the FSO field activity as well as a team of over 30 cyber security professionals who conducted security operations and monitoring as well as Cyber Command Readiness Inspections (CCRI) similar to civilian vulnerability assessments.  He also managed a team of full time attack and penetration testers who operated year round on sites and systems around the globe.

Joshua McGee

Senior Associate, Public Sector

Grant Thornton

Joshua is a Senior Associate in the Public Sector Practice of Grant Thornton’s Alexandria office. He is a member of the Information Assurance and Cybersecurity group.

 

Joshua McGee has over three years of experience auditing federal financial accounting and reporting systems and performing internal controls reviews. Joshua is well equipped in guidance such as FISCAM, NIST, GAS, FAM, OMB Circular A-123, FISMA, etc.  Joshua has supported clients from various government agencies. The majority of his experience pertains to providing services to DoD agencies, including the US Air Force, Defense Finance and Accounting Service, Defense Logistics Agency, The Joint Staff, US Marhsals Service, and Defense Contract Management Agency.

 

Joshua is an active member of the National Capital Region Chapter of ISACA, and has participated in Working Groups for the national organization. Joshua is an Advisory Council member and active volunteer for the local non-profit DC SCORES, which provides after-school programming to over 2,200 DC Public School students.

 

Joshua received his Bachelor of Arts in Political Science from Elon University in North Carolina. His honors thesis focused on US Foreign Policy in Cybersecurity issues.

 

Professional Qualifications and Memberships

  • Certified Information Systems Auditor (CISA), ISACA
  • Certified Scrum Product Owner (CSPO), Scrum Alliance

John Lainhart

Director, Global Public Sector

Grant Thornton

John is a Director in the Public Sector Practice of Grant Thornton’s Alexandria office. He is a member of the Information Assurance and Cybersecurity group. 

 

John has 45+ years of U.S. federal government experience in IT Governance, Security, Privacy, IT Risk Management, IT Value, and Cybersecurity.  He has 30+ years of experience as an IT auditor and culminated his public sector career serving as the first Inspector General and Officer of the U.S. House of Representatives. He joined PwC consulting service as the Partner responsible for providing Security and IT Management services to the U.S. Public Sector and served as the Partner, Cybersecurity & Privacy Services Leader for the U.S. Public Sector when IBM acquired PwC’s consulting business until retiring in June 2016.

 

John serves on the Board of Directors of George Washington University’s Center for Cyber and Homeland Security. John is active in the ISACA community, and currently serves as Advisor to the ISACA Board of Directors. He previously served as Co-chair of the COBIT 5 Task Force and served on the AICPA’s Assurance Services Executive Committee and was instrumental in the development of the AICPA’s Trust Services and SSAE No. 16.

 

Education

M.A., Management and Supervision, Central Michigan University, 1976

B.A., Business Administration, Davis & Elkins College, 1969

Wharton Information Systems Program, Wharton School of Finance, 1974

 

Professional qualifications and memberships

  • Certified Information Systems Auditor (CISA)
  • Certified Information Security Manager (CISM)
  • Certified in Risk and Information Systems Control (CRISC)
  • Certified in the Governance of Information Technology (CGEIT)
  • Certified Information Privacy Professional/Government (CIPP/G)
  • Certified Information Privacy Professional/U.S. (CIPP/US)

 

Noel A. Nazario

Director, Global Public Sector

Grant Thortnon

Noel is a Director in the Public Sector Practice of Grant Thornton’s Alexandria office. He is a member of the Information Assurance and Cybersecurity group .  
Experience

 

Noel has more than 30 years of experience in IT management and security audit management, cyber security and Information Technology (IT) assessments, IT standards development, and IT program management. Noel is a Cybersecurity leader with extensive experience developing security technology, assessing systems security, and helping organizations optimize their cybersecurity efforts to better support mission and business objectives. Prior to joining Grant Thornton, Noel served as Senior Manager at Ernst & Young and as a manager at KPMG. Prior to that, he served as an Electronic Engineer within the Computer Security Division of National Institute of Standards and Technology (NIST).

 

Noel serves on the board of the National Capital Region Chapter of ISACA.

 

Noel received his Master of Science in Computer Science from the Johns Hopkins University.
Noel received his Bachelor of Sciences in Computer Engineering from the University of Puerto Rico.

 

Professional qualifications and memberships
•    Certified Information Systems Auditor (CISA), ISACA
•    Certified Information Systems Security Professional (CISSP)
 

Jessica Saunders

Manager, Global Public Sector

Grant Thornton

 

Jessica is a manager in the Public Sector Practice of Grant Thornton’s Alexandria office. She is a member of the Information Assurance and Cybersecurity group.

 

Jessica has more than five years of experience in IT audit/Information Assurance, Internal Controls reviews, IT Security, and Risk Management for Federal agencies from a broad spectrum of industries including Healthcare, Civilian, Defense and Financial Services. Jessica has supported various federal government financial statement audit, A-123, Federal Information Systems Management Act (FISMA), Security Diagnostics, and Statements on Standards of Attestation Engagements (SSAE) 16 /18 engagements.

 

Jessica is an active member of the National Capital Region Chapter of ISACA, Association of Government Accountants (AGA) and American Society of Military Comptroller (ASMC).

 

Jessica received her Bachelor of Science in Accounting, Minor Legal Environment of Business from Pennsylvania State University in 2010.

 

Professional qualifications and memberships

  • Certified Information Systems Auditor (CISA), ISACA
  • Certified Public Accountant (CPA)
  • Certified Defense Financial Manager (CDFM)
Cancellation Policy: 

Confirmed registrations who cancel within 3 business days of the program will be subject to a $250 cancellation fee. Registrations cancelled after the program starts are subject to the full registration fee. Substitutions can be made at any time. In the event a particular training workshop is cancelled, the liability of Potomac Forum, Ltd is limited to refund of any prepaid registration fee.

  • © 2017 Potomac Forum Ltd. All Rights Reserved
    Copyright also covers all workshop agendas and descriptions
  • 400 N. Washington Street, Suite 300, Alexandria, VA 22314