
International Information Integrity Institute

I-4 Forum 80 Houston, Texas

21-23 October 2013


International Information Integrity Institute

I-4 Forum 80 21-23 October 2013

St Regis Hotel, Houston, Texas

Dear I-4 Member,

On behalf of the International Information Integrity Institute (I-4) we look forward to welcoming you to I-4 Forum 80 in Houston, Texas. I-4 Forums offer our Members the opportunity of active participation in an atmosphere of mutual trust and camaraderie. I-4 is all about sharing real experience and knowledge and getting on to the front foot with the ever-changing challenges facing the world of information security; participants can expect to take back to the office real learnings that they simply won’t find at other events. As one senior Member participant commented after the June 2013 Forum in Edinburgh, “…was a great way to affirm my own interests and what our company is looking for…full of networking opportunities with the right people. Awesome Forum!”

The main Forum sessions are now all finalised and just a few of the many highlights include the following.

Case Studies – the real world
Continuing the successful theme of the past two Forums we will again have a series of Member case study presentations that will unearth the real learnings across a range of topics and sectors. We will get into real Member experiences with sessions from GSK, Goldman Sachs and the hi-tech and oil & gas sectors.

SCADA & Control System Security
When we last heard of SCADA security at I-4 Forum 72 in March 2011, we were anticipating the potentially dramatic fall-out from the release of Stuxnet. What has happened in the world of Industrial Control System Security? Have we taught the engineers more about security and what have we learnt from them? This session will show the huge importance of, and reliance on, these systems beyond the traditional boundaries of the process and utility sectors.

Scenario Planning – make it real!
Faced with an increasingly uncertain world of innovation, disruptive technologies, changing business processes, damaging cyber attacks, and constantly demanding consumer and user behaviours, organisations need to ensure that they are fully prepared to deal with the pace of such changes. Increasingly, organisations are using scenario-based exercises to better plan their response, and the results of good planning in protecting long-term investment decisions, reputation and key services and assets are clearly apparent. The takeaways from the session will allow you to adopt similar approaches for your own organisation, having seen the real world examples and the proven business case.

Data Analytics – can information security benefit?
Big Data analytics seems to have been used to solve problems and answer questions that were dilemmas in the past. Forward looking organisations are exploring whether the Big Data analytics platform can be used to consolidate structured and unstructured security data, couple those results with forensic capabilities, and put the security team in a position to address the most daunting issues. The answer to this question is not as simple as “yes” or “no”, and the session will provide background for thought leadership from the membership and I-4 Team.

Cyber Security Framework (CSF)
Presidential Policy Directive-21 – Improving Critical Infrastructure Cyber Security, issued on 12 February 2013, establishes a security framework for privately-held critical infrastructure and a presidential policy directive on critical infrastructure security. The US National Institute for Standards and Technology (NIST) is required to develop within one year a framework incorporating "consensus standards and industry best practices" for voluntary adoption by operators of critical infrastructure. In this very timely session we will review the status of the framework, other frameworks under consideration by other entities, and have a legal brief from one of our members.

I-4: Aligning national security and commercial requirements for mobile security to influence product reality
One of the missions of the US National Security Agency is to ensure that government departments have good security in the mobile technology that they use. Past experiences of developing special equipment have led to long lead times to produce costly products with a very poor user experience. For their next generation the US government would like standard consumer technology vendors to produce commercial products that meet the security goals ‘off the shelf’, which is not much different to the business needs we all have. At Forum 78 in San Diego the BoF session came up with the idea of creating a member survey to collect our organisations’ security requirements for mobile devices. This session reports back our findings.

I-4 is a membership service provided by member firms of KPMG International, a Swiss entity. All rights reserved. © 2013 KPMG LLP, a UK limited liability partnership, is a subsidiary of KPMG Europe LLP and a member firm of the KPMG network of independent member firms affiliated with KPMG International, a Swiss entity. All rights reserved. KPMG and the KPMG logo are registered trademarks of KPMG International, a Swiss entity.

Proprietary: I-4 Member Use Only

Sunday 20 October 2013

1800 – 1930 I-4 Forum Welcome Reception

The focus of this informal drinks and hors d’oeuvres session is to re-establish connections, welcome first-time Forum participants and meet the KPMG I-4 Team in a relaxed environment. The Ambassador Room

Monday 21 October 2013

0800 – 0900 BREAKFAST To maximize your networking time, a continental breakfast buffet will be provided in a private area for the Forum participants.

Outside the Astor Ballroom

From 0800 REGISTRATION

Outside the Astor Ballroom

0815 – 0900 ♦ I-4 Orientation Workshop – Getting Value from the Forum and the I-4 Program This session is designed specifically for newcomers to I-4 to learn more about the I-4 Program and how to maximize the learning and networking opportunities that the Forum will bring.

The Plaza

Forum Kickoff and Welcome

0915 – 0930 ♦ Forum Kickoff Mark Waghorne, Head of the I-4 Program

The Astor Ballroom

♦ Forum Welcome Regina Mayer, KPMG

Session 1: Keynote

0930 – 1030 ♦ Title and speaker to be confirmed week beginning 16 September

1030 – 1100 BREAK


Session 2: Case Studies – the real world Chair: David Morgan, I-4 Team Continuing the successful theme of the past two Forums we will again have a series of Member case study presentations that will unearth the real learnings across a range of topics and sectors.

1100 – 1105 ♦ Introduction David Morgan, I-4 Team

1105 – 1150 ♦ Gaining Business Buy-in to Identify and Protect the Corporate Crown Jewels Colleen McMahon, GSK GSK will share how they went about identifying and securing their critical business data. This will include the contrast between an IT versus a business led approach, what challenges they overcame, the things that worked well for them and the things that went less well.

1150 – 1235 ♦ Bringing Your SOC Back In-house Chip Calhoun, Head of Counter Threat Unit, BP In today’s world of ever increasing cyber-threat and continued leaps in sophistication by adversaries, it takes more than security tools to keep up with attacks. Over the years we have been through several iterations of the Security Operation Center and have finally landed on what we believe is the right recipe for success. Chip will discuss BP’s 13 year journey from what he calls a “pay and pray” service to a fully in-sourced and supported group with contextual knowledge about the environment they are meant to protect.

1235 – 1350 LUNCH

The Colonnade Room

1350 – 1435 ♦ Embracing and Securing BYOD Microsoft invited

1435 – 1520 ♦ Securing Big Data – Notes from the Field Phil Venables, Goldman Sachs The broader leverage of Big Data, and in particular massive scale data analytics, has now become a commercial imperative and is therefore something Goldman Sachs has been actively exploring. However, unless done correctly, data level access controls – or lack thereof – could easily become an impediment to achieving this important commercial objective. This presentation will provide an insight into current practical control options for Big Data environments in general. More specifically, it will focus on the firm’s experiences to date in the adoption of popular NoSQL technologies and will finally provide a perspective on enterprise options for cell-level security, data labeling and mandatory access controls, using technologies like Accumulo and Trusted Data Format.

1520 – 1530 ♦ Panel Discussions and Questions

1530 – 1600 BREAK

1600 – 1615 Birds of a Feather Previews

The facilitators of the three BoF sessions on Tuesday afternoon will share the work that has been carried out in advance of the Forum, what is intended to be achieved during the BoF and how the work items may be taken forward.


Session 3: Late-breaking Matters to Challenge us all

1615 – 1630 ♦ Topics to be confirmed nearer the Forum

Session 4: I-4 Aligning National Security and Commercial Requirements for Mobile Security to Influence Product Reality One of the missions of the US National Security Agency is to ensure that government departments and key roles, including the US President himself, have good security in the mobile technology that they use. Past experiences of developing special equipment have led to long lead times to produce costly products with a very poor user experience. For their next generation the US government would like standard consumer technology vendors to produce commercial products that meet the security goals ‘off the shelf’, which is not much different to the business needs we all have. At Forum 78 in San Diego the BoF session came up with the idea of creating a member survey to collect our organisations’ security requirements for mobile devices – if they come close to what government departments want then we could have a very strong combined voice to the vendor community. This session reports back our findings.

1630 – 1715 ♦ Paul Dorey and Martin Tully, I-4 Team

Please hand in your completed evaluation form for Monday’s sessions

1800 Forum Reception at The Space Center, Houston Meet in the hotel lobby to board buses to The Space Center. On arrival we will enjoy drinks and appetizers in the new exhibit “Machines in Motion” and will also have access to International Space Station (ISS) exhibit and Shuttle mock-up. A buffet dinner will be served in the Astronaut Gallery followed by a visit to the “Blast Off Theater” where we will experience the launch of the Shuttle. We will then be greeted by a Mission Briefing Officer and enjoy a live presentation on the status of the space program and ISS.


Tuesday 22 October 2013

0800 – 0900 BREAKFAST To maximize your networking time, a continental breakfast buffet will be provided in a private area for the Forum participants.

Outside the Astor Ballroom

0900 – 0905 ♦ Announcements Gerry O’Neill, I-4 Team The Astor Ballroom

Session 5: Data Analytics – Can information security benefit? Chair: Charles King, I-4 Team Of late, Big Data analytics seems to have been used to solve problems and answer questions that were dilemmas in the past. Forward looking organisations are exploring whether the Big Data analytics platform can be used to consolidate structured and unstructured security data, couple those results with forensic capabilities, and put the security team in a position to address the most daunting issues. The answer to this question is not as simple as “yes” or “no”. During this session we will pose a series of questions to Members and the session will provide background for thought leadership from the membership and I-4 Team.

0905 – 0915 ♦ Introduction Charles King, I-4 Team

0915 – 1000 ♦ Security Analytics’ Deployment Approaches Doug Graham, Senior Director, Governance Risk and Compliance, EMC2

As ever, the question of “where to begin?” can be as daunting as the issues solved. Three experts will each outline their practical approach:

Leverage in-house analytics capability – Ronald Cloutier, VP and CSO, ADP

Acquire or build security analytics capability – Nik Whitfield, Head of Market Engagement, BAE Systems Detica

Use a managed service provider – Michael Mitchell, Director Managed Service, Genesis Networks

1000 – 1015 BREAK

1015 – 1040 ♦ What does this mean for us? Moderator: Doug Graham, Senior Director, Governance Risk and Compliance, EMC2 Questions posed by the moderator to the experts will expand on deployment approaches and draw all Forum participants into the debate.

1040 – 1050 ♦ Take-aways and Next Steps Charles King, I-4 Team


1050 – 1120 BREAK First time participants’ feedback First time participants meet for a short, informal discussion with the I-4 Team of their experiences of the Forum so far and give feedback or any suggestions for what may be done differently to enhance the I-4 experience.

Session 6: Think Piece

1120 – 1155 ♦ Future Math: Rubber hose crypto and other R&D on the horizon Zach Tudor, SRI International Researchers are developing novel business uses for cryptographic techniques. This talk will present new concepts in the next generation of cryptographic systems, including rubber hose cryptography, homomorphic encryption, and quantum cryptography.

Session 7: Future Themes for the I-4 Program and MAC Election The Member Advisory Committee (MAC) and Mark Waghorne, Head of the I-4 Program

1155 – 1230 The first part of the session provides the opportunity for the Membership and guests as a group to inject their ideas to identify subject coverage and potential speakers for future Forum, Regional and Webinar agendas.

Led by the MAC, the brief second part of the session deals with the election for the MAC position that becomes ‘vacant’ at the Forum.

1230 – 1345 LUNCH

The Colonnade Room

Session 8: Birds of a Feather Highly interactive sessions often bring out the best sharing in the I-4 environment. At the Forum we will have three facilitated, interactive breaking news/member requested Hot Topic Birds of a Feather groups. The BoF leaders will report back the outcomes of their BoF in plenary session on the final day of the Forum.

1345 – 1515 ♦ BoF 1: Late breaking hot topic to be confirmed nearer the Forum

♦ BoF 2: Late breaking hot topic to be confirmed nearer the Forum

♦ BoF 3: Late breaking hot topic to be confirmed nearer the Forum

1515 – 1545 BREAK


Session 9: SCADA & Control System Security Chair: Paul Dorey, I-4 Team When we last heard of SCADA security at I-4 Forum 72 in March 2011, we were anticipating the potentially dramatic fall-out from the release of Stuxnet. What has happened in the world of Industrial Control System Security? Have we taught the engineers more about security and what have we learnt from them? This session will show the huge importance of, and reliance on, these systems beyond the traditional boundaries of the process and utility sectors.

1545 – 1615 ♦ Introduction: The Hidden World of Embedded Control Devices Eric Byres, Chief Technology Officer, Tofino Security, a Belden Brand Over the past decade, corporations have spent billions of dollars trying to secure the obvious targets in the enterprise, namely desktop and server platforms. Unfortunately, another universe of even more insecure devices is rapidly growing inside most companies: the intelligent embedded device. Also known as Non-Person Entities (NPE), these range from simple physical security devices like cameras and card readers to HVAC controllers and data center environmental systems. At their most complex, NPEs can form large scale Supervisory Control and Data Acquisition (SCADA) systems and Industrial Control Systems (ICS) on the plant floor, on the grid or in the refinery. Many embedded devices operating in companies are poorly documented. Most are extremely insecure. And for many companies the number of NPEs is increasing exponentially; for some companies, NPEs will outnumber traditional IT devices by a ratio of 20 to 1 in the next decade. This talk will explore the IT security risks from these “non-traditional” devices and how leading companies are managing them.

1615 – 1640 ♦ Solving Challenges with Public/Private Partnership Zach Tudor, SRI International and Penny Wolter, LOGIIC Outreach Committee Chair (invited) Collaborations between government and industry, termed public-private partnerships, are seen as crucial in keeping critical infrastructures secure. The 9-year-old LOGIIC oil and gas consortium connects the world’s largest oil and gas companies with the US DHS. LOGIIC team members will discuss the consortium, and the care and feeding needed to maintain the collaboration.

1640 – 1705 ♦ A Case Study – Securing the Floating City Joe Hancock, Senior Manager, BAE Systems Detica

1705 – 1730 Discussion and Questions

Please hand in your completed evaluation form for Tuesday’s sessions

1800 Networking Event sponsored by RSA/EMC

RSA invite all Forum participants to an informal drinks and buffet dinner – a perfect way to make the most of networking at the Forum.

The Ambassador Room, St Regis Hotel


Wednesday 23 October 2013

0800 – 0900 BREAKFAST To maximize your networking time, a continental breakfast buffet will be provided in a private area for the Forum participants.

0900 – 0905 ♦ Announcements David Morgan, I-4 Team The Astor Ballroom

Session 10: Scenario Planning – making it real! Chairs: Gerry O’Neill, I-4 Team and Tom Longstaff, U.S Department of Defense Faced with an increasingly uncertain world of innovation, disruptive technologies, changing business processes, damaging cyber attacks, and constantly demanding consumer and user behaviours, organisations need to ensure that they are fully prepared to deal with the pace of such changes. Increasingly organisations are using scenario-based exercises to better plan their response – and the results of good planning in protecting long-term investment decisions, reputation and key services and assets, is clearly apparent. This session will provide Members with a current state perspective, and will showcase several examples of how I-4 Members are using these techniques to real advantage. The takeaways from the session will allow you to adopt similar approaches for your own organisation, having seen the real world examples and the proven business case.

0905 – 0920 ♦ Introduction Gerry O’Neill, I-4 Team and Tom Longstaff, U.S Department of Defense

0920 – 0955 ♦ Member case example – Protecting the London 2012 Olympic Games Phil Packman, GM, Security Enablement, BT

0955 – 1030 ♦ Member case example – Scenario planning to protect the brand Ben Krutzen, Shell

1030 – 1100 BREAK

1100 – 1200 ♦ Art of the Long View – Strategic planning practical exercise Gerry O’Neill, I-4 Team and Tom Longstaff, U.S Department of Defense

1200 – 1315 LUNCH

The Colonnade Room


Session 11: Cyber Security Framework (CSF) Chair: Charles King, I-4 Team Presidential Policy Directive-21 – Improving Critical Infrastructure Cyber Security, issued on 12 February 2013, establishes a security framework for privately-held critical infrastructure and a presidential policy directive on critical infrastructure security. The National Institute for Standards and Technology (NIST) is required to develop within one year a framework incorporating "consensus standards and industry best practices" for voluntary adoption by operators of critical infrastructure. The Department of Homeland Security (DHS) will coordinate an effort to identify a set of incentives to spur industry adoption, including those that could require legislation to activate. A preliminary version of the framework is due in October; a final version of the framework is planned for February 2014. In this session we will review the status of the framework, other frameworks under consideration by other entities, and have a legal brief from one of our members.

1315 – 1320 ♦ Introduction Charles King, I-4 Team

1320 – 1335 ♦ What is the CSF? Tim Grance, Computer Scientist, NIST

1335 – 1405 ♦ Panel: What are the practical implications?

Practitioner’s view – Michael Lewis, Senior Security Strategist, Chevron

Academic view – Dr Nader Mehravarik, CERT Cyber Resilience Center, Carnegie Mellon University, Software Engineering Institute (SEI)

Legal view – Pillsbury Winthrop Shaw Pittman

1405 – 1420 ♦ Panel discussion and questions

1420 – 1450 BREAK

Session 12: Birds of a Feather Report Backs The leader of each group will share the output from their group along with any proposals for next steps for discussion with the Forum participants in plenary session.

1450 – 1530

Session 13: Closing keynote

1530 – 1615 ♦ Title to be confirmed week beginning 16 September

Forum Close

1615 – 1630 Mark Waghorne, Head of the I-4 Program

Please complete your evaluation form and hand in at the registration desk

1830 Participants meet in hotel lobby to form informal dinner groups


Malcolm Marshall

[email protected]

+44 (0)20 7311 5456

Mark Waghorne

[email protected]

+44 (0)20 7311 5220

Greg Bell

[email protected]

+1 404 222 7197

Shahed Latif

[email protected]

+1 650 404 4217

John Hermans

[email protected]

+31 206 568 394

Jörg Asma

[email protected]

+49 221 2073-6233
