
Track 2 – IT Track

Performing Effective CyberSecurity Risk Assessments and Audits

Presented by Ken Cutler CISSP, CISM, CISA, Security+, CASP, Q/EH


This Track Will Cover the Entire 2.5-day Conference Period of

Wednesday, 11/15/2017 – Friday 11/17/2017


CyberSecurity represents the largest component of IT risks and related controls, and a major challenge to organizations of all sizes. Following the lead of Homeland Security, NIST, FFIEC, SEC, and the New York State Department of Financial Services have been encouraging or requiring substantially enhanced CyberSecurity risk assessments and audit procedures.


This practical how-to workshop will cover the essential background information, resources, and techniques necessary to plan and execute thorough, hard-hitting CyberSecurity risk assessments and audits. Important common “red flag” CyberSecurity risks will be highlighted. We will explore a wide array of essential CyberSecurity administrative, technical, and physical controls for protecting valuable information assets and associated resources in today’s highly complex and rapidly changing Cyber world. Concepts and techniques will be reinforced through group exercises on risk assessment and CyberSecurity control evaluation.


This course, geared for IT professionals – including IT and Operational Auditors, Information Security Managers, Analysts, and Architects, IT Management, IT Architects, Compliance Officers and Consultants – covers the following learning objectives:

  • Identifying key indicators of significant CyberSecurity risk and measuring their potential impact on your organization
  • Referencing important regulations, standards and frameworks relating to CyberSecurity and CyberAudit
  • Identifying methods for effectively assessing CyberSecurity controls using different levels of assessment procedures
  • Building audit programs leveraging prominent CyberSecurity regulatory requirements and industry best practices

More specifically, the course covers the following in detail:

Developing Your Organization’s Inherent Risk Profile: Organizational Characteristics and Culture; CyberSecurity and CyberAudit Expertise, Training, and Qualifications; Impact of Cyber Related Processes on the Organization’s Information Architecture [Information Technology and Connection Types; Cloud Computing; Service Oriented Architectures (SOA); External Access to Internal Systems; Internet of Things (IoT); and, Mobility and Shadow IT]; CyberSecurity and the Organizational Strategy [Enterprise Data and Competitive Advantage; Delivery Channels – User Interface; and, Data and Fraud Targets]; Personally Identifiable Information (PII) and Privacy; Third Party Connections; and, External and Internal Threats.


Identifying Relevant Cyber Security Controls and Their Impact: CyberSecurity and CyberAudit Frameworks, Standards, and Baselines [CyberSecurity Controls Categorization, Benefits, and Limitations; and, Application Software Development Security]; CyberSecurity Governance and Accountability [Cyber Risk Management and Oversight; CyberSecurity Human Resource Awareness and Training; Cyber Incident Management and Resilience; and, External Dependency Management – Outsourcing, Collaboration]; Cybersecurity Controls [Administrative Security – Separation of Duties, Least Privilege; Vulnerability Management and Threat Intelligence; Identity and Access Management; Cryptography and Data Protection – protecting “Data at Rest” and “Data in Motion/Transit”; Network Perimeter Security – Wired, Wireless; and, Operations Security].


Measuring Your CyberSecurity Posture: Metrics for Measuring and Reporting CyberSecurity; Risk Frameworks and Information Classification; Defining Your CyberSecurity Baseline – Risk and Compliance Benchmarks; Selecting a Maturity Model and Target Maturity Levels; Using a Gap Analysis to Measure Your Level of Non-Compliance and CyberSecurity Shortfalls; Conducting Technical and Non-Technical Risk and Compliance Testing; Prioritizing and Planning Corrective Action Plans; Implementing Changes; and, Reevaluating the CyberSecurity Posture.


Communicating Results to Different Levels of Management: Reporting to Senior Management in a Concise and Understandable Manner; Addressing Non-Technical Business Management Concerns; and, Balancing the “Business” Needs against IT “Best Practices”.


About the Speaker

Ken Cutler CISSP, CISM, CISA, Security+, CASP, Q/EH is President of Ken Cutler & Associates (KCA) InfoSec Assurance, an independent consulting firm delivering Information Security and IT audit professional consulting services. He is Director of Professional Certification Programs for Security University and a Senior Teaching Fellow at CPEi (CPE Interactive), specializing in Technical Audits of IT Security and IT controls. Ken is an internationally recognized consultant and trainer in the Information Security and IT audit fields and is a Qualified Ethical Hacker (Q/EH) and a Certified Meteorologist (USAF). He was formerly VP of Information Security for MIS Training Institute and has held numerous positions in IT management, including being CIO of a Fortune 500 company. He directed company-wide IS programs for American Express Travel Related Services, Martin Marietta Data Systems, and Midlantic Banks, Inc. Ken has been a long-time active participant in international government and industry security standards initiatives, including the President’s Commission on Critical Infrastructure Protection, Generally Accepted System Security Principles (GSSP), Information Technology Security Evaluation Criteria (ITSEC), US Federal Criteria, and the Department of Defense Information Assurance Certification Initiative. Mr. Cutler is the primary author of the widely acclaimed Commercial International Security Requirements, co-author of the original NIST SP 800-41, “Guidelines on Firewalls and Firewall Policy”, and has published many other works in addition to being quoted as an expert in publications and making TV appearances.