INFORMATION SECURITY SUMMIT 2004
11 – 12 November 2004
Sheraton Hotel Hong Kong

Pre-Summit Workshop: 10 November 2004
Post-Summit Workshop: 13 November 2004

Register Early For Exclusive Discount!

Organizers
Platinum Sponsors

www.issummit.org · Enquiry (852) 2788 5669


Programme

Day 1 • 11 November 2004 • Thu

Registration  08:45 – 09:15  Registration of Delegates

Opening Ceremony  09:15 – 09:30  Officiated by Mr. KK Yeung, JP, Executive Director, Hong Kong Productivity Council (HK)

Opening Address  09:30 – 09:45  Keynote Opening Address by Mr. Alan Wong, JP, Government Chief Information Officer, The Government of the Hong Kong Special Administrative Region (HK)

Keynote 1  09:45 – 10:45  Opening Keynote: Overcoming Obstacles to Effective Information Security Governance
  Dr. John Mitchell, Managing Director, LHS Business Control (UK)

Coffee Break  10:45 – 11:00

Parallel sessions: Management Track (1) and Specialist Track (2)

Session 1  11:00 – 11:45
  Track 1: Cross-Border Cooperation in Addressing CyberSecurity
    Mr. Steve Orlowski, Former Chair, APEC eSecurity Task Group; Independent IT Security Consultant (Australia)
  Track 2: Implementing Layer Security Across the Enterprise
    Mr. Andy Leung, Corporate SE Manager, PM Security, APAC, Juniper Networks, Inc. (HK)

Session 2  11:45 – 12:30
  Track 1: Microsoft IT Strategy to Address the Recent Security Risks
    Mr. Bremen Lee, IT Manager, Microsoft Hong Kong (HK)
  Track 2: Security Framework for Product Identification
    Dr. Frank Tong, Assistant Director, E-Business Technology Institute, The University of Hong Kong (HK)

Luncheon  12:30 – 13:30

Plenary I  13:30 – 14:30  Helping Customers Secure and Manage their Information Infrastructure
  Mr. Robert A. Clyde, Vice President & Chief Technology Officer, Symantec Corporation (USA)

Session 3  14:30 – 15:15
  Track 1: Gone Phishing! Spam and the Risks of Unfiltered Email
    Mr. Mark Trudinger, Vice President Asia, SurfControl Plc. (Singapore)
  Track 2: New Development in Wireless Security
    Mr. Ray Hunt, Associate Professor, Department of Computer Science and Software Engineering, University of Canterbury (New Zealand)

Coffee Break  15:15 – 15:30

Session 4  15:30 – 16:15
  Track 1: Information Security Strategy - Prioritizing and Staying Focused in the Changing Threat Environment
    Mr. Meng-Chow Kang, Chief Security & Privacy Advisor, Microsoft Asia Pacific (Singapore)
  Track 2: Hacking the Top App Vulnerabilities
    Mr. David Rhoades, Principal Consultant, Maven Security Consulting Inc. (USA)

Session 5  16:15 – 17:00
  Track 1: Reserved (TBA)
  Track 2: Developing Effective Encryption Systems
    Mr. Thomas Parenty, Managing Director, Parenty Consulting (HK)


Day 2 • 12 November 2004 • Fri

Keynote 2  09:00 – 10:00  Combating Serious & Organised Hi-Tech Crime
  Mr. Tony Neate, Industry Liaison, National High-Tech Crime Unit (UK)

Keynote 3  10:00 – 11:00  Security Lessons Learned from 'A' to 'B' (Athens to Beijing)
  Mr. Con Conway, Chairman of I.Tel Holdings Limited (HK)

Coffee Break  11:00 – 11:15

Parallel sessions: Management Track (1) and Specialist Track (2)

Session 6  11:15 – 12:00
  Track 1: Why Should Management Insist on Penetration Tests
    Professor Neil Barrett, Technical Director, IRM Plc (UK)
  Track 2: Security Integration: A Risk Based Approach (Athens 2004 Olympics Case Study)
    Mr. David MacKay, Senior Manager – Enterprise Security Services Team, Atos Origin (Australia)

Luncheon  12:00 – 13:00  Sponsored by BSI Management Systems

Session 7  13:00 – 13:45
  Track 1: IT Governance Pass or Fail?
    Mr. Ken Doughty, Former Chief Information Officer, TAB Limited (Australia)
  Track 2: Advantages of Obtaining a BS 7799 Certification
    Mr. Masatoshi Matsuzaki, General Manager, System Planning Department, IT Solution Division, Shimizu Corporation (Japan)

Session 8  13:45 – 14:30
  Track 1: IT Governance Challenges for Chinese Enterprises
    Mr. William Gee, Partner, PriceWaterhouseCoopers; Vice President, ISACA (HK Chapter) (HK)
  Track 2: Are We Ready for 24x7 Support Services?
    Mr. Jaime Lyndon A. Yaneza, Senior Anti-Virus Consultant, TrendLabs, Trend Micro Inc. (Philippines)

Coffee Break  14:30 – 15:00

Plenary 2  15:00 – 16:00  Information Security Governance – Oops not an Option
  Professor Dennis Longley, Emeritus Professor, Queensland University of Technology (Australia)

Panel Discussion  16:00 – 16:55  Specialist Panel Discussion: Cross-Border Enforcement Challenges for Information Security Governance
  Moderator: TBA
  Panelists: Professor Neil Barrett, Mr. Tony Neate, Mr. Steve Orlowski, HK Police Force (Representative) (International)

Closing Ceremony  16:55 – 17:00  Closing Speech by Mr. Dale Johnstone, Chairman, Organizing Committee - Information Security Summit (HK)

Note: The organizers reserve the right to change the program schedule without prior notice.

The Information Security Summit is an international event with the aim of giving participants practical insights into the information security industry. Following the success of the inaugural Summit in November 2003, this year's Summit continues to demonstrate a strong alliance of many leading organizations in the information security field. They include the Hong Kong Productivity Council, British Standards Institution, Hong Kong Computer Emergency Response Team Coordination Centre, Hong Kong Computer Society Information Security Specialist Group, Information Systems Audit and Control Association HK Chapter, and Professional Information Security Association. It shows strong support from the industry for the development of information security in the region.

The Summit will consist of both technology and management streams running concurrently over the course of the two-day period. With the theme of "Management Challenges for Effective Information Security Governance", the Information Security Summit will provide attendees with the opportunity to participate in a forum delivering a diverse range of practical information security experiences from all over the world.


Opening Ceremony / Opening Address

Mr. K K Yeung, JP, Executive Director, Hong Kong Productivity Council (HK)

Mr. Alan Wong, JP, Government Chief Information Officer, The Government of the Hong Kong Special Administrative Region (HK)

Keynote Speakers

Dr. John Mitchell, Managing Director, LHS Business Control (UK)

John Mitchell is Managing Director of LHS Business Control, a consultancy founded by him in 1988 to specialise in corporate governance issues. Prior to starting the consultancy, he was Deputy Chief Internal Auditor at British Telecom, with special responsibility for the audit of Information Technology and Capital Expenditure. Before that, he was Computer Audit Manager at British Gas. Before moving into the information technology control sphere, he held senior data processing positions in the educational, local government and aeronautical industry fields.

Dr Mitchell is a recognised authority on corporate governance, risk management and IT security. He has presented papers on the subject to many international conferences. He is a Chartered Engineer, a Chartered IT Professional, a Certified Fraud Examiner, a Certified Information Systems Auditor, a Fellow of the Institute of Internal Auditors (UK) and a Fellow of the British Computer Society, where he is a past member of its governing Council and a current member of its Security Expert Panel. He is currently the editor of one journal dealing with control issues and is on the editorial panel of another. He has been featured in a major British computing publication as the IT Detective. He has nearly 30 years' practical control experience and an international reputation for advising organisations on their control strategy and associated methodologies. This is coupled with a strong academic background, which includes research, extensive publications and teaching at the post-graduate level. His doctorate in risk analysis techniques for audit planning was awarded by City University, London, England. His MBA in financial control was awarded, with distinction, by Middlesex University, England.

Mr. Tony Neate, Industry Liaison, National High-Tech Crime Unit (UK)

Tony Neate is a Detective with the South Wales Police, now seconded to the National Hi-Tech Crime Unit based in London. He has 26 years' service, of which 23 have been as a working Detective in the Cardiff area. In 1989 Tony moved to the Fraud Squad, where he has dealt with all aspects of Commercial Fraud. He was also responsible for all aspects of computer crime investigations within the South Wales Police area, including the recovery of computer-based evidence. During his 13 years in the Fraud Squad, Tony has dealt with a number of large-scale fraud investigations. He has experience in all types of fraud investigation, including major investment fraud, company fraud and large-scale credit card abuse, as well as public sector corruption and election fraud cases.

Since the mid-1990s Tony has been heavily involved in the investigation of Hi-Tech Crime. He has dealt with numerous computer-related offences including unauthorised access, cyber stalking, email abuse and paedophilia. Tony is the Secretary of the Association of Chief Police Officers (ACPO) Hi-Tech Crime Working Group, which was formed in 1996 to look at all aspects of computer-related crime on a national basis. He sits on a number of other groups including The Internet Crime Forum and The Digital Evidence Group. Tony regularly attends the National Police Staff College at Bramshill and, as an Associate Tutor, assists in the running of the National Computer Crime Investigation course and the Computer Based Evidence course. Tony also set up and ran a new Computer Examination and Investigation course specifically aimed at officers dealing with computer-based evidence. On 1st October 2001 Tony took up his position as Industry Liaison within the newly formed National Hi-Tech Crime Unit, based in London Docklands; the unit is the lynchpin in the United Kingdom's co-ordinated response to cyber-crime. Tony's role within the unit is to form a co-ordinated partnership with industry and to ease the flow of information between the private sector and law enforcement regarding Hi-Tech Crime.

Mr. Con Conway, Chairman, I.Tel Holdings Limited (HK)

Mr AFM Conway, better known as Mr Con Conway, has been Chairman of I.Tel Holdings Ltd, an investment holding company for IT related activities, since 1998. Con has been resident in Hong Kong for more than 40 years, and is well known in the information technology industry. Having worked on installing the first computer in Hong Kong, delivered to China Light & Power in 1963, as a key team-member of vendor NCR, Con was nicknamed by the press the "Father of Information Technology in Hong Kong". Con is a Fellow of the Hong Kong Institute of Directors, the Hong Kong Management Association, the British Computer Society, and the Hong Kong Institute of Engineers. He is also Vice President of the Olympic Committee Hong Kong SAR China and Honorary Life President of the Hong Kong Hockey Association. Prior to his present position, he was a director of New World Telephone and prior to this had been a director of Hongkong Telecom for 11 years. Before joining Hongkong Telecom, he had been Hong Kong chief executive of four computer firms, viz Honeywell Information Systems, Data General, Unisys and NCR.

Plenary Speakers

Mr. Robert A. Clyde, Vice President, Chief Technology Officer, Symantec Corporation (USA)

As chief technology officer, Rob Clyde sets the technology vision and strategy for Symantec, a billion-dollar software company and the global leader in information security. Specialized teams at Symantec such as Symantec Security Response - a dedicated group of security experts focused on the latest security threats - and Symantec Research Labs - a comprehensive assembly of scientists innovating the next generation of technologies - were founded under Clyde's direction. With more than 25 years of information security experience, Clyde is a recognized industry authority and is a pioneer in the development of intrusion detection and policy compliance products. Throughout his career, Clyde has worked with leading Fortune 500 companies and government agencies to implement sound and practical security policies and solutions. He was a member of the executive team that created AXENT Technologies, Inc., an early innovator in the information security market. Clyde served as vice president of engineering for security management, assisting in growing the company from $8M in 1994 to more than $125M in 2000. In 1980, Clyde was a founder of Clyde Digital Systems, a Utah-based enterprise security software company, before merging with Raxco Software eleven years later. Clyde Digital is credited with creating the first commercial intrusion detection system. Clyde is a founding board member of the IT industry's Information Sharing and Analysis Center (IT-ISAC) and currently serves as Treasurer on the Executive Committee. Clyde earned a bachelor of science degree in Computer Science from Brigham Young University, where he graduated magna cum laude.

Prof. Dennis Longley, Emeritus Professor, Queensland University of Technology (Australia)

Dennis Longley is Emeritus Professor of Queensland University of Technology, Brisbane. Formerly he was Dean of the Faculty of Information Technology, QUT, and more recently he was a Visiting Professor at the City University of Hong Kong. After graduating with an Honours degree in Physics from Manchester University (UK), he served as a commissioned officer in the Royal Air Force. Later he was an engineer in the aero-engine and nuclear power industries before entering academic life. He holds a Masters and a Doctorate degree and is a Fellow of the Institution of Electrical Engineers. His research and consultancy interests are information security and risk management.

In recent years he has consulted widely for banks, government departments and large organisations in Germany, Hong Kong and Australia; his clients include the Hong Kong Futures Exchange, Hong Kong Jockey Club, Sparkasse Informatik Zentrum, Rabobank, and the Queensland and New South Wales governments. He is the joint author of several books including Information Security Handbook and Dictionary of Information Security. In 1997 he was joint author of the paper that won the best paper award at the National Information Systems Security Conference in Washington D.C.


Speakers' Profile

Prof. Neil Barrett, Technical Director, IRM Plc (UK)

Neil Barrett studied Mathematics and Computer Science at Nottingham University, graduating in 1983. Just two years later, he gained a PhD and the university's research prize; York University appointed him as the UK's youngest lecturer in 1985. In 1988 he left academe and became a consultant, specialising in UNIX and computer security.

Neil has appeared in court as a computer expert in a great variety of cases, ranging from paedophilia through murder to computer hacking, and provides expert advice to lawyers and to police forces throughout the UK. He has also run penetration tests and security evaluations on a variety of government, military and financial computer systems, and he contributed to the UK government examination of computer crime and of fraud on the Internet. He has delivered graduate seminars on electronic commerce, computer crime, ethics, and information warfare at several universities. Additionally, Neil has been appointed as Visiting Professor of computer crime at RMCS Shrivenham, Cranfield University and as a Visiting Fellow of computer crime at Glamorgan University.

Mr. Ken Doughty, Former Chief Information Officer, TAB Limited (Australia)

Ken Doughty is the former Chief Information Officer for Tab Limited, one of Australia's wagering and gaming organisations. He has over 20 years' IS auditing and business continuity experience in both the public and private sectors. He has an Accounting Degree and a Graduate Diploma in Internal Auditing from the University of Technology, Sydney, Australia.

Ken lectures part-time at Macquarie University, Sydney, which is rated in the top 50 universities for the Masters of Accounting. He is highly sought after as a speaker at conferences and seminars. He has had a large number of papers published in leading auditing and business continuity journals in Australia and the United States. In September 2000 he had his first book published, Business Continuity: Protecting Your Organisation's Life, by Auerbach Publications (USA).

In 2002 he received ISACA's John Kuyers Best Speaker/Conference Contributor Award.

Mr. William Gee, Partner, PriceWaterhouseCoopers; VP, ISACA (HK Chapter) (HK)

William is a Partner in the Global Risk Management Solutions practice at PwC China, specialising in systems and process assurance services. William is a UK Chartered Accountant and has some 14 years of experience in the area of business and technology risk management. He has extensive experience in supporting clients operating in a wide range of industries, including banking and finance, insurance, consumer products, transportation, oil and gas, and information technology.

Since 2002, William has been working in China assisting clients to better manage the risks, controls and security issues relating to information technology. William is intimately familiar with international information security standards such as ISO 17799, and has been actively promoting their adoption. William is currently involved in promoting the adoption of XBRL (eXtensible Business Reporting Language) in China. He is also heavily involved in Sarbanes-Oxley related work for Chinese enterprises.

Mr. Ray Hunt, Associate Professor, Department of Computer Science and Software Engineering, University of Canterbury (NZ)

Ray Hunt is an Associate Professor specialising in Networks and Security in the Department of Computer Science and Software Engineering at the University of Canterbury, New Zealand. He has provided numerous training workshops in the area of network security throughout the Asia-Pacific region. He has also acted as a telecommunications and security consultant for a number of organisations in this region.

Ray has been involved with industry-based studies in the area of Wireless LAN performance and security and runs a laboratory, with support from Telecom NZ, in which a variety of performance and security experiments are carried out. The results of this work have recently been reported to the IEEE. He has also been involved with the offering of workshops in the Network Security and Wireless LAN area, and in 2003/2004 has provided training/education in Australia, Taiwan, Hong Kong, Singapore and Thailand.

Mr. Meng-Chow Kang, Chief Security & Privacy Advisor, Microsoft Asia Pacific (Singapore)

Meng-Chow is the regional Chief Security & Privacy Advisor for the Microsoft Asia Pacific and Greater China regions. Prior to joining Microsoft, Meng-Chow was Vice President and Regional Information Risk Officer of JPMorganChase for the Asia region, responsible for promulgating the Firm's IT Control Policies, and providing technical security and risk management awareness and advice for managing risks relating to the use of IT systems in the Firm.

Meng-Chow chairs the Singapore IT Security and Privacy Standards Technical Committee, was a member of the Asia PKI Interoperability Project Working Group in 2001, and more recently is a member of the newly formed ISO/IEC JTC1 Privacy Technology Study Group.

Meng-Chow received his MSc degree in Information Security from Royal Holloway and Bedford New College, University of London, has been a Certified Information Systems Auditor (CISA) since 1997, and a Certified Information Systems Security Professional (CISSP) since 1998.

Mr. Bremen Lee, IT Manager, Microsoft Hong Kong (HK)

With over 10 years of experience, Bremen Lee has served in various capacities in the IT and telecom industries. He has deep involvement and hands-on management in projects from all over Asia.

As IT manager of Microsoft, Bremen is responsible for all IT services and operations of the Hong Kong and Macau office. One of Bremen's challenges is to deploy Microsoft beta products without sacrificing customer satisfaction and service levels. In addition, serving as IT Head in Microsoft Hong Kong, Bremen leads the process that defines and delivers high-value IT solutions at both the business unit and enterprise level.

Prior to Microsoft, Bremen worked at AT&T as Regional Technical Manager and spent a couple of years in the US working for startup companies of various sizes.

Bremen holds a Master of IT Management degree from The Chinese University of Hong Kong and a bachelor's degree in Electrical and Electronics Engineering from The University of Hong Kong.

In his spare time, he is an outgoing individual eager for anything experimental in nature. He keeps himself busy with technology reading, golfing, playing baseball and meeting with great friends!

Mr. Andy Leung, Corporate SE Manager, PM Security, APAC, Juniper Networks, Inc. (HK)

Mr. Leung has over 14 years of experience in the IT industry, with extensive experience in providing consultancy services in Silicon Valley as well as in Asia Pacific.

Mr. Leung's previous role was Systems Engineering Manager for NetScreen APAC. Prior to joining Juniper Networks, Mr. Leung was the regional consultant for Sun Microsystems and subsequently IBM for Asia Pacific.

He is a CISSP and holds a bachelor of science degree and a master's degree in computer engineering from the University of Southern California.

Mr. David MacKay, Senior Manager, Enterprise Security Services Team, Atos Origin (Australia)

David Mackay is a Senior Manager working for the global IT services provider Atos Origin. David manages the Atos Origin Enterprise Security Services Team in Australia, which provides consulting, system integration and managed security services to manufacturing, utilities, and banking & finance clients across the Asia Pacific region. David has over 10 years' experience in the IT industry working in technical, consulting, management and business development roles. David is a Certified Information Systems Security Professional (CISSP).


Mr. Masatoshi Matsuzaki, General Manager, System Planning Department, IT Solution Division, Shimizu Corporation (Japan)

With a total of 30 years' security experience in the design of mission-critical facilities, Mr. Matsuzaki has a wide-ranging knowledge of all security issues. He is currently the General Manager of the System Planning Department, managing both R&D projects to develop security solutions and commercial projects to provide business solutions to clients. Mr. Matsuzaki is the team leader for implementing BS 7799 in the IT Solution Division.

Mr. Steve Orlowski, Former Chair, APEC eSecurity Task Group; Independent IT Security Consultant (Australia)

From 1997 to 2004 Steve was Chair of the APEC eSecurity Task Group, leading its work on the security of information and communications infrastructures and issues relating to cybercrime and the use of electronic authentication. He prepared the report Electronic Authentication - issues relating to its selection and use.

In 2000 Steve retired as Special Adviser IT Security Policy in the Information and Security Law Division of the Australian Attorney-General's Department. His duties focused on the development and implementation of national and international policies and strategies for the security of information systems, including Australia's National Information Infrastructure. He compiled the report Protecting Australia's National Information Infrastructure.

Steve has represented Australia at various committees of the OECD, APEC and the United Nations dealing with IT security and electronic commerce issues. He represents the Australian Internet Industry Association on a number of committees of the Standards Association of Australia dealing with IT security and electronic commerce issues.

In July 2004 Steve was awarded the designation Honorary Certified Information Systems Security Professional (CISSP) in recognition of his profound, positive impact on the information security profession through his work in the Australian Government sector, APEC and the OECD.

He is now an independent IT security consultant.

Mr. Thomas Parenty, Managing Director, Parenty Consulting (HK)

Thomas Parenty is Managing Director of Parenty Consulting Ltd (Hong Kong) and President of Parenty Consulting, LLC (USA). He has over twenty years of experience in the computer security and cryptography fields, including employment with the (U.S.) National Security Agency. He has designed and evaluated the information security protection of numerous national and global systems, including those for banking, electronic commerce, healthcare, and nuclear command and control. Parenty has designed security features in enterprise applications that are currently used by governments and businesses across the globe, and he is the inventor of a patent-pending Internet encryption system.

Mr. Parenty has testified numerous times before the (U.S.) Congress on encryption, national security, law enforcement, and global competitiveness. Harvard Business School Press published Parenty's book, Digital Defense: What You Should Know About Protecting Your Company's Assets, in September 2003. Parenty earned his M.S. in Computer Science from the University of Massachusetts, Amherst, and his B.A. in Philosophy from the College of the Holy Cross, Worcester, Massachusetts, both in the United States.

Mr. David Rhoades, Principal Consultant, Maven Security Consulting Inc. (USA)

David Rhoades is a principal consultant with Maven Security Consulting Inc. (www.mavensecurity.com). Maven Security Consulting Inc. is headquartered outside Washington DC and provides information security assessments and training.

David's expertise includes web application security, network security architectures, and vulnerability assessments for networks and telecommunication systems. Past customers have included domestic and international companies in various industries, as well as various US government agencies. David has been active in information security consulting since 1996, when he began his career with the computer security and telephony fraud group at Bell Communications Research (Bellcore).

David teaches domestically and internationally at various security conferences, and has taught for the SANS Institute (www.sans.org), the MIS Training Institute (www.misti.com), ISACA (www.isaca.org), USENIX (www.usenix.org), and the Sensecurity Institute (based in Singapore, www.sensecurity.org). David has a bachelor's degree in computer engineering from the Pennsylvania State University.

Dr. Frank Tong, Assistant Director, E-Business Technology Institute, The University of Hong Kong (HK)

Dr Frank Tong is the Assistant Director of the E-Business Technology Institute. He takes charge of the Wireless and RFID Application Laboratory in the Institute. His areas of interest include wireless security, RFID technologies, mobile computing in e-business applications, as well as web-based and grid computing technologies for service provision and integration. Frank works in the research and development of application-oriented technologies. He is keen on technology transfer and engagement with industries and end-users.

Mr. Mark Trudinger, Vice President Asia, SurfControl Plc. (Singapore)

Mark Trudinger has worked in the Internet filtering and security market since 1996. He has held positions as Director International Internet for Mattel Inc., and Director EMEA APAC for Microsystems Software.

He is currently Vice President Asia for SurfControl Plc.

He has spoken at a number of events around the world on Internet security and how to stop unwanted content.

Mr. Jaime Lyndon A. Yaneza, Senior Antivirus Consultant, TrendLabs, Trend Micro Inc. (Philippines)

Jaime Lyndon A. Yaneza, known as "Jamz" to his peers, is the Senior Antivirus Consultant for TrendLabs, Trend Micro Inc.'s network of research centers situated in key locations globally, with its research headquarters in Manila, Philippines.

Before taking up his current responsibility he was part of the pioneer core group tasked to provide real-time customer case solutions in 1998.

In 1999 he created one of the first all-girl teams tasked to monitor Internet malware activities as well as provide virus-related first-contact retail customer case inquiry and resolution. At the beginning of 2000 he formed an ad-hoc research group tasked to improve the heuristic macro detection in Trend Micro products as well as porting portions of the scan engine to alternative operating platforms. In 2001 he also handled the task of creating TrendLabs' first Antispam Team, which now processes phishing attacks, scams and shams, as well as hoaxes and commercial spam.

Jamz has been a resource speaker at different international conferences including EICAR, AVAR, CeBIT and Virus Bulletin. His various whitepapers and articles have been posted online as well as in print through the years and are usually geared toward end-users and decision makers. He is now involved in general content management services as well as developments in the core engine and feature testing of Trend Micro's product line, as well as serving as the official APAC spokesperson.


Workshop 1  10 November 2004 (Wed)  09:00 – 17:00  Sheraton Hong Kong, Tang I

Integrating CobiT with Other Governance Standards to Ensure Compliance
Speaker: Dr. John Mitchell

CobiT (Control Objectives for Information and related Technology) provides an open standard for the control of IT resources. The CobiT framework splits the supply of IT into 34 processes that cover the planning & organisation of IT, the acquisition & implementation of IT solutions, delivery and support of those solutions to the customer, and monitoring of the processes. However, despite the extensiveness of its coverage, CobiT suffers a significant drawback in that it does not have an accreditation programme. This is where standards such as ISO 17799 (Information Security Management), ISO 9126 (Software Development), BS 15000 (Service Delivery) and ITIL (Information Technology Infrastructure Library) have an apparent advantage. Most CIOs want to know how well they are doing, and an accreditation programme allows them to display that they are operating to an accepted standard. But which standard to use? Does one size fit all, or must the CIO mix and match? How can compliance be measured?

This workshop will examine the advantages and disadvantages of integrating the various standards under a CobiT umbrella by comparing and contrasting them from the points of view of development and service delivery. A mechanism for proving compliance will be proposed, based on the Capability Maturity Model (CMM) framework, which should not only meet the requirements of the various regulatory agencies, but also provide CIOs and CSOs with the information needed to effectively manage their IT resources.

Who Should Attend: Chief Information Officers, Chief Operating Officers, Chief Security Officers, MIS/IT Managers, Security Officers, IT/IS Auditors

Web Application Security
Speaker: Mr. David Rhoades

Workshop 2 10 November 2004 (Wed) 09:00 – 17:00 Sheraton Hong Kong, Tang II

From sign-on to sign-off, and everything in between, this course goes beyond typical web server configuration tips. We will show you how to test your web-based application for security flaws ranging from the subtle to the severe. Although there are numerous commercial and freeware tools to assist in locating network-level security vulnerabilities, these tools are incapable of locating application-level issues. This course will demonstrate how to identify security weaknesses for web-enabled services that could be exploited by remote users. With numerous real-world examples, this informative and entertaining course is based on fact and experience, not theory. The course material is presented in a step-by-step approach, and will apply to web portals, e-commerce, online banking, shopping, subscription-based services, or any web-enabled application. The key topics (with Live Demonstration) will include:

• Information Gathering Attacks - How hackers read between the lines to get a jump on your web site.

• User Sign-On Process - Many sites contain serious flaws that expose them to the threat of bad publicity and loss of customer confidence.

• User Sign-Off Process - Are users really signed off?

• Session Tracking

• OS & Web Server Weaknesses: Buffer overflows and Default material

• Encryption - Finding the weakest link.

• Authentication - Server, Session, Transactional

• Transaction-Level Issues

Who Should Attend: People who are auditing web application security, developing web applications, or managing the development of a web application

Auditing Project Management
Speaker: Mr. Ken Doughty

Workshop 3 13 November 2004 (Sat) 09:00 – 17:00 Sheraton Hong Kong, Ming I

There is a growing diversity within computing environments, ranging from mainframe, client/server and LANs to multi-tier. With each environment there are a number of system development methodologies that can be applied in the development of an organisation's strategic information technology system. However, there is one constant throughout this dynamic and changing environment - PROJECT MANAGEMENT. This 1-day workshop covers key project fundamentals, why projects fail and how to audit system development project management. In this workshop, you will:

• Learn project management tools and techniques

• Examine the steps required to audit system development project management.

• Learn risk analysis techniques to identify potential project risks and develop risk reduction techniques

• Assess practical experiences in using the audit methodology

• Receive an audit program for use in your organisation

Who Should Attend: Chief Information Officers, MIS/IT Managers, Project Managers, System and Software developers, IT/IS Auditors

Security in Wireless and Mobile Networks
Speaker: Mr. Ray Hunt

Workshop 4 13 November 2004 (Sat) 09:00 – 17:00 Sheraton Hong Kong, Ming II

The growth and development of wireless and mobile networks requires that careful consideration be given to the security issues of these networks. There are some important differences to be considered between the security architectures designed for fixed networks and those for wireless and mobile networks. This tutorial will cover a number of very pertinent topics of interest in the area of Wireless LAN and WAN security and examines some of the real security issues facing Wireless LAN and Wireless WAN network users. The tutorial commences by examining local and wide area lower layer wireless and mobile infrastructure, including the types of threats that they face. It then proceeds to examine the protocols and architecture that go to make up the security infrastructure for these wireless and mobile networks. The key tutorial topics will include:

• Wireless LANs: Architecture, Standards, (Inter)operability, Developments

• Cryptographic Tools for Wireless Network Security

• Security Architectures and Protocols in Wireless LANs

• Security Architectures and Protocols in 3G Mobile Networks

• Integration of Wireless LAN and 3G Wide Area Mobile Networks

• QoS Provisioning in IP Mobile Networks

• Security Testing and Evaluation Procedures

Who Should Attend: People involved in planning, building, operating and using wireless and mobile networks. Really anybody associated with use of Wireless LANs and Mobile IP networks. The workshop will be appropriate for anybody who has a basic knowledge of security and networks in general, and who wants to know and understand more of the key issues and new developments. A basic knowledge of wireless network architecture and basic familiarity with network security is assumed.

Workshops: 10 & 13 November 2004 (Wed & Sat)


Registration

❑ Information we collected about you will be used by the organizers and sponsors in future in sending out information about their services and events. If you do not wish to receive such messages, please check this box so that we can stop sending you messages in future.


Grand Ballroom, Sheraton Hotel, 20 Nathan Road, Tsim Sha Tsui, Kowloon

For enquiry, please contact us: Email: [email protected] Tel: (852) 2788 5669 Fax: (852) 2788 5860 www.issummit.org

Supporting Organizations

Please send this form to Information Security Summit 2004, 2/F, HKPC Building, 78 Tat Chee Avenue, Kowloon, Hong Kong (Attn: Ms. Mary Chan)

or fax to (852) 2788 5860

Participation Fee for 2-day Summit and Workshop (including Luncheons) Please check ✔ in ❑ below

✽ Early Bird before 28 October 2004

Fee columns, in order: Summit Only / 1 x Workshop Only / 2 x Workshop Only / Summit + 1 x Workshop / Summit + 2 x Workshop

Member Organizations, Normal Fee: ❑ HK$2,650 ❑ HK$1,750 ❑ HK$3,300 ❑ HK$4,250 ❑ HK$5,650

Member Organizations, Early Bird ✽: ❑ HK$2,500 ❑ HK$1,650 ❑ HK$3,150 ❑ HK$4,000 ❑ HK$5,350

Non Member, Normal Fee: ❑ HK$2,950 ❑ HK$1,950 ❑ HK$3,700 ❑ HK$4,700 ❑ HK$6,250

Non Member, Early Bird ✽: ❑ HK$2,650 ❑ HK$1,750 ❑ HK$3,300 ❑ HK$4,250 ❑ HK$5,650

Corporation~ (5 or more members, per attendee), Normal Fee: ❑ HK$2,400 ❑ HK$1,600 ❑ HK$3,050 ❑ HK$3,850 ❑ HK$5,150

Corporation~ (5 or more members, per attendee), Early Bird ✽: ❑ HK$2,250 ❑ HK$1,500 ❑ HK$2,850 ❑ HK$3,600 ❑ HK$4,750

CPE Hours: A number of supporting organisations have indicated that recognition credits will be awarded for attendance and participation at the Information Security Summit. Please check with your local organisation for the level of credits you will be entitled to receive.

Yes! I would like to register for the Information Security Summit 2004

Name: Title:

Company / Organization:

Phone: Fax: Email:

Address:

Payment Method:

❑ By Cheque: Cheque No # (Please enclose cheque made payable to “Hong Kong Productivity Council”)

❑ By Credit Card: ❑ Visa ❑ Master

Card Holder: Card No.:

Expiry Date (MM/YY): / Amount: HK$

Signature: Date:

Office of the Government Chief Information Officer

Commerce, Industry and Technology Bureau