Jason W. Allred has over 15 years of experience in IT governance, risk management, compliance, audit, and security. He currently works as an Information Technology Security and Compliance Analyst at Cash America International, where he leads internal and external audits, manages the IT risk program, designs compliance assessments, and updates policies. Prior to this, he held roles as an IT Auditor, Security and Compliance Analyst, and IT Consulting Supervisor, where he performed audits, risk assessments, security monitoring and reporting, and developed policies and programs to ensure regulatory compliance.
The NIST Cybersecurity Framework is a voluntary framework to support the emerging need for robust and effective cyber security practices across an enterprise. This presentation recaps the Framework six months into implementation, along with the changes made since. It also discusses the capabilities of TrustedAgent GRC to accelerate and strengthen the implementation of an effective cybersecurity program by automating or addressing many of the practices required by the framework.
The Consensus Audit Guidelines (CAG) provide critical U.S. Federal government infrastructures with a proactive cyber-security framework to prioritize critical IT security concerns. The goal of applying CAG is not simply to become compliant with regulations, but rather to provide a template for making security best practices an integral part of system design and operation so that Federal agencies can ensure their systems are capable of withstanding the more frequent and in-depth attacks found in an increasingly complex threat landscape. This compliance guide will provide readers with an overview of the requirements as well as suggested steps in achieving CAG compliance.
Six Keys to Securing Critical Infrastructure and NERC Compliance - Lumension
With the computer systems and networks of electric, natural gas, and water distribution systems now connected to the Internet, the nation’s critical infrastructure is more vulnerable to attack. A recent Wall Street Journal article stated that many utility IT environments have already been breached by spies, terrorists, and hostile countries, often leaving bits of code behind that could be used against critical infrastructure during times of hostility. The U.S. Cyber Consequence Unit declared that the cost of such an attack could be substantial: “It is estimated that the destruction from a single wave of cyber attacks on U.S. critical infrastructures could exceed $700 billion USD - the equivalent of 50 major hurricanes hitting U.S. soil at once.”
Vulnerability and exposure of utilities’ critical infrastructures originate in the Supervisory Control and Data Acquisition (SCADA) and Distribution Automation (DA) systems that communicate with and control devices on utility grids and distribution systems. Many of these systems have been in operation for years (sometimes for decades) and were not designed with security in mind. Regulatory bodies have recognized the many security issues facing critical infrastructure and have begun to establish and enforce requirements in an attempt to shore up potential exposures. One such regulation is NERC CIP, which includes eight reliability standards consisting of 160 requirements for electric and power companies to address. As of July 1, 2010, these companies must be “auditably compliant” or else they risk a $1 million per day fine per CIP violation.
In this roundtable discussion, we will highlight:
• The security challenges facing utilities today
• The six critical elements to achieving economical NERC CIP compliance
• How utilities can secure critical infrastructure in today’s networked environment
Sample IT Best Practices Audit report.
An objective, self-service tool for CIOs by CIOs.
Identify and prioritize issues.
Solve the root causes.
Justify Investments.
Improve user productivity.
Maximize existing assets.
Reduce IT costs.
Improve IT service.
Reallocate IT resources to drive the business.
Introduction to NIST’s Risk Management Framework (RMF) - Donald E. Hester
This introductory session will cover the basic steps of the Risk Management Framework (RMF) and the transition away from the previous Certification and Accreditation approach to information systems security and assurance. This will also cover the benefits of the RMF for organizations, local, state, and federal governments.
Tripwire has released results from an extensive study focused on the state of risk-based security management with the Ponemon Institute.
The study examined the disconnect between an organization’s commitment to risk-based security management and its ability to develop the collaboration, communication styles and culture necessary for effective security programs across the organization.
The study respondents included 749 U.S. and 571 U.K. professionals in the following areas: IT security, IT operations, IT risk management, business operations, compliance/internal audit and enterprise risk management.
“Risk-based security is an extremely complex problem where predictability and outcomes are constantly changing,” said Dr. Larry Ponemon, chairman and founder of the Ponemon Institute.
“This means that even the most secure and sophisticated organizations experience risk because there are too many variables in play. Effective communication and collaboration across the organization are crucial in mitigating this risk.”
The full report can be found here: http://www.tripwire.com/register/the-state-of-risk-based-security-2013-full-report/
Basics in IT Audit and Application Control Testing - Dinesh O Bareja
IT Audit and Application Control Testing are large and complex activities in themselves, and it is my presentation to share the basics here, based on my own experience and using guidance from IIA GTAGs.
Jonathan Pollet and Mark Heard of Red Tiger Security at S4x15 OTDay.
The NIST Cybersecurity Framework (CSF) has been out for a year now, and some owner/operators have begun to use it to help create an ICS cyber security program. The Red Tiger Security team discusses what the CSF is and their experience in using it with real-world clients.
Industrial Cyber Security: What You Don't Know Might Hurt You (And Others...) - Tripwire
Cyber security experts David Meltzer, Chief Research Officer at Tripwire; Tony Gore, CEO at Red Trident Inc.; and John Powell, Senior Critical Infrastructure Engineer at Red Trident Inc., discuss the practical 1-2-3 basics of industrial cyber security and how to get started automating asset management. Attendees will also learn how to build an effective strategy for protecting industrial assets – networks, endpoints and controllers.
Key Takeaways:
· Learn how to automate and simplify the inventory process and secure your assets
· Understand what cyber security standards may apply to your unique environment
· Hear real-world tips on how to prioritize and work across functional silos within your company
· Receive an industrial cyber security assessment checklist to help gauge your starting point
190 compliance, risk, and control specialists participated in our class on cyber compliance at the IE Law School. I presented good practices and tips for complying with regulations involving data security, computer crime, corporate defense, IT and compliance controls, and sector-specific requirements.
While C2M2 is not the love child of C3PO and R2D2 (sorry), the Cybersecurity Capability Maturity Model (C2M2) program under the U.S. Department of Energy's (DOE) Office of Electricity Delivery and Energy Reliability (OE) is helping to enhance the security and resilience of the United States’ critical infrastructure.
Understanding this course helps you form an idea of how the audit assessment is performed and where the focus lies. General controls take up a large percentage of the entire audit function and should be paid adequate attention during the session.
Medical device security presentation - Frank Siepmann
Since I am not presenting (due to personal reasons) at the Medical Device Security conference on 25/26 July 2016 in Arlington, VA, I thought I would post my slides about the current problems with medical device security, what can be done on a tactical level, and what is needed at a strategic level.
Nana-Dictta’s work takes a warm-hearted approach to art that brings the glorious images of everyday materials to life. In “the Green” she incorporates recycling awareness and arts education within her masterpieces, teaching the message behind the art.
Vertical in CISA certification and the Five Domains in CISA - arjunnegi34
CISA certification validates expertise in auditing, controlling, and assuring IT systems. Its five domains cover auditing, governance, risk management, information security, and control assurance, ensuring comprehensive knowledge.
JASON W. ALLRED
6313 SEAL COVE, FORT WORTH, TX 76179, (817) 938-3298, JASON.W.ALLRED@GMAIL.COM
SUMMARY
A consummate leader in all areas of IT governance, risk, compliance, audit and security with a demonstrated ability to clearly identify, design and implement policies, standards, procedures and best practices promoting regulatory compliance (PCI, GLBA, S-Ox, MLA, ECOA, FCRA, CFPB, FISMA, DCAA, etc.) utilizing standard frameworks (COBIT, ITIL, PCI-DSS, etc.)
WORK EXPERIENCE
JUNE 2011 – PRESENT Cash America International Fort Worth, TX
INFORMATION TECHNOLOGY SECURITY & COMPLIANCE ANALYST II
Lead and manage internal and external IT audits (S-Ox, PCI, MLA, GLBA, ECOA, FCRA and CFPB) by coordinating risk/control matrix updates, receiving audit requests, obtaining and validating all audit evidence, hosting walkthrough meetings with stakeholders, and communicating audit updates to IT and business management
Develop, implement, and manage the IT risk management program, inclusive of chartering and chairing the IT Governance-Risk-Compliance (GRC) Committee
Design, execute, and manage internal IT compliance assessments against medium and high risk processes and controls to measure operating effectiveness
Track and monitor all audit and compliance deficiencies through remediation in matrix-driven processes
Update existing IT policies and procedures and aid in the development of new IT policies and procedures
Lead the implementation and management of the NetIQ Access Governance Suite identity and access management solution
Manage annual application and system user attestation reviews for all financially significant applications, servers, and databases
Contribute to the ongoing operation and compliance of the IT change management, release management, and configuration management practices as a backup to the primary manager of those functions
Liaise with all IT teams to process and manage exceptions to policies as needed
Lead the team on all corporate compliance work efforts and projects with an information technology involvement and/or impact
OCTOBER 2010 – MAY 2011 Contineo Fort Worth, TX
INFORMATION TECHNOLOGY AUDITOR / CONSULTANT
Executed GLBA information technology audits for financial institution clients encompassing review of policy, procedure and practice in the areas of risk management, information security, software acquisition and development, strategic planning, vendor oversight, disaster recovery, and business continuity
Performed and interpreted internal and external network vulnerability assessments using vulnerability assessment testing tools including SAINT, Nessus, and GFI LANGuard
Conducted social engineering activities against financial institution clients, including dumpster diving, pretext calling, and phishing, all in an attempt to test how well employees are trained on security policies and procedures
Consulted with financial institutions to craft and implement information technology policies, standards, and procedures for their institutions reflective of their operating practices
Analyzed and documented information flow processes covering points of entry, storage, transfer, use, and destruction for financial institution clients, followed by assessing compliance, reputation, financial, and technological risk associated with those processes
Aided financial institution clients with strategic information systems planning by performing current use and needs assessments, identifying inefficiencies with the existing environment, and making recommendations for improvement for increased return on investment
JULY 2008 – SEPTEMBER 2010 Cash America International Fort Worth, TX
SENIOR INTERNAL INFORMATION TECHNOLOGY AUDITOR
Aided in the execution of risk assessments and development of risk-based control frameworks to ensure the integrity of data processing in revenue-generating information technology resources to reduce the likelihood of material financial misstatements
Developed and executed audit procedures inspired by risk and control matrices to test the design and operating effectiveness of implemented information technology controls in pursuit of compliance with Sarbanes Oxley requirements, Payment Card Industry requirements, etc.
Coordinated the timely remediation of control deficiencies detected through internal information technology audit testing
Authored reports of findings reflecting audit results and recommendations for improvements in daily operations in pursuit of a more mature compliance posture
Presented report findings to executive management, audit committee, and board of directors
SEPTEMBER 2007 – JULY 2008 DynCorp International Fort Worth, TX
INFORMATION TECHNOLOGY SECURITY & COMPLIANCE ANALYST
Assisted in the design, writing, and implementation of the IT change management policy, standards, and procedures for all production applications, databases and infrastructure
Managed weekly change management oversight committee meetings by presenting all of the routine change requests submitted for consideration and approval by committee members, in addition to facilitating the post mortem discussion of emergency changes implemented in the prior week
Implemented and managed the Ecora Auditor Professional application purchased by the company to facilitate effective day-to-day IT configuration management, system audit, and change monitoring of all production applications, databases and supporting infrastructure
Analyzed security logs from applications, operating systems, databases, routers, and firewalls for potential security violations based on established thresholds and benchmarks
Participated in internal and external information technology audits alongside Big Four audit firms to identify risks associated with IT resources and processes in an effort to ascertain first-year compliance with Sarbanes Oxley Section 404
Coordinated the design and implementation of COBIT-based IT controls to bring technology operations into compliance with Sarbanes Oxley Section 404 to pass external audit
Managed quarterly recertification of production network operating system, application, and database users and followed up with the removal of unauthorized and non-compliant users
Implemented and administered enterprise IT auditing software to collect application and security event logs from in-scope IT resources and generate aggregate security reporting for review
JUNE 2004 – SEPTEMBER 2007 Credit Union Resources, Inc. Farmers Branch, TX
INFORMATION TECHNOLOGY CONSULTING SUPERVISOR
Performed information security risk assessments and technical network audits for over 75 credit unions per mandates set forth in Sarbanes Oxley, Gramm Leach Bliley, NCUA, and other federal regulations
Authored information security policies and programs for credit union clients
Created and implemented a monthly security monitoring and reporting program entailing operating system, application, and database log aggregation analysis for credit union clients
Managed and executed custom information technology projects including network implementations and data migration
Developed new information security and compliance programs to increase departmental revenue
Designed and presented information security and compliance seminars at industry trade shows and conferences with audiences ranging from 50 to over 1000 attendees
Managed three other Information Technology Consultants that were direct reports
CERTIFICATIONS
ISACA – Certified in Risk and Information Systems Control (CRISC)
ISACA – Certified Information Systems Auditor (CISA)
ITIL v3 (2011) – Foundation Certificate in IT Service Management
ITIL v3 (2011) – Intermediate Certificate in Planning, Protection, and Optimization
ITIL v3 (2011) – Intermediate Certificate in Release, Control, and Validation
ITIL v3 (2011) – Intermediate Certificate in Service Operations
EDUCATION
2005 – 2009 Tarleton State University Stephenville, TX
M.B.A. BUSINESS ADMINISTRATION
1998 – 2002 Embry Riddle Aeronautical University Daytona Beach, FL
B.S. MANAGEMENT OF TECHNICAL OPERATIONS