Prepared / Tested / Compliant: The Modern Incident Response Strategy

By Information Systems Security Association LA-ISSALA

Overview

Network, eat and hear two great talks.

Come and network with your friends, make new friends, and hear two great talks. There will be a buffet dinner and dessert.


Meeting location will be announced soon.


Topic One: Prepared / Tested / Compliant: The Modern Incident Response Strategy


In today’s threat landscape, a structured Incident Response Plan (IRP) is not just a compliance checkbox—it’s a cornerstone of organizational resilience. We’ll explore the critical role of IR planning in safeguarding your data and meeting regulatory obligations under the NIST 800-171 framework. You’ll gain a high-level view of IRP components, including preparation, detection, containment, recovery, and post-incident analysis. We’ll also discuss the importance of tabletop exercises as a practical method to validate the IRP, uncover gaps, and strengthen coordination between departments. Hear how to integrate compliance requirements with operational readiness, ensuring a calm, rapid, and effective response to cyber incidents.


Speaker One: Eddie Darmawan

Since 1997, Eddie has combined his passion for technology with his belief that small and mid-sized businesses are the backbone of America. His career has spanned pivotal moments in technology—from helping migrate Los Angeles courthouses during Y2K, to weathering the dot-com bubble with one of the first free internet service providers (ISPs), to supporting a national bank through the financial crisis.

Through D1 Defend, an IT managed security service provider based in Ontario, California, Eddie helps businesses simplify the complexities of IT and Cybersecurity. Eddie serves on the Board of Putera Indonesia Sejahtera, a nonprofit in Jakarta, Indonesia, dedicated to creating educational opportunities for underserved communities.


Topic Two: Navigating the Global GRC Tsunami and the New Reality of AI Governance in 2026


The GRC landscape is no longer driven by voluntary standards; it is now being defined by mandatory, prescriptive regulations (DORA, NIS2, SEC Rules) that prioritize operational resilience and board-level accountability. Simultaneously, the rapid deployment of Generative AI is creating profound, unmanaged risks that traditional GRC frameworks are ill-equipped to handle. This session will provide cybersecurity professionals with an actionable blueprint for integrating operational resilience into their core GRC structure and establishing measurable, future-proof AI governance models for 2026 and beyond.

Key Learning Objectives & Discussion Points:

  1. From Compliance to Resilience: Understanding the shift mandated by regulations like the EU's Digital Operational Resilience Act (DORA) and NIS2, and how to prove operational continuity to regulators, rather than just checking boxes.
  2. AI Governance as the Next GRC Frontier: How to implement organizational controls (NIST AI RMF, EU AI Act principles) over the use, development, and data security risks associated with internal and third-party Agentic AI and Large Language Models (LLMs).
  3. Accountability and Auditability: Strategies for quantifying AI risk (Model Risk Management) and establishing audit trails that satisfy regulators regarding the responsible use of high-risk AI systems.
  4. The New Boardroom Mandate: Reviewing the impact of the US SEC Cybersecurity Disclosure Rules and CISA's CIRCIA on C-suite liability and mandatory incident reporting timelines, and what GRC teams must prepare for immediately.
  5. Scaling GRC with Automation: Practical examples of leveraging integrated GRC platforms to harmonize controls across multiple frameworks (e.g., ISO 27001:2022, SOC 2, HIPAA) to meet the dramatically increased volume of global regulatory requirements.


Speaker Two: Alfred Ayala

Alfred is currently the GRC Chief at Longship International. He has created innovative, defensible, and purpose-engineered programs to protect banking, financial, technology, as well as the data infrastructures for $70M start-ups to $2.5T Fortune 100 businesses.

His previous roles include Global Privacy Risk Compliance Manager for Meta, Chief Compliance Officer, SVP of Nano Banc, and Senior Compliance Officer, VP at MUFG. He holds CISM, CAMLS, CFLI, NMLS, and CIPP/US certifications. Alfred serves on many Boards, including EBPA and CSU-San Bernardino.


CPEs: There will be 2 CPE credits for the meeting.


Because ISSA Los Angeles makes commitments to our facilities well in advance of each event, we regret that we cannot offer any refunds or credits within 72 hours of any of our events. If you cannot attend an event, you can send someone in your place as long as they have your written permission.


Disclaimer: ISSA-LA reserves the right to alter or delete items from the program in the event of unforeseen circumstances. Material has been prepared for the professional development of ISSA-LA members and others in the IT audit, control, security, and governance community. Neither the presenters nor ISSA-LA can warrant that the use of material presented will be adequate to discharge the legal or professional liability of the members in the conduct of their practices.

All materials used in the preparation and delivery of presentations on behalf of ISSA-LA are original materials created by the speakers, or otherwise are materials which the speakers have all rights and authority to use and/or reproduce in connection with such presentation and to grant the rights to ISSA-LA as set forth in the speaker agreement. Subject to the rights granted in the speaker agreement, all applicable copyrights, trade secrets, and other intellectual property rights in the materials are and remain with the speakers. Please note: unauthorized recording, in any form, of presentations and workshops is prohibited.

Permission to be Photographed: By attending this event, the registrant grants permission to be photographed during the event. The resultant photographs may be used by ISSA-LA for future promotion of ISSA-LA’s educational events on ISSA-LA’s web site and/or in printed promotional materials, and by attending this event, the registrant consents to any such use. The registrant understands any use of the photographs will be without remuneration. The registrant also waives any right to inspect or approve the aforementioned use of any photographs now or in the future.

Category: Science & Tech, High Tech

Good to know

Highlights

  • 3 hours 30 minutes
  • In person

Refund Policy

Refunds up to 3 days before event

Location

TBD

Los Angeles, CA 91608

Early bird discount
$10 – $60.54
Feb 18 · 5:30 PM PST