North America CACS Presentations and Descriptions

Track 1—Big Data, Data Analytics & Visualization

111–Prepare for the Future of Internal Audit

Josh Smith
Deloitte

Digital Internal Audit, a term that encompasses more of a mindset than the technologies it represents, is at the tipping point of adoption. This session will explore how advancements in robotic process automation and cognitive computing will impact the internal audit profession and what you can do to prepare for the change.

After completing this session, you will be able to:

  • Describe how Internal Audit is expected to evolve
  • Understand the audit methodologies that will most likely support future IA departments
  • Build towards a function that supports the Insight-Driven Auditor

121–Additional Information Coming Soon!

131–Machine Learning for Auditors - An Overview

Andrew Clark
Principal Machine Learning Auditor
Capital One

Machine learning is permeating our world. As it gains wider adoption, what does it mean for assurance professionals? This session will help you cut through the buzzwords and discover how machine learning can be leveraged in audit and compliance.

After completing this session, you will be able to:

  • Understand the two groups of algorithms
  • Understand machine learning use cases
  • Describe use cases in assurance and compliance
  • Know where to learn more about machine learning

141–Contemporary Data Analytics Approaches

Yusuf Moolla
Director
Risk Insights

This session covers supporting Directors in discharging their duties, balancing performance and conformance; the use of data analytics (DA) beyond traditional conformance/compliance approaches to provide business-focused performance insights; and a Data Analytics demo using open source tools.

After completing this session, you will be able to:

  • Identify performance focused analytics
  • Work with an open source analytics tool
  • Work with unstructured text data (e.g. CRM data)
  • Apply advanced techniques (e.g. Machine learning)

211–Innovating Audits with Data Analytics

Luis Jugo, CISA
Internal Auditor
Inter-American Development Bank

Participants will learn how to create a data analytics strategy in an internal audit function to innovate audit and advisory services, improve client collaboration and communication, and enhance internal audit’s value in the organization.

After completing this session, you will be able to:

  • Define and implement a Data Analytics Strategy
  • Innovate audit and advisory deliverables
  • Improve audit effectiveness and assurance levels
  • Increase data analytics skills in their offices

221–Building Skynet for Audit & Risk Management

Anand Jangid, CISA
Quadrisk Advisor Pvt, Ltd

The talk focuses on key use cases where Big Data Analytics & Machine Learning can be used by Risk Management and Audit groups, sharing 12 use cases of how unstructured data can be used along with Machine Learning.

After completing this session, you will be able to:

  • Know Big Data Analytics & Machine Learning (BAM)
  • Know how to use BAM in their organization
  • Learn use cases of applying BAM
  • Learn the challenges of using BAM

231–21st Century Compliance: Continuous Audit

K.C. Fike, CISA
The Cadence Group

There is no doubt that Continuous Auditing is a huge asset to IA and Compliance functions, but, if you have limited resources, how do you start? I'll lay out some areas you can target and how to effectively interact with IT to get the data you need.

After completing this session, you will be able to:

  • Speak with IT intelligently regarding databases
  • Have insight to write queries/stored procedures
  • Apply analytics to the audit process
  • Utilize various data visualization techniques

241–Data Visualization: Telling the Right Story

Simon Castonguay, CISA
Willis Towers Watson

Jack Martin, CISA
Client Relationship Director
KPMG

Visualization has been shown scientifically to make it easier to solve problems and to make better decisions. This presentation will cover best and worst practices as they pertain to data visualization and provide numerous examples to the audience.

After completing this session, you will be able to:

  • Understand how to build effective visuals
  • Convey the right messages using effective graphs
  • Use the right visual for the right audience
  • Get data and analytics to tell compelling stories

251–IA Analytics PwC & Microsoft

Kenneth Kozakura
Manager
PricewaterhouseCoopers

Pooja Sunda
Microsoft

This session explores strategies that IA can utilize to gain sponsorship, ensure usability, and minimize cost in building an analytic function. It will explore the story of Microsoft IA through a case study and an interactive demo.

After completing this session, you will be able to:

  • Describe the skillsets required for data analytics
  • Understand analytic governance challenges
  • Describe data analytic technologies in the market
  • Understand vendor vetting and selection

311–Additional Information Coming Soon!

Track 2—IT Operations for Auditors

112–Encryption: Lower Risk, Increase Compliance

Uday Pabrai (2017 Top-Rated Speaker)
CEO
Ecfirst

Encrypt, encrypt, encrypt! Encryption protocols, key strengths, choices across mobile devices, e-mail and more may all seem confusing and overwhelming. Understand how to simplify the use of encryption in your organization, and do so consistently.

After completing this session, you will be able to:

  • Examine encryption mandates
  • Review specific areas lowering enterprise risk
  • Step through core elements with encryption
  • Understand how to simplify the use of encryption

122–Understanding & Preparing for Emerging Risk

Adam Leigh, CISA, CISM, CGEIT, CRISC
Manager, IT Risk Governance
MetLife

Emerging IT Risks can be scary, so scary that sometimes a company's reaction to the risk is worse than the risk itself. The key to managing the unknown is to understand what has come before and what it tells us about what is still yet to come.

After completing this session, you will be able to:

  • Articulate what an Emerging IT Risk is
  • Understand previous disruptive technologies
  • Categorize upcoming emerging risks
  • Explain how to prepare for today’s emerging risk

132–Cloud Security Controls Revealed

Jeffrey Roth, CISA, CGEIT
Regional Director
NCC Group

This session will dive deep into the technical controls found in AWS IaaS and PaaS and typical SaaS solutions. Specifically, this session will walk through Access Control, Data and Object security, and Identification and Authorization services.

After completing this session, you will be able to:

  • Understand standard cloud services architectures
  • Understand internal/external accounts controls
  • Understand object and data security capabilities
  • Understand identification & authorization services

142–Active Directory for Auditors

Andrew Clark
Principal Machine Learning Auditor
Capital One

Active Directory is audited loosely during SOX and ITGC audits; however, it is misunderstood and often audited ineffectively and inefficiently. This presentation will provide an overview of Active Directory design and guidelines for auditing it.

After completing this session, you will be able to:

  • Understand Active Directory in broad strokes
  • Understand different forest designs
  • Understand how to use PowerShell to audit AD
  • Understand how an AD audit database can be created

212–Build and Understand Tabletop Exercise

Ken Shaurette, CISA, CISM, CRISC
Director IT Services
FIPCO

At least annually the Business Continuity Plan must be tested. Objectives include providing an opportunity for management and staff to review the purpose and contents of the Business Continuity and Disaster Recovery Plan.

After completing this session, you will be able to:

  • Understand the important components of building a tabletop exercise
  • Understand different types of BCP/DR tests
  • Explain why tabletops are important
  • Audit a tabletop exercise for key deliverables

222–AWS Security Controls, Hardening the Cloud

Mario Navarro Palos, CISA, CISM
Information Security Officer
Portland State University

One of the top issues in cloud computing services is security. In this session, we will cover some of the areas and AWS security aspects needed to secure cloud environments.

After completing this session, you will be able to:

  • Learn about cloud related risks
  • Identify "MUST HAVE" security controls (Cloud)
  • Learn about security of AWS
  • Know about securing services and cloud tools

232–Auditor’s Guide to a Penetration Test

Herbert McMorris, CISA, CISM, CGEIT, CRISC
Information Security Analyst

Penetration testing identifies flaws in a security program including technical, process, and personnel failures. But what should the auditor or risk manager do with the results? This session discusses what the auditor and risk manager need to know.

After completing this session, you will be able to:

  • Define the different types of penetration tests
  • Discuss why penetration testing is needed
  • Understand the penetration test report
  • Explain how resolution and mitigation should be verified

242–Assessing for Physical Security

William Crowe, CISA, CISM, CRISC
IT Security Manager
Citizens Property Insurance Corp

Physical security is the protection of personnel, hardware, software, networks and data from physical actions that could cause loss or damage to your assets. Performing an assessment identifies the gaps that, when remediated, protect those assets.

After completing this session, you will be able to:

  • Describe the defense model of physical security
  • Determine an asset's classification rating
  • Define how IoT affects physical security efforts
  • Define the assessment process of physical security

252–Security Monitoring & Incident Response

Sushila Nair, CISA, CISM, CRISC
Security Specialist
NTT Security

Effective critical incident response (CIR) is a fundamental component of minimizing loss and destruction, mitigating weaknesses and building resilience. This session covers detecting security incidents using monitoring and responding effectively.

After completing this session, you will be able to:

  • Security threat detection models
  • Components of effective security monitoring
  • Tools for incident investigation & response
  • Best practices for critical incident response (CIR)

312–Avoid Incident Response Pitfalls

James Meyer, CISM, CRISC
Senior Security Consultant
Sayers

Derek Milroy, CISA, CRISC
Security Architect
US Cellular

James Bothe
Director of Operations
Coordinated Response

Lessons learned from publicly available security incidents are reviewed, including those at the New York Times, Penn State School of Engineering and the US Commerce Department Economic Development Administration. A response framework is introduced.

After completing this session, you will be able to:

  • Improve their incident response program
  • Identify gaps in their response program
  • Engage management on incident impact risks
  • Conduct a tabletop exercise of the response plan

Track 3—Risk Management

113–Risk Assessments and Risk Management

Lisa Young, CISA, CISM (2017 Top-Rated Speaker)
Vice President
Axio Global

To identify the risks most relevant to an organization there needs to be a robust, repeatable, streamlined risk assessment process that can be used by staff who may not have formal training in risk management.

After completing this session, you will be able to:

  • Apply risk identification and analysis techniques
  • Understand the importance of impact thresholds
  • Differentiate between risk and audit mindset
  • Learn how standard impact criteria assist prioritization

123–Art of Performing Risk Assessments

Uday Pabrai (2017 Top-Rated Speaker)
CEO
Ecfirst

Compliance mandates & information security standards always require that a risk analysis exercise be performed on a regular schedule. This brief describes the remediation actions that must be performed to mitigate risk to the enterprise.

After completing this session, you will be able to:

  • Step through compliance mandates
  • Examine core components for a risk assessment
  • Integrate a vulnerability assessment within scope
  • Walk through a sample risk assessment report

133–Hidden Traps in Third-Party Risk Management

Baan Alsinawi, CISM, CRISC
CEO & President
TalaTek, LLC

Adriaen Morse

Most organizations must manage the risks inherent in employing third-party vendors. How can you work with your compliance & legal team to address such risks? What are the challenges? Do you have proper contract terms in place? Explore best practices.

After completing this session, you will be able to:

  • Understand all 3rd party vendor risks
  • Integrate 3rd party management into a risk program
  • Collaborate with legal & compliance to manage risk
  • Improve information assurance with 3rd party vendors

143–Overview of Blockchain Technology

Varun Ebenezer, CISA
VP & Senior Audit Manager
BMO Harris

What exactly is blockchain? What’s all the fuss about? Varun will be providing an overview of this evolving technological space to provide clarity, insights, and hopefully some demystification.

After completing this session, you will be able to:

  • Gain a fundamental understanding of blockchain
  • Describe the disruption the technology is causing
  • Understand the risks associated with blockchain
  • Ask the right questions of their CIOs and CTOs

213–Prepare for Blockchain Disruption

Anthony Chalker, CISA
Managing Director
Protiviti

Blockchain technology is founded on the basics of cryptography and has been used for years as the underpinning of Bitcoin and other cryptocurrencies. While it has obvious applications in the Financial Services industry for payments, Blockchain is a way of rethinking how we gain trust in transactions and documents of all kinds, from “smart contracts” to proxy votes. The system does not come without risk or pitfalls, such as a massive increase in computing power needs, vulnerabilities to cyber-attack, and a general lack of understanding or regulation.

After completing this session, you will be able to:

  • Understand the concept of blockchain
  • Articulate the impact to different industries
  • Outline the impact to the organization’s risk environment
  • Describe how this changes the company’s internal control structure

223–BIA: The Root of Security & Recovery Plans

Herbert McMorris, CISA, CISM, CGEIT, CRISC
Information Security Analyst

The Business Impact Analysis (BIA) is the root of security, risk & recovery programs, yet it is often performed incorrectly. How does the BIA drive risk management process, security programs, and recovery efforts, and who should perform the analysis?

After completing this session, you will be able to:

  • Explain the purpose of a Business Impact Analysis
  • Explain how the BIA applies to risk and recovery programs
  • Determine the critical outputs from the analysis
  • Explain how the outputs apply to risk, security, and recovery

233–Container Security: Fake News or Opportunity

Anshul Arora
SAP America

Pandu Vangara
Technical Leader
Cisco

With containerized cloud infrastructure deployment, there exist critical security risks and opportunities that an enterprise must be cognizant of before laying out a rigid strategy for customers, keeping compliance aspects in the forefront.

After completing this session, you will be able to:

  • Focus on the approach to enhance security posture
  • Outline a security blueprint to deploy cloud apps
  • Insert security as part of the infrastructure codebase
  • Describe container hardening standards and compliance needs

243–Managing IT Risk Beyond Core IT

Justin Orcutt, CRISC
Manager
NCC Group

Shadow IT is a growing problem that represents risk to the organization but is not identified by the organization as something that needs to be protected. Attend to learn how to develop an effective Risk Management program for Shadow IT.

After completing this session, you will be able to:

  • Identify steps that can be taken to manage shadow IT
  • Apply common strategies for building a shadow IT Risk Management program
  • Gain visibility into rogue apps
  • Explain the importance of managing shadow IT

253–Got Risk? Risk Management in M&A

Sixin Shen
PricewaterhouseCoopers LLP


Eloisa Diaz-Insua, CISA
IT Audit Director
PricewaterhouseCoopers, LLP

Nick Roach
IT Auditor
PricewaterhouseCoopers LLP

This session covers risk professionals' role in driving effective risk management (RM) in mergers and acquisitions (M&A). Most companies are not risk resilient enough to support M&A, which increases their risk profile and jeopardizes success. Risk professionals are positioned to drive proactive development of responses to M&A risks.

After completing this session, you will be able to:

  • Understand risk considerations of M&A activity
  • Understand M&A trends for risk professionals
  • Recognize potential RM activities in M&A lifecycle
  • Operationalize risk professionals' M&A involvement

313–Additional Information Coming Soon!

Track 4—Security / Cybersecurity

114–Cryptocurrency Economic Attacks & Defenses

Edward Moyle
Director
ISACA

This session discusses empirical observations about economic issues in cryptocurrency markets: liquidity crises stemming from exchange attacks, mining monopolies and other mining economic characteristics, arbitrage, and other issues.

After completing this session, you will be able to:

  • Understand basic patterns of cryptocurrency markets
  • Understand emerging issues for currency use
  • Understand mining economics and mining monopoly
  • Understand liquidity-based exchange attacks

124–Additional Information Coming Soon!

134–Cyber Resilience for the Changing World

Leonard Ong, CISA, CISM, CGEIT, CRISC (2017 Top-Rated Speaker)
Associate Director
Merck & Co, Inc

With a rapidly changing threat landscape, organizations are subjected to ever-increasing pressure to be resilient to existing, new and unknown threats. This presentation discusses proposed perspectives and an approach to achieving cyber resilience.

After completing this session, you will be able to:

  • Understand the current concept of organizational resilience and how to see it holistically
  • Hear about new and trending cyber threats that may render existing resiliency capabilities ineffective
  • Prepare against the new and trending cyber threats to increase their organizational cyber resiliency
  • Take away key points for implementing the suggestions offered in their organization

144–Why is Database Security so $^%# Difficult?

Ron BenNatan
CTO
JSonar

Database audit and security approaches continue to fall short as confirmed via ongoing breaches and compliance struggles. This session will review current process challenges and the benefits of a next-generation Database Security/Audit Data Lake.

After completing this session, you will be able to:

  • Better grasp today's technical/process limits
  • Envision a next-generation approach to DB audit
  • Describe examples of fully automated DB controls
  • Prescribe more effective DB audit processes

214–Determining Your Cyber Score Using NIST

Michael Simmons
President/CEO
Benchmark Cybersecurity & Consulting

We will explore how you can determine your cyber score using the NIST Core Framework in a practical discussion that will demonstrate how your organization's cyber score can demonstrate your organization's cyber resilience and cyber risk posture.

After completing this session, you will be able to:

  • Understand and shape your cybersecurity profile
  • Inject best-practice governance standards
  • Align policy/business objectives to manage risk
  • Create a Cyber Score defining your cyber resilience

224–How COBIT Supports the Security Expert

F. Charlene Watson, CISM
Cybersecurity Risk Management Analyst
Florida A&M University

C-Suites suffer from "Cyber Fatigue", and finding ways to engage them for support is difficult. Using COBIT 5, the student will learn a practical application for integrating Cyber Resiliency into your IT Security Enterprise Processes.

After completing this session, you will be able to:

  • Describe how Risk Management can support Security
  • Explain how frameworks fit together in the COBIT ecosystem
  • Use the ISACA NIST Cybersecurity Audit Program with COBIT
  • Create a risk register tied to business goals

234–Insider Threat Investigation

Tony Gauda
AAE
InkHouse

In this session, Tony Gauda of ThinAir will walk attendees through 4 real-world critical insider breach scenarios. The presentation will dive into steps of the “threat kill chain” & examine how enterprises can stop an attacker in their tracks.

After completing this session, you will be able to:

  • Understand the insider threat problem
  • Build a case for insider threat preparedness
  • Assemble a tailored insider threat security program
  • Scope the business impact of insider threat risks

244–Defending Against the Insider Threat

Peter Morin, CISA, CGEIT, CRISC
Principal Cyber Engineer
Forcepoint

Research has shown that insider threat represents over 70% of cyber security threats - even though many still spend most of their budgets on defending against external threats.

After completing this session, you will be able to:

  • Define the insider and their capabilities
  • Describe common techniques used by insiders and how to detect them
  • Weigh the pros and cons of technology used to detect insiders
  • Build a successful insider threat program

254–SSH Keys—Lowest Cost, Highest Risk Tool

Mike Dodson
Sr. Director of Global Sales Engineering
Venafi

All enterprises rely on SSH to authenticate privileged users and establish trusted access to critical systems. But SSH keys are often left unprotected and inadequately audited. Hear common mistakes in security, policy, and auditing practices.

After completing this session, you will be able to:

  • Explain how SSH keys enable unauthorized access & pivoting
  • Explain why PAM doesn’t protect against all SSH key risks
  • Identify common pitfalls in SSH key management
  • Apply a best practice audit plan for SSH key management

314–Beyond the Audit: NIST in Action

Mike Shultz
CEO
Cybernance Corporation

If your organization isn’t using NIST, it should be. This session will discuss the gold standard for cyber auditing and how organizations should be harnessing the process to create a culture of information security, in and beyond their company.

After completing this session, you will be able to:

  • Determine gaps in maturity through NIST audit
  • Analyze risk in alignment with business goals
  • Create improvement plans based on audit data
  • Harness NIST to proactively mitigate evolving risk

Track 5—IS Audit and Assurance

115–SSH Guidance - What Does it Mean to You?

Fouad Khalil, CISA
VP of Compliance
SSH Communications Security

ISACA recently released its first-of-its-kind SSH Guidance. Join this session to learn about SSH keys, their background, and audit and compliance ramifications, and walk away with best practice steps to address this hidden elevated access.

After completing this session, you will be able to:

  • Gain a good understanding of the SSH Guidance
  • Understand audit ramifications of hidden SSH keys
  • Walk through best practice governance process
  • Gain visibility to available SSH keys resources

125–Sound IT Audit Based on FFIEC IT Booklets

Alejandro Mijares, CISA, CRISC (2017 Top-Rated Speaker)
Risk Manager
Kaufman, Rossin & Co

Effective audit programs are risk-focused, promote sound IT controls, ensure the timely resolution of audit deficiencies and inform the Board of Directors. This session will focus on how to create a sound IT Audit Program based on the FFIEC IT Booklets.

After completing this session, you will be able to:

  • Prepare effective IT audit programs for banks
  • Identify areas of greatest IT risk exposure
  • Evaluate the adequacy of internal controls
  • Understand requirements of the FFIEC IT Booklets

135–Auditing in the Cloud: The Business Case

Robert Findlay (2017 Top-Rated Speaker)
Global Head of IT Audit
Glanbia

Many organizations' IT departments are moving business services and applications into the cloud, but what are the implications for the internal auditor of such a strategy? How can we gain any assurance over controls on systems we don’t operate?

After completing this session, you will be able to:

  • Select an audit strategy to match cloud strategy
  • Understand the key risks posed by cloud computing
  • Prepare and execute strong audits
  • Suggest practical steps to mitigate the risks

145–Rise of the Drones: Prepare Your Enterprise

Albert Marcella, CISA, CISM
President
Business Automation Consultants, LLC

The use of Small Unmanned Aircraft Systems (sUAS) by organizations, without an implementation and control strategy, will create substantial risks. This presentation focuses on the risk assessment and audit of an organization’s emerging sUAS program.

After completing this session, you will be able to:

  • Identify relevant controls for sUAS usage
  • Evaluate preparedness for sUAS operations
  • Specify requirements for auditing a sUAS program
  • Develop a sample assessment/audit program

215–Cyber Assurance Plan

Gurmit Aujla, CRISC
Director Internal Audit
BCLC

Although we all understand the growing Cyber risk, few companies have developed a comprehensive assurance plan to address this risk. This session will take the audience through a real-life example of developing an audit approach.

After completing this session, you will be able to:

  • Implement an audit approach to address cyber risk
  • Communicate Cyber risk to key stakeholders (Board)
  • Use tools to build cyber risk into their audit plan
  • Learn and discuss some practical challenges

225–The Next Generation in Data Mapping

Andrew Neal, CISM, CRISC (Top Rated Speaker)
President, Forensic Technology & Consulting
TransPerfect Legal Solutions

Do you know what data you have and where it is? An accurate answer is foundational for any security, audit or compliance activity. This discussion offers a method for validated data-mapping in today’s perimeter-less and fluid data environments.

After completing this session, you will be able to:

  • Identify gaps in traditional data mapping
  • Describe a work flow for accurate data mapping
  • Leverage technical tools to validate data maps
  • List multiple GRC wins from the mapping effort

235–Compliance in the Cloud

Bradley Thies, CISA
Principal
Barr Assurance & Advisory, Inc.

The cloud "shared responsibility model" isn't new but defining these responsibilities and assigning accountability continues to evolve.

After completing this session, you will be able to:

  • Define the cloud shared responsibility model specific to security and compliance “of” the cloud and “in” the cloud from both the cloud service provider and cloud user perspective
  • Audit controls across the shared responsibility model using COBIT 5
  • Address cloud shared responsibilities, leveraging COBIT 5, across other requirements such as GDPR, NIST Cybersecurity, and SOC for Cybersecurity as well as industry specific requirements such as HITRUST, FedRAMP, PCI, etc.
  • Understand use cases for application of the above learning objective within popular cloud products such as AWS, Google Cloud, and Microsoft Azure

245–Auditing Internet of Things (IoT) Processes

Robert Moeller, CISA

This session will outline business-environment IoT risks & internal control concerns, and will outline IoT general and specific application audit control procedures, including establishing IoT continuous auditing processes and launching IoT data analytics.

After completing this session, you will be able to:

  • Understand IoT risks & internal control issues
  • Launch an IoT business application audit
  • Apply COSO principles for auditing IoT systems
  • Understand importance of IoT risks & audit issues

255–Control & Monitor Remote Access Pathways

Chris Maroun
National Sales Engineer Director
CyberArk

Remote vendors are everywhere. They are often granted access to systems and applications as a means to do business, but unmonitored access also introduces a potential pathway for audit and compliance risks, and potentially damaging cyber-attacks.

After completing this session, you will be able to:

  • Identify remote vendor risk in an organization
  • Trace and control remote vendor access
  • Create a reliable audit trail and remediate risk
  • Understand compliance & security best practices

315–Cyber Security - Audit Smarter Not Harder

Sajay Rai, CISM
CEO
Securely Yours LLC

Cyber security is getting a lot of attention. Organizations are constantly increasing security budget to counter cyber risks. Auditors can utilize the same tools deployed by the organization to perform smarter audits. Work Smarter - Not Harder!

After completing this session, you will be able to:

  • Understand the cyber risks facing organizations
  • Learn about the cyber tools used to reduce risks
  • Understand how to use cyber tools for audits
  • Identify the features of the cyber tools for audit

Track 6—IS Audit and Assurance

116–Cloud Security Strategy & Considerations

Rob LaMagna-Reiter, CISSP, CHP, PCIP
Sr. Director, Information Security
First National Technology Solutions

Organizations in all industries can securely operate in the cloud. With proper planning & due diligence, it's possible to securely operate in the cloud regardless of your organization's size or risk appetite.

After completing this session, you will be able to:

  • Develop a cloud security strategy & risk appetite
  • Identify governance & audit considerations
  • Determine the right cloud provider
  • Understand the importance of data visibility

126–Automated Compliance

Chris Wilken, CISA, CGEIT
Consultant
Wilken Consulting, Inc.

David Carter, CISA, CISM
Wilken Consulting

When people talk about automating compliance, they focus on configuration settings or workflows. Automated process compliance hasn’t been addressed - until now. This presentation will show how data analytics can be used to automate these audits.

After completing this session, you will be able to:

  • Determine processes/controls that can be automated
  • Extract data and build analysis models
  • Use automation to reduce corrective feedback time
  • Create higher value for audit and compliance

136–Securing and Auditing a Crisis Response

Andrew Neal, CISM, CRISC (Top Rated Speaker)
President, Forensic Technology & Consulting
TransPerfect Legal Solutions

Your organization is faced with a high impact or existential crisis. The response, at the direction of the C-suite, requires circumventing your standard data security protocols. How do you minimize risk while navigating the crisis response?

After completing this session, you will be able to:

  • List crises that may impact data security
  • Establish security contingency plans
  • Track and remediate data, post crisis
  • Audit the data security of a crisis response

146–Security Automation in Cloud Environments

Pandu Vangara
Technical Leader
Cisco

Anshul Arora
SAP America

With many workloads moving to cloud environments at breakneck speed, along with Continuous Integration and deployment to production multiple times each day, there is a need for robust cloud security automation.

After completing this session, you will be able to:

  • Think Security in terms of Security as Code
  • Integrate security automation into cloud CI/CD
  • Automate cloud security
  • Put better audits and better controls in place

216–Software Assurance Audit Program

Mohammed Khan, CISA, CRISC, CIPM
Global Audit Manager
Baxter International

The Software Development Life Cycle (SDLC) is an iterative process that is required for all application environments until the application retires and is phased out. For the success of the application and its ability to meet the needs of its users, the governance and the cycles within the SDLC have to be carefully adhered to and be part of the DNA of the application. As on-demand code development and faster deployment of code changes continue to gain momentum, it is important to get back to the basics of why the SDLC process is important and, more importantly, how a lack of discipline in this space can lead to unintended consequences that can impact the enterprise and the users it serves.

After completing this session, you will be able to:

  • Plan for conducting an audit in the space of application development using SDLC processes
  • Discuss the benefits of SDLC and the key governance and cycles encompassing the SDLC methodology
  • Receive guidance on utilizing a work plan to assess the key areas to include in-scope as part of the SDLC audit
  • Develop ideas for auditing against various SDLC environments for the enterprise

226–Auditing Network Devices

Ashish Jain, CISA
Director of Internal Audit
USNH

This presentation will give an overview of the key areas to cover when auditing network devices, and will introduce attendees to network security risks, ideas for benchmarking against best practices, and common network security requirements.

After completing this session, you will be able to:

  • Identify risk areas for a network device audit
  • Locate resources for common security practices
  • Plan a basic network device security audit
  • Identify common audit issues in this area

236–Zero Trust Networks for Audit & Compliance

Kevin Saucier
Conventus Corporation


Auditing groups have always struggled with Security Operations' ability to provide accurate and up-to-date information about assets, users, and data. The Zero Trust Network is the answer to this problem.

After completing this session, you will be able to:

  • Understand the challenges of traditional networks
  • Understand the purpose of Zero Trust Networks
  • Comprehend why the subject chose this architecture
  • Evangelize the need for this in your own audits

246–Innovation & Analytics in Audit

Nathan Anderson
Divisional Vice President
Sears

Businesses are becoming more data-driven and digitally focused in an effort to stay relevant and competitive. We will discuss how Internal Audit is being challenged to adapt and how we can challenge our organizations to address these risks.

After completing this session, you will be able to:

  • Assess your audit team's current use of data
  • Consider methods to increase audit's use of data
  • Assess data and digital maturity during audits
  • Leverage data to implement three lines of defense

256–Auditing Service Oriented Architecture

Brian Waage, CRISC
Solutions Architect

Understand the key principles and objectives of Service Oriented Architecture (SOA). Understand the risks that services introduce to an organization. Learn how to incorporate SOA in your audit plans and procedures.

After completing this session, you will be able to:

  • Understand SOA principles and objectives
  • Understand the risks services introduce
  • Verify the security settings of a service
  • Incorporate service security in an IS audit

316–Understanding the Role of a Bank ISO

Russell Horn, CISA, CRISC
President
CoNetrix

What is this thing we call an Information Security Office (ISO)? What role should an ISO have? Who should they report to? What skills do they need? During this session, we will address the needs and requirements for a financial institution ISO.

After completing this session, you will be able to:

  • Become familiar with FFIEC guidance related to ISO
  • Recognize the value of an ISO
  • Identify the skills needed to be a successful ISO
  • Understand the role of a bank ISO


Track 7—IT Leadership: Career and Communications Development

117–The Art of Verbally Communicating

Pam Nigro, CISA, CGEIT, CRISC
Senior Director of Information Security
Blue Cross Blue Shield of Illinois

We thrive in our specific areas of audit/risk/security, but what about effective communication and presentation skills? This session will help you formulate and express your ideas effectively, and be more persuasive and confident when giving presentations.

After completing this session, you will be able to:

  • Understand the dynamics of speaking in public
  • Speak in public with reduced fear
  • Instill confidence in speaking publicly

127–Security KPI/Metrics for Senior Executives

Charles Shugg
Partner & COO
Sylint Group, Inc

Senior executives are often not properly informed of potential vulnerabilities or attacks to their critical IT systems. Three areas to examine include: poorly designed KPIs, inappropriately focused KPIs, and ineffective communication of KPIs.

After completing this session, you will be able to:

  • Create effective "Operational Status" KPIs
  • Create crucial "Suspicious/Abnormal Activity" KPIs
  • Create insightful "Incident Detection" KPIs
  • Make Security KPIs actionable communication tools

137–Board Director Concerns about Cyber & Technology Risk

Robert Clyde
Managing Director
Clyde Consulting LLC.
ISACA Board of Directors

The C-suite and boards of directors are increasingly concerned about cyber-attacks and risk. If asked, how should you present and discuss such issues with the board? Boards and executives are also anxious to understand the business opportunity, impact and risk of new technologies. This session will explore ways to discuss new technologies with the board, including the Internet of Things, artificial intelligence and machine learning, augmented reality, and quantum computing. In addition, cyber-attacks continue to escalate, with data breaches and ransomware attacks being discussed at the board level. This session will explore likely questions your board will ask you and offer guidelines on how to discuss them.

After completing this session, you will be able to:

  • Better understand business impact of new technologies and cyber risks
  • Understand board perspective relative to cyber and new technologies
  • Be prepared for likely questions the board will ask
  • Better articulate risks and options to the board of directors and C-suite

147–Tips for Effective Presenting

Paul Phillips, CISA, CISM
Technical Research Manager
ISACA

Additional Information Coming Soon!

217–How to Build & Grow Your IT Security Team

Tammy Moskites

Today, there are more IT security jobs than people to fill them. With few options, how do you find the right people for your IT security team? Get guidance on hiring, retaining, growing, and rewarding your team—customized for your company culture.

After completing this session, you will be able to:

  • Know what to look for when hiring
  • Focus on team strengths
  • Grow the team using competency-based training
  • Develop a team culture that encourages growth

227–The Hidden in Sight: Addressing the Cybersecurity Skills Gap

Robin Lyons
Technical Research Manager
ISACA

The session provides an opportunity for managers to explore growing the skills needed to address the projected cybersecurity skills gap. The program will also serve as a career roadmap for IT professionals as they manage the next phases of their careers.

After completing this session, you will be able to:

  • Understand the cybersecurity skills shortage landscape
  • Learn how to assess cybersecurity skills needs within your own organization
  • Accurately identify gaps between cybersecurity skills the organization has and cybersecurity skills the organization needs
  • Identify options to resolve the skills gap with a focus on growing the cybersecurity skills needed with existing talent
  • Compare the options and the steps required for implementation

237–Cybersecurity for Leadership

Matthew Kipp, CISA
Director of Risk
The Mako Group

Learn how to discuss cybersecurity with the board/leadership and explain how to achieve cyber maturity when creating a model to follow as a road map.

After completing this session, you will be able to:

  • Build a cyber maturity model
  • Understand cyber frameworks
  • Know how to speak to the board and leadership on cyber
  • Discuss cyber concerns with leadership

247–Insuring Your Cyber Assets

Sean Scranton, CISA, CISM, CRISC
Director, Underwriting
RLI Corp

Natasha Richard
Cyber Liability Director
RLI

Cyber Insurance – What is it? How does it work? Why is it so confusing? This session will demystify the current cyber insurance swamp of perplexing forms, high deductibles, hidden exclusions, and insurance companies that “never pay out”.

After completing this session, you will be able to:

  • Understand the current cyber insurance market landscape
  • Identify common coverages and exclusions
  • Ask for value-added services as part of coverage
  • Engage ERM and Security to determine appropriate coverages

257–Cyber Across the Organization

Gaurav Kumar, CISA, CRISC
Principal
Deloitte & Touche, LLP

2017 Top-Rated Speaker: Glenn Wilson, CRISC
Senior ERS Manager
Deloitte & Touche, LLP

Getting leaders across the organization on the same page with respect to cyber risk can be a challenge. Resolving the issue will require the organization to lead, navigate and disrupt to design a cyber program that transcends business boundaries.

After completing this session, you will be able to:

  • Advise on effectiveness of cyber risk mgmt program
  • Influence cybersecurity alignment across all lines
  • Report cybersecurity risks & status across the org
  • Use cyber as a driver to elevate the organization

317–Cybersecurity: Getting the Business Engaged

Allan Boardman, CISA, CISM, CGEIT, CRISC
Independent Business Advisor
CyberAdvisor.London

Business engagement is essential to providing appropriate and sufficient protection for the business's most critical information assets and systems. This session covers a practical approach to ensuring that the business is fully engaged in cyber security efforts.

After completing this session, you will be able to:

  • Understand key challenges the businesses face
  • Adopt a structured approach to help business
  • Follow a risk based approach to managing cyber
  • Be armed with effective tools and best practices


Track 8—Governance and Compliance

118–Practical Application of Qualitative Risk 1

Top Rated Speaker: Mark Thomas, CGEIT, CRISC
President
Escoute

F. Charlene Watson, CISM
Cybersecurity Risk Management Analyst
Florida A&M University

Communicating to the C-suite about risk management often appears to them as if we are managing security with a finger in the wind: making professional guesses, repeating vendor pitches, or reacting to whatever vulnerability scare du jour the media is reporting.

After completing this session, you will be able to:

  • Understand how to use techniques from various COBIT guides to effectively manage a risk management process
  • Learn how to create risk scenarios as a basis for an assessment, and link these to their effects on business goals
  • Analyze and assess risks, and determine appropriate responses
  • Create an enterprise risk register that can be flexible, and tied to various other business risk processes

128–Practical Application of Qualitative Risk 2

Top Rated Speaker: Mark Thomas, CGEIT, CRISC
President
Escoute

F. Charlene Watson, CISM
Cybersecurity Risk Management Analyst
Florida A&M University

Communicating to the C-suite about risk management often appears to them as if we are managing security with a finger in the wind: making professional guesses, repeating vendor pitches, or reacting to whatever vulnerability scare du jour the media is reporting.

After completing this session, you will be able to:

  • Understand how to use techniques from various COBIT guides to effectively manage a risk management process
  • Learn how to create risk scenarios as a basis for an assessment, and link these to their effects on business goals
  • Analyze and assess risks, and determine appropriate responses
  • Create an enterprise risk register that can be flexible, and tied to various other business risk processes

138–Connecting the Dots: GLBA Risk Assessment

2017 Top-Rated Speaker: Alejandro Mijares, CISA, CRISC
Risk Manager
Kaufman, Rossin & Co

Recently, more banks have been receiving regulatory criticism, leading to more and more MRAs related to risk assessment (especially GLBA). A proper risk assessment should include identification of IT assets, threats and vulnerabilities, and key control testing.

After completing this session, you will be able to:

  • Assess & evaluate threats to customer information
  • Identify common pitfalls in GLBA Risk Assessments
  • Learn best practices for a GLBA Risk Assessment
  • Evaluate a Bank's inherent and residual GLBA risk

148–Untangling the Spaghetti Diagram

Matthew Mabel, CISA, CRISC
Director - Technology Audit
American Express Co.

 

 

Phil Collett
Director, Information Security
American Express Co.

This session will focus on how a Fortune 100 financial services company is aligning all three lines of defense around a common IT risk management framework – including a common library of threats, risks and controls and control metrics.

After completing this session, you will be able to:

  • Develop integrated IT risk management framework
  • Map regulatory requirements to global IT framework
  • Develop metrics to monitor controls in framework
  • Align internal audit plan to global IT framework

218–IT Risk Management for Everyone

Berk Algan, CISA, CGEIT, CRISC
Director, IT Governance
Silicon Valley Bank

We will talk about how we evolved our IT risk management framework at a bank from a reactive firefighting mode to a proactive process where everyone is involved. We will review key components of our framework and provide real-life examples.

After completing this session, you will be able to:

  • Understand cornerstones of IT risk management
  • Implement IT risk management best practices
  • Learn ways to make everyone a risk manager
  • Avoid common implementation pitfalls

228–Managing Security with COBIT 5: Practical Guidance on Using the Framework

Peter Tessin
Sr. Manager, BT Risk & Compliance
Discover

Understanding COBIT 5 and knowing how to put it to practical use are two different things. In this session we will explore a practical example of applying COBIT 5 to a process. Session delegates will see an example going step by step through understanding a COBIT process and its related practices, how to tie management practices into higher level objectives, how to implement specific activities to achieve the process purpose, and how to measure process performance. These objectives will be illustrated using APO13 Manage Security from the COBIT 5 Enabling Processes publication.

After completing this session, you will be able to:

  • Understand a COBIT process and its related practices
  • Know how to tie management practices into higher level objectives
  • Implement specific activities to achieve the process purpose
  • Measure process performance

238–Building an Insider Threat Program

Jean Handy
Senior Member of the Technical Staff
Carnegie Mellon University - Software Engineering Institute

This session will discuss the foundational elements of building an effective Insider Threat Program, as well as some of the Best Practices which were updated and released this year.

After completing this session, you will be able to:

  • Identify Sources of Regulations and Best Practices
  • Describe the Insider Threat Framework & Components
  • Identify Organizational Entities to Participate
  • Explain Insider Threat Incident Response Process

248–When HIPAA and Cybersecurity Intersect

Craig Krivin, CISA, CISM
Compliance Evangelist
McKesson

Steven Nguyen, CISM
Director - IT Security & Compliance

Share our experience developing and implementing a successful solution meshing CyberSecurity and HIPAA compliance programs to streamline a large healthcare organization's IT security compliance program.

After completing this session, you will be able to:

  • Compare and Connect HIPAA & CyberSec compliance
  • Define Security Rule HIPAA/HITECH controls
  • Define top 20 CyberSecurity SANS/CIS controls
  • Manage Stakeholder expectations

258–Privacy by Design - Think Beyond GDPR

Sudhakar Sathiyamurthy, CISA, CGEIT, CRISC
Director, Cyber Risk
Grant Thornton LLP

Data such as personally identifiable information flows freely across organizations. A siloed approach to privacy has fallen short of addressing consumers' right to privacy. Data protection safeguards should be built in from the earliest stages.

After completing this session, you will be able to:

  • Learn business value drivers for privacy by design
  • Understand how to achieve privacy by design
  • Comply with GDPR and beyond
  • Integrate privacy by design into services

318–IT Governance Effectiveness

Ari Sagett, CISA, CRISC
Managing Director - IT Audit
Protiviti

Effective IT governance leads to the efficient deployment of IT resources in alignment with key business objectives. In a world where digitalization is upon us, IT governance is increasingly important. While IT governance is a huge area of spend for many organizations and information technology continues to transform itself, survey data suggests that most Internal Auditors still do not review this process.

After completing this session, you will be able to:

  • Understand the importance of IT governance
  • Describe how digitalization is changing
  • Understand the importance of innovation to the IT governance process in a world of rapid change.
  • Be able to recognize good examples of IT governance functions embracing digitalization at top performing companies – not theoretical explanations, but real life elements of strong IT governance.


Track 9—Industry Trends & Insights

Additional Information Coming Soon!

Workshops

WS1–COBIT 5 Foundation

Top Rated Speaker: Mark Thomas, CGEIT, CRISC
President
Escoute

Learn the importance of an effective framework to enable business value. Delve into the elements of ISACA’s evolutionary framework to understand how COBIT 5 covers the business end-to-end and helps you effectively govern and manage enterprise IT. Developed for anyone interested in obtaining foundation-level knowledge of COBIT, the course explains the COBIT framework and supporting materials in a logical and example-driven approach.

After this workshop, you will be able to understand:

  • How IT management issues are affecting organizations
  • The need for an effective framework to govern and manage enterprise IT
  • How COBIT meets the requirement for an IT governance framework
  • How COBIT is used with other standards and best practices
  • The functions that COBIT provides and the benefits of using COBIT
  • The COBIT Framework and all the components of COBIT
  • How to apply COBIT in a practical situation

WS2–Cybersecurity Fundamentals

Jeff Roth, CISA, CGEIT
Regional Director
NCC Group

Why become a cyber security professional? The protection of information is a critical function for all enterprises. Cyber security is a growing and rapidly changing field, and it is crucial that the central concepts that frame and define this increasingly pervasive field are understood by professionals who are involved and concerned with the security implications of Information Technologies (IT). The CSX Fundamentals workshop is designed for this purpose, as well as to provide insight into the importance of cyber security, and the integral role of cyber security professionals. This workshop will also prepare learners for the CSX Fundamentals Exam.

After this workshop, you will be able to:

  • Understand basic cyber security concepts and definitions
  • Define network security architecture concepts
  • Recognise malware analysis concepts and methodology
  • Identify computer network defense (CND) and vulnerability assessment tools, including open source tools and their capabilities
  • Explain network systems management principles, models, methods, and tools
  • Distinguish system and application security threats and vulnerabilities
  • Classify types of incidents (categories, responses, and timelines for responses)
  • Outline disaster recovery and business continuity planning
  • Comprehend incident response and handling methodologies
  • Understand security event correlation tools, and how different file types can be used for atypical behavior
  • Be aware of the basic concepts, practices, tools, tactics, techniques, and procedures for processing digital forensic data
  • Recognise new and emerging information technology and information security technologies

WS3–CISA Cram Course

Al Marcella, CISA, CISM
President
Business Automation Consultants, LLC

Join fellow CISA exam candidates along with a CISA-certified trainer for a unique exam prep experience. The CISA Exam Prep Course is an intensive, cram-style course that will cover some of the more challenging topics from the CISA job practice. Drill through sample exam items, ask your most pressing questions and get the answers to build your confidence as you prepare for exam day.

After this workshop you will be able to:

  • Learn the specific requirements for passing the CISA Exam and attaining your Certification
  • Utilize ISACA materials to prepare for and pass the CISA Exam
  • Learn successful methods of "how to" evaluate Exam questions and answers, including analysis and explanations
  • Review useful, proven information on study and exam time management
  • Complete and review a mock exam, with every question and answer explained

WS4–Develop and Implement a Risk Management Process

2017 Top-Rated Speaker: Lisa Young, CISA, CISM
Vice President
Axio Global

Risk management broadly defines the process used by organizations to identify, analyze, and address risks that can interrupt or disrupt the organization’s ability to carry out its core functions and meet its mission. Unlike other types of enterprise risks, operational risks emanate from the day-to-day activities and business processes used to meet the strategic objectives of the organization. This session will explore all of the components needed for a successful risk management process in your organization.

After this workshop you will be able to:

  • Set the context for risk management
  • Risk Taxonomy – a common language for describing risk
  • Understand how to use risk scenarios
  • Express risk in business impact terms using risk Impact Criteria
  • Quantify your Cyber and IT risk exposures using Impact Criteria
  • Risk Management Process – how it all works together

WS5–Cybersecurity for Auditors

Russ Horn, CISA, CRISC
President
CoNetrix

Cyber security focus is a requirement for any organization today, but how can a company know and understand what their cyber security posture is? A strong cyber security audit program with qualified, capable auditors and a robust work program or standard is a must. During this workshop, we will dig into the details of cyber security audit. We will evaluate the ISACA NIST Cybersecurity Framework Audit Work Program as well as various cyber security frameworks and tools including the NIST Cybersecurity Framework and the FFIEC Cybersecurity Assessment Tool.

After this workshop, you will be able to:

  • Audit an organization’s cyber security posture
  • Evaluate cyber security inherent risk
  • Define audit evidence requests needed to evaluate an institution’s cyber security controls
  • Create awareness of basic policies, practices, technologies, tools and controls used to enhance cyber security
  • Examine ways to assess an organization’s cyber security maturity
  • Recognize new and emerging cyber-attacks, threats, and vulnerabilities
  • Discuss cyber security frameworks and assessment tools currently available
  • Apply the principles of the ISACA NIST Cybersecurity Framework Audit Work Program

WS6–Leverage Data Analytics in Internal Audit

Michael Kostanecki, CISA
Senior IT Consulting Manager
Protiviti

During this course you will learn how to use Data Analytics to increase internal audit effectiveness, identify opportunities to analyze various data sources leading to powerful insights and resulting in improved decision making. This will be demonstrated by reviewing various Data Analytic techniques and scenarios which will include real world client examples and applications with demos using ACL Analytics and other tools.

After this workshop you will be able to:

  • Create automated processes to eliminate routine manual analysis and increase internal audit effectiveness
  • Learn how to use and translate data into a “story” about key characteristics or past trends
  • Combine different data sources to increase opportunities for driving management insight
  • Know what data to capture, how to capture it to achieve the objective, and how to analyze it
  • Translate the data into a summary report meaningful to senior management

WS7–PCI Data Security Standard

2017 Top-Rated Speaker: Rex Johnson, CISA
Director
RSM US, LLP

2017 Top-Rated Speaker: Alan Gutierrez Arana, CISA, CRISC
Security & Privacy Director
RSM US, LLP

The Payment Card Industry Data Security Standard (PCI DSS) released version 3.2 in October of 2016 to address current threats to payment card security. Many of the changes were introduced as best practices, but became a requirement in 2018. This has created additional effort to be taken to meet compliance, especially for those entities with complex cardholder data environments. In this workshop we will discuss the following topics:

  • Understanding the card payment process: the role played by merchants, acquirers, card brands and service providers
  • Review the current threats and trends in payment card security
  • Defining and reducing your cardholder data environment scope
  • Using third party service providers: who is accountable?
  • Business as Usual activities to meet compliance effectively and efficiently

After this workshop you will be able to:

  • Understand the different actors and elements of the card payment process
  • Understand the changes and updates present in the latest version of the PCI DSS
  • Learn how outsourcing payment-related processes can facilitate (or not!) your PCI compliance
  • Identify and recognize technologies and solutions that could assist in reducing the scope of the PCI DSS assessment

Keynotes

2018 Opening Keynote Address

The Spark and the Grind: The Discipline of Creativity

Erik Wahl
Internationally recognized artist, TED speaker, and No. 1 bestselling author

Erik’s keynote experience will create a dynamic, multidimensional metaphor for how to systematically embrace innovation and risk. His message: disruption is the new normal, and businesses must embrace creativity in a wholesale fashion or risk being left behind. Erik’s presentation will inspire you to be increasingly agile and outline how to use disruption as a competitive advantage. Some companies will be disrupted; others will choose to be the disruptor. Choose wisely. His new book, The Spark and the Grind, activates the essential components of translating ideas into action. His breakthrough thinking has earned praise from top influencers in both art and business. Erik’s previous book, the bestseller Unthink, was hailed by Forbes Magazine as “the blueprint to actionable creativity” and by Fast Company Magazine as “provocative with a purpose.” Inspired by street art, he became an acclaimed graffiti artist, though he has since stopped selling his works for personal gain and instead uses his art to raise money for charities. His keynote is where his passion for business growth and art converge into a fantastic performance.


Leadership Brief

Theresa Grafenstine
Chair, ISACA Board of Directors

Closing Keynote

To be announced soon!

Leadership Brief

Robert Clyde
Managing Director
Clyde Consulting LLC.
ISACA Board of Directors