North America CACS Presentations and Descriptions 

Track 1: IS Audit & Assurance

111—Continuous Control Monitoring in Practice

David Vohradsky, CGEIT, CRISC
Associate Director
Protiviti Inc.

Michael Laurence Franklin, CISA
Associate Director
Macquarie Bank

After completing this session, you will be able to:

  • Select IT controls suitable for a continuous control monitoring (CCM) approach
  • Develop a business case and detailed plan for a continuous control monitoring implementation
  • Develop formal assertions from control objectives, and determine which controls to test, and the appropriate approach to CCM based testing
  • Leverage lessons learnt from other industry CCM implementations, to guide your own program

121—Best Practices in Audit Committee Reporting

David Malcom
Managing Director, IT Audit
Accenture

Jason Maslan, CISA, CRISC
Managing Director
Protiviti

After completing this session, you will be able to:

  • Determine the most appropriate content to provide to your Audit Committee
  • Set an Audit Committee agenda that covers all areas of interest to the Audit Committee, including engaging executives from outside the Internal Audit department to cover specific topics
  • Effectively communicate department performance to the Audit Committee through the use of metrics, dashboards, and benchmarking
  • Create visually appealing Audit Committee materials that effectively communicate the performance of the Internal Audit department

131—The Adaptable IT Auditor

Graham Logsdon
Vice President, Managed Services
InteliSecure

After completing this session, you will be able to:

  • Learn how to be a proactive auditor without impairing your independence
  • Add value not only on the project execution but also to the final result
  • Enhance your skills and flexibility as well as utilize non-audit skills you’ve attained in other aspects of your life or career
  • Be viewed as a true business partner and not just as “The Auditor”

141—Auditors on Roller Skates?

James Herbeck
Sr. Security Analyst
The Ohio State University, Enterprise Security

John Snedeker, CISA
Audit Manager
The Ohio State University

Annie Kowaleski, CISA
Senior IT Auditor
The Ohio State University

After completing this session, you will be able to:

  • Identify when your ability to audit is compromised by poorly defined/unmeasurable objectives or requirements
  • Develop a light-weight self-survey to approximate information risk and compliance
  • Develop an in-depth self-assessment to measure compliance and effectiveness
  • Use automated tools to increase the integrity of self-assessments and reduce the workload for self-assessors and auditors
  • Develop strategies for value-added auditing by leveraging the information already gathered from surveys, self-assessments, and automated tools

211—Vendor Controls Assurance - a New Approach

Jeff Trent, CISA
Partner
PricewaterhouseCoopers LLP

Julianne Inozemcev, CISA
Partner
PricewaterhouseCoopers LLP

After completing this session, you will be able to:

  • Understand the current landscape of third party risk management programs and the related solutions in the marketplace used to achieve comfort over vendor operations and controls
  • Understand the emerging opportunities (Service Organization Controls Reporting standard 2, plus additional criteria “SOC2+”) designed to more effectively and efficiently address the need of ongoing third party
  • Comprehend the scoping and reporting process behind SOC 2+ and how these reports can be assimilated into Third Party Oversight programs
  • Appreciate the key benefits of SOC 2+ to both vendors and customers

221—IT Risk Assessment

Rodney Almaraz, CISA
Senior Manager
Myers and Stauffer, LC

After completing this session, you will be able to:

  • Develop a methodology for performing a comprehensive IT risk assessment at the statewide and individual organization (agency) level. The completed risk assessment could be used for audit planning purposes
  • Prepare for the assessment by defining the scope of the assessment, identifying potential sources of information, identifying assumptions and constraints, and establishing a risk model and analytical approach
  • Conduct the assessment by utilizing information gathered from interviews and documents to populate an automated risk assessment tool (Microsoft Excel based). After populating the risk model, analyze and assess the data
  • Maintain the assessment for continuous IT risk assessment modeling

231—Auditing Agile

Chong Ee, CISA, CGEIT

After completing this session, you will be able to:

  • Describe key concepts and rationale behind Lean, Agile and Scrum methodology and terminology and see how they differ from traditional SDLC waterfall
  • Identify products, sprints, stories and scenarios and explore how these can lead to the identification of application controls, and explore the parallels between Scrum artifacts and traditional evidence
  • Emphasize the importance of QA with a focus on various types of testing and their associated benefits and limitations, and identify other areas of risk including incident response, technical debt and reporting metrics
  • Develop a way to audit Scrum by bridging Scrum methodology with traditional audit objectives and approach and identify what to look for to evidence controls when sampling audit population

241—How to Audit Customers for Defenses Against Ransomware

Jeffrey Wagar
Security Architect/Systems Architect

After completing this session, you will be able to:

  • Make decisions based on whether one user or computer in the office is trying to log on to many office computers, rather than just the e-mail server or file server
  • Adjust settings so that programs no longer set themselves to [silently] start each time the computer is started
  • Determine if any computers have Internet connections open, even though they do not have their web browser open
  • Discover an Internal Control that tests each night's backup to see if it is complete and all its files are readable

251—Transforming Internal Audit: A Digital Journey

Robert Kress
Managing Director
Accenture

After completing this session, you will be able to:

  • Understand how to increase the business value from Internal Audit by leveraging a managed services approach
  • Learn the transformation journey, with a focus on results
  • Understand the importance of leveraging technology in internal audit, including analytics, eGRC, CRM to support continuous risk assessment, and collaboration technology
  • Assess your own IA capability and build a roadmap to change and strengthen your IA function

311—Open Debate: Is IA the 3rd Line of Defense?

Danny Goldberg, CISA, CGEIT, CRISC
Founder, GoldSRD
GoldSRD

Cindy Kailly-Smith, CRISC
Manager, Audit Services
BCLC

After completing this session, you will be able to:

  • Determine where Internal Audit fits in the Three Lines of Defense Model
  • Learn how IA can partner with the business to create a more effective second line of defense
  • Understand the gray areas of Internal Audit independence
  • Determine the best role for internal audit in your organization

Track 2: Data Governance

112—Mastering the Human Side of Data Governance

David Foote
Foote Partners, LLC

After completing this session, you will be able to:

  • Understand the pillars of building the data governance people architecture and its key components and practices
  • Learn data governance compensation and incentive design and restructuring, including salary and skills/certifications pay premiums
  • Integrate hybrid model pay strategies with existing job/salary structures and practices and maintain and update them over time to compete in a volatile labor marketplace
  • Comprehend skills acquisition and development for data governance roles and jobs
  • Discover new data governance job paths and promotion alternatives
  • Streamline people management processes
  • Become familiar with the building of capability road maps, phase-gate blueprints, governance, and performance metrics
  • Review case studies of who’s doing data governance people architecture and what their experience has been
  • Determine what you need to be doing in your human capital strategies and practices to accommodate the workforce shift
  • Obtain forward-thinking job definitions and May 2016 North American salary and skills pay premiums survey data for core data governance roles and jobs (architects, analysts, stewards, modelers, data scientists, and SMEs; benchmark data from 2,815 employers)

122—Auditing Big Data

Philip Chukwuma, CISSP
CTO
Securely Yours LLC

Jayne Marie Suess, CISA
Senior Security Analyst
Erie Insurance

After completing this session, you will be able to:

  • Understand what a Big Data environment looks like and the key components that comprise Big Data. Examples will be provided of the key components of a typical big data environment in organizations.
  • Identify how big data is typically used within an organization, with examples of the data flow of structured and unstructured data.
  • Relate the key risks associated with big data. As organizations start to aggregate their sensitive information in one spot (big data), new risks have spawned, and the session will discuss these risks.
  • Audit the big data environment and identify the key steps an audit must include.

132—Moving Beyond AP & Payroll with Analytics

Mary Breslin
President
Empower Audit

After completing this session, you will be able to:

  • Understand how data analytics can be applied throughout an audit function
  • Learn how to use data analytics in Risk Assessments and Planning
  • Understand various applications of data analytics in Performance and Operational Auditing
  • Discover how data analytics can be leveraged in the fight against fraud

142—A Pragmatic Approach to Sustaining Data Analytics

Neil White, CISA
Deloitte & Touche LLP

After completing this session, you will be able to:

  • Define the role of internal audit as the third line of defense within an organization’s governance and risk management framework
  • Outline a plan to review the four tenets of a successful data analytics program: vision & strategy, people, processes and technology
  • Apply leading practices in developing and implementing an analytics capability that provides greater assurance, confidence, and insight into each audit
  • Avoid common pitfalls in unleashing the potential of a data-driven internal audit function

212—Data Analytics: Effectively Integrating Data Analytics into an Internal Audit Program

Tim Penrose, CISA
Managing Director
TIAA CREF

Brian Joshua Karp, CISA, CRISC
Audit Data Analytics Manager
TIAA CREF

After completing this session, you will be able to:

  • Understand high-level industry trends for Internal Audit data analytics
  • Understand the value proposition, critical success factors, and challenges of data analytics programs in an internal audit environment
  • Learn how to select and leverage Audit Analytic Maturity Models
  • Discover uncommon data analytics practices and activities that can add value within Internal Audit

222—Road Map to Data Analytics Success

Christopher Tennant, CISA, CRISC
AVP, Strategy, Operations, and QA, Internal Audit
Nationwide Insurance

Amish Amin, CISA
Senior Consultant, Data Analytics
Nationwide

After completing this session, you will be able to:

  • Identify keys to building a sustainable data analytics program matched with your needs
  • Develop a road map to success including clarifying the data analytics’ vision, mission, and overall strategy
  • Integrate data analytics into all aspects of the audit life-cycle
  • Effectively identify, recruit and retain the right talent

232—Leveraging Analytics and Data Visualization

Brian Gregory Greenberg, CISA
Director
KPMG

After completing this session, you will be able to:

  • Scope projects through the use of Data & Analytics
  • Transform analytical results into business insights
  • Use effective data visualization techniques to quickly identify business changes and challenges
  • Enable Your (and Your team's) Analytical Minds

242—The Future of Big Data

Robert Clyde, CISM
Managing Director
Clyde Consulting LLC

After completing this session, you will be able to:

  • Understand where Big Data and analytics is headed and how it is and will change the world
  • Describe what Big Data is and how it differs from traditional data
  • Understand how Big Data is and will be used to combat security attacks
  • Explain security and privacy concerns and challenges relative to the future of Big Data

252—Identity Analytics Cuts Realtime Risk

Christopher Sullivan
General Manager, Intelligence/Analytics
Core Security and Courion

After completing this session, you will be able to:

  • Explain how identity analytics & intelligence (IAI) provide new ways to deter and detect breaches
  • Identify steps for collecting, analyzing and visualizing data to take action with identity analytics
  • Detail how identity analytics & intelligence fits into a company’s governance infrastructure
  • Determine how to counter the obstacles and pitfalls you encounter when deploying IAI

312—Big Data: Audit and Governance

David Sentance
Director
PricewaterhouseCoopers LLP

Nusrath Mohammed
Risk Assurance Manager
PricewaterhouseCoopers LLP

After completing this session, you will be able to:

  • Understand the need for governance to ensure enterprise information is accurate, consistent across systems, and valuable to the business
  • Begin building out a roadmap for implementing governance and control over a Big Data initiative
  • Discuss what other companies are doing and how it can be leveraged
  • Understand the issues and challenges involved

Track 3: Security/Cybersecurity

113—2020 Vision for the 2020 CISO

Todd J. Fitzgerald, CISA, CISM, CGEIT, CRISC
Global Director Information Security
Grant Thornton International, Ltd.

After completing this session, you will be able to:

  • Communicate the historical evolution of the CISO over the past 20 years and why this is relevant today
  • Understand what makes a “leading information security program”
  • Incorporate trends impacting 2016-2020 Information Security programs
  • Examine soft skill areas, technologies, knowledge areas, and approaches to be successful in 2020
  • Develop important reporting and informal relationships with the “C-Suite”

123—Insider Threat: Building a Security Program for a Multi-Generational Workforce

Andrew Plato, CISM
President / CEO
Anitian

After completing this session, you will be able to:

  • Design better security policies that foster engagement with people, especially younger "Millennials"
  • Identify insider threats
  • Design controls that trust, but verify
  • Align risk management practices with a culture of trust

133—Audit As An Impact Player for Cybersecurity

Nathan Anderson, CISA, CRISC
IT Audit Director
Sears Holdings

Lucas Morris
Senior Manager
Crowe Horwath

After completing this session, you will be able to:

  • Understand what security skillset, methods, and tools, including traditional penetration testing activities, should be considered for adoption by Internal Audit.
  • Create a roadmap for developing the security skillset of IT auditors and be aware of cost-effective resources and methods for supporting this effort.
  • Engage effectively with audit leadership, the Audit Committee, and Information Technology leadership on the topic of cybersecurity.
  • Understand what security capabilities may be appropriate for your Internal Audit team and how to begin building a function that is effective, independent, and complementary of the activities performed by Information Security.

143—Payment Data Security

Andrew Weidenhamer, CISA
Security and Privacy Director
RSM

After completing this session, you will be able to:

  • Understand how hackers are most commonly stealing your credit card information
  • Learn what happens after your credit card is stolen
  • Understand what to look for when using your credit card
  • Find out how evolving technology will be used to mitigate current risks

213—Planning for a Data Breach

James Bothe
Director of Operations
Coordinated Response

James Meyer, CRISC
Managing Director
Coordinated Response

After completing this session, you will be able to:

  • Understand the wide range of impacts caused by a data breach as well as the wide range of actions required to contain, mitigate, and recover from a breach
  • Determine the various internal and external resources needed for an effective and coordinated data breach response
  • Audit an incident response program to determine its preparedness for handling a data breach
  • Communicate effectively with executive management on the cost/benefit of preparing for a data breach from prevention to response

223—Security Threat: How Can You Lower Your Risk?

Peter Allor
Sr. Security Strategist
IBM

After completing this session, you will be able to:

  • Learn how to secure your environment
  • Review critical infrastructures
  • Discover risk-management processes for business operations
  • Discuss how security professionals can lead the business to a more secure set of processes based on business risk for cyber security as part of the enterprise

233—Cybersecurity Service Level Agreements

Lisa Young, CISA, CISM
Senior Engineer
Carnegie Mellon University

After completing this session, you will be able to:

  • Better articulate your organization's reliance on third party services for IT in business impact terms
  • Identify and communicate cyber requirements to third party suppliers
  • Understand how cybersecurity service level agreements (SLAs) can reduce risk to your organization
  • Start to develop your own metrics that can be included in SLAs

243—FFIEC Cybersecurity Assessment Tool

Russell Horn, CISA, CRISC
President
CoNetrix

After completing this session, you will be able to:

  • Examine the FFIEC Cybersecurity Assessment Tool released on June 30, 2015
  • Understand the assessment inherent risk profile and cybersecurity maturity model
  • Interpret and analyze assessment results to improve your cybersecurity preparedness
  • Explore threat intelligence and collaboration, including intelligence gathering, monitoring and analyzing, and information sharing. We will also look at how ISACA CSX can help financial institutions

253—Encryption

Uday Pabrai
CEO
Ecfirst

After completing this session, you will be able to:

  • Examine encryption mandates defined in HIPAA Security, HITECH Act, PCI DSS, State regulations and more
  • Review specific areas that encryption can have a significant impact in lowering enterprise risk, while improving compliance posture
  • Step through core elements of an encryption policy to address both at rest and in motion requirements
  • Understand the implications of a breach

313—Enterprise Security Governance

Katie Stewart
CERT Program
Software Engineering Institute Carnegie Mellon

After completing this session, you will be able to:

  • Understand the evolution of operational resilience and how it is becoming a top board level concern
  • Discover the current state of the practice in governing operational resilience through the review of detailed interview findings and detailed secondary source review
  • Review multiple case studies to understand the complex nature of governing operational resilience activities
  • Discuss incremental moves to improve the governance of operational resilience

Track 4: Privacy

114—PIA: Highway to Hell or Stairway to Heaven?

David Elfering, CRISC
Associate Vice President Information Security
Werner Enterprises

Rebecca Herold, CISA, CISM
Owner & CEO
Rebecca Herold & Associates, LLC

After completing this session, you will be able to:

  • Identify the key stakeholders to involve in a PIA.
  • Describe to executives the value of doing a PIA validated by an actual experience.
  • Plan for your own PIA by learning from the real-life experiences of the company within the case study.
  • Know what to do to most efficiently establish initial vendor inventory with associated personal information inventories and data flow graphs.

124—Healthcare Security and Privacy Challenges

Kenneth Vander Wal, CISA
HITRUST

After completing this session, you will be able to:

  • Describe the current security, privacy and risk challenges in healthcare
  • Articulate why hackers see value in healthcare information
  • Understand the root causes of healthcare data breaches
  • Describe healthcare specific approaches and tools to improve the security and privacy environments in their organizations.

134—The One-hour Privacy Primer

Todd J. Fitzgerald, CISA, CISM, CGEIT, CRISC
Global Director Information Security
Grant Thornton International, Ltd.

After completing this session, you will be able to:

  • Recognize the top global privacy issues today
  • Understand key principles, requirements and terminology of privacy
  • Gain an appreciation of the breadth of information privacy issues
  • Examine the interrelationship of privacy, security, auditing, and laws and regulations

144—Privacy Lessons from the Field

Nathan Anderson, CISA, CRISC
IT Audit Director
Sears Holdings

Ali Mobeen Rana
Sr. Internal Audit Manager
Sears Holdings Corp.

After completing this session, you will be able to:

  • Understand why audit is uniquely positioned to be a driving force for fine-tuning the privacy program at your organization. Identify the aspects of a privacy effort that audit is uniquely positioned to excel at
  • Understand who the key stakeholders should be for the privacy program, what their roles and responsibilities should be and how best to engage them. Understand how to effectively engage the business, the key to success
  • Identify key building-blocks and potential pitfalls on the path to a successful privacy program, including working effectively with legal, information security, and business units
  • Develop a roadmap with prioritized milestones that are customized to your organization’s unique Privacy risks

214—Hell is Empty and All the Devils are Here

Reginald Harnish, CISA, CISM
Chief Security Strategist
GreyCastle Security

After completing this session, you will be able to:

  • Learn about privacy and security in the digital world.
  • Take away actionable advice for balancing security and privacy in your own lives
  • Gain knowledge on the quickly evolving world we live in and how to maintain security.
  • Obtain actionable advice for balancing security and privacy in your life.

224—No Party With Third Parties

Jason Zahn, CISA
Sr. IT Audit Mgr.
UPMC

After completing this session, you will be able to:

  • Explain third-party and vendor risk to customers, clients, and executive management
  • Understand the leading third-party/vendor assessment providers and the benefits and concern points of each
  • Take away the key success factors for performing an audit of a third party/vendor and the most important assessment areas
  • See how an integrated payer/provider/academic health care enterprise has taken a multipronged approach to both being audited as a third party AND managing the risks of its own third parties

234—Navigating the Data Breach Regulatory Maze

Mahmood Sher-Jan
CEO
RADAR Business Unit, ID Experts

After completing this session, you will be able to:

  • Understand the many phases of incident response beyond discovery, containment and investigation
  • Learn how to implement proactive, consistent, repeatable, and scalable methods for incident risk assessment and notification obligations
  • Learn effective strategies for keeping up with the evolving regulatory landscape, including complex breach notification laws
  • Gain insight from the incidents that didn’t become public data breaches, to identify root causes and trends to better understand your organization’s greatest security vulnerabilities and breach risks

244—Data Privacy: The New Frontier

Avani Desai, CISA, CRISC
Vice President
BrightLine CPAs & Associates

After completing this session, you will be able to:

  • Understand the data privacy fuss in our current data driven environment and be better positioned to break down related risks (wearables, big data, digital economy, smart phones, the cloud)
  • Obtain an end-to-end view of a data privacy program from the life of a data privacy officer (a backstage tour)
  • Learn the practical components to look for when conducting a data privacy audit
  • Speak the data privacy language of consent, choice, purpose, use, protection and retention of personal data

254—Containers: What YOU Need to Know

Ed Moyle
Director of Thought Leadership and Research
ISACA

After completing this session, you will be able to:

  • Understand what containerization is and why it is important to security, audit, and risk professionals
  • Assess the risk and value implications of containerization
  • Incorporate specific container-related “gotchas” into your strategies
  • Implement practical next steps in your shop to discover, analyze, and control containerization

314—Is a Legacy System a Data Breach Candidate?

Philip Young
Information Security Engineer - Red Team
Wells Fargo

After completing this session, you will be able to:

  • Understand why sensitive mainframe data migrates and why mitigating controls do not provide sufficient protection; these systems need to be protected as much as Windows or Linux machines, if not more
  • Learn why you should protect your legacy sensitive data, which includes critical assets like PII, PHI, PCI data and intellectual assets
  • Comprehend why these systems have been placed outside the scope of an audit, and why they shouldn’t be
  • Know that 70-80% of the world’s critical transactional data and sensitive information is located on legacy systems, and that it should be audited and protected as much as Windows data

Track 5: GRC

115—A Real Case Study on Capability Models

Andre Pitkowski, CGEIT, CRISC
GRC Senior Consultant
Centro Universitario Senac

Orlando Tuzzolo, Jr., CISM, CGEIT, CRISC
Senior Consultant - IT Governance
World Pass IT Solutions

After completing this session, you will be able to:

  • Understand a case of converting COBIT 4.1 to COBIT 5 IT processes
  • Know the differences between the COBIT 4.1 Process Maturity assessment and the COBIT 5 Process Capability assessment.
  • Work with a tool to perform process capability assessment according to the PAM 15504 method.
  • Use specific metrics to monitor the progress of IT process performance, essential to ensuring value delivery from IT.

125—Enable a Compliance Driven GRC Program

Kevin Berman
Director, Performance GRC Enablement Services
PricewaterhouseCoopers LLP

Joseph R. DeVita
Partner
PricewaterhouseCoopers LLP

After completing this session, you will be able to:

  • Outline an approach to streamline your compliance efforts across multiple compliance initiatives, objectives, and the organization with alignment to additional GRC initiatives enterprise wide
  • Better understand how to leverage GRC technologies to enable and sustain compliance frameworks and reduce overhead on the business side. Determine how to identify the GRC technologies that best address the needs of the organization
  • Better leverage your investment around integrated GRC process and technology. Understand key organizational drivers for Enterprise GRC Integration initiatives
  • Establish a foundational GRC capability which will help to better align process and technology capabilities around Compliance within the organization

135—GRC Innovation by Design

Samit Khare, CISA, CISM
Director, Risk Consulting
SDG Corporation

After completing this session, you will be able to:

  • Establish, implement, maintain and continually improve an integrated ‘Innovation Management System (IMS)’ and ‘Information Security Management System (ISMS)’
  • Leverage the integrated management system to ensure a more efficient use of GRC resources, improved risk & compliance management, and increased customer satisfaction
  • Generate new ideas that may lead to a more secure, effective and efficient products, processes, services and technologies
  • Learn from a case-study to see how an innovative approach led to robust policies and procedures as well as reduced GRC burden

145—Enhanced Business Process Control Monitoring

Christopher V. McGee, CISA
Managing Director
KPMG

Timothy Murphy, CISA, CRISC
Director
KPMG LLP

After completing this session, you will be able to:

  • Understand risks that, if unmitigated, may undermine the effectiveness of key business process controls supported by your Oracle ERP packages, including E-Business Suite and PeopleSoft.
  • Learn about functionality provided within the Oracle Advanced Controls (OAC) suite that well-controlled organizations are utilizing to prevent or detect and correct attempts to circumvent key business process controls.
  • Recognize segregation of duties and sensitive access monitoring, configuration controls monitoring, automated preventive control enhancements, and transaction monitoring.
  • Obtain innovative ideas for enhancing internal controls within your organization using the OAC suite, through real-life examples from the KPMG’s experience with other organizations

215—Sustainable IT Vendor Risk Management

Adam Leigh, CISA, CGEIT, CRISC
Manager, IT Risk Management
MetLife

After completing this session, you will be able to:

  • Understand and be able to discuss the foundation of an effective Vendor IT Risk Assessment program and how it relates to business risk
  • Customize your Vendor IT Risk program to better fit the needs of your business
  • Develop a risk questionnaire that can be used to gauge vendor risk on a contract-by-contract basis
  • Begin to develop a full, standards based risk assessment questionnaire to administer to your vendors

225—Shadow IT Risk & Cloud Governance

Gary Miller, CISA
Senior Director, Information Security
TaskUs

After completing this session, you will be able to:

  • Recognize the risks of cloud solutions, especially unknown services consumed in the shadows
  • Learn the importance of centralized IT control of cloud services within the enterprise
  • Explore best practices for the assessment of all shadow IT applications, including SaaS, and the organizational hurdles facing this centralization effort
  • Examine data security considerations of cloud deployments, including encryption, access control, user authentication (including 2FA), as well as disaster recovery and data breach liability within cloud services contracts

235—Intelligence Panel: What We Learned & How It Influenced Our Project

Alex Naveira, CISA, CISM
IT Director
Miami Children’s Health System

Christopher Sullivan
General Manager, Intelligence/Analytics
Core Security and Courion

Mark Teehan
IAM Program Manager
Harvard Pilgrim Healthcare

This session will showcase the recent experiences of three major organizations that have implemented a risk-aware identity governance and administration program that leverages identity analytics and intelligence. While each organization’s primary objective was different, all benefitted from the ability to improve IAM efficiency and effectiveness to reduce cyber threats, regulatory risk and operational costs.

After completing this session, you will be able to:

  • Gain a practical definition of “identity intelligence”
  • Learn how to embed intelligence in your security operations and processes
  • Understand how to measure and communicate the value of Intelligent IAM programs
  • Review how intelligent IAM is evolving and what to expect in the years to come.

245—Art of Performing Risk Assessments

  View Presentation

Uday Pabrai
CEO
Ecfirst

After completing this session, you will be able to:

  • Understand compliance mandates & standards for risk assessment (HIPAA, NIST, PCI DSS, ISO 27001)
  • Examine core components for a comprehensive and thorough risk assessment exercise
  • Walk through a sample risk assessment report to understand key sections such as a Corrective Action Plan (CAP)
  • Understand how to integrate a technical vulnerability assessment & penetration testing within the scope of a risk assessment

255—Enhancing Governance Through IA Activities

  View Presentation

Kaveh Rikhtegar, CISA
Director, Internal Audit
Canadian Commercial Corp

After completing this session, you will be able to:

  • Understand audience objectives and expectations: how they fit in an overall governance framework
  • Create a value added internal audit organization
  • Build an effective Performance Management System
  • See real-life performance measurement examples to ensure internal audit activities are in line with audience objectives

315—Digital Risk in Retail

  View Presentation

Shilpa Pai, CISA
ERS Senior Manager
Deloitte & Touche

Rajeev Singhal
Deloitte & Touche

After completing this session, you will be able to:

  • Describe the risks associated with an organization’s use of social media and mobile technologies
  • Gain an understanding of the key components of an effective risk management framework to tackle and address these risks
  • View a practical "what could go wrong" perspective on the fast-paced use of digital technologies, how the process works and where it is trending
  • Understand why retail is particularly vulnerable to these risks

Track 6: Career & Communications Management

116—Bridging the Gap

  View Presentation

Gerald F. Meyers, CISA
Director
Accell Global Risk Solutions

Robert Valenciano
Director
Accell Global Risk Solutions

After completing this session, you will be able to:

  • Better understand the differences between financial / operational auditors and IT auditors.
  • Understand the psychology behind those differences (which in turn, helps us understand ourselves)
  • Implement ideas on how to bridge the gap between the two groups
  • Identify and avoid common pitfalls (in other words, rise above the same ol', same ol')

126—Genius Is a Team Sport

Tim Sanders
Internet Pioneer, Best-Selling Author, Public Consultant

When it comes to information systems audit, control and security, the game moves at a fast pace. Technology seems to stay one step ahead of yesterday’s breakthrough solution, requiring genius to keep up. This can only be accomplished by cross-discipline collaboration, which will produce rapid problem solving. This session offers exercises on how to build teams, prepare them for collaboration meetings, and then execute on the ideas and plans that come from them. After this session, attendees will understand how to approach project challenges with cutting-edge collaborative techniques. These techniques not only solve problems; in many cases they forge deeper connections across the enterprise and/or produce system-wide improvements.

After completing this session, you will be able to:

  • Discover the three myths of creativity that hold back innovation in enterprises.
  • Learn how to find the true problem behind existing project challenges. (Includes use of the Fishbone and SIT templates.)
  • Become familiar with the art of team building across departments or disciplines.
  • Understand how to recruit, motivate, prepare and lead.
  • Take on the personas of Hacker, Chef and Artist to find creative solutions to project challenges.
  • Manage diverse groups with varying agendas.
  • Uncover why the Leader-Member Exchange is the key to converting creative thinking into innovative solutions.

136—Attributes of a Highly Effective IS Auditor

  View Presentation

Lou Barkman
Senior Manager
Deloitte & Touche LLP

After completing this session, you will be able to:

  • Become effective as an IS Auditor focusing on communication and interpretations between IT and the business
  • Ask open-ended questions to build rapport
  • Interpret inclusiveness across internal Deloitte departments
  • Interpret inclusiveness across a client’s IT and business and different compliance groups

146—Geek Speak to Business Speak

Mary Breslin
President
Empower Audit

After completing this session, you will be able to:

  • Understand why words matter, and how they impact understanding and relationships. Examples of how word choice can greatly impact perceived meaning
  • Recognize the “wall” - how it got there - and how to take it down. Audit or Geek speak can create a barrier between individuals that prevents the sharing of information and productive working relationships
  • Recognize when you are “doing it again” with geek speak. Understanding when someone is not fully understanding your meaning and changing approach (and words) to ensure your message is received
  • Translate IT speak to Finance Speak to Audit speak to layman terms everyone can understand so that every conversation is productive

216—Building your personal brand: Focus on Women

William Arruda
Founder and President
Reach

Personal branding provides women with the sense of stability, empowerment, value-creation, and recognition critical to success in an increasingly dynamic marketplace. In this high-energy workshop, Personal Branding Guru William Arruda takes you through his proven, three-step personal branding process so you can learn the secrets to uncovering, building and expressing your winning personal brand. You’ll learn how to define your brand and integrate it into everything you do every day. This inspiring workshop is designed specifically for women to help you advance your career, support the corporate brand and become influential, indispensable and incredibly happy in the process.


226—Building your personal brand: Focus on Women (cont'd)

William Arruda
Founder and President
Reach

Personal branding provides women with the sense of stability, empowerment, value-creation, and recognition critical to success in an increasingly dynamic marketplace. In this high-energy workshop, Personal Branding Guru William Arruda takes you through his proven, three-step personal branding process so you can learn the secrets to uncovering, building and expressing your winning personal brand. You’ll learn how to define your brand and integrate it into everything you do every day. This inspiring workshop is designed specifically for women to help you advance your career, support the corporate brand and become influential, indispensable and incredibly happy in the process.


236—Conflict Management and Negotiation Skills

  View Presentation

Shawn McBride
Managing Member
The R. Shawn McBride Law Office, P.L.L.C.

After completing this session, you will be able to:

  • Understand why conflict arises during the negotiation process
  • Know how to manage conflict
  • Handle negotiations strategically
  • Get better negotiating outcomes

246—People Centric Skills: Communication

  View Presentation

Danny Goldberg, CISA, CGEIT, CRISC
Founder, GoldSRD
GoldSRD

After completing this session, you will be able to:

  • Enhance rapport-building through tactical strategies, by "humanizing" the process and by allowing the client to "control" the results
  • Learn how to maximize the value of Emotional Intelligence and apply it proactively in the workplace
  • Improve public speaking and presentation development skills to become a more effective communicator in large groups
  • Learn the intricate art of "Auditor Speak" and what words to avoid when talking to a client
  • Develop a relationship bond and make auditees trust you so that you may communicate more effectively

256—Become a Chief Information Security Officer

  View Presentation

Lisa Young, CISA, CISM
Senior Engineer
Carnegie Mellon University

After completing this session, you will be able to:

  • Better understand the role of a CISO
  • Communicate the value of the information security program in business language
  • Understand the organizational reporting structure that best supports the CISO role
  • Map your current skills and expertise against the Certified Information Security Manager (CISM) certification from ISACA

316—Releasing Leadership Brilliance – How to Empathize, Engage, and Energize Your Culture

Simon Bailey
Author, Speaker and Global Influencer

Stale. Stuck. Spiritless. This is what a leader, then a team, and ultimately a business becomes when mojo is lost. In order for leaders to reinvigorate and ignite a fresh mindset that enables a team and a business to thrive, they must stop communicating and start connecting. Connection begins when leaders make a commitment to bring out the best in themselves and then do the same for everyone around them. This challenges team members to raise the bar on their engagement and productivity. The ultimate benefactors of this shift in thinking are customers who opt-in to become your brand champions.

After completing this session, you will be able to:

  • Revitalize your role within your team and line of business
  • Improve your ability to connect with your team instead of just communicating
  • Create a high-performing team that exceeds expectations

Track 7: Industry Trends & Insights

117—All About Analytics: Turn Data into Weapons

  View Presentation

Brian Rizman
PricewaterhouseCoopers LLP

Elizabeth McNichol, CISA
PricewaterhouseCoopers LLP

After completing this session, you will be able to:

  • Gain an understanding of the external trends leading to a focus on enterprise systems data to support compliance initiatives
  • Learn how to approach the implementation of repeatable, sustainable, data-driven solutions
  • Articulate how data and analytics support streamlining compliance and risk management
  • Envision how to integrate data analytics with your organization's existing technologies, such as SAP GRC and visualization tools

127—Automating and Modernizing z/OS Security Auditing and Compliance

Brian Marshall
Vice President, Research and Development
Vanguard Integrity Professionals

After completing this session, you will be able to:

  • Understand the critical place z/OS systems hold within various organizations
  • Be aware of successful penetrations of z/OS systems and vulnerabilities that lead to the exfiltration of data
  • Know the top severe z/OS risks commonly identified during Vanguard's assessments

137—Managing Increased Regulatory Expectations of Technology Audit

Michael Smith
Partner
PricewaterhouseCoopers LLP

Khalid Wasti
Partner
PricewaterhouseCoopers LLP

After completing this session, you will be able to:

  • Understand emerging technology risks and the related regulatory expectations
  • Understand the potential impacts of the FFIEC CAT on Technology Audit
  • Understand the importance of having a comprehensive audit automation strategy

147—Aligning Audit Objectives to Enterprise Goals with the NIST CSF

  View Presentation

Greg Witte, CISM
Senior Security Engineer
G2, Inc

After completing this session, you will be able to:

  • Discover a view of the CSF and its components
  • Learn how CSF and COBIT5 can be used together to improve audit activity
  • Develop plans for updating the CSF based on recent NIST workshops
  • Comprehend how to align organizational audit processes and mission priorities
  • Reiterate how to use CSF as a common key for communicating and organizing audit plans

217—Top Ten Audit Issues for 2016

  View Presentation

Michael Juergens, CISA, CGEIT, CRISC
Principal
Deloitte & Touche LLP

After completing this session, you will be able to:

  • Identify emerging technology risks
  • Develop action plans to address emerging risks
  • Engage in meaningful dialogues with IT management on emerging risks
  • Deliver more value through the IT audit function

227—Introduction to Blockchain from a Risk Management Perspective

Mike Krajecki
Director, Emerging Technology Risk Services
KPMG LLP

Kiran Nagaraj
Director, Emerging Technology Risk Services
KPMG LLP

After completing this session, you will be able to:

  • Understand the concepts behind blockchain technology and applicability to different industries
  • Articulate blockchain use-cases and potential disruptive impact to legacy services and products
  • Identify the risks blockchain introduces related to security, privacy, and compliance

237—A Global Look at IT Audit Best Practices

  View Presentation

Robert Kress
Managing Director
Accenture

David Brand
Managing Director
Protiviti

After completing this session, you will be able to:

  • Identify key top technology trends and discuss how these impact the organization’s audit plan
  • Assess the status of the IT audit risk assessment process within organizations
  • Address IT audit training and resource needs within organizations
  • Discuss common standards and frameworks used to conduct IT audits across the globe

247—The Future of Managing Vendor Risk

  View Presentation

Carlos Krause, CISA
Manager of Professional Services
Modulo Security

After completing this session, you will be able to:

  • Learn what it takes to implement and run a successful Vendor Risk Management program.
  • Understand how managing vendor/3rd party risk fits into a broader IT GRC strategy.
  • Be prepared to manage future risks that inevitably arise as your company continues to add vendors and suppliers.

257—How To Become a Successful IT Audit Director for a Fortune 1,000 Company

Anthony Noble
VP IT Audit
Viacom, Inc.

Walter Blackwood
Senior Director, IT Audit
TIAA

Patrick Starnes
IT Audit Director
Fifth Third Bank

Nathan Anderson
IT Audit Director
Sears Holdings

After completing this session, you will be able to:

  • Learn the necessary skills to be a successful IT Audit Director
  • Uncover the typical career path to becoming an IT Audit Director
  • Understand the required and suggested education necessary to become a successful IT Audit Director
  • Gain insight into a day in the life of an IT Audit Director

Workshops

WS1—Creating a Privacy Program using ISACA’s Privacy Principles

Rebecca Herold, CISA, CISM
Owner & CEO
Rebecca Herold & Associates, LLC

After completing this session, you will be able to:

  • Understand basic privacy concepts and definitions
  • Identify and describe the ISACA privacy principles concepts and goals
  • Be aware of major data-protection legal requirements for personal information around the world
  • Explain how to use the ISACA privacy principles to build a comprehensive privacy program
  • Recognize, and distinguish between, privacy risks and privacy harms
  • Identify tools and methods to mitigate privacy risks and privacy harms
  • Define privacy roles and establish privacy-function staffing
  • Recognize privacy incidents and breaches and establish a privacy breach response capability
  • Build a privacy training program and understand how to keep awareness levels high
  • Choose privacy program metrics and monitor privacy program effectiveness
  • Recognize new and emerging privacy impacting technologies (e.g., IoT, Big Data, smart devices, etc.) and address the associated harms and risks
  • Utilize privacy management skills based upon the real life examples, case studies, and tips for success provided

WS2—Database Security & Audit

John G. Tannahill, CISM, CGEIT, CRISC
Management Consultant
J. Tannahill & Associates

After completing this session, you will be able to:

  • Audit current versions of relational database management systems (SQL Server, Oracle and DB2)
  • Write SQL scripts to extract and analyze database security configurations
  • Review database security configurations
  • Understand Oracle, SQL Server and DB2 security fundamentals

WS3—Cybersecurity Fundamentals

Please Note: This workshop is currently sold out. Please contact conference@isaca.org to be placed on the waitlist.

Todd J. Fitzgerald, CISA, CISM, CGEIT, CRISC
Global Director Information Security
Grant Thornton International, Ltd.

Why become a cybersecurity professional? The protection of information is a critical function for all enterprises. Cybersecurity is a growing and rapidly changing field, and it is crucial that the central concepts that frame and define this increasingly pervasive field are understood by professionals who are involved and concerned with the security implications of Information Technologies (IT). The CSX Fundamentals workshop is designed for this purpose, as well as to provide insight into the importance of cybersecurity, and the integral role of cybersecurity professionals. This workshop will also prepare learners for the CSX Fundamentals Exam.

After completing this session, you will be able to:

  • Understand basic cybersecurity concepts and definitions
  • Define network security architecture concepts
  • Recognize malware analysis concepts and methodology
  • Identify computer network defense (CND) and vulnerability assessment tools, including open source tools and their capabilities
  • Explain network systems management principles, models, methods, and tools
  • Distinguish system and application security threats and vulnerabilities
  • Classify types of incidents (categories, responses, and timelines for responses)
  • Outline disaster recovery and business continuity planning
  • Comprehend incident response and handling methodologies
  • Understand security event correlation tools, and how different file types can be used for atypical behavior
  • Be aware of the basic concepts, practices, tools, tactics, techniques, and procedures for processing digital forensic data
  • Recognize new and emerging information technology and information security technologies

WS4—Measuring What Matters

Lisa Young, CISA, CISM
Senior Engineer
Carnegie Mellon University

Katie Stewart
Carnegie Mellon Software Engineering Institute

After completing this session, you will be able to:

  • Identify a core set of strategic business goals (requirements, objectives) to which the GRC measurement program will be applied. Participants provide one or more business goals/objectives from which metrics will be derived
  • Formulate one or more strategic questions for each goal in learning objective 1. The answers to these questions help determine the extent to which the goal/objective is being achieved
  • Identify one or more indicators for each strategic question. An indicator is data and information that further inform the answer to each question
  • Identify one or more metrics for each indicator that most directly inform the answer to one or more questions

WS5—Applied Data Analysis

Note: Participation in this workshop requires you to bring a laptop that allows you administrator privileges for installing software. You must have permission to read data and copy it from a USB (or an optical DVD drive) on your laptop.

Michael T. Hoesing, CISA
Director Data Analysis Corporate Audit
University of Nebraska at Omaha

After completing this session, you will be able to:

  • Better understand which IS audit phases and which automated data analysis procedures will be beneficial, either in the planning phase, testing phase or follow-up phase
  • Learn techniques to apply data analysis to the IT event tracking systems to better understand the enterprise environment to aid annual planning, engagement planning and testing planning
  • Gain practice accessing and analyzing Active Directory data
  • Obtain techniques to analyze logical access data as it relates to segregation of duties, phantom access, access policy configuration and adherence
  • Compare system configuration files to determine drift
  • Apply analysis techniques to multiple files associated with change management

WS6—The Power of Strategic Vendor Risk Management – Turning Risks into Results

Please Note: This workshop is currently sold out. Please contact conference@isaca.org to be placed on the waitlist.

Debbie Lew, CISA, CRISC
Executive Director
Ernst & Young, LLP

Rolan Lucillo Moldes
ITRA Management
Ernst & Young, LLP

After completing this session, you will be able to:

  • Understand how vendor risk management programs help identify and manage risks to an organization
  • Understand the vendor risk management (VRM) life cycle, the contract life cycle and the key activities in each phase
  • Identify vendor management and contract risks, and the threat categories
  • Discuss key regulatory requirements in various sectors for vendor management (e.g., HIPAA Omnibus Rule for Health Care, FFIEC and Office of the Comptroller for the Currency (OCC) for Banking, PCI Data Security Standard for Payment Industry)
  • Identify the six functional components that enable an efficient, consistent and enterprise-wide VRM program
  • Discuss how to apply inherent risk segmentation to target vendors for assessment
  • Understand the COBIT 5 vendor risk categories and risk mitigation strategy
  • Leverage the “Vendor Management Using COBIT 5” publication to conduct a VRM assessment utilizing available tools and enablers.

Spotlight Sessions

SS1—Personal Data Use Governance: Mitigate Risk While Unlocking Business Value

Jacky Wagner
Managing Director
PricewaterhouseCoopers LLP

After completing this session, you will be able to:

  • Learn how using data in innovative ways can benefit an organization and its customers, but how it can also cause risk
  • Discover a lifecycle approach to the overall protection and use of data
  • Study the data use governance maturity spectrum
  • Review data use governance capabilities

SS2—Automated Solution Toolkit to effectively Audit the IBM Systems Z

Brian Marshall
Vice President, Research and Development
Vanguard Integrity Professionals

After completing this session, you will be able to:

  • Understand that proper tools and knowledge lead to a secure enterprise
  • Understand how to use Vanguard Tools to find the top ten industry audit findings
  • Understand how automated solutions are available to audit against NIST and DISA STIGs

SS4—Achieving Intelligent, Adaptive, and Scalable Risk Management

Abhi Pandit

Prasant Vadlamudi

After completing this session, you will be able to understand how Internal Audit can:

  • Demonstrate Thought Leadership by highlighting emerging risks to the Board and Executive Management and enable them to manage these risks
  • Help the company achieve competitive advantage and change company culture
  • Achieve growth, create new career tracks and change perceptions about the profession

SS7—SSH Keys - Security and Compliance of the Hidden Production Access Engine

  View Presentation

Fouad Khalil
Director of Compliance
SSH Communications Security

After completing this session, you will be able to:

  • Obtain sufficient understanding of the pervasiveness of SSH keys and the access SSH keys provide across an enterprise’s network
  • Gain a deeper understanding of the vulnerabilities and risks associated with poorly deployed and managed SSH keys, and of the security needed for automated and interactive SSH key management
  • Walk away with best practices for SSH key deployments and how their usage relates to regulations and standards.

SS8—Digital Risk Officer: The Next Generation CISO

Jack Curatolo
Manager Digital Marketing
Modulo Security

After completing this session, you will be able to:

  • Learn how the most successful IT security organizations are preparing for the future.
  • Prepare your organization right now without hindering innovation in other business units.
  • Reap the full benefits of automating your IT GRC program, today and moving forward.

Flashback to the ‘40s

3 May 2016, 6:30-9:00PM at The National WWII Museum

Be treated to live music from the Victory Six swing band and the Victory Belles—the 1940s-era vocal trio.

Enjoy a delicious dinner buffet along with beer, wine and refreshments surrounded by vintage WWII aircraft and armor.

Experience a “4D” journey through the events that changed the world in the short film: Beyond All Boundaries—produced and narrated by Academy-Award winner Tom Hanks.

Tour the US Freedom Pavilion: The Boeing Center for more interactive exploration of mid-1940s’ life on the U.S. home front and overseas.

Socialize with fellow attendees, and connect with history at this exciting gala evening portion of North America’s leading conference of business and information systems audit, assurance, security and control professionals. Transport from the conference venue will be provided.

Beginner–Delegate has limited or no prior knowledge or experience, or is new to the subject matter. Beginner sessions are geared toward attendees who are new to the field and seeking to learn basic concepts. Beginner sessions are intended to help attendees who seek to build foundational knowledge in an effort to gain a working knowledge of the topic.


Intermediate–Delegate has a working knowledge of the topic covered but is not yet an advanced practitioner. Intermediate sessions are geared toward delegates who have some competence in the subject under discussion resulting from prior training, education and/or work experience. Delegates who seek to build upon foundational knowledge, refine and better hone their skills, and advance their understanding of the topic may wish to consider intermediate-level sessions.


Technical Advanced–Delegate has a high level of technical understanding of the topic under discussion. Advanced technical sessions are geared toward delegates who have already achieved a high degree of technical competence in the subject of discussion resulting from extensive training in the area and supplemental work experience. Delegates who wish to build upon intermediate knowledge, achieve mastery in a specific technical area, or build upon existing technical skills may wish to consider advanced technical sessions.


Managerial Advanced–Delegate has a high level of understanding of managerial concepts. Advanced managerial sessions are geared toward attendees who have already achieved a high degree of leadership competence in the subject of discussion resulting from extensive training in the area and several years of work experience. Delegates who wish to build upon intermediate knowledge, achieve mastery in a specific managerial area, or build upon existing leadership skills may wish to consider advanced managerial sessions.